The topic I discuss probably most often as well with vendors and system integrators as with end users is how to sell IAM. The problem behind this is that IAM is mainly seen as an infrastructure element (which IAM is). The potential business value is often quite unclear, as well as many people just don’t know that they need IAM even because they are using different terms. The CRM don’t see their system in the context of IAM even while it’s the biggest identity store in most companies – just an example.
One thing I’m intensively working on is a business-related argumentation which starts with the business problem and ends with IAM – and not the other way round, like it is done in most cases. The other aspect which came into my mind is to sharpen the relationship between IAM and the CIO’s agenda. The first step in this is to have a look on the CIO agenda – what shall be on that agenda (which are not necessarily the same issues that are on the agenda today).
My four main points for the CIO agenda are
- Business control
- Independence
- GRC
- Accountability
Business control is pretty clear. IT has to do what the business needs. In a way that is as efficient as possible. Flexibility and many other requirements are derived from this necessity.
Independence is something which is often not taken into account. I doubt that there are many areas in corporations which such a high degree of vendor lock-in like in IT. The way business adopt themselves to specific ERP systems are just one example. The real problem is that vendor and product decisions in IT often are made without a clear analysis of the impact these decisions have on the long-term lock-in to a vendor. GRC, e.g. making the move from Corporate to IT governance and supporting the compliance standards in an efficient manner is another important part of today’s IT business.
And there is accountability, e.g. the ability for a clear view on IT costs, the ability to assign costs to departments and so on. The need for an ERP for IT. This influences many areas of IT, like the need to use services in the context of identities because this is the only way to collect the information for a correct cost assignment.
The interesting point is, that – from my perspective – all major IT activities can be subsumed under these four (or five, with reliability/availability) points. Thus, a CIO can measure all his activities based on these aspects – which might lead to a pretty simple dashboard or scorecard. What I like as well is that IAM is one of the things which add to most of these key areas of the CIO’s agenda. This relationship and some more thoughts abot the CIO agenda will be discussed in future articles in my blog.