KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Welcome everyone to today's talk with Rob burn field strategist at one identity about the topic of success strategies for your IM program. So how to make your IM program a success. And we all learned over the past that there are, or many of us learned at least that there are a lot of challenges when running an IM program. So we will give you some advice from our experience. So Rob's experience from being in the field with funnel identity, my experience Martin Cooper, as an Analyst on what we see as potential strengths to make IM or potential strategies to make IM programs a success.
So let's look at our first advice. And I think Rob, you might comment directly on that, which is about the stakeholders and expectations. I think so what are your experiences here? Hmm. So the thing about an identity access management project is it really touches many, many aspects of the organization and of the business.
So this, what we mean by stakeholders are people who are going to be involved in the project who will contribute to the project who may receive benefits from the project. And really when it runs out, it could run out all the way to all of the employees in the organization, even out to the larger partner, you know, wider sort of supply chain ecosystem. And of course, internally within the organization, it's gonna touch the HR, the it, the applications, the E R P system. It really is a wide ranging project.
And so we need to firstly, identify who those people will be, and we need to communicate with them. We need to reach out very early in the project to identify ourselves, to, to them and to identify themselves, them, to, to us.
So, so that's, that's the thing and what are we gonna do when we, when we go to see them, we're going to explain the project. We're gonna explain what it's about, and we're gonna try to set expectations. And I would say the expectations can be of different kinds. We're gonna communicate the give and take of identity management. Meaning sometimes we'll be giving, we'll be relieving audit pressures. If it's a security oriented, you know, a person we're talking to, we could be introducing optimized workflows for perhaps the HR people.
We, we, you know, we can be helping with pain points around. Self-service reset on past lot, lots of different things. Sometimes it's good, but sometimes it's take, Hey, HR people we're gonna need from you and authority to feed let's. We have agree and interface.
Hey, ad guys, you know, we need access to the system SAP guys. We need to talk to you about sod. And how did we define that? What makes sense in the business?
So, sorry, Martin. Yeah, please. So what you're saying actually is two or three important things.
One is, it is a cross divisional project. It's a cross organization project. So you have a lot of stakeholders sometimes even beyond your organization and don't do it as an it project only. And what you're also saying, and I think this is a very important thing is expectations. I is not only saying, okay, this will be the outcome, but it is, that would involve these changes, this work from your end, this work from our end. So understand this well. And I think there's another thing clearly when it's about expectations, set expectations, realistically.
So there's, I think there's, you surely have observed this, this, this promise at the beginning. Oh, within the next two years, we will have connected 90% of our systems. And then when you're after two years, not at 90%, but maybe at nine systems or something like that, I've seen everything then you're in trouble. So I think that is the other part be realistic, isn't it? Yeah.
Yeah, absolutely. I think we it's, it's, it's a balance. It's a difficult balance because at one hand we're all salespeople, we're selling a vision, we're selling a project, we're selling value of what we're doing, but on the other hand, and so we need to, to do that and be optimistic about it, but absolutely we need to be, we need to be realistic so that we don't have disappointed in the end.
Let's, let's look at our next advice. The next one we'd like to look at is resources. And that always, I believe has been a challenge, identity and access management, but I feel that it's getting even bigger challenge these days with more and more projects running.
So, so what is your experience and also maybe what is your advice regarding external versus internal resources? Mm Mm, exactly. So I think there's a very important observation to make here, which is that there's a, a really big gap and shortage of skilled it, security people in the market.
It's, it's all across the world seems to be particularly in the APAC region, but it's true in Europe and, and America as well. So just finding those people who you can bring into the project can be difficult. So you do need to assemble the right skill set, you know, identity, access management. I think we're fairly mature now, but in early days, I think we had a lot of network security people coming into this world and they don't necessarily have that mindset about application level security or, you know, Hey, what's the difference between an iden.
They tend to confuse an identity with an account. So finding the people nowadays that have those skills, we need to, there's an educational component there as well. Of course.
I mean, people can learn and change. So it's not that we don't welcome our network security people, but, but there, there may be some educational steps to take. You mentioned the external sources and the outsourcing in order to combat that problem of staffing it's, it's, it's going. And we will almost certainly, I think almost every project looks externally for, for resources. I think Martin and you, I guess you'll have something to say about this, but the, the important thing there is, what do I outsource and what do I keep internally?
What are the skills and knowledge I need to keep internally? That's the question. That's what very a hundred percent. I agree. I think you need to have a very clear perspective on what is where I need to remain in the steering on the steering wheel. What is what I have to guide, what I have to decide and which knowledge will I need to have in my organization to, to manage what I deploy also when it shifts from the pro tracks to the line management. So what is, it becomes part of our line organization, by the way, an interesting point around where do you get the people?
Someone said, why don't you look while ago? I think it's a good advice. Why don't you look at the E R P people?
Also, they are very good in processes and we know a lot of stuff specifically around IGA process work. And so also that might be an interesting advice. Having talked about resources, let's look at our next topic. And as I've said, we will have five areas we look at. Yeah. And I think this is in some way, close to what we trust ended up. You need to have internal resources because you need to maintain what you do after the project, but you also need to have internal people to understand your organization processes and problem areas.
And I believe this is another reason for, for, for having at least a good mix of internals and externals, but it's also clearly one of the challenges that identity and access management deals with a lot of problems with a complex organization. So what's your advice. Understanding the organization is, is super important. We've already said it's a, it's a, it's a cross business cross-functional activity when we do identity management.
So those internals, those people, the most incredibly valuable people who have that deep, perhaps historical knowledge of not only the structure of an organization, which is rather static thing, how did it get to be that way? Who are the people I should talk to? It comes back also loops back to the stakeholders who the people I should talk to. Who's a good guy to talk to, right? There may be two people, but you know, some people are more corporate. These are all deep relationship things that let's be honest, the external guys, oh, I wouldn't, you know, I don't wanna say they don't care.
You know, they kind of do care, but not as much as I do, you know, it's my baby. So I kind of care more right than the, and that knowledge of the processes.
I think I, a great example. I'd love to give you the example of a customer in France, where there was a very, quite a complex business process around the people moving from one region to another and ensuring that from an access profile, access management, you know, password, every, you know, know all of that stuff that has a seamless experience.
You know, if you have a VIP or high level exec moving from a big job in London to a big job in New York, he will not be happy. You know, if he's to spend time resetting stuff and PA so, so that was a big challenge. Decoding deciphering, ex exactly the nature of the process, refining that with several different organiz, you know, business units within the organization, and then coming up with a way to codify that was a big win for our project. Albeit it took a long time. Yeah.
I'd like to add one thing around the problem areas and understanding the organization, everything trust ahead of our conversation, I've been in a cul customer. I knew it was a very core team, so we can speak a little bit more open, but they said, it'd be also interesting to, to understand where other organizations are and, and where they're heading. And I said, you know, in fact, you are somewhat spearheading this entire area. And they said, oh, be very careful saying that internally, because they don't want to be understood as, as too much of a pioneer.
And so yes, you need the internals because otherwise you, you will every now and then just make mistakes because you don't know things which others who are in the organization for long understand very well. Exactly.
So I, I would just finish on this point. I know we don't have an infinite amount of time you touch, I think on the notion of culture and, and having an understanding and a feeling for that culture is, is, is where the internals will really help us. Yes. Okay. Next point. So let's look at the elephant or the slices of the elephant.
I, I'm a strong believer in, we should have an IM program and that I programs should consist of smaller projects we can handle to reduce the complexity of overall IM. So how do you see it?
Exactly, absolutely. So, you know, we're touching here on project management or program management to use the, that term and, and breaking it down.
You know, one, one comment I'd make is that what, what we see now is a lot of our projects go following agile methodology with, you know, the scrums and, and the sprints and all that terminology. But really if, if you ask in agile guy look just what really, what is it about, he'll say fundamentally, it's about breaking the problem down into smaller pieces. And that's what we're talking about here. Packages should be obvious.
You know, I, I can achieve that quicker. I can. And we come onto that in another point, we can demonstrate that, but, but even on, on the level of project management risk, reducing risk around those elements, if you put all your eggs in one basket, you're really gambling on either a big win or a big loss. Let's not go that way.
You know, and We, we have to big advantage to technology is also getting sort of more modular with look at architectures microservice, etcetera. It makes it easier to split projects into smaller chunks. And that increases that the chance to, to succeed, because if it's small project, then you will be done earlier. And that will be sort of the quick win when you have a very long running project and people say, okay, you've spent millions over the last two years and what is happening then you're in trouble. So it makes our life, I believe, much easier.
Yeah, it does. You know, I think related to this is the, where do I start question and, and prioritizing systems or organizations or business units or divisions, perhaps a risk driven approach is a way to do it.
We, we, we're fortunate that we have the luxury of, of advising our customers with us to, to make a start, you know, at lower levels, like, like at the active directory level or maybe around privilege teching, you know, if that's the pain point of the core, you know, issue or going into, you know, identity governance, a way to start by the way, governance proceeds as heavy, you know, it's the heavy articulated Laurie that comes, why not start in readonly mode and just go for access review reporting.
You know, that's also a great way to start and, And, and start with, to sync, really need to solve first. So start, start with the, the things which are maybe getting grip on your ad, stuff like that, and then go further from there instead of trying to do the biggest thing at the very beginning.
So, because once you have some direct record of success, it's far easy to get the next batch to run the next project, et cetera. So let's look at our, our final item we'd like to touch on, which is, again, I would say closely related, I just talked about quick wins, so when quickly and show it.
So, so the one thing I always like to, to tell people and, and advise people, and that is my perspective is aside of having sequence is really important to gather some metrics, some KPIs before you start, because otherwise it's hard to prove that you improved Exactly measurement. It kind of touches on the subject, falls into the category. I think of monitoring and, and KPIs and, you know, different levels of KPI operational, but also I would say access management level, you know, there's different, different, different ways to, to look at that.
Often customers don't have those and really modern platforms for all the modern platforms for privilege and, and governance. There's no excuse because the data is there. If it's a good platform, the data is there, the metrics are available. All you gotta do is take 'em out and have a look at them. They're all there.
They're, you know, either in, in dashboards or they're available over APIs and, you know, and so on. So there's no excuse not to have the KPIs. And so the first, what I see, you know, the very first reports coming out of these projects is often that count hygiene related things like orphan accounts and, and, and entitlement creep and, and those reports, how can I demonstrate that I've improved if I don't know what the original situations? Yeah. That's the point. Yeah.
So Rob, thank you very much for taking the time we already are through that. Hopefully we were able to deliver all the people, listening to this, talk some, some insights and some ideas on what to do in their projects for their success. Thank you again and talk to you soon again. Thanks Martin.