Skillsoft Blog

Top Five Warning Signs that your IAM Program is About to Fail

By Ertem Osmanoglu

Over the past 10 years, the risk and threat landscape has changed significantly, and organizations are facing more complex and coordinated attacks from both within and outside. The traditional business and IT boundaries are rapidly disappearing as cloud, mobile, social networking and other IT consumer trends gain traction. Identity and Access Management (IAM) is the core function of any cybersecurity program, as it facilitates the interaction between business and information technology, while at the same time protecting privacy, enhancing user experience, enabling accountability, and controlling access to an organization’s assets. Further, managing digital identities of entities (people, services, and things) and their access is critical to the success of the day-to-day operations of most businesses.

In most organizations, IAM programs are undergoing transformations to enhance integration with risk management processes, improve coverage and simplify controls implementation. But more often than not, IAM programs still fail. Below, I have summarized key observations that have grown out of my experience of taking over failed implementations of IAM initiatives (over 50 initiatives in more than 35 institutions across multiple industry sectors over the last 10 years). Here are the top 5 most common warning signs of IAM programs that may be on the path to failure:

1. Lack of an executive level sponsor and governance structure

2. Lack of acceptance of IAM as a critical business function

3. Unwillingness to prioritize key decisions based on business strategy and risk assessment

4. Limited or no user adoption

5. Limited or no understanding of the ongoing nature of enterprise IAM needs

Our research and experience serving organizations around the world indicate that those that turn IAM into an explicit business enabler, rather than a cost center, will create a competitive advantage. As the IAM market consolidates and integrated IAM functions become more dominant, we expect organizations to consider the warning signs highlighted in this article, avoid falling into the same traps, and achieve the key business benefits while providing a flexible, standardized and secure enterprise service.

The details of these five points are laid out here:

1. Lack of an executive level sponsor and governance structure

  • Poorly defined program sponsorship, ownership, and stakeholder roles and responsibilities
  • Governance structure that does not support effective oversight and decision making, which may impact the timeliness and results of the program and the effectiveness of program management leadership
  • Lack of or inadequate policies, standards, procedures, and guidelines to guide design and implementation of IAM process and technology improvement initiatives
  • Limited or lack of enterprise-wide, foundational components and architecture standards, resulting in redundant efforts and costs
  • Program/project sponsors who are not sufficiently accountable for the success of the program or project
  • Oversight activities that are not focused on driving the program using a balanced set of business KPIs

2. Lack of acceptance of IAM as a critical business function

  • Business personnel view IAM as purely an IT function and responsibility
  • Business issues and decisions that can impact the priorities for – or even the viability of – a program or project often are not communicated from the business to IT
  • Point solutions are implemented to address specific issues, but do not realize greater value due to a lack of integration
  • IAM is executed as a series of tactical compliance projects and is not aimed at strategic results or ongoing sustainability

3. Unwillingness to prioritize key decisions based on robust business strategy and risk assessment

  • IAM programs are not fully aligned to the key goals of the business – which could mean that resources (funding, staffing) may not be allocated appropriately and effectively
  • Lack of consensus among business leadership, security, IT, audit, and compliance organizations on the roles and responsibilities, which hinders accountability for access management
  • Difficulty in providing reliable user and access profile data to relying applications, exacerbated by attributes stored in multiple repositories with no method to keep them in sync
  • No data standards governing format and quality of identity and access profile data

4. Limited or no user adoption

  • Lack of ongoing enterprise-wide communications and change management
  • Poor user experience with IAM interactive capabilities (request, approval, authentication, review, and certification processes)

5. Limited or no understanding of the ongoing nature of enterprise IAM needs

  • IAM oversight typically ends after processes and technologies are implemented
  • Many organizations overlook the importance of ongoing program management, including having experienced and/or dedicated IAM program management professionals in place

Ertem Osmanoglu is the Cybersecurity practice leader in the Financial Services Office. He is a results-oriented business leader who consistently surpasses objectives by building top-performing regional teams, with a track record of over 20 years of information security, technology and financial services experience. He has managed complex programs and projects for large global clients with cybersecurity, identity and access management, e-business strategy, cyber risk management, and compliance service needs. As a frequent speaker and guest lecturer at industry events and a writer for industry publications, Mr. Osmanoglu has been cited as a leading industry professional on enabling business performance through risk-based approaches to cybersecurity and identity and access management, the functions needed to support a comprehensive program, and new techniques used to manage cyber risk. He relies on strong collaboration to achieve success. He is the author of numerous information security articles and of Identity and Access Management: Business Performance Through Connected Intelligence (Syngress).

