Implementing an Identity and Access Management Program
Identity and Access Management (IAM) is a concept that can be overwhelming, but starting out can be simple. If you are just getting started in the IAM space, you will immediately be inundated with articles, knowledge bases, and regulatory requirements all focused on the same thing: making sure the right people have access to the right resources at the right times and for the right reasons. You may wonder where to start in this world of Identity and Access Management and how to make it a successful program at your firm. I have created a simple framework to help you get started and bring an IAM program to life.
Envision for a minute that you are tasked with establishing an IAM program. Multiple teams may be conducting activities to support IAM, but now your firm has decided it is time to consider a centralized team to help build guiding principles and implement a platform. Kicking off an initiative with a firm-wide impact, like IAM, means you’ll need buy-in from various areas. Before you run out and purchase that platform, I want you to pause and continue reading. The five steps below will ensure the success of an IAM program and, ultimately, build a strong business case to bring in the right platform.
Get Informed and Understand Current State
Remember how you used to research a topic back in school? It’s the same concept. Check out simple articles online, talk to peers, or look up white papers/research from respected firms or IAM experts. For several weeks, you will need to eat, breathe, and sleep (ok - maybe not sleep) IAM. You will also take this time to conduct interviews and document the current state of IAM workflows (e.g. joiner, mover, leaver). The goal of this step is to get excited about how IAM will help your company. Hold onto that excitement because you’ll need to leverage it for the next step!
Create a Road Show
Now that you know all about IAM, you need to educate stakeholders and explain why it is amazing and how it can help them! Start by making a list of individuals in business units and support areas who participate in critical workflows that IAM touches. Meet with them, provide an IAM overview, explain which processes it impacts, and ask them to share their current pain points. The road show serves two purposes. First, you are educating others at your firm about IAM, so when they hear about something that may apply to the program, they are more likely to loop you in. Second, it helps build relationships and excitement by highlighting pain points that may be remediated by an IAM program. These relationships will be essential as you continue to move forward with this initiative.
Hold Requirements Gathering Sessions
You’ve now become an IAM expert at your firm, built cross-functional partnerships, and are starting to develop buy-in. The current state documentation and pain points you heard during the road show will become your foundation for requirements sessions. I would recommend separating your sessions with Subject Matter Experts (SMEs) in the following ways: support areas, business units, Human Resources (HR), and Information Technology (IT). By creating cross-functional support area and business unit sessions, you are offering the immediate benefit of knowledge sharing. IT and HR are purposely separated to allow for candid conversations throughout the sessions. Often IT and HR have processes that intersect, and you want the ability to dig into them without jumping into problem solving. Once the groups are created, the sessions are held separately for the joiner, mover, and leaver processes. The intention of breaking out these sessions is to have focused time on each process and not overwhelm your participants. Structured 1-1.5 hour meetings should be all you need!
After meeting with the SMEs and hearing pros and cons of the current processes, it is time to place them into themes! The SMEs will then review these themes to ensure that nothing is missed. Lastly, the entire group will force rank them based on business need, allowing you to construct your requirements and business case for why you may need to implement a platform.
Build a Business Case
The last step is to synthesize everything and develop a business case. What better way to do that than to share with your executive leadership the themes that you gathered from the requirements sessions? The goal is to take the themes and correlate them to features in an IAM platform. This will show leadership why they should provide you funding to make the current processes more efficient and streamlined while enabling the business. Taking the time to become an IAM expert and gather requirements will give you the depth of knowledge you need to make this conversation successful.