Here, we will continue the playbook items list that we started in part 2.

What is New in this New Playbook? (Continued)

5. Consider CapEx vs. OpEx carefully

There are many ways to procure IAM. Pay-as-you-go is in many cases financially better than paying upfront, and it gives you the option to exit under certain conditions rather than having to depreciate a capital investment over its useful life. Many vendors favor subscription-based pricing nowadays. Some of them will even work with you to book a pay-as-you-go service as CapEx instead of OpEx, and at times pre-paying for the service can represent a substantial financial advantage for your organization.

Of course, much of this depends on the direction your CFO has set for how business-critical infrastructure and services should be procured.

6. All else being equal, favor quicker time-to-value

Here’s the kicker: even if you did not care about any of the parameters above, you should still think about this one. If equivalent solutions (functionality-wise) were available at the same cost, choose the one that gets you to production sooner. Remember that your CISO or CIO cannot wait any longer.

What this means in practice is that you should look for options that take you from zero to production in the shortest time possible. These will most likely be solutions that leverage pre-built components and rapid deployment models, including managed or cloud-based offerings, so that you can avoid otherwise time-consuming and resource-intensive deployments.

To truly take advantage of this, you need to ask yourself:

  • Do I need my deployment to be this unique or this complex?
  • Couldn’t I succeed by leveraging pre-built, proven and tested use cases and modules?
  • How much customization do I really need? The more customization, the longer the deployment takes and the more expensive the solution is to maintain.

7. Who is going to manage this once in Production?

Many organizations do not answer this question until it is too late, and then they pay the price of not being ready to effectively support the environment once it is deployed. It is not easy to hire, train and retain well-qualified IAM technical resources.

You may have an IT operations team that will take over the IAM platform once it is deployed, but are they equipped to properly support it? Do they have enough bandwidth to take this on? Do they have the right expertise? You’ll need to assess these answers honestly.

One approach to addressing this need is outsourcing it to a provider that specializes in IAM operations, i.e., a managed service provider (MSP).

Many organizations define outsourcing as contracting cheaper, non-specialized, often remote (i.e., offshore) resources to act as front-line support for their IAM system, supplemented with specialized, more expensive management-level resources to oversee the outsourced team’s work.

Our definition of outsourced IAM is signing up for a managed service governed by SLAs, so that your internal resources can be refocused on more strategic IAM initiatives: IAM program governance, maintaining your IAM roadmap, prioritizing the backlog of systems to bring under governance, evolving role-enabled processes such as access request and recertification, maintaining an up-to-date “heat map” of risk levels by application mapped to the appropriate assurance level, and so forth.

Remember, if the IAM solution cannot be supported in production, you may as well not deploy it and save time and money.

Bottom line

In order to address the business needs that drive IAM nowadays, enterprise leaders need to open their minds to new approaches. Otherwise, they risk falling behind in reaching their objectives and exhausting the patience of those who are funding the IAM initiative, a luxury that one cannot afford these days.



Frank Villavicencio
