Monday, January 5, 2009


There’s a people side of the equation that’s all too often overlooked when companies implement a new IT solution and expect it to be embraced. The people impacted may not want to use it because they don’t know how or they don’t fully understand the value. Sound familiar?

I have spent the past two years working in the Identity and Access Management (IAM) space – more specifically the user Administration and Auditing aspects of IAM. These areas of IAM allow for the requesting, approval, granting or provisioning, and verification of system access for an identity. When you consider that these aspects of IAM are the most visible to the organization and have a direct impact on the ability to carry out day-to-day responsibilities, it seems that any improvements to these processes and technologies would be embraced. However, this isn’t always the case.

How many business folks really understand IAM and how these concepts impact them? IAM can be very ambiguous to those on the business side, and therefore just not that easily embraced.

Identity and Access Management projects are most often driven by technology departments. Business sponsorship may be weak or completely non-existent. Business drivers aren’t always well communicated. The actual "people" impacted by IAM initiatives are often forgotten as the concepts and terminology of IAM are more technology focused. The constant reference to “identities” instead of “people” can further de-humanize the IAM effort.

The outcome of an IAM project should be viewed as a win-win for both the IT and business sides of an organization. Information Security has a centralized point for maintaining the "keys to the kingdom" and the business users are provided with a slick web interface and processes for requesting system access, as well as ensuring access remains current.

But when and how should the "win-wins" be communicated? And, am I accurate in suggesting that this communication will make or break the success of an IAM implementation?

To support an article on this topic I am writing for industry publications, I'd like to solicit your comments and help me to find answers to these questions:

1. What role does the IT organization play in breaking down the techie speak and ambiguity associated with IAM?
2. How can IT help sell the value of IAM to the business users?
3. How can business engagement be secured and maintained throughout an IAM effort?

The goal of my research is to define best practices for overcoming these implementation issues, helping to make IAM initiatives successfully deployed across the enterprise.

Looking forward to hearing your thoughts!