A Tale of Access Governance: Ownership vs. Facilitation – Part 2 of 2
In part 1 of this 2-part article, we described some of the symptoms that are found when the IAM team is perceived as the owner rather than the facilitator of access governance processes. This article will provide some pointers and suggestions on how to re-focus the program.
How do I get well?
If this condition is identified, then it is imperative, particularly for the IAM program manager or for the head of Compliance, to raise this to the program’s executive sponsors and senior business stakeholders. This should start the process of defining governance models and assigning ownership appropriately. Likewise, you will need to start communicating to internal and external auditors regarding who has responsibility for what. Only then can you expect to see real success in your IAM initiative.
Is this a culture change?
Yes, for some organizations, but it is the way of the future. Sustainable compliance, as it relates to IAM, can only be achieved if the processes and responsibility regarding access governance have been defined and mapped. This should be followed by automation in order to make it more efficient.
I would go as far as to say: stop investing in any IAM technology deployment until you have sorted this out. You will most likely regret it otherwise.
Two Solutions to your Problems...
In combating this epidemic, we have come up with two offerings that we believe will significantly help organizations maximize their chances of success in IAM. Anecdotally, one of our clients referred to these services as therapy, and I must say this client was not in healthcare…
- We are stubbornly leading with our advisory services program, namely our Kickstart program, on any new engagement with clients. This program has been very successful, not only because it is well defined, compact and cost-effective, but also because it is a great way for our clients to gauge our value and for us to gauge our chances of success with the client. In the end, Identropy’s customer satisfaction is one of our key assets, so we want to ensure we are achieving success with our clients at all times. Since I lead the advisory services practice for Identropy, I can say with conviction this is something I wish I had put in place in previous jobs. In a way, we view this as an opportunity to go back in time, if you will, and say “if I had to do this all over again, what steps would I take differently, what pitfalls would I avoid?” Evidently, we do not offer time-travel in advisory services, so the benefit of doing this from the outset with any new client is that the client will happen to be our next opportunity to do things better, based on our past experience.
As I write this, I can share with you that we are considering “productizing” a new program, in addition to our Kickstart program, which will be aimed at helping organizations define and instate the IAM governance model best suited for them, which in our honest opinion is the biggest factor in the success of any IAM program. We are trying this out actively with two of our clients, and thus far, I can report it is going well.
- The second offering, which we see as a significant and unique value proposition in reducing complexity in our clients’ IAM programs, is our managed service offering called SCUID. Beyond technology, what we are proposing with SCUID is a way to remove or minimize the technology issues from the IAM infrastructure deployment and operations. Our stance is this: if we can remove the technology factors from the equation for our clients in computing the success of their IAM program, and trade them for a cost-effective, quicker time-to-value proposal, we can allow our clients to free up some of their heavily constrained human resources, who can now tend to facilitating the access governance processes, working with their business stakeholders.
We believe we are not only able to deliver on this value proposition, but we can do it better than anyone else, and we have some strong evidence of that from existing clients and a growing client base.
That’s it, perhaps a bit salesy (I beg the identerati’s pardon), but charged with passion. I would love to get your reactions if you could share them with us.