If there is one thing we should be talking more about as an industry, it is that we need better governance and to talk more about integration, management and security shaping our priorities and stop all the whining about the end of IT.
As economic growth continues and the world becomes more connected in ways never before imaginable, so too does the frequency, probability and inevitability that sensitive data and applications will be compromised within your or your customer’s organization. To keep up with this state of constant change, you have to adapt, and change yourself in order to be effective and add value wherever you are. Eventually you will find that in order to take your efforts to the next level, you will need funding for your program, and that involves having some higher-level conversations, including keeping your CIO informed, if not pitching him to sponsor or fund the program you are trying to build.
Earlier this year I pitched a $6M multi-year IAM program to my CIO and the overall experience was so rich and rewarding that I wanted to dwell on it to discover what I might learn about being a more enlightened producer within my company. Lots of interesting conversations, seasoned with some challenges along the way, combined with blue sky thinking empowered me to present my work to my CIO with greater confidence and clarity.
I present the following five disciplines that you will need to get into the right mindset for imagining, developing and pitching your ideas to your organization’s leaders.
I admit that what I have described above might sound remarkably similar to the obsessive, compulsive control freak; the same horrible boss who in some organizations is unbearable to work with or gets him or herself fired for being unmanageable. But for those with an internal compass and the courage to navigate the murky waters with knowledge that what lies beyond is a clear blue sky with calm waters and white sandy beaches… to him the opportunity is given and rightly deserved.
They always say time changes things, but you actually have to change them yourself. -Andy Warhol
To hear me speak more about pitching IAM to my CIO and the rest of my Top 10 Lessons Learned, join me in my session at the Cloud Identity Summit in La Jolla, California on Monday June 8th at 4:00pm.
In thinking back over the year about what a wild ride it has been for the IAM and InfoSec community at large, there is no shortage of topics waiting to be addressed from the boardroom to the datacenter. Taking lessons learned from the headline breaches (Target, Home Depot, Sony) to emerging tech opportunities (POS, Internet of Things (IoT), Apple Pay) to dealing with challenges and problem areas in IAM, there is clearly a lot that can be applied and carried forward that will shape our work and our lives in 2015.
In thinking about our roles in this thing we call our work, it is easy to lose sight of how our assumptions and plans can be foiled and disrupted by threats and trends that you were not focusing on before. Many of the professionals I run into at conferences, especially vendors, tend to be focused on solving problems that their particular solution solves for without much respect to the broader concerns of the business. That is why it is important for IT leaders and architects to frequently spend time staying on top of what is happening in the industry, in business and in the world. As professionals who have responsibility for or a stake in IAM for your organization, we ought to care deeply about making sure that scale, efficiency and superior security are top principles that define our work and our legacy. As a business, not having these principles to guide investments in IAM will have a direct and immediate impact on customer experience and employee productivity. (more on this in another blog post)
If you are making the effort to find more meaning in your career, and to enhance your overall value to your clients or employer, then it is imperative to discover, develop and maintain your “Edge” in your chosen craft. My own experience with discovering and developing an edge started with writing and blogging on the management and strategy of IAM, and not the technology itself. It’s not that execution is not important; it’s that having peripheral vision and managing from this vantage point is a necessary and valuable activity. Most technicians (e.g. architects, developers, managers, etc.) who set their sights on architecture and strategy will not truly become liberated from their past lives and effective in the business of IAM until their peripheral vision is developed adequately. Mark Cuban, in his book How to Win at the Sport of Business, stresses, “It’s not whom you know. It’s not how much money you have. It’s very simple. It’s whether or not you have the edge and have the guts to use it.”
“It’s not whom you know. It’s not how much money you have. It’s very simple. It’s whether or not you have the edge and have the guts to use it.” – Mark Cuban
If you are focused on addressing the problems your organization faces today, you are focused on the wrong problem. As leaders, we need to be thinking about the new models and strategies that will entirely transform the way we do things today and help the organization become more agile and customer focused. One of the great opportunities today is to look at how an integrated view of IAM and GRC will begin to address issues that span a diverse range of applications and user experiences and make existing investments even more effective. One way for an organization to discover an edge is in the way it manages IAM through integration with GRC and automation within its own operations.
When I discuss this vision for the future of IAM with the leaders and stakeholders at my company, initial reactions range from blank stares to flat-out skepticism due to the magnitude of change (and potentially disruption) that implementing this model can bring to the IT department, and in some cases the business itself. For one, I don’t disagree that the effort is significant, will require a budget on par with a frontier investment, or that there is risk involved. Imagine if Elon Musk were the CIO or CISO of your organization; the pervading attitude must be “If something is important enough, even if the odds are against you, you should still do it.” (Hyperloop anyone?)
“If something is important enough, even if the odds are against you, you should still do it.” – Elon Musk
Any way you look at it, IAM will become an increasingly important area of focus for IT and business leaders. We need a vantage point from which to see and better align IAM investment opportunities that will have the most impact on the ability of the business to compete and grow in the coming years. This is not exactly something I can prescribe, as each organization will have a unique set of challenges. On a professional level, you can begin with discovering your edge and doing the work of vision, architecture and strategy for your clients or your company. You can begin expanding your influence and credibility by starting the conversations with stakeholders and leaders in your company who will be involved in some way in your overall IAM strategy.
One place you might begin discovering your edge, if you haven’t done so already, is by reading this short paper I wrote on Managing IAM.
I am always happy to respond to questions either on Twitter, or in the comments section of this post.
All the best to you and your career in the coming year!
For those of you following the progress of my book Virtual Identity, I just completed Chapter 3 Evolving The IAM Architecture, and would like to offer a preview of the goodness to come.
To effectively address IAM requires that the organization be able to understand and engage with a dynamic, changing, and complex business environment. The IAM architecture must evolve to easily integrate with cloud applications, federate with partners, support multi-factor authentication and enrich authorization and access policies. Whether your organization likes to be agile, adaptive or lean, the IAM architecture must evolve to support the growth mindset that charges the business to increase revenues, improve efficiency, achieve regulatory compliance and embrace new operating models with the cloud and services in mind. All the while, the IAM architecture must evolve as the business evolves, taking the following opportunities into consideration:
These opportunities are not to be overshadowed by the threats and vulnerabilities facing organizations today, many of which were discussed in Chapter 2 Security Driven IAM. From an architecture perspective, we need to expect that nothing short of massive scale, security and governance of IAM will allow organizations to realize the full potential of IAM and GRC initiatives, integrating important high level capabilities as shown in the following figure, The Venn of IAM and GRC.