7 Things to Look for When Hiring Your IAM Manager
August 05, 2013
Recently, Dave Kearns at KuppingerCole resurrected the concept of an Identity Officer, asking at what level in a company it might exist and whether it made sense. As an end-to-end security and Identity & Access Management (IAM) consultancy, we often witness the importance of an effective IAM manager both to IAM-specific initiatives and to the larger cyber security picture. We may not always recommend adding a separate Chief Identity Officer when we’ve seen a number of CIOs, CTOs and CISOs manage IAM programs effectively, but we DO believe in the importance of having a manager or director focused on IAM.
In the last two years we’ve seen a number of organizations actively evaluating candidates for IAM management vacancies. Having heard the horror stories of costly IAM-related overruns and failed IAM projects, many organizations are now taking a more cautious approach and not moving forward with IAM investment until the “right” IAM Manager is in place. Unfortunately, as sometimes happens during the hiring process, the right candidate doesn’t always fill that request, and as a direct result, the 5 Causes of IAM Project Failure can come into play:
- Lack of aligned stakeholders or cross-functional department buy-in
- Lack of executive sponsorship
- Lack of effective day-to-day project or program management
- Unrealistic expectations (time, money, internal impacts, process change) or improperly set expectations
- Lack of long-term IAM plan or roadmap; lack of an IAM endgame
The right candidate will be able to drive and own the multi-level communication, long-term planning and consensus building that come with a successful IAM Program.
On a positive note, we have also seen what happens when the right candidate is in place and, over the years, have been able to advise customers on what traits and experiences to look for when hiring a good IAM Manager.
- Experience working with applications and systems that cause widespread process change or require collaboration across many cross-functional groups (e.g., ERP or CRM deployment). IAM experience is great, but it can also be learned. We find that candidates with backgrounds related to things like ERP deployments tend to adapt very quickly to the nuances of IAM. They understand the communication and patience necessary to get disparate groups within their organization on board with IAM investment.
- Breadth AND depth of IAM experience. The definition of IAM is rapidly expanding. It used to be just provisioning and role management but has since morphed into true access governance, Privileged Access Management, federation, cloud services, IDaaS, integration with DLP solutions, SIEM solutions, etc.
- Experience with process change, definition and improvement rather than deep technology knowledge. Technology can be learned, but it’s much harder to teach how to build consensus between disparate teams in an organization or how to successfully sell an IAM business case up the management chain. Focus on experience that deals with an understanding of process change, definition and improvement and avoid hiring candidates who are focused on one technology vendor because that’s all they know.
- Vertical industry experience. The candidate should have experience working in the organization’s industry vertical (e.g., healthcare), but additional industry verticals are even better. You never know when your company will diversify, be acquired or even partner with another company that may not be in your immediate market.
- Technical project management experience. Candidates with technical project management experience bring an understanding of both how to manage complex projects and what it takes to be successful with an IAM program.
- Experience managing others from an HR perspective as well as hiring and growing resources. It’s important that the teams they’ve managed have folks with varying levels of experience and ages and have demonstrated growth under the candidate’s guidance. It is difficult to build a team and a program with all senior resources, which makes teamwork and mentoring all the more important. These candidates often have the ability to evaluate and engage outside assistance to execute their IAM plans. Working effectively with integrators like FishNet Security can often improve an organization’s chances of IAM success.
- "The team, the team, the team." To paraphrase the great Bo Schembechler, you don’t want candidates that give the impression they are “playing for a contract.” This is often displayed by an excessive use of the “I’s” - “I did this” or “I did that” - instead of “we” or “they.” When hiring, you want to create a team and a program that are represented by highly functioning, likeminded, team-focused individuals. In order to run that type of team, you need an IAM Manager whose first priority is the prosperity of that team and not individual accolades.
IAM investment will always be fraught with challenges and risk of failure due to its complexity and business focus. However, with the right IAM Manager in place to champion IAM in your organization, manage the day-to-day program and its governance and act as the central point of communication and escalation, you can reduce those risks and become a case study for IAM success.