After a Year of IAM Consulting, Here's What I've Learned
It has been just over a year since I joined the dark side started IAM consulting. Prior to that, I spent over a dozen years in the daily trenches of IAM–administrating, managing, directing, operating, supporting, justifying, marketing–you name it.
Over the past year, I've been part of over a dozen IAM advisory engagements. In no particular order, here is what I've learned:
Doing IAM Well
A lot of companies really do not do IAM well. The best I have seen is what I would call average, but still has some significant flaws to work out. The worst I saw, well, still relies on paper to get things done in 2017–C'mon man!
Companies are shifting away from heavy IAM infrastructure and hard to maintain apps from legacy vendors like Oracle and IBM. Agility, speed, and more cloud options are on the rise! Having to raise an internal army to keep IAM afloat is also shifting towards a leaner and meaner model.
There are some really smart IAM people and programs held back by organizational dysfunction. You can have the tools and know-how, but if your organization isn't rowing the boat with you, it's rowing against you.
Privileged Access Management
People are very interested in privileged access management and many companies are looking to get that done in the next year. I have thought for years it can be a comparatively quick win for an organization to improve the overall security of the organization and not something that just financial companies needed to do.
Consultants are not the devils I thought they would be–well, not the good ones, anyway. For years, I've dealt with consultants that gave me the same information I can look up on Gartner.
The good ones go deeper and learn about your organization, the people, the processes, the technology, and know how to mold IAM programs around what will work in the real world versus taking a cookie cutter approach.
If your company needs help with any of the above, we are happy to help. We only do IAM, so you’ll work with real (and fun) people with real experience that want your IAM program to not just be okay–but thrive and be something you and your organization can be proud of.