The Identropy Advisory team recently came together and presented to a group of CISOs in Upstate New York. The topic: The High Cost of Not Doing IAM Right. As part of that discussion, we talked about how failing at Identity and Access Management (IAM) can lead to an increase not only in the number of breaches, but the costs associated with remediating them.

While good IAM is hard, failing at it can be quite costly. Companies with less mature IAM programs suffer twice as many breaches and end up paying $5 million more on average to remediate a breach than those with a mature approach to IAM.

While there are many reasons for an IAM program to fail, we focused on three areas as part of our discussion:

The Wrong Team

Does your IAM program have a leader? Someone who has done it before and has developed a strategy that aligns IAM services with the business need? Does your IAM program have the right staff? People that are trained on the technology you are using and have IAM as a priority? If you are missing either of these, you are in for a bad time.

The Wrong Roadmap

Do you have an IAM roadmap? How does your roadmap align with the expectations of the business? Are you trying to do hard things first? If your roadmap doesn’t show value in the first 3-6 months, it’s time to re-evaluate. Make sure you have a strong foundation for your IAM services before you start to add the bells and whistles.

The Wrong Technology

What’s the current state of your IAM technology platforms? Is it easy to use and well maintained or are you still using a tactical custom solution that was built years ago and was only supposed to be temporary? What are you doing with your IAM data? Does it sit in a SQL database until the yearly audit review or are you putting it to work for you to better your program and drive your service development? While IAM programs are for life, the technology you use may not be. If tools are not meeting your needs, it may be time to re-evaluate and move on.

We closed with an open discussion on a variety of topics including the politics of IAM. This often-overlooked item has a significant impact on the success of an IAM program. A good IAM program manager is out there kissing babies, shaking hands, and marketing the value that IAM is bringing to the organization. They rally support and build consensus for IAM and in turn help deliver services to protect one the most valuable items an organization has: its identities.

Good IAM is hard.

Poor IAM leads to breaches.

Breaches cost money.

If you need help shifting your IAM program from poor or mediocre to a good state that delivers value to the business and users, improves compliance, and enhances the security of your identities, we’d be happy to help. Contact us here.

Pitfalls of an IAM Program

Jeff Steadman

Jeff Steadman

As part of our advisory practice, I partner with our clients to help plan their IAM strategies. Prior to joining Identropy, I spent over a dozen years managing, building, and running Identity & Access Management programs, projects, and teams for SC Johnson and Walgreens.