My near philosophical musings about the world in general its problems and possible ways out.


IAM, a purely organizational task

Identity- & Access Management (IAM) quite often is regarded as just another part of information security management (ISM).

Information Security management in turn often suffers from its not totally positive reputation. Well, everybody agrees that some level of Information Security seems to be necessary after all. But on the other hand we have to carry the heavy burden of high cost and key person effort. Most often no one in the corporation is able to prove with reasonable certainty to what degree it contributes to the corporate success. On the other hand everyone can feel in his daily life that strict security measures slow down the affected activities and introduce inconveniences. Moreover vendors in the Information security arena tend to sell their products via the fear factor – putting unsavoury pressure on the top management.

Oh my god, not a very pleasant situation – for IAM as well.

But wait a minute, there is a solution – no, even two of them.
    First of all there is a way to tie Information security measures to the corporate success – if done right on top of a delivering OpsRisk (see my previous post:

    Second, who said IAM is integral part of ISM? Well, IT needs to implement IAM controls in order to maintain a certain security level. There is some operational pressure to be felt in the IT being the last element of the chain. “Ok, if you need it fix it. Don’t bother us with such trivial down to earth tasks. We have to keep the business running after all!” might be a typical response from the other department. So again the big finger points at the poor IT people. They are in charge now; they have to carry the burden. And quite often they fail.
But why not IT?

IT people most often are technical people. When they think of IAM they think of implementing an IAM system. And more often than not IAM projects start exactly that way – looking for a system to solve the problem. And now the trouble starts. Having a closer look to the distribution of the efforts we can easily recognise, that the major part is sunk in processes, roles & rules, policies and responsibilities – pure organisational stuff.

But who is mandated to (re-) organize to corporation? Most often IT is not in charge to tailor and optimize business processes, define roles of process actors and issue business policies. If so, who then is?

For me it was fun to ask this question again and again to different companies. Quite rarely I received a convincing answer.
  1. IT as pointed out most often is not mandated for corporate change.

  2. ISM has quite a narrow focus on Information Security. Well, it’s their job. But they will not be of much help to unleash IAMs true power as an enabler for business automation.

  3. HR could be regarded as the natural host for identities and their attributes. But HR people quite often don’t share this view. To make things worse they typically are not know for true real time behaviour but rather think in payment cycles.

  4. The business departments on the other hand tend to have a narrow focus on their LOB and the operational business. They don’t feel in charge for conceptual cross corporate activities.

  5. We found a better fit when it was assigned to the COO, Corporate governance, the corporate change function or similar high level cross company functions.
IT – unless mandated otherwise - you better focus solely on the implementation. Keep your fingers off the corporate change.

But in the majority of the corporations for some high level corporate functions there is still some homework to be done. May be they end up with a new function.

No comments: