Listen to Identropy's Jim McDonald and Jeff Steadman on their podcast at "Identity at the Center".

We are back and ready to tackle 2020! Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.

In the first episode of this decade, Jim and Jeff talk about what it takes to be a good IAM program manager as well as some of the mistakes they made in their IAM careers and mistakes they see organizations making today.


We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!

LISTEN HERE or read the full transcript below.

*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.


Podcast #27 Full Transcript:

Identity At The Center #27 - What Makes a good IAM Program Manager

Jeff: Welcome to the Identity at the Center podcast, episode number twenty-seven. If Identity Access Management is your jam, then you've come to the right place. It's a new year. We got a new intro. I'm Jeff. And that's Jim. Hey, Jim.

Jim: Whoop Whoop!

Jeff: What was that?

Jim: That was the celebration of the new intro and this being my jam, I figured I'd throw a little bit of hip hop in there. Definitely not hip hop, right?

Jeff: We'll leave that for the folks to decide. So we took a little bit of a break over the holiday season. I think a well-earned break for us. But we're back. I started new weekly streak of content. I hope, so we will try something new. And we used to publish on Fridays and try and publish now on Mondays and see how that works and see if that makes it easier for folks to kind of keep up with the content and pushing out our previous record was, I think, twenty six episodes since July of last year up through December. So we'll see how it goes this year before we have to take another break or decide taking on the break because we can do that.

Jim: Yeah, I would say I have to give you credit, Jeff. I mean, this was you've been talking about this for years. The beginning of this year. We are beating you wash, your 2019. We said, all right, let's actually do it. And we did it between episodes. That is a pretty big accomplishment, I think.

And I'm looking forward to 2020. I want to top that number of episodes this year for sure. I understand a weekly basis and I'm hopefully, increased the number of people who are getting value from this podcast. And I'm looking forward to this year. I'm pretty positive person that positive spin on everything. But I feel like there's going to be a year where we have an opportunity to achieve a lot of our goals.

Jeff: Yes, I agree. I think it's a good kind of. Let's start off strong. Know we've got a couple of topics to talk about today. The first one we're going to talk about is what makes a good IAM program manager.

And then we'll talk maybe about some mistakes that we've made in our IAM careers and what we see other companies making from an IAM perspective, a mistake wise, a little bit after that. Why don't we start with what makes a good IAM program manager? What are your thoughts?

Jim: Well, I think we're qualified to talk about this potential, some pretty big companies, and typically with the engagements we do with Identropy or counterpart at the company as the program manager. And, I feel like an IAM program manager has to be somebody who's well-rounded, who's kind of been my perspective for a long time. Maybe it's my bias because I kind of think of myself as a well-rounded person.

But, you know, somewhere in the neighborhood of 50-50, having IAM knowledge and not IAM our knowledge or experience and various other than IAM.

That doesn't mean that you haven't spent 50 percent of your career in IAM that you can't be a good IAM program manager. But I do think you have to have some understanding of the space.

And if you don't and you find yourself thrust into that role, I really feel like it behooves you to go out and research and go to conferences and spend time watching YouTube, reading white papers, networking with people who are in the space and starting to get an understanding. When I first got into IAM, it was a pretty small industry. I started IAM in two thousand three and I was like, this is actually a space I'd never heard of before. And so I was one of those people who was kind of thrust into an IAM program manager kind of role. And I did not have the background. And I was pretty early in my career, too, so I didn't really have all the skills. And you got to practice, learn on the fly and kind of, have the right personality. I think the personality is a big thing. I think you have to be somebody who has a good combination, be a teacher but also being tactical, you can only be at the 50000 foot level and not be able to get your hands dirty and kind of implement projects. But at the same time, you can't be just a doer. Right. You have to be able to think strategically. Look at the big picture and communicate. I think communication skills are pretty important. So I said a lot. They're kind of throwback to you. What do you really think?

Jeff: I agree with a lot of what you said. Really kind of everything. I think it's one of those things where how do you know you're a program manager and whether or not you're any good at it? I think it's always a challenge because I think a lot of it relies on experience. And there's so much to being an IAM program manager. I don't know if it necessary fits into one bucket, but I think there's this perception that you need to be like this super technical IAM person to be a good program manager sometimes, and I don't feel like that's the case at all. I think the most important thing is that, you have a plan as a program manager. What is it you're trying to do, from a strategy perspective, whatever that may be, it could be simple. When I started out in the IAM space, I was building Lotus Notes ideas and work and just kind of like a normal account prisoner. And then like, oh, you know what? We should probably get something to help a passer recess, because that's what we seem to struggle with the most and have a lot of volume on that. And then it just kind of evolves from there and expands.

So I think if you had a plan, if you've got executive support behind you to help with that and being able to understand what that strategy is that you're trying to execute against both from an IAM perspective, but also from like a security risk strategy. And then just from the company itself, I think it's more important to understand how the different components of IAM work together, not necessarily being a builder of those systems, but understanding how they work together and being able to talk through what are the benefits from a business standpoint with different stakeholders might have an organization. So whether it's risk or security or the user experience improvements or, in some cases costs things like that, being able to shake hands and kiss babies, build those relationships, across the organization and be able to articulate, here's what we're doing and here's why it's important. Here's what you're going to get out of it. When I was program managing, it was very little technical work actually on my side. It was mostly strategic. It was managing priorities and making determinations as far as, you know, what's the strategy going to be? What are we going to do now? whatever they do down the road, those sorts of things. So I feel like you don't have to be a technical person, super technical person, but you at least have to understand the different areas of IAM and how they work together and how to put that puzzle together for your organization, because no organizations are the same everyone's gonna do it differently, they have different needs, etc. And being able to fit the Lego bricks of the Tetris pieces together to solve the puzzle I think is a big part of being a good IAM program manager.

Jim: Yeah. And I think one thing that was interesting there is you're talking about the path that you took and thought there are several different paths to get there to be an IAM program manager and they are quite different. It was more of the techie guy. I was actually very technical, was responsible for our entire Windows server architecture. And then after that, I came responsible for our web DMC on a very textural level. And then I had an opportunity to do project management. My first really big project was to implement IAM well, that's what turned out to be. So I was kind of a different path and I had to learn IAM on the fly and I happened to be an expert on IAM, which that's a whole other sphere, which is that you've got the internal management of identities and then you have external customers and B2B partners, things like that. So I think there are many paths to get there. One of the things I also kind of thought as you were talking was you obviously care, right? A lot of people, I think are like, they're doing provisioning or whatever and they're responsible and they see the problems with their logo while somebody else has to fix it or I'm not empowered. But you look at things like this is important and you cared enough to actually try to do something about.

I think that's very important. And then knowing you, for as long as I've known you, I know you have excellent communication skills. And, I can imagine that some people, they struggle with communication or that they're not really confident in communicating. And I don't think that means that you can't be a good IAM program manager, but I do think that's an area that if that is kind of one of your weaknesses, that's area you really ought to work on. Because I feel like being able to communicate your thoughts and being confident in what you have to say is not really important to be a good IAM program manager. But if you have aspirations in your career to kind of move up the management channel or get into consulting or really to succeed in general, I think communications is such an important key.

Jeff: You got to be able to talk good news.

Jim: The talk is good, right there?

Jeff: Yeah, exactly. I think, like you said, it's not as though IAM thing the communications side of things. Any that I found, as I have moved up, sort of the management change over the years as communications is the number one skill that aids and abets everything that you do. You can understand and be the smartest person at work. But if you can't make that message known to other people, you're gonna really hard time get anything done. So I think, building those relationships and being able to be comfortable with the message you're sharing is important. And it's probably one of the most important things. And I think the only way you get comfortable with it is to truly understand what is it you're trying to do and why and have no skin in the game. The passion for it or whatever and say, hey, look, this is what we're trying to do. This is why I think it's important. Here's how these different things come together. If you want to get more detail, we can do that. Let me bring in, so and so, Jim, to help me, you know, talk about through the Windows architecture, that sort of thing.

But, yeah, the communication, I think is such a huge component of it. And that relationship building and, I don't feel like I'm any special when it comes to communication. I feel like I just this is the way I talk and communicate in the way that, I interact with folks is pretty much the way interact with folks all the time. It's not really, a different personality that put it out there. And maybe that's just the way that I operate. But I know that there is a lot different communication styles that could be out there. And if you had a chance to take some of those like profile and your Myers-Briggs and just, the discovery ones, things like that, those can provide some insight as well, those could be helpful, not only understanding yourself, but also how to communicate with other people as well if you're able to figure out what their profile is as far as being able to figure out the best way to communicate with them.

Jim: Yeah, I mean, self-awareness is definitely key. And I say that primarily because especially if you're early in your career but even if you're not, you're a new IAM program manager. You aspire to be one. I think knowing what you're good at and where you need work is important. So like I said, I really can make a technical kind of background. And I realized that I needed to improve my business skills. So one of the things was I took opportunities to do project management. I find that almost any organization needs more project managers, people, and even if it's not the official title of project manager, but being able to say, I'll take something big and break it down into a plan and, go from plan to execution and go live and being able to communicate to people at a 360 degrees. I think that just shows the ability to organize and basic business skills. I want to take it further. Why? Because I want to do IAM program management, but I had a goal of moving up the management chain, even though I realized later in my career that I ended up in the consulting space and I loved it. It's like I wouldn't want to change, but I realized that I needed to work on that area. So I actually signed up for business. I already had my bachelor's degree, so I signed up for an MBA program at Rector's. It took me six years to get it. But I know it's funny because when I started that program, I said to myself, if I could just sign up and get this piece of paper, I probably would do it. But by the end of that six-year program, it was tough and a very nice time.

I got married, I had kids, and then my whole life changed and I'm going to night school. There was a lot of work, but I realized I learned so much and really understood how the business works. And I had some opportunities. One of the other things I say I've been in the IAM industry since 2003 and I have, but I've also done some projects and manage other areas of information technology side. I spend some time doing ERP. I run a project management office and I teach all those. I think, again, kind of going back to is the basis of a good IAM program manager. I think being well-rounded and having experiences outside of IAM not just being like, I went to school, I got an IAM degree and now I'm doing IAM and spend the next 20 years of your career doing IAM. Because when especially when we're doing our consulting engagements, like our topics go back and forth between CRM systems and accounting systems and the discussions kind of touch on all these different areas where we can't be blind to how a business operates. So I think having that background, I also think on the technology side of that is perhaps the weak area. You really need to figure out how to sharpen the saw when it comes to technology. And as I mentioned, one of my favorite areas of YouTube, a bunch of YouTube videos tell us in a few minutes whether or not noticed at the right level for you. And it's explaining things at a level that you can understand and observe and hopefully relate back to areas where you do have some experience.

Jeff: I think YouTube is a big help. And it's obviously more recent development. I think we both started around the round sometime around 2003 or so in the IAM space specifically, and I don't think that there was YouTube back then. So a lot of it was, reading on the Web and trying to put pieces together and searching for papers and stuff like that. But I think is I think experience at conferences definitely I think experiences a great teacher, too. We've both taken very different paths to kind of get where we're at today, for me, experience was probably my biggest teacher. And having some really good managers and directors throughout the course of my careers that I could learn from as well. And see what works, see what didn't work and just really kind of observe how things progressed as we went through different programs and projects and different things like that.

Jim: I think another thing earlier than I thought was like spot on, which is like kind of having the confidence to surround yourself with people who are smarter than you or know at least know their areas way better than you. I've talked to folks in the past or in the IAM program manager role or intimidated working with other people in their organization because they feel like those people are just more advanced than me. And I feel like to be successful. You've got to put the good of the organization and the good of the effort ahead of your own desires for personal advancement. If you do that enough times throughout your career, you're going to end up winning.

Jeff: Plus, you're going to learn from those folks, too. But I think it's also an expectation thing that, as you take on bigger roles in an organization, you're typically not going to be the person doing it. And the success of your program project, whatever it may be, is going to be directly related to the people that are on your team actually executing against the strategy and the vision that was out there. So, surrounding herself with smarter people is always a good idea. So, sometimes it can be a hit to the ego. Right. If it's not handled correctly, because, you certainly don't want to be in a position where, there is an uncomfortableness from a way that information is getting shared, but not a big fan of you. Bring the best team, best people put together and learn from those folks no matter where they're at. Up and down the hierarchy of the program or the organization, because they're just going to click. Is that one better? But it's also going to help you out, too, because no one knows everything.

Jim: I feel like another thing, just kind of thinking back on my own path. I am talking about how I was, this really hands on technical person. It kind of shifted from that to as IAM program manager.

In the course of less than a year, I went from running a DMZ server environment, which Windows and Linux to being an IAM program manager and implementing IAM for all of our external facing Web sites. And I remember kind of in that transition period, my manager was saying, we need to do this. That and the other is like, I've got to upgrade, you know, 40 servers this week. He's like, OK, you find another person on my team. Couldn't they do it? Well, not really. The problem is I do want to give that up. It was part it's like I had to kind of eventually get it to the level of being secure to say, I'm going to take a chance, I'm going to step out on the ice, hopefully not fall through, and I'm going to give up what I've been doing, which is maintain the servers. And there was like a certain level of security is a security blanket of managing that environment, because I said, hey, I like it. You know, I'm very important to the organization because I know managing these systems is critical. At the same time, I wasn't giving myself the time or I wasn't really secure kind of going out into that new world. You said, what do you where do you see yourself five years down the road?

So much I'm getting into management is like you think getting into management or simply managing these servers is really good at it. I thought about a lot of my saying it happened overnight, but eventually I gave up those responsibilities and there was somebody else who separated in that role and took over and that was fine and gave me the opportunity to grow if somebody else the opportunity to step into something new. And so I would encourage people that, if you're in that position where it's like you've got to give up. So what you've got now to take on something new that you've got to do, you've got to pick your spots, but you're not going to be able to do both. Right. You're not going to be able to maintain those servers. And then the program.

Jeff: Yeah. At least not do it effectively, right? I mean, something's gonna give, especially as you get more responsibilities on either side of things. It's funny you bring that up because I think that's going to talk a little bit about, biggest mistakes that we've made in our IAM career, isn't you spark something that maybe think of what are the mistakes that I didn't have on my list here already? So that'll be a teaser coming up. What else makes for a good IAM program manager. I'm thinking also like in an environment, being able to make mistakes and correct them, I think is an important part. And part of it is being able to be comfortable enough to make those mistakes, because I think sometimes there's a lot of organizations where, one wrong move in and you're in trouble or you're out. Nothing goes 100 percent perfectly every time. So if you're in an environment where you know your management and your executives are supporting, here's the decisions that you're making and here's why you made them.

As long as you're using logic, around those that make sense. If something doesn't go right. Being able to have the opportunity to shift and correct and refocus or refactor, whatever may be, I think is the important part, too.

Jim: I mean, I think you're bringing up something which is that, if you're in your organization you're not in the environment where you're feeling secure, you're stepping on the ice. It might not be right decision, but the bigger question might be, are you at the right organization for you? Are you somewhere where you're going to be able to query you.

Jeff: Yeah, because you give me the best IAM program manager around the world. And if you don't have the right components around you to enable that success, you're still going to fail.

So I think, the right the right time, right organization, right people is a big part of it.

Jim: Absolutely.

Jeff: All right. Anything else you think that makes it good IAM program manager?

Jim: I think it's one of those things also, this is what I was contemplating IAM program manager. When you see that person, you kind of know like that person will make good IAM program manager. To me, it kind of comes back to a lot of the basics. Usually the person who makes good IAM program manager is they have good communication skills and they care. So I think those are probably the two most fundamental things. And then tactical skills and business skills can be built up along the way. But you've really got to carry you've got to be passionate about it, but you've got to at least care about something and probably the well-being of the organization. And when people see that you care and that you're going to go the extra mile, I feel like, you're going to get chances to be very supportive and try to make you successful.

Jeff: Yeah, I agree. I feel like when we walk into some of our clients about the time we're done. I feel like I've already I know who's gonna be a good program manager there and where that responsibly should lie, just based on a few weeks of, working with folks and seeing how they work as part of the project and the team and communicate and be part of that process.

So unfortunately, I think for at least my perspective, I've seen a lot of really smart, great people through my travels over the last few years and consulting, there's a lot of opportunity out there for program management. If people are interested in that sort of thing.

Jim: And I would say also there's a bay out there who's listening, who are saying that just me, I need more help, we did it maybe touching some of the things. Reach out to us. I know. I'd be willing to take a phone call. It's not like we have millions of listeners. I'm going to get inundated with phone calls. So somebody out there wants to talk to Jeff or I. We'd love to help you.

Jeff: Yeah. You can always email us at and Jim and I read all those a come through and we're constantly getting back in touch with folks as they reach out and trying to make the IAM world a better place before that. All right. I think we've beaten that topic pretty much up as well as it should be. Why don't we take a quick break and kind of reset and refactor. And when we come back, we'll talk about the biggest mistakes that we've made in our careers and some of the mistakes that we see others making other organizations, etc. When it comes to getting the needle to move forward when IAM prospective.

Jim: Sounds great.

Jeff: We'll be right back.

All right, we're back.

Let's talk through some of the biggest mistakes that we've made in IAM career. I'm going to go first because you had me thinking about this one. And this is in no particular order, but you're talking about giving up earlier the responsibilities of doing different things. I think that's one of the big mistakes that I made early on in my career, was not having a replacement ready to go or in a position where they would be able to step up and take over my role, which I felt like it limited my ability to be promoted within an organization. So, being able to train and educate and have others be able to step into your role and I think is an important part.

If you're interested in moving up in the organization because it makes a lot easier. OK. Well, we can't afford to promote Jeff because he's to dabble here and there's no one that can salvage his role versus. Oh, yeah. Jeff would be a great pick. And we have someone that can slide right into his role relatively easily. Let's go ahead and move forward.

So that was kind of what things that I teased earlier that I think you got from a mistake perspective. I would you know, if I didn't have the experience now, I'd go back and do that over again.

What about you?

Jim: Think that's a good one? Well, I mean, just to add to that, kind of sharing my story about how I transitioned out and actually was fortunate that I had an awesome and reserves to hand things off to somebody I hired. And he stepped into that role and was at least as good, if not better than me. And, he went on in his career and now he's like he's doing some really cool stuff. So. I mean, after this release IAM. But he's with this company that builds sports arenas and sports stadiums. So like the new stay in their building out in Vegas, I think he's got two projects, one in Vegas and one in L.A. where he's putting in all the IT for these big stadiums, including the humongous monitors and screens that they have. It's like, the guy took off and, I knew he had skills.

So giving that area up was less about whether or not he could handle and it was more about whether or not I was ready to give it up. And I finally did. And it was the right move.

Jeff: Yes. So there are things that mistakes some things are a little more tactical at the time. I remember getting into battle might be a strong word, but let's go with it, battles with IT teams as far as, what's the tool they're going to use for an access catalog perspective? Is it going to be the ticketing system or is it going to be the capability that I have in my IGA platform, for example? I remember having many discussions around that. And, I don't know if this is a right answer still in my mind, but I remember having many discussions with, helpdesk teams and other IT infrastructure teams as far as, OK. Where are we going to put all these requests for people who want to do stuff with service access? Those sorts of things. So, I think that was a little more tactical, but I remember having too many conversations around that.

Jim: Right. Right. I was thinking about this questions. I don't really have regrets because I'm exactly where I want to be in my career. I love what I do. I'm passionate about it. And I feel like I've got the right work life balance.

But just kind of to kind of reiterate, I guess, because I talked about this already was I was really deep in IAM and I took other opportunities within my company at the time, going back 15 years. But I ran a project management office site. I ran a team implement ERP and actually doing that in Europe. So as I tell you, all kinds of cool stuff. And then I got back into security because I was wanting to transition from the company I was and get into banking. And that was one of the things about IAM and I think this is good career advice for anybody.

I think starting as a generalist and getting a good understanding of a domain like IT or like infrastructure, even more specifically infrastructure or development or something like that, I think is a great way to start your career. But I think, too, especially you want to build a career as a subject matter experts to refine around a specific area and kind of the more tightly focus if you get in an industry like IAM and I feel really fortunate to have this early IAM experiences because I think this is an industry that hasn't been just homogenized. Like where I originally started was with server administration. So all that is, is a lot of that has been outsourced so that I've taken the natural path.

I might have ended up in a data center and I'm punching a clock. And that wouldn't be kind of the career that I wanted. And I wanted it to be something more dynamic that would leverage kind of my natural skill set and communication, developing strategies and things like that. So I feel very fortunate of ended up IAM, but I kind of feel like, over time where a good career strategy would be to find an area to specialize in. I think Identity and Access Management is a great area to specialize in, so I don't feel like I've made a mistake in terms of career path. I one there I was going to also point out was, OK, so now I'm in consulting with Identropy for 8 years or so I ran two major IAM programs projects to coming to Identropy and then I went into consulting and my first two projects and notices those same people from those organizations. But those first two clients were universities, very large universities. I'm not going to say that they were, but I had and was in for a rude awakening in terms of how much I knew because I felt like I had a pretty good understanding of how IAM work. So I stepped in these universities and they were using different technology, I thought I understood how they work, but I really didn't. And man, it was like truly drinking from a fire hydrant.

And I felt like that for a few years after getting into IAM consulting was like, my goodness, it feels like, overload in terms of all this stuff that I don't understand. But, you have to kind of go through that uncomfortable period. I think does kind of my learning was, going through that uncomfortable kind of lack of confidence and just, put yourself out there and learning new stuff at the same time, the industry changing underneath your feet. So I'd say within the probably the last four years of the first three or four years with a lot of growing pains like that. And then I kind of started to feel a lot more confident, whereas today I kind of feel very confident in the space. I know I don't know everything. Not even close. And the more you know, the more you realize you don't know. I think that's very true paradigm. But I do feel like, even the stuff that I don't know, I'm not afraid to ask anymore. And I could pretty much go into the industry. And, I don't feel like I need to know everything walking in the door because, I do know what I know. I know the basis of how to manage who has access to what I know kind of the industry solutions and I kind of figure out the rest.

And I can lean on, even more important that I know who to lean on when they don't. Something to touch base with and get, how they can help me. I'm not threatened by the fact that I don't know something. I can kind of reach out to people who are experts in that area.

Jeff: You've come to arrive to be at peace with your theory, strengths and weaknesses, and I feel that's an important part of it too. I felt the same way moving into consulting was, I think I thought I knew enough. And then when I made the switch to consulting. It was the same thing where, the expectations that you're sometimes, from the client side is that you're an expert on everything, which I don't think, as I say, realistic.

But as you do more engagements and you see how other organizations do things, that just adds, I think, to your body of knowledge when it comes to being able to understand what will and won't work and some of the things to look out for, because, a lot of consulting is based on experience. And when you work for one company, you see how they do it. So you become trapped in the context of that organization. So these are the tools we use. This is what I know. This is what I know works and doesn't work for our organization. But if you expand that out into 10 organizations a year, 20 organizations a year, whatever it is that you know, we work on from a client perspective, you start to see a much broader picture of space and things to ways to solve issues that one company that you may have seen somewhere else. I think that's part of the biggest thing that I've seen. Just making the jump from working for big organizations moving into a consulting role. I certainly agree with that for sure.

Jim: Yeah, the kind of consulting we do is, I think it's having a unique or you're parachuting in for a couple of months and you're going to develop the IAM strategy for an entire enterprise. And, that's pretty challenging is pretty daunting task. We've done so many times, just like I'm not even intimidated by any more. But sometimes we bring other folks in from our organization to help us. And I mean, these are people just as much experience in IAM as you and I have. And they're usually brighter in one area or another. Usually the technology, somebody you've got a development background or has been implementing IGA or access management for a decade or more. And so but they're kind of intimidated by the idea of kind of the operating model we use, which is that we kind of go in and we're a blank slate in the beginning and learning about the organization. And one of the things I tell people is that you can't be intimidated to ask questions like if you don't know something. Don't sit there and pretend you know it or be afraid to ask the question now.

Everyone will answer really stupid questions like what's your workday like? Okay. Well, you know, even a workday is.

Jeff: I know that's Monday through Friday, Jim?

Jim: Yes 9:00 to 5:00. And then you go and live your life. No. But like, sometimes you go into organizations, they're talking about a system that they call something like Workday. And it's like I'm just going to add.

And you find out there's some customer database that they built. If you're afraid to ask the question, you're sitting there thinking, all right, it must be, you know, I'm going to search the Web and find out what it is. You've got to find the right balance, right. You don't want to go in there and sound like a total doofus. But at the same time, if you're afraid to ask questions about things you don't know, you're going to lose. And then if you lose, the client loses. Right. There you go. They're not going to get the very well-thought out strategy. So I take the chance of looking stupid sometimes in some technology. But if I don't know something, I'm going to ask the question. I think that's something I've learned, is that it's better to take a risk and, potentially look like you don't have the expertise. Usually it's like if I did usually with me, it's that I didn't hear it. It's a workday. We said work O'Shay or something like that.

I definitely don't know about that is. We say workday. Oh, ok. But I feel like that's something that one thinks with on the consulting side. You have to be confident enough in yourself that if you don't know something, you're not asked the question.

Jeff: What about companies today, what are some of the IAM mistakes that you see them making?

Jim: You know, again, we work on strategy. So I think the biggest mistake is that usually when they're calling us because we have X, Y and Z problem, we're not able to do kind of these basic blocking and tackling moves. So we have to do, I think the big mistake is like if the focus is on just solving the current problems because the industry is moving so fast that if you solve these current problems and it takes you two years to solve them, the end of the two years show of all new problems because the landscape is changing. I mean, who is thinking about DevOps five years ago or even three years ago, a lot fewer organizations were using things like Kubernetes. And that's one of the things that, you know, it's one of the things that I try to do with my clients is to get them thinking about those things.

And if they're not using those things, it's like, well, don't you think in a couple of years you're going to be.

And so I think that's one of the biggest problems is thinking about the here and now and not thinking about all the trends that are happening and being prepared for the future. I think that is a mistake or I see a lot. What about you?

Jeff: I think the biggest one that I see and the one that concerns me the most is an organization not doing anything. Even though they may not have a program or they just don't see the benefit to doing it. So they just kind of sit there. Don't do anything. Or even after we've come through and built out this great strategy and everyone kind of agrees to it, and then they sit on it for like a year. So it's not like things are going to get better. So I think in my mind, the biggest mistake coming to you is to just not do anything at all. OK, well, the price tag we saw was too expensive or whatever. The reason is, typically it's, funding related. And so we're just going to push that and, kick the can down the curb like. Yeah, better or cheaper, the longer you wait.

Jim: We usually be gotten to that position because we've underinvested over a period of time. Right. So there are already extreme laggards in security. And now they're trying to do all these things that IT, they're doing things like DevOps. And the IAM program is like not even doing basic blocking and tackling. So now you need to make a very big investment just to get caught up. So I think under-investing in IAM or like you said, not doing anything is that is a big problem. But I think a lot of times where we'll meet with clients and work with clients is like you get to a kind of a solution, stay. You're talking about solutions stay where you would be doing it, right. I will never spend the money on that. That's like that becomes the reason not doing things like golf course, golf scores. And you know what? It's that's what's going to cost more. Data breach or investing in the right technology.

Jeff: Right. And you're going to spend that money anyway. Right. It's whether you're gonna do it now for this price or two years or three years from now at a higher price, most likely, because you just can't continue to accumulate more bad habits and more things. And on top of that, you've increased the risk, like you said, of a breach. So, yeah, I think some of it is organizations always trying to figure out, well, what's the cost benefit for IAM technology? And if this is me, investing in IGA isn't going to save me money, that I'm not going to do it, for example. That used to be the way that I think people would did it, especially when you were looking at just password resets and things like that, because I know that's what we looked at. You know what? I was just getting started, but I think it's changed out to more risk mitigation. User experience, all these other things. So, in addition to not do anything is when they see that price tag to do something, they start to try to figure out, well, what's how do I justify this and how did I chose to save money when in actuality it's a lot harder to determine. I think these days, especially you start to go up against sort of kind of like soft benefits, right. Well, how what is a turnaround time worth to an organization if they want to remove access in a timely manner? And duration of access when they first start an organization.

Jim: We talked about what makes good IAM program. And you're somebody who can explain that. You can talk about risk, somebody who understands that side of the business as well. I remember early in my IAM career someone saying to me, fine, how many people can I fire? And it was like we'd put together a whole business case on all of this time that people were spending doing IAM tasks and how it was distributed around the business. And you were spending like three hours a week here and there. And I kind of, and they said, all that soft savings. I know soft savings, but that's really what IT does is it makes the organization more efficient. That's why we all carry laptops. Twenty years ago, it's kind of like having your laptops everybody. How much money is that going to save me? Could you imagine the world today without these basic pieces? Technology makes us so much more efficient. And security is like that, I think another thing that I had for this question was. Trust. And we're in this world where one of the big popular IAM frameworks now is zero trust. The idea that, you can't just build the crunchy shell with the soft center and be secure with that. But I just the name Zero Trust. I worked with a lot of organizations where they say, we only have 10 domain administrators and we trust them. It's a pleasure when you talk to the person who manages them like I manage them. They're all kind of good people. And, if they leave a lockout, all their accounts and it's just like I think that is a very flawed way of looking at security, especially identity management.

I think you have to get into a world where it doesn't come down to trust. It just comes down to good security practices. And we're going to make sure that people don't know the password to machine accounts and things like that. And that we don't we're not vulnerable if that person goes haywire or just, decides that they're going to hack the company failed. They are separated from the organization or something like that.

So I feel like that's one thing, the one thing that we run into almost everywhere we go is that certain people are trusted and unfortunately those are usually the people that have the keys to the kingdom. And I feel like a lot of times for when I start working with a client where the biggest thing that jumps out at me is that, they have a number of insiders who really could, cause a lot of harm to the organization. And I'm saying, that's the biggest problem that needs to be addressed. And they have their focus on, well, single sign on or identity governance. Those things are very important as well. But for me, like locking up the keys to the kingdom, there's nothing more important than that.

Jeff: Yeah. Trust implies an acceptance of risk. In my mind, whatever it is, it could be a vigorous little arrest as a matter of trust. Just it's assuming you're assuming risk. So I think that's an important thing to think about the level of risk. And you don't. You've got people with privileged access and you trust them. Great. That's a lot of trust to give someone who could basically bring down your entire network, either because they did it or because someone got a hold of their account. So it's not necessarily necessary that the individual but the hygiene around how they're protecting those accounts as well.

Jim: I think that's a fantastic point there. And when you're talking about accepting risk, who is accepting the risk that IAM program manager for the person who manages these people? It's not their job. Your job is not to accept that kind of risk.

And maybe in a very, very small organization.

But I think that's a very good approach, is known identifying areas of risk and making sure that they are accepted and that they're communicated properly to the right people within the organization. And that's you know, that's the one of the central themes that think of a lot of our strategies as having good governance, some muttering about identity governance, but good program governance to make sure that the right stakeholders are involved with the IAM program, that the right decisions are being made by the right people.

And so if an organization doesn't have a framework built around that, they don't have a steering committee, if they don't have stakeholder involvement at the appropriate level, then they run the risk of something goes down that the right people weren't involved and they just wash their hands of it.

Yeah, IAM program that gets a big black eye.

Jeff: Yes, exactly. What else? Any other mistakes in when want bring up They see companies making or organizations making?

Jim: I feel like the biggest mistakes that I see are the same things that you'd see in almost any other area of IT. Things like not having an executive sponsorship. I think, kind of not looking at IAM as an opportunity, especially when you go into a new update in your IAM a strategy or moving to a new system. Trying to copy the process that you have to say, not looking at as an opportunity to re-engineer things to a set of best practices. Those are things that I used to see in my ERP days, which was, hey, this we do a purchase order and we're getting a new ERP system and the ERP system asked to do purchase orders. So we would do them well. What if we flip that on its head? You said this is how the ERP system does purchase orders. Can you do it that way? And if not, can we minimize the amount of customization so that we basically work within the, quote unquote, best practices that system has seen and whether or not you like that practice. I'm going to tell you, if you decide to change this system up for every single practice that you do differently, you're gonna spend a lot of money to customize this system. This can be very hard to maintain over time.

Jeff: Yeah, that's a good one. I think getting too along with that technology is keeping that technology upgraded and updated to the latest versions because you can have the best technology in the world. But if you don't keep up with it, from my perspective, you're probably going to hate it in two to three years and then think it's not effective. So, keeping your tools updated is as a reporter one too, that I see sometimes companies make mistakes on.

Jim: Yeah, I mean, we might want to do a separate podcast, we got that really cool slide in our pre-sales deck, which is based on a blog that was written by frankly like ten years ago, we've updated since then. But it was the ten biggest mistake or ten pitfalls of an IAM programming and user attention. We've been talking about some of them, but it's kind of a classic. And you look at our blog statistics and it's one of the ones against that still gets the most hits. Everybody's like how do we avoid failing? And I will say, like, when I got involved in this industry, IAM projects were rare, the clip of over 50 percent. And part of it was that the technology wasn't as good or easy to use as it is today. But a lot of it was these pitfalls. It kept running into customizing systems and trying to get them to work.

The way the manual processes work. And so we should go over that sometime.

Jeff: Yeah, have a good topic. For one, we can build a show around. All right. I think we're in pretty good spot to kind of leave it for this week. Anything else you want to bring up, Jim?

Jim: Just happy New Year to everybody. And I wish everyone the best when talking about careers and running IAM program. So I hope everybody has a great year in terms of achieving their personal goals and achieving their goals for their employers.

Jeff: Well said. And with that, welcome to 2020! Thanks for listening and we'll talk to you on the next one.


Jim McDonald & Jeff Steadman


Jim McDonald is a professional with over 15 years leading teams through business-critical technology initiatives. Technical Strategist, Leader and Champion of Change with history of crossing organizational boundaries, cultivating strategic alliances and building consensus and alignment among diverse constituents to leverage IT as strategic asset and deliver solutions that rejuvenate and advance global business’ financial performance. Also as part of our advisory practice and with over fifteen years in the identity and access management space behind him, Jeff Steadman helps develop realistic IAM strategies and provide vendor agnostic recommendations to move the needle on IAM maturity for organizations large and small.