Building A Business Case (ROI) For Access Governance
Posted on Mon, Nov 02, 2009 @ 10:30 AM
We recently read a post on Earl Perkins' blog (Research VP at Gartner) regarding "the continuing problem of IAM business justification."
In his post he states: "Sure, I've seen press articles with a title that include 'IAM business justification', and they do a decent job at outlining key drivers of IAM and some of the benefits, but those articles usually have two consistent characteristics: (1) they are PRIMARILY about the key drivers rather than benefits, and (2) when benefits are discussed, they are seldom tied to objective, measurable metrics, the type of metrics that business decision makers like to see before signing over a couple of million in dollars, euros, or yen to such an effort."
Aveksa has seen the exact same trend with customers. We get asked quite often to help build a business value/ROI justification by organizations that are considering an Access Governance solution to automate the processes associated with access certification, enterprise role lifecycle maintenance, access request and access change management.
Earl's right: establishing metrics to measure is key. And he is spot on that organizations focus too much on cost containment alone when they should also be considering the importance of cost avoidance associated with the operational business risks that can materialize from the misuse of access (compliance audit findings, fines and penalties, as well as the potential for increases to operating expenses and the loss of revenue and brand reputation).
As he states, "Do customers focus too much on operational efficiency to the exclusion of possible justifications in the process or governance area of IT? The answer is 'maybe'. While we would like to think that IAM has moved beyond its 'pipes and pumps' view by our main customers, the fact is that we have not produced enough in the way of identity intelligence, risk management and workflow optimization to warrant (yet) a seat at the big-boy table when discussing matters of IT governance or business process improvement. We're close, though (e.g. compliance reporting), and perhaps it's important that we include a justification rigor to run concurrent with efforts to deliver these higher-level IAM functions. (I'm actually giving advice to myself to ensure future research in these areas reflects this, so consider this a 'note to self' comment as well as one to you.)"
Including metrics for cost avoidance will help to build a more complete value justification for investing in process and policy automation by providing metrics for business assurance (access risk management). It's what the organization really values IT security for - providing the assurance that the "bad events" won't happen.
If you want to learn more about how to build such a business case to justify an investment in your access governance initiative, click here.