The 5 Causes of Identity & Access Management Failure
July 30, 2013
The Identity & Access Management (IAM) space continues to grow and expand to include new technologies, new vendors and new types of customers. With this growth comes an increased risk that an IAM investment will fail or be less than successful. Whether you’re a customer that has attempted IAM in the past or a new customer determining how best to start an IAM program or project, the same risk of failure applies. Many analysts, integrators and even FNS experts have opined about the topic in the last few years, but the reality is the culprits of failure remain consistent and present.
In our years in the IAM space, we’ve experienced many successes as well as lessons learned. We’ve seen strategic IAM programs that operate successfully to this day. We’ve also seen tactical projects that go one phase with questionable success and ultimately lose funding and momentum. In both situations (and many in between), success is dictated by how effectively the 5 Causes of IAM Failure are managed.
Please note that the 5 Causes of IAM Failure do not include technology by itself. At this stage of maturity in the space we feel that the ultimate degree of IAM success or failure is rarely determined by technology but instead influenced by lack of buy-in, lack of planning and lack of management.
The 5 Causes of IAM Failure:
- Lack of aligned stakeholders or cross-functional department buy-in
- Lack of executive sponsorship
- Lack of effective day-to-day project or program management
- Unrealistic expectations (time, money, internal impacts, process change) or improperly set expectations
- Lack of long term IAM plan or roadmap; lack of an IAM endgame
Avoiding IAM failure is an on-going, never-ending activity throughout the life of a customer’s IAM program. While IAM is still largely a behind-the-scenes set of technologies and processes, today’s IAM is focused squarely on the business and not just IT. As a result, failures are enhanced. More importance needs to be placed on effectively managing the 5 Causes of IAM Failure in order to claim success and, in certain cases, secure funding for additional IAM investment.
- Lack of aligned stakeholders or cross-functional department buy-in: Because IAM has so many “tentacles” in many different departments, processes and technologies, it is important that cross-functional consensus is built. Often we see IAM programs become less successful or fail when stakeholders aren’t on the same page or key people in departments like HR or Compliance aren’t involved early and often. IAM business cases and programs built in a vacuum eventually fail or don’t get off the ground.
- Lack of executive sponsorship: In every organization, the executive layer is ultimately responsible for the success of the IAM program as well as the continued funding of the program. Executive sponsorship also increases the likelihood of enterprise-wide adoption of IAM and gives a face to the IAM “champion.” Lack of executive sponsorship often limits the socialization and adoption of the IAM program with the key stakeholders in various departments, lines of business, etc. Lack of adoption means eventual lack of funding.
- Lack of effective day-to-day project or program management: It’s important that executives buy in and support the IAM program, but the potential for failure still exists if the actual program and its ongoing projects aren’t managed effectively. The right IAM Manager is extremely important in this situation. He/she will make sure in-scope projects are aligned with the long term IAM program’s strategy, goals and milestones. IAM projects that don’t deliver on executive promises or end up missing milestones and finishing over budget, often negatively impact momentum of the program moving forward.
- Unrealistic expectations (time, money, internal impacts, process change): If the proper budgeting, planning and identification of risks and dependencies aren’t done as part of the IAM business case or program development, then the project risks failure from the start. Successful IAM programs and projects are iterative in nature and focus on managing risk, involving the right people and biting off chunks of scope that can be adequately managed. If expectations aren’t properly set, the program risks failure from the very first project. This is especially true in situations where an integrator like FishNet Security is involved in delivery and management of the IAM projects.
- Lack of long-erm IAM plan or roadmap: We have historically seen customers that only focus on immediate, tactical IAM needs eventually lose momentum and end up less successful with their IAM programs than their strategic-thinking colleagues. Without a plan, it is extremely difficult to know where you’re going IAM-wise and what your endgame is. It is also extremely difficult to plan and set expectations internally throughout the organization. Tactical, short-term-focused plans only address the immediate, narrow issue at hand and not the enterprise-wide opportunities that might exist.
Look for my upcoming post about the importance of hiring an IAM Manager, what traits and experience to look for when hiring that right internal candidate, and the impact that person can have on the success of the program and avoidance of the 5 Causes of IAM Failure.