Security and identity and access management (IAM) leaders often struggle to secure funding for investment in IAM capabilities because of a failure to communicate the wider business benefits. Without this funding, it is almost impossible to fulfil IAM obligations and potential within organisations.
Establishing a successful business case requires a thorough understanding of the links between key IAM programme elements and the goals and values of the organisation that it supports.
However, security and IAM leaders tend to be so focused on the technology and on narrow business drivers such as cost and efficiency that they fail to communicate the broad impact an effective IAM programme can have.
Gartner's security-oriented 4I Model divides expected business value into four categories: investment (captures expected returns); integrity (emphasises the impact of the reliability and availability of daily business operations); insurance and assurance (addresses risk management benefits); and indemnity (highlights the compliance benefits of limiting regulatory and stakeholder exposure).
A fully realised IAM programme is likely to find drivers under each of the categories in the model, although this will not always be the case. The alignment of programme objectives with business drivers is intended to illustrate what is being done (programme objectives), why it is needed (business drivers), and the expected benefits (business value).
It is also worth noting that initial IAM investments are often easier to justify than ongoing investments. One reason for this is that organisations often underestimate the complexity of the underlying problems that must be addressed.
IAM leaders must be modest with what they promise and attempt to deliver, especially in the early stages. Many IAM initiatives have been launched with ambitious schemes, such as enterprise directory, single sign-on or role-based access control, only to drift toward failure or irrelevance once stakeholders realised that such ideals were much more difficult to achieve than anticipated.
Moreover, organisations are hesitant to make investments that appear risky, and many lose their appetites for IAM due to the perceived failure of other promising initiatives. To avoid this outcome, be realistic when explaining the benefits, and focus on delivering consistent, incremental value. Demonstrate an appreciation for risk management through the structure of the IAM programme.
Additionally, be modest when making claims about ROI. Business cases that rely primarily on quantitative ROI for IAM investments are notoriously vulnerable to challenge from business leaders. References to ROI should play a secondary role in support of other business drivers.
When including ROI calculations in an IAM business case, the focus should be on hard costs with realistic projections. If an ROI calculation depends on assigning potential costs to speculative events, it should be dropped from the business case or converted into a non-quantifiable benefit.
Business expertise is often just as important as IAM-specific domain expertise when developing the business case for an IAM programme. The business case cements the relevance of the IAM programme with the stakeholders and sources of funding.
Many IAM leaders are too focused on technical details and fail to communicate the benefits and challenges of the programme effectively to business executives. When developing the business case, it is useful to consult knowledgeable experts on the specifics of the business to help establish its relevance.
Finally, the business case must be marketed effectively within the organisation to have the greatest chance for success when budgets are allocated.