There is no doubt: we are in economic turmoil. And no one really knows when things will get better again. It is definitely interesting to observe what is happening from a risk management perspective (Why didn't governments have pre-defined actions prepared? Why didn't financial institutions understand the risks or, if they understood them, why were they willing to take them? What happened to all the positive cash flow of the many organizations which are now in trouble - too many dividends?). But that isn't my topic here. The topic is why organizations should invest in IAM and GRC - especially these days. From my perspective, there are good reasons. And, from what I hear from vendors, the GRC market in particular is still very strong, as are at least many segments of the IAM market.

From an enterprise perspective, investments these days should be even more focused on business value than in good days - maybe a little bit more on short-term value than before. Regarding IAM and GRC, there are - for sure - the negative inhibitors. Auditors might mandate some investments, especially for SoD management, PAM (Privileged Account Management), and defined, auditable Identity/Access/Role Lifecycle Management.

But there are positive aspects as well. To name just a few:

  • Using clearly defined role concepts reduces the number of single entitlements which have to be managed, thus reducing the overall administrative workload.
  • Management by risk is sort of "management by exceptions", focusing on the aspects which are really at risk. That's more efficient, for sure.
  • Any initiative in the area of IT risks supports Operational Risk Management. Any IT risk is, in fact, tied to an operational risk. On the other hand, virtually any operational risk is related to IT risks because IT systems are used to run the business. Very easy: Why do we talk about SoDs? Because of IT? No - because of business.
  • IAM and GRC are key to the flexibility of IT and to supporting changing business requirements, especially in industries which have to react fast to changing customer demands (and who doesn't?). Changing business processes requires flexible security and identity infrastructures as well as flexible controls - that's what IAM and GRC provide. Some BPM and non-IAM-aware SOA approaches aren't sufficient.

I've also blogged several times about the CIO agenda. It is obvious that many of the things at the top of the CIO agenda are tightly related to IAM and GRC. Any initiative towards cloud computing requires strong IAM and GRC backing, because IAM and GRC will become much more complex when using internal services as well as cloud services.

These are just a few reasons. IAM and GRC are an important foundation for any enterprise IT. And you shouldn't build your IT on sand.

We will have some webinars around these topics. The first one will be in German, naming 10 good reasons to invest in IAM and GRC. You can register now. We will do the same webinar in English some weeks later, as well as additional webinars on how to do lean, focused IAM and GRC projects. Another interesting place to learn about these topics is, for sure, the 3rd European Identity Conference held in Munich May 5th to 8th. The place to be!