Listen to Identropy's Jim McDonald and Jeff Steadman on their podcast at "Identity at the Center".

Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
In this episode, Jim and Jeff have a conversation about creating IAM strategies, who to involve, and how to craft the message, along with this video link: Gartner Continuous Adaptive Risk and Trust Assessment (CARTA).


Want to join the conversation? Leave us a message here: or email us at .

We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!

LISTEN HERE or read the full transcript below.

*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.

Podcast #21 Full Transcript:

Identity At The Center #21 - Creating an IAM Strategy

Jeff: Welcome to the Identity at the Center podcast. I am Jeff and that's Jim.

Jim: I'm Jim.

Jeff: You are Jim.

Jim: Jeff, where are you today?

Jeff: I am in scenic Monterrey, Mexico again. Admiring the tall mountains and these 70 degrees. That is much better than the 20 degrees that I had at home and Chicago and the snow on the ground. So I'm pleased about that turn right there.

Jim: All those that are freezing both out of the continental US, we really feel sorry for you.

Jeff: I'm sure you do. It's my first world problem of the day. I will try to suffer through it on behalf of you and everyone else listening.

Jim: And we are ultimately grateful, never ending gratitude.

Jeff: I'm sure you are.

Jim: So, Jeff, we have Gartner coming up in a couple of weeks, is it OK to tease our next podcast topic?

Jeff: Yes, I think we've got a few. I think in the spirit of Thanksgiving, we're going to try to figure out maybe something like what are we thankful for an IAM world? maybe for the next episode and then start getting into Gartner sessions and what we're both looking forward to in the conference.

Jim: Sense good. And the other thing that I'm going to be studying up on is I'm pretty tuned into it is CARTA, a sense for Continuous Adaptive Risk and Trust Assessment. And Gartner's been putting a lot of focus on this framework and way to think about continuous authentication, continuous assessment of the person who's logged in and making sure that, you're really it's still the same person when just step up and authentication, things like that, even if it's in the middle of a session. So I'm really interested to learn a lot about that while we're at the conference. What I want to try to learn as much as possible found a pretty good presentation that was available for free online. Maybe we can add the URL to the show notes, but just simply a I'm kind of tuned into I want to spend as much time during the conference going to sessions revolve around that. And like I said, I want to kind of get studied up on it before we go.

Jeff: So here I started to map out which sessions you want to attend.

Jim: Yes, I've done my entire agenda.

Jeff: I stink because I haven't even looked at it yet.

Jim: Yeah, and a lot of the sessions which you have to register for are already hooked up or sold out or however you want to put it.

So you're probably just seconds from the same thing that you second term last time you're Gartner which we talked about or one of our previous podcasts which you had to get in and kind of register before you show up.

We're all sessions will be sold out and booked up. Then you won't get into all the sessions that you want. Fortunately, there's still tons of sessions out there, so I wouldn't be too worried about it.

Jeff: Yeah, I feel like if you don't get in early, you don't get them. You don't get into some of those. And I have a totally unfounded conspiracy theory, totally not based on any fact that they reserve some of those seats for some of their other customers and, other people, maybe you might be VIPs, things might not be as available as they look like or they're locked out for some sort of pre-sale type activity, I have no idea if that's true. That's gonna be my excuse to I couldn't get into something.  It's not that I totally haven't looked at it yet. I have no idea what's up for Gartner.

Jim: That sense of just like sour grapes.

Jeff: Sour grapes?

Jim: Sour grapes, conspiracy theory. You have no proof, but that's OK. You could be spot on.  So it is just our muse, true.

Jeff: This is true. I feel like you're helping me and your enabler, and I appreciate that.

Jim: So we want to talk IAM strategy, right?

Jeff: I think so.

That is the emphasis of this podcast, so I've been just you know, I think every week when we do this podcast, after a week of project work that we worked on. Some things are hard, some topics. So it's not always going to be a timely topic. It might just be a general topic or something that we spent a lot of time thinking about the last week. So centered these on IAM strategy and just kind of some big ideas that I'm going to throw out there that I would love to hear. Kind of your feedback on one of those is, I've been thinking about, oh, we are remotely thinking about how do you justify an IAM program or how do you make a business here work.

And I will always go back to kind of my MBA training, if you will.

And kind of the idea that there's three things that can justify an investment is to increase revenue, decrease cost or reduction of risk. And so you kind of tend to get into when it comes to reduction in costs, you kind of get into that mindset of we want to reduce costs going forward. So one way to justify IAM program is to save reduce the cost of running your current technology or pure help desk calls, things like that. Well, what I want to do. Like my big idea. Really what I've run into recently is cost avoidance. And if you can find a situation where potentially IAM program helps you avoid tech dead type solutions where you're having to do some kind of work around or a temporary IAM solution, something that becomes a throw away that can be something that can help to improve your business case or make your business case for you, definitely contribute to why it makes sense to make your investments sooner rather than later.

Jeff: Yeah, I feel like when a quote, one of my favorite people, Bert Carroll, used to work for him way back in the day and he used to say, I'm bootlegging a you this, but, there's nothing so permanent as something that's temporary without an end date. Right. If you're developing something that has and that's a stopgap and there isn't a clear plan as to what is the real plan behind it, you may end up getting stuck with it. I think we've seen that with a couple of recent classes of working with and just over time, people gonna get stuck into this. Well, we built it and this is just the way it is now.

Jim: And so this particular client has a major strategic platform that they are already invested in. Right. But they didn't have the IAM tools to kind of support it. So in order to really use this strategic platform that don't have a way to get people into this system ring off to set up an authentication scheme. It's going to be a lot of throwaway work for when the IAM system comes along. And so being green feels like the perfect time because you don't have to set up any of that throw away work. My bigger concern is this. Not only do you have that cost avoidance, you've got these folks from the application team scoring this new greenfield technology. We're onboard. And what IAM and how often do you see where people put these throwaway solutions and then fall in love with them? They say the throwaway solutions, like everything like your IAM solution not to do everything that the throw away solution does. And more. And they turn they potentially could turn from advocates of your IAM system to opponents of it. So, I write that Greenfield situation, I wouldn't say is extremely common, but it isn't me out there might be listening using the same kind of situation and thinking of cost avoidance as a way to justify IAM Spender's. It's very real. It's something that financially minded people will get right. And they usually when you're making a business case is ultimately rolls up to people who don't really blow. Aren't technophiles. Right. They're just want us understand if this is a good place to spend money from an investment standpoint or not.

Jeff: And sometimes IAM spending can get big.  So you kind of have to balance that out. There may be times where you just don't have the funding to spend what you want to spend to fix the problem. Then you start to have to figure out one of the work-around, and that's what stopgap solutions come up most often is for, at least from my experience.

Jim: And so, along the lines you say that the second big ideas along the lines of that making a business case and the increasing of revenue is a rare, extremely rare, probably never happen that implementing an IAM system in and of itself helped increase revenue. However, if there's a strategic initiative that does increase revenue and IAM is a vital component to that, you take partial credit and somehow and maybe you want to work with your leadership team to figure out how you present that case to me, IAM as an enabler, as an enabler of that. The example I gave earlier where there's a greenfield technology and that team needs IAM or I have to build work around. But, even bigger an issue is where companies are deploying a portal or, some kind of Web e-commerce site where they need a way to have people register and manage your password and authenticate, maybe do multifactor, setting it up, setting up a business case where IAM is a crucial component to that and an enabler of a much larger business activity it really brings IAM to like as a business enabler.

Jeff: Yeah, I guess if you're doing it right, you're collecting enough information around the users to be able to further fine tune your offering.  Whatever that may be based on whatever Atreus this is, you know something, you know, a lot of eCom companies will work through, as you know.

Here's Jeff. And he went to Amazon and he clicked on this and he clicked on that. So we might he might be interested in this. You know, send him a coupon for that, because that might inspire him to buy more, spend differently.

Those are all different things that could be enabled. But without knowing who I am and having my identity managed in a very tight and controlled way, that that sort of information is almost impossible to get.

Jim: Right, and there are a lot of consumer IAM solutions out there today. Like SAP And there are issues to be Gigya. That's one that is really focused on that consumer IAM e-commerce site experience where, just as much of the product I would say is about gathering customer data, customer intelligence as it is about kind of traditional authentication, registration, etc. Even though it's usually baked into those things, it's important data that you start to use your artificial intelligence and machine learning to start to build personal trends that people are doing within your applications.

Jeff: Yeah, I think it'll be fascinating to see what some of these large eCom retailers, what their data looks like around your personal identity.

Google has it buried deep within your settings. You can you can export it, but you can you can see what it thinks your interests are.

It's pretty granular, as far as, you know, what sports teams do, you look up then the different types of technologies you're interested in or movies or TV shows, etc. All that's just data, right? That for them is valuable from an advertising perspective. If they have enough of that information on people, they can make that part better.

I feel like Google is one of the companies that does IAM really well.  Obviously, they've got a strong platform and it's out there. They're up there with, Microsoft, Amazon and Apple. As far as sort of the big dogs, Facebook and Twitter as well. But with things like GDPR all these companies now, all that data that is collected about you is a lot easier to find. And most companies now have a way to export it out. So being able to manage that, it is a huge part of being able to be compliant with regulations, et cetera. In addition to being able to target your products.

Jim: Absolutely, So the third kind of big idea that I want to talk about is just not being myopic, not only looking at your specific needs, especially when you're trying to put your business case to other for IAM being able to talk about where are the trends in your industry, where are the trends in the world at large that can affect you and your organization.

Things like what you roll out with the privacy regulations, as watching a video today on how it got into blockchain but the term that was being used for it was decentralized. Identity is starting to get traction. So those are last podcast But, just for anybody out there is thinking about that and is excited about it, remember that term, decentralized identity. And when I went back through my Gartner registration, they have a meeting. They have Windows sessions on decentralized identities now called blockchain. But ten to one, that's exactly what they're talking about.

So I heard the speaker make the statement that privacy is a basic human right. I thought about that. And it's like that's a concept that is just probably starting to get a foothold. I mean, I remember being in an IAM conference and a speaker saying you have no expectation of privacy.  It was the exact opposite view, which is that if you want to use the Internet, you want to use a Web site. You have no expectation of privacy. We do what we want with your data. Well, the tide is shifting now. So those are some of the bigger ones. That's one of the bigger trends. Another other bigger trend is just data breaches.

You hear about new data breach every week, it seems like.

And those data breaches are costing companies their reputation when we're crossing a lot of money.

Jeff: Yeah, I feel like what you're just talking about with the right to privacy and Or maybe they're not right to privacy. I feel like I fall maybe more into the former camp, meaning if I'm going to take evangel services, I expect that I'm going to have to trade some of my privacy to use that service.

Now, I expect that the service that I'm using will protect my information and they will take reasonable steps to make sure that it remains secure and that I have a way to manage it.

But I fall more into the camp that with my current thought is and this is all subject to change, is that I expect to trade privacy for some service, if the product is free, you're the product. It's kind of the way I look at it.

Google doesn't make Gmail for free because they like you. They want your information so that you can become the product and they can theoretically anonymize your information and then make it part of some sort of ad spend that a company would make targeting people like me for whatever that reason may be.

And I feel OK with that because I feel like that those are the services that I want to use, I'm probably fine with that. I wasn't then I would change my service to something else.

Jim: You know what? What if the service is not free? And what if you go to the Web site? This is  by continuing on, you agree to our privacy policy and the privacy policies is that we may share your data with third parties. And then when you look to see what Web site is, it is as a utility or it's your bank, as you seem very broad privacy statement that you don't necessarily agree with. But the reality of it is, is that you need a electric in your house and  you need to pay your bills.

So you set up automatic payment. My thing is, you shouldn't have to live like a like a hobby or like the Unabomber in order to pay your bills online. I don't see why you should have to agree to that.

Jeff: Yeah, I think where there's competition, I think that there is better. But when you get locked into a service, that is a slippery slope. And I don't know if I'm the right person be having a conversation with. But sure, I certainly understand where that's come and I see where you're coming from. And I agree with that. They're just the data needs to be protected.

Jim: One of the things I say a lot to our clients is that I've worked with clients over time and you go into the. I think we've talked about this one time, the client that, their whole IAM houses is kind of gated. They haven't invested appropriately an IAM. But they're privilege access management system is like world class or like wherever we are rich. And I think this whole privacy conversation goes back to it's like now enough privacy abuses have happened that people take it seriously. And, their GDPR and there's a California Consumer Privacy Act, and it's because companies have gone too far and how they use to secure data as they should have basic right to privacy, basic.

I say, there's probably a lot of things that we can all agree to. But if you don't want to read eBay’s 20 pages of privacy things on you. We update our privacy. You get off five times, six times a year. You want to go out there and read for 20 minutes, you just want to be able to use a service. Same time you don't want them doing. You just give your email address out to everybody else. Then you start getting half of my emails, spam that I doubt I've ever used any of these services. Somehow, they got me information. So anyway, I think we're kind of going off on a tangent as usual.

But I think that these larger trends into narrowly industry transmit trends within the world are things that we as IAM practitioners, we're trying to make our business case.

We need to help non practitioners understand the threat landscape. What's a risk? It's you know, it's OK to bring it back to a bigger conversation. This was happening in the world. This is what the cyber-attack landscape looks like as not all fear, uncertainty and doubt. As you know, you don't want to go there. You want to make it realistic and you really want to talk about these are the impacts that are taking place.

Jeff: Yeah, I think one thing is you have to remember is that not everyone in the IAM space.

When the people that you may be talking to may not be as familiar with IAM. So they maybe not even IT people. Right. Being able to communicate that in a way that makes sense and that people can understand I think is a key part of that strategy, right. How do you communicate, what are you trying to do and why it's important.

Jim: I agree. So, I think, when it comes, IAM Strategy you're going to have some of these big ideas. You're going to have some other ideas that I haven't talked about. And then the question becomes then what?

Well, you have to kind of turn into your story. What is your story? What is that outline?

And I think the first thing is you need kind of within the walls of your organization or within your realm, whatever that is. You have to be able to tell what is happening.

We have to be able to just spread the problem, what would you add to that, Jeff?

Jeff: Yeah, I mean, what is the problem? How does it affect the organization specifically whether it's the users or the business or the strategic initiatives that the business is trying to get done? why does this problem affect those things? So that way that you can have a very clear concise. You don't want to spend an hour talking about the problem. Make it as simple as you can.

Jim: I think you kind of expand on the problem also. What are the threats that your organization places? A big idea. What are they? What are the things that are happening in the world that pose a threat to the organization?

I also think there's one thing that I find very effective when you're kind of telling a story is, you don't want to develop your IAM strategy in a dark corner, with a candle and you just write the whole thing up yourself. You want to work with others. IAM as we were in this program. The program implies that there are a lot of people involved. A lot of different parts of the business. And that you're not coming up with this thing on your own. You're not just doing it. And people are just, getting a service that you came up with the ideas that there are other stakeholders and I think it's important to kind of say who contributed? What were the meetings and what was the process you went through to put together a problem statement or call to strategy, who's involved and what their involvement?

Jeff: I think the key part is knowing who annualization to collaborate with and bring into the fold to co-presenter or to be a co-sponsor of that message. I think there's been times where you've had a conversation and you'll hear someone say, well what is so-and-so? Think about it, that kind of thing.

Jim: Right, one thing that I always hear people talk about strategies that we want to have a show you would buy. And I used to struggle with my mind. What does that mean? What does it mean that by it? And the conclusion that I've come to is that for people to buy in, they have to feel like their voices heard, that they had an opportunity to come to the table to tell their side of the story and be heard. And then they want to have that validated.

So what does that mean? It means you're able to tell them back. This is what we heard you say. So I feel like if you're developing your strategy, you want to make sure that the things that people brought to the table. Were captured that they know they're captured and love, they're now addressed by the strategy. And I kind of feel like that's the biggest key, is making sure that you bring people to the table. They have their opportunity to be heard. You validate that they heard and you say, and here's how we're going to go about solving the situation now. They still might say, oh, I don't like the way you're solving or something like that. And you can try work back and forth. And I know that there's a cookie cutter answer for how to handle situations like that. But I feel like, the quickest way to get some buy in is that whole process I just talked about with, making people feel heard.

Yeah, it's much better for our strategy to come from multiple people and problem statements than it is come from one.

Jeff: So the more people can get involved with that, the better. I kind of see it as a political undertaking sometimes with an organization and play a little bit of a Game of Thrones, hopefully with less bloodshed.

Jim: Shame, Jeff, shame, shame.

Jeff: Hopefully that hopefully a lot of that either. But, I mean, if you get,  alliances and you build up a relationship with other parts of the organization, that can help drive that. And they understand the problem and they are of like mind and want to help solve it.

I think that really goes a long way when you can walk into your your manager, your director, your DP, your CIO, whoever it may be.

If they're hearing it from multiple people and not just one or two, that goes a long way towards proving that your point is valid and helping you get them the next step.

Jim: Right. I think that it's like the socialization aspect.

I think, after you've defined the problem, obviously you have to define the solution.

And defining the solution is combination of, OK. Technically, people process and technology things that we're going to do to solve the problem.

But then it's also marrying that up with the benefits. Benefits like what is enabled? What risk? So reduce low cost or avoided or reduce and things like that. I think that's important.

Jeff: What if you don't know what the solution is, where there are multiple solutions. How do you handle that?

Jim: Well, I think you have to go in with a recommendation. So there's various stages of a strategy when you might be early on where you need to bring either your stakeholders or some experts to the table to find the solution. I think ultimately you need to boil it down to a few options. And then I think before you go to an executive audience, my experience, you don't want to just go with, hey, guys, we came up with three options and we'd like you to tell us which one you want to do. I think that is very poor in terms of how to approach. I think you need to go through it and say this will be visible. We want to do this, the option that we feel is the best option for the organization.

Jeff: I feel it is kind of like an old math test in school. Right? Show your work.

So, here's the options we have. And here is the one where you come in and here is why.

Right. Being able to show the work of your recommendation, I think goes a long way towards. Proving the viability of it and that it makes sense that you thought logically through the problem that you've addressed the different components of the problem and tried to account for key variables, those sorts of things. There's always something that may pop up, right, that maybe don't think about. And those are things that you'll kind of have to adjust to. But I think if you can show the work of your decision and why you think it's the best one. Our best option. I think that's a strong way to go into it.

Jim: Right. And that's I think you're making a great point.

And I think having that kind of collateral, especially is something that within your organization is as the leadership is trying to pick a portfolio of investments to make in a given year if you know how they like to do their business benefit analysis. So you can break even analysis or something more complicated like net present value or even more symbol, but just whatever. However, they might frame the value of an investment if you're competing with other investments for those dollars. I think that, you need to learn that aspect of it or work for somebody who can help you within the organization. Put together the analysis, beyond the solutions, you have your solution that's obviously you need to propose a timeline, budget and research plan.  I think that's key to a strategy. A strategy is different than a vision. Vision is kind of like a picture of where you want to be. A strategy is a plan to get there. So it's a high level plan. It's a strategic level plan. But it's still a plan. And some it may isn't like a get chart, but it's a plan.

And that plan needs to include things like a timeline budgie and resource plan.

Jeff: And I think that is a really important thing that you just mentioned, is where does the strategy fit within vision and a project? it's a strategy is a strategy. It's not going to typically get down to that level of detail.

Right. You have a project plan and, you know, 100 rows or a thousand rows of detailed step-by-step analysis, but then easily enough information to be able to guide. OK. Here's what we're gonna do. And the order we're gonna do it. And roughly when. And then that's when you would start to drill down into a specific project that would be part of that strategic vision. That makes sense?

Jim: Absolutely. Just kind of round this out.  I feel like when you're at the point that you're presenting this to whoever you're presenting it to, whether it's, for example, a human resources team or what your application seems or say an executive audience, I think you need to wrap up with here's what's needed from you. That's one of the things that we have with our kick off that we finish off with. Here's what's needed for, we're going to come and do this workshop. Here are the four things that we need for you. We want you the way we want you to prepare. And what we're looking for in terms of feedback from you, in terms of an executive audience might be here's the financial and other support we need. We're working with the HR team. You might be we need you to assign a project first to our project team who can be a subject matter expert, whatever. I think that this is the time is you presented the strategy. Here's what we need from you.

Jeff: Make it easy to say yes, how do I get you into this car today? Right. What do you need? Here's what I need from you.  So we had this weird deal. Less skeevy, hopefully. But, you know, make it easy for people to agree. You've got a plan. Here's what you need to execute it. Let's go.

Jim: I would imagine you're a Tesla owner when you intend to buy a Tesla sooner, like you go to buy one or get the heck out of my dealership. There is a line of people who want them.

Jeff: Dealership. That's so that's all. You just go on the website, knew about it. That's how it works.

Jim: Is that how you bought it on the website? OK

Jeff: I mean, he's a dealer, but that's the new way. Means you don't haggle prices on those types of cars. You don't have to because they are what they are.

Jim: So the last thing which I am going to guess that you're going to agree with is how will IAM be run as a program rather than as a project?

Jeff: No way. That's not true. You should always run it as individual projects with no cohesion or any linkage or strategy at all. Just let people know.

Jim: No plan on what to do after it's implemented?

Jeff: Plan. Plans for management.

Jim: Yes. So the sarcasm, folks. Yeah. So really, I feel like this is something that gets a re-look.

It's such a passion around research and angst. Again, we just need to get this piece funded.

And I would be better off not getting it funded than having it run as a project. And then without a proper plan to pick it up and make sure that around you no one goes through a technology out there. Lot of people process and technology plan for how to run it. Hovering pretty good over time. Something should be planned for a print.

Jeff: That's how stopgap solutions come into being. You're trying to think tactically and you're trying to solve a specific problem and not being part of the larger collective group think to solve the bigger problem or the root problem. I totally agree with that. IAM as a program. It is for life. Until we no longer have identities to manage. When the board maybe takes over and we're all just numbers. Even then, there's still going to be some identity management. The organization really needs to understand that. I think there's sometimes organizations. Okay. This is like a three year project. Might be a three year project to get it started right in, to get maybe the plumbing and the foundations in place and kind of get to a spot where your managing identity better. But if you're planning on shutting down the program after three years, that's not the right way to look at it, and you're just gonna be wasting money at that point.

Jim: That's all I have for today, Jeff. I think I intend to work like heck all week and get ready for Thanksgiving and take a little bit of time off.

I think before that we should record what I'm thankful for podcasts and then enjoy a little bit of time with our loved ones.

Jeff: I think that sounds like a plan. I think it would be cool as if we hear from some folks that are out there listening. What are the things that they're thankful for? From an IAM perspective, you can send those to , Jim and I read each and every one that comes through. Thanks to the folks who email us and we care to see what people out there think. What are some things that they've come across to be thankful for? It could be something recent or maybe just in general. Preferably within identity and access management. Then to make it relevant. But maybe it's this podcast, so a little bit of self-promotion there.

Jim: Yeah Jeff, I'm sure somebody is going to be at the Thanksgiving table next week and saying, I'm thankful for identity and our podcast.

Jeff: So is that like what we would hear at either of our Thanksgiving tables next week?

Jim: I think that's the only place you're going to hear it.

Jeff: Well, one can dream, all right. Well, I think we had a good conversation for today. Talked about creating value volume strategy. As always, appreciate folks who are listening. You can always get a hold of us . And we'll talk to you on the next one.

Jim McDonald & Jeff Steadman

Jim McDonald is a professional with over 15 years leading teams through business-critical technology initiatives. He is a technical strategist, leader and champion of change with a history of crossing organizational boundaries, cultivating strategic alliances and building consensus and alignment among diverse constituents to leverage IT as a strategic asset and deliver solutions that rejuvenate and advance global businesses' financial performance. Also as part of our advisory practice, and with over fifteen years in the identity and access management space behind him, Jeff Steadman helps develop realistic IAM strategies and provides vendor-agnostic recommendations to move the needle on IAM maturity for organizations large and small.