[podcast] IAM ROI
In this episode, Jeff and Jim talk about how to develop a Return on Investment (ROI) strategy when it comes to IAM.
Link to Auth0 Forrester report we discuss: https://auth0.com/forrester-total-economic-impact/
We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!
LISTEN TO OUR PODCAST HERE or read the full transcript below.
*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #40 Full Transcript:
Identity at the Center #40 - IAM ROI
Jeff: Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim.
Jim: Hey, Jeff. You're still asymptomatic.
Jeff: So far, so good. COVID free.
Jim: So you're saying that because you were tested and the test came back negative.
Jeff: No, I have no idea, haven't been tested. I think that's been an issue for some folks. But symptom wise, I feel fine. I guess that doesn't mean I'm COVID free at this point. But let's just say I feel fine.
Jim: All I can say is that if I got it, it must just travel, be travelling through the air because I've gone nowhere. I feel like I've been a prisoner within these four walls. But hey, it's the P.C. alternative.
Jeff: Right. Exactly. Tomorrow will be the two week anniversary of me driving a car. So I think that'll be cause for me to get out and celebrate.
Jim: That's why you have a Tesla. Even if you forget to drive, it can drive you there.
Jeff: It's getting close, that's for sure. Highly recommended. But enough about that. So I know we had a few things that I think about this week, but what do you wanna talk about for this episode?
Jim: I wanted to talk about, from an IAM program manager perspective or somebody who is trying to get an IAM program funded and get some steam behind it within the organization, putting together a return on investment analysis and kind of the approach. And I want to come from the perspective of me. You and I have done this a lot of times throughout our career and we now counsel our clients on how to do it. So I want to base it primarily on experience and what we've learned over the years. We also ran into a PDF, kind of a white paper on ROI, that was done by Forrester Research for Auth0 for their product. And it just triggered a lot of ideas. I mean, it's a really well done paper. And perhaps we could find a link and put it in the show notes. But it just triggered a lot of ideas and a lot of them aligned with my experience. But there are also some differences. So I figured that would be a good topic for us.
Jeff: I like that. And I think the first thing, me being the cynic that I sometimes am, is whenever you see a paper that's been commissioned by somebody, usually it's a vendor. They're commissioning someone to come up with some kind of report that should show the person, the company or the entity in a positive light. So I think even with that, I thought the report was still valuable because a lot of the different things they talk about from a measurement standpoint, how do you measure the return on the investment, I think apply across not just a specific technology, but can be extrapolated out to other things. And in this case, it's Auth0, right. They commissioned Forrester to run a report. And this is something that's very common in the industry: a vendor will reach out and say, hey, we're looking for this report to kind of promote our product or tool or service, whatever it is. So you kind of have to take it with a grain of salt. But I think in this case there are, like I said, things that we can kind of pull out that make sense and try to make it as vendor neutral or vendor agnostic or bipartisan or however you want to put it, right, to make it useful for people listening here today.
And I will put a link to the report in the show notes. So wherever you get your podcasts from, take a look at this in the notes there and you should see a link for it.
Jim: I agree with you 100 percent. Especially in our roles as vendor agnostic consultants, we're constantly reading vendor specific documentation and white papers and things like that. And you get a combination of two things. I mean, the first thing is you can get some good holistic ideas that can be used regardless of the vendor. But then also the motivation for a vendor to commission this type of paper is obvious, right? They want to get their name out there in a positive light. So nobody expects the white paper to come out and say, hey, there's negative return on investment from this product. That would be outrageous, outlandish.
Jeff: I would commend them for their truth in advertising like that.
Jim: Yes. Good. They'd be a great memory because they wouldn't last too long.
Jim: But yeah. So let's dive into kind of some of the things that came back. The first thing I had in my notes was around what types of benefits you can get from deploying IAM. At the highest level, I think there are tangible benefits and intangible benefits. In other words, something that you can quantify in terms of dollars versus things that you either don't know are worth putting the effort into dollarizing or you can't dollarize, something like satisfaction, especially of people in your employ. I think that the heart of a lot of ROI investments is taking things that are softer and kind of intangible and trying to dollarize them. The further you go in terms of trying to do that, people are going to feel it. I think the more you're going to wash out your story, if you say we're going to have twenty five million dollars of benefit, and you've got a hundred different benefits and you're taking the satisfaction of our developers and saying we're going to have 10 percent less turnover and we spend twenty five thousand dollars to acquire each new developer, so we're going to save fifty thousand dollars a year right there. Okay. I think you're going to get a lot of eyes rolling in the room. So when it comes to your tangible benefits, I think you want to try and keep them as real as possible and you want to focus on the major areas where people are going to kind of agree with your analysis. What are your thoughts?
Jeff: I think this is one of the first mistakes that a lot of people make when they're trying to do a return on investment: to try to measure everything and make it a strict dollars and cents case. The intangible benefits are a huge part of a lot of these different technologies. There are certain calculations you could perform around costs, risk if your organization has developed a risk cost matrix, those sorts of things. But how do you measure something that is the right thing to do? That makes jobs easier to do. Right. Can you do it? And yeah, shaved off a couple minutes here and based on average salary, it's kind of like this or that, right? I think it's one of the things that you have to consider when you're trying to develop a return on investment is to understand that there will be this nebula or void where you may not have an exact number on it and it may be more along the lines of, hey, our customer satisfaction as we polled it two years ago was people hated it. That was the general consensus. Now, with the investments we've made in people, process, technology, the overall sentiment is higher. Is that a number? Maybe. Or maybe it's a smiley face versus a frowny face, right. Or some other emoji type approach. So I think trying to have the right balance between quantified and unquantified benefits makes a lot of sense. Obviously, numbers are good; numbers sometimes are difficult to argue against. The more numbers you can have, the better, but they should not be the end all be all when it comes to ROI.
Jim: I agree with that. I remember with one of my early IT projects, even before I got into IAM, I was trying to put together an ROI analysis and someone said to me, OK, enough of all the soft benefits, efficiency.
How many people can I fire? It's like, I always remember that because it was like trying to be this old school hard nosed management style.
And to me, that was ridiculous. To me information technology is always about making the organization more efficient and making people more efficient in their job. You can quantify that in terms of dollars, but just think about the early days of PCs or mainframes and how inefficient the experience was compared to today. I'm talking on a MacBook in a Zoom meeting. We can share video. Then compare how much more efficient we can be today given the technology, and that's been a slow grind over time. But it's people investing in technology and buying the next version. And these incremental improvements have made us more efficient over time. And so I don't want to ignore the efficiency in my perspective, and that might be unique to me or it might not be the predominant one. And I think you have to know your organization and your audience. But to me, efficiency, driving efficiency, is a real benefit.
Whether you want to quantify it or you wanted to do it unquantifiable and say it's kind of an intangible. Right. I think that's important. Having said, all that hard savings is OK, if you can say, today we've got this legacy system and we are now out of support and everybody agrees we have to continue support. We can run this system. And if it breaks, we're out of business and we're paying a million dollars a year for this new support contract in this new system, which is going to be ten times better.
It's only going to be $500,000 a year. Everybody should be sold on that one. Right? I mean, that's an easy one. But usually these ROI calculations are not slam dunks like that.
Jeff: Yeah, and the other thing, too, is you have to make sure you can deliver if you're gonna have a hard savings number. What happens if after two years or whatever timeline you projected, you don't hit that number? Is the project a failure?
Jim: That's right. I think as information technology professionals, we have to keep talking about risk. There's risk to projects or risk to initiatives, and being very clear about here's what you need to be successful. It's hard sometimes when you feel like your ROI just might barely get it approved, or they just might work, to then throw on top of it, hey, this whole thing might blow up if we don't get participation from the business, if we don't get support from an executive perspective. It's like, OK, well, maybe it's just better not to do this. But I also think you can't get yourself so emotionally involved with it that you're willing to ignore those things. You're not bringing those things up just to get it approved. You do so at your own peril. Potentially, this whole project fails and it's egg on your face anyway.
So in that case, to me, you'd be better off not having it approved in the first place. It's important to just be upfront.
Jeff: Yeah, you got to be prepared to deliver. What are some examples of a quantified benefit that could come out of doing something related to identity access management?
Jim: So the white paper we talked about follows a model called TEI, which is the total economic impact framework. And they talk about four different types of quantifiable benefits: cost, benefit, flexibility and risk.
Now I'm a little more old school and, from my business class days, we looked at cost, benefit and risk. And I think flexibility would be in benefit. Now, I'd even take benefit and be more of a stickler and talk about increased revenue, because ultimately what it comes back to if you're making a business decision is you want to increase profitability. But there's also that factor of risk. And risk could seem like an intangible, but we have to figure out a way to make it tangible, to quantify the value of risk. So start with costs, because I think this has been the traditional approach to justifying return on investment for IAM for the past at least 10, 15 years. This was like the only thing that vendors talked about: how much do you guys spend on password resets, and it was like, you can reduce the costs of password resets by 80 percent. So if you spend $20 per password reset and you do one hundred thousand of them, now you're only going to do twenty thousand of them. Do the math and you can figure out what amount of money you're going to save after you deduct the costs of what you're going to spend to implement their system.
So it was such a cost focus. But I still think cost avoidance is a major component of ROI when it comes to an IAM system. So the first thing that comes to mind is automation. Automation is a big driver, taking manual processes. And this goes back to the efficiency piece. But automating manual processes is a way to reduce costs. And I think a lot of people don't like the analysis where you say you can reduce 50 percent of a person's workload and they say, well, who can you fire? And again, that's not the role of IT. It isn't just eliminating people. It's making people more efficient so they can either work on other things or the organization can run leaner.
Jeff: I mean, "we can reduce headcount by X if we do this thing" really doesn't pan out very often in my experience. I think that's maybe how people used to look at it. What it's turned into now is: what other work could we be doing if we had free time? Having managed IAM teams in the past, one of the biggest challenges that I saw from an automation standpoint was more shifting the mindset of people away from IAM administrator to IAM analyst. Right. It was a higher thought level process. We were taking things that were more able to be automated and shifting the people to things that were not as easy to automate, or required more thought than we were willing to invest from a technology standpoint. So in my mind, it's not really a headcount savings equation a lot of the time, especially for enterprises that are in the middle of trying to modernize and make their IAM programs more capable or more mature. It's more of, like I said, how we make them more efficient, how we move them onto more value added tasks where a human would be better doing it than just resetting another password, or just creating another Active Directory account or, in my old days, creating another Lotus Notes file, those sorts of things. So I think it's important to consider that. And, touching real quickly on your password reset example, I think that's something that I fell victim to a long time ago, was, oh, yeah, we're doing X number of password resets per year. If we had a tool and we could automate it, we would only have to do this percentage of it and that's how we'll save money on it.
Now, the mistake that I made was assuming that it was a perfect world. Everyone was going to register, everyone was going to use the password reset tool, things like that. So just be careful when you're creating those types of calculations that you have to assume that not everyone's going to follow the process or not follow it as quickly as you want them to. And, make sure that you've got numbers that are actually real-world achievable and not theoretically perfect type of scenarios.
Jim: Right. So I've got a couple others in the costs area. But here's your web gem for this podcast.
Jeff: It's the baseball analogy. I like it.
Jim: I had to pull one out right.
Jeff: There's no baseball, so we had to get a web gem in somehow.
Jim: Play of the week. So make a list. Just start brainstorming, because there are different types of IAM projects. We're not in one podcast going to come up with every possible cost saving you could achieve through IAM: deploying PAM, deploying single sign on for your workforce or customers, or identity governance. They all have different areas where you can save money, and then layer on top of that the specifics of your organization, what software you may be running today and getting rid of, etc. So I'm just here to list a couple just to give you some ideas, but I think it's your job to kind of brainstorm through some of that. So one, and this one came out of the white paper, was removing identity from applications, especially custom applications, can reduce the cost to manage them. So this was an idea I actually used in my first IAM project. Like 25 percent of the development of one of our applications was dedicated to managing identity and access, roles and things like that, and we thought, OK, if we can shift 50 percent of that out of that application, it would free up, you know, 10 to 15 percent of the development time for that application to repurpose towards business functionality. And how do you calculate that? Based on the costs and what it costs the organization to run that development team, take 50 percent of that.
And that's how you come up with that calculation. And from my perspective, if I had to justify a number like that, it would be like, here's the mechanics of how we calculated it. We weren't going to spend years trying to figure out how to calculate that number. But that is a number that makes sense. The second thing I came up with on my own, I was just thinking of the standard onboarding process, thinking how much productivity time can be lost when someone shows up and they don't have their account, they don't know their password or they don't have access to all the applications. By just deploying something like an identity governance system, onboarding people before they start, using roles to automate access assignment, it can be a huge productivity boost, not wasting two or three days of time for people to go in and request access. And if you have 200 employees, that's not going to add up to a lot. But if you have 50 thousand employees, that's a huge savings.
Jeff: I think it's something to consider strongly when you're putting together these calculations.
Was there another quantified benefit that you can think of? Because I was thinking some of these are quantified, but they have kind of associated unquantified benefits. Right. You talked about removing the identity from the application; that also affects the user from a single sign-on experience potentially. Right. Makes it easier for them. But are there other things like that that could be quantified in your mind?
Jim: I think that's the process. Come up with that list and then try to look for approaches that are creative but not outlandish to dollarize those benefits. And like we said earlier, pick kind of the top four or five. Don't try to quantify every single benefit, especially if you have 20, 30, 40 or more benefits. Don't try to quantify everything; it's going to just look ridiculous.
Jeff: Negative analysis paralysis, right?
Jim: Well, you can also come up with, hey, the return on investment of the IAM system is more than we made last year. OK, we're going to make $20 billion dollars from implementing IAM. Sounds like we should do it.
Jeff: Exactly. I mean, you got to have these numbers based in the real world. They ought to make sense, but don't go crazy with it. What are some unquantified or intangible benefits? I talked about the one kind of associated with the reduction of identity within an application where, making it easier for people to sign on, reducing the number of logins tends to lead to higher satisfaction, lower password reset type issues. What are some other things like that?
Jim: One I got from the white paper that I thought was good was increased developer satisfaction. So depending on the organization you're in, that might sound like a joke. Yet you and I worked for a client last year that was mostly developers, right. Their products were applications on the web and they gave their developers free food all day.
Somebody said that's worth doing, right? Is it going to retain people? I think it's a similar argument with the tools you use. If you had to come to work and use these insufficient tools all the time, you might not be happy working there and you might leave.
Jeff: In my mind is what business do you want to be in? Right, do you want to be in the business of developing IAM tools?
Or do you want to be in the business of developing a product and using commoditized IAM tools that are out there? Right. Or standards based or something along those lines. A lot of organizations build something on their own because either they don't want to spend the money to buy a commercial product or they think that they can't fit their business around it for some reason. But you really have to think about what is the business that you're in. If you're a manufacturing shop, is IAM supposed to be one of the key applications that your organization wants to focus on? Or is it more along the lines of customers, making the manufacturing process itself more efficient? Right. Supplies, supply chain, those sorts of things. So I think you really need to think about where you spend your IT dollars. And if you're not an IAM shop, why would you spend more money on that when you could redirect those into things that are more core to the business?
Jim: I think ninety eight percent of the companies out there don't need to be building their own IAM tools. Unless you're Microsoft or Google, you're not creating your operating system. Right. There is some point where you're buying technology and that's good enough. And I think when it comes to identity management, even if you are a technology company, still probably doesn't make sense to build your own access management solution.
A couple of other things I wanted to bring up Jeff on the quantifiable side. So again, we talked about cost reduction. The other is increased revenue. And this is especially valuable when you're talking about IAM or digital transformation.
What I think here is that this is something that most businesses will be willing to invest in: improving life for their customers. Now, how do you take that and quantify it, where the IAM portion of the digital transformation, the IAM portion of a new application, is just a component, right? By implementing IAM, you can't take credit for $3 billion of business that's going to go through this new portal. But you can take some credit. And in my experience, the way you go about quantifying how much credit you take is working with the business unit or working with the business leader who's kind of responsible for rolling out that new system. So let's say your company wants to roll out a new portal and that portal is going to be a billion dollars a year of new revenue. So now everybody knows we need to manage identities for it and kind of come up with a strategy. We need access management, user lifecycle management, logging, etc., and come up with a plan for it. And now you have to justify spending the money to get the IAM tools. Work with the business leader for that portal and say, how much credit can we take for this particular part of it? Or, another approach: can we bundle the IAM investment with the total portal investment? Usually the money gets parceled out in pieces as you need to spend it. So I think taking credit for part of that billion dollars is the right approach. That's what I've done in the past. But you can't just, as an IT person, go out and say, this is going to mean 100 million dollars to the company. You have to be able to go in there with the leader who says, I need this for my portal. And 10 percent of our ability to succeed is right here. And that is 100 million dollars or whatever, and that should get people's attention.
Jeff: I think that collaboration with the business is really important. Several projects I've worked on in my past have piggybacked IAM projects on top of, or as part of, other types of projects like digital transformation or other projects that would take advantage of those services. Right. Whether it's enhancing an existing service to take on additional demand or creating a new service because it doesn't exist in the environment today. So I think that's, you know, wise words: always work with the business, try to enlist their support, because if they see you, meaning IAM, as integral to their success, they're also going to help you obtain the appropriate levels of support throughout the organization if you're able to piggyback on top of, you know, another strategic initiative as well.
Jim: That's right. And by the way, it's a great career move. You get some recognition, you want to rub elbows with the people within your company to get things done, work across organizational boundaries, get involved with initiatives that are strategic to the business and to the future of the business.
So a couple of things there in increasing revenue: acquisitions and divestitures, if you can enable those. A lot of times that's on the internal IAM side, being able to say, hey, we know we're adding new hospitals or we're adding new stores all of the time and we can plug them in a lot faster if we have these IAM capabilities, such as the speed of the business in terms of our ability to grow or even divest; we can chunk off a business easier if that's kind of the mode that your organization is in. And then the other, which I gleaned from that white paper, was the ability to have more agility.
So I think the companies that are really succeeding today are the ones that are more agile and can get things done quicker. So if you have an IAM system that, again, kind of allows people to go out and develop technology and not have to worry about the identity layer, you enable them to be more agile. And if the company can deliver new features or new products faster because of that, it's a quicker recognition of the investment that they're making, a quicker turnaround in terms of bringing dollars into your organization. Those are real, tangible types of ROI elements.
Jeff: Even creating that easy button for developers and for the business that they can kind of plug into. I know you and I are big fans of trying to use standards based approaches and not having to customize everything all over the place. I like to call them hitch points: create a few hitch points that developers and the business can plug their services into. That gives them that easy button to IAM, which is onboarding, offboarding, password management, entitlement management, privilege management, reducing risk, allowing compliance and audit and all that stuff. It just makes it a lot easier and adds a lot of value to the organization.
Jim: And what you just mentioned there is kind of the third element, which I believe is quantifiable. And this is something that we as practitioners of information security need to get good at when doing ROI, which is decreasing risk. There's not only that, hey, someone can hack into our system and transfer out a couple million dollars, that's obvious, but also reputation risk. I mean, brands can be destroyed or seriously impacted overnight with some of the data breaches, or lawsuits and regulators coming after your organization, fines. And we see it with major corporations around the world being hit, especially in the area of privacy, by fines coming from regulators.
So I think understanding those, and the way I like to quantify risk, and I talked about it before on the podcast, is impact times probability. So if something is a million dollar impact, that is, if this event occurred, it would be a million dollar impact, and the probability of it occurring is 10 percent, then it's a one hundred thousand dollar risk. And whether or not that clicks for you, that's the industry standard for how you calculate the cost of a risk or what it's worth. So the other thing I wanted to bring up right now is business continuity. Look at how many businesses failed to prepare for an event like this taking place within the world right now. And I think that, take advantage of this. So this might be an intangible or tangible, but it's headline news right now and it will be on people's minds for a long time to come. We'll suffer through an event like this without it leaving a mark. I think being able to say, especially if you can tie your IAM initiative to improving business continuity, I think take advantage of that.
Jeff: Yeah, that's a good point. And I mean, I can imagine how many companies hadn't planned for this, or if they had planned for it, didn't get to the level where they needed to be able to pull it off or execute it. It'll be interesting to see over the next year or so how this affects us, from the work that we do, how our business is going to react to this. Did they see it more as a blip or will they start taking things like this more seriously and actually devoting time, resources, etc., to be able to address the potentiality? Because I think a lot of companies tend to be more reactive, unfortunately. Sometimes bad things have to happen before they're willing to make an investment in something, whether that's a breach or a pandemic or internet outage or whatever it may be. Sometimes this is the type of thing that sparks the investment to get them where they probably should have been six months ago, two years ago. Right. So it'll be interesting to see how that plays out from an advisory perspective and what our current and future customers kind of pull from that.
Jim: The last thing I want to talk about in terms of ROI, since we're running out of time here, is the different types of ROI analysis. And what I'd say is, you want to take the easiest model that is going to work for you.
Some organizations will have a process by which they analyze the entire, let's just say, IT portfolio, and projects will compete for dollars, and projects with the best ROI are the ones that are going to get the dollars. And after a certain point, projects are going to be deferred, and that's when you need to really be on your A-game. Other times ROI is just a slide in the deck because everybody knows this project's going to get approved, and we just need to show that there's some justification for it. So the three types in my mind are: break-even analysis, and this is usually used for the small projects. So you can spend a hundred thousand dollars. You just need to show that, hey, you know, within a year or two we're going to break even, either we're going to have experienced enough benefit, either through cost reduction or increased revenue or reduction of risk, that it will justify spending a hundred thousand dollars. That's number one. Number two is kind of a straight line ROI, so here is money out, here is money in, and we're not going to do any kind of time value of money analysis. We're just going to straight line it, and whether that's a three or five year or 10 year analysis, show how much is spent and how much benefit occurs over that period of time.
The third is time value of money, or what they call net present value, which is essentially taking into account the cost of capital. So if your organization has a cost of capital of 3 or 4 percent, those are kind of common numbers, what that usually translates to is, big companies especially, they don't cover everything and they have debt. And so if you have debt, any time you spend money, you almost have to look at it from a standpoint of debt spending. So you have to reduce the value of future money coming in, because to get those benefits two to three years down the road, you will have to finance the dollars that you spent to get there. So that's usually only for major projects where you're spending millions of dollars and you're going to get a multimillion dollar benefit. What that analysis is meant to do is to show that a million dollars in the bank today is better than a million dollars of benefit 3, 4 years down the road. And like I said, that's usually only in very capital intensive projects.
Jeff: I think the most common is probably, what, three or five year kind of approach to it?
Jim: I think so. I mean, if you don't need to over-engineer your analysis, don't.
Jeff: Keep it simple.
Jim: Yeah. Keep it simple, stupid.
Jeff: Keep it simple, understand your data and be able to defend it. If you're comfortable with what you're presenting, you're gonna have a way easier time defending numbers. Right. And be able to go in front of whoever we need to get in front of and try to get that investment. So good stuff. So I think if we start to wrap things up here, we talked about quantified benefits, unquantified or kind of intangible benefits, flexibility. And what else did we talk about? Risk. How to calculate risk, threat, vulnerability, coming up with things to try to address that. What am I missing, Jim?
Jim: I don't think we gave anybody an exact formula, but I think one thing that we did was give folks, hopefully, a framework to look at ROI analysis through, the understanding that each project has its own set of benefits and costs, and start off by making a list, evaluating that list in terms of what you're going to try to dollarize or quantify, and build your analysis from there.
Jeff: What can you measure? What can't be measured or measured accurately? And then, like you said, being able to put that into a context of spend to show the benefit for it. And then also, I think the big one, right, working with the business, being able to establish those relationships, coordinate with them and help each other be successful is a big part of it, too.
Jim: Definitely it's a great career move.
Jeff: Definitely. I can attest to that for sure. All right. Well, I think that's probably where we want to leave it for this week. I'll put a link to the report that we were referencing on this episode into the show notes. And if folks want to get a hold of us, Jim and I are happy to take questions or ideas for future shows, and they can email us at email@example.com. And with that, hope everyone stays healthy. And we'll talk to you guys in the next one.
Jim: Have a great week everyone.