Home » Identity & Access » Identity Management

How to Make a Business Case for Identity Management

Sure, a good identity management program is great for security and oftentimes necessary for regulatory compliance--but there are productivity and efficiency benefits as well. Kate Walsh IDs five tips for finding and articulating the business case for IDM.

"It all comes down to putting things in black and white and explaining how IDM can help reduce the costs related to a certain action or set of business processes, says Martin Gee, CTO at ICSynergy, a identity management consultancy. Many times, an IDM case can be made as it relates to help-desk costs. You could explain how much time per month the company is spending doing password resets, and how much money an IDM system that puts password resets into the users' hands could save the company, he says.

For example, Palma says, if 40 people are doing manual administration, giving people access to the applications through self delegation could cut that number down to ten eventually. "That's an attractive way to position it," he says.

Chris Gervais, SOA program architect and technology relationship manager at Partners HealthCare in Boston, says, "ultimately you want to position your IDM program at a strategic level so it can be used as a lens through which the business can make decisions." You can also use compliance to your advantage, as Gervais has done at Partners. His team rolled out an enterprise-wide password management solution a little more than a year ago. Although the goals behind it were multifaceted, one of them was in response to HIPAA regulations. "We needed to make sure we had a strong enterprise password policy and that the business was complying with it," Gervais says. He positioned HIPAA compliance as a business imperative, and IDM as one way to achieve it.

Another compliance-related incentive for IDM is automation. "The margin for error is high with the manual approach to compliance, so automation of that process [through IDM] is one way to make the case," says Gee.

3. Create a Tangible, Phased Implementation Plan

Without having an idea of how you are going to accomplish what you say you will, an IDM implementation can become a never-ending spiral, says Palma. "Organizations that try to do too much end up not moving the ball down he field at all. You have to get tangible around your operational plan--what you can get done within a reasonable time frame--and then incrementally push up the bar as you move forward."

This key concept of "under-promise and over-deliver" can be accomplished by taking a phased approach to IDM that produces results at various intervals. "Use a short-term vision (within a year we want to make sure we can synchronize user passwords across all enterprise-facing systems) instead of a long term one (our goal is to have a completely pervasive distributed federated IDM system that allows us to interoperate and connect with customers and reduce the cost of M&As) right off the bat," says Gervais.