Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, February 12, 2010

The Economics of IAM: On the need to move the focus of IAM from the Operational Level to the Strategic Level

I noticed that most of the discussions on IAM are really focused on the operational and functional aspects. Since decision makers (with a budget) eventually need to make investment decisions in this space, the usual arguments about ROI and business-level cost/benefit analysis start from this perspective.

But is this really what CIOs/CISOs and related strategic decision makers want to hear? After having been exposed to various interactions with people covering these roles, I believe this is not really the type of message they are looking for.

These days, strategic decision makers (who have a budget and make investment decisions …) need to balance a variety of aspects and constraints derived from the business, legislation, governance, IT, security, etc. They need to cope with various tension points and mediate different viewpoints within the organisation; as a consequence, they need to explore the various trade-offs and identify the most suitable investment choices, consistent with their ever-shrinking budgets.

So, arguments made in the context of IAM should move away from a purely technological/IT viewpoint (which is still very important …) to encompass a holistic view that takes into account the complexity of the business, legislative and IT world in which they operate on a daily basis.

I believe that the economics of IAM, in the wider context of the economics of security, is a discipline and area that really needs to be explored.

I personally believe this is a fascinating area where various contributions can be made. The HP Labs work on Identity Analytics, Economics of IAM and Security Analytics is really meant to make progress in this direction.

I am currently carrying out various case studies with HP customers. They are extremely valuable for refining ideas and building strategic decision support solutions. I am very keen on getting any additional input/viewpoints and (unusual) case studies to make further progress in this space.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---

HPL Technical Reports – Economics of Identity and Access Management: Providing Decision Support for Investments

I recently published (jointly with a few HPL colleagues) two HPL Technical Reports on the topic of “Economics of Identity and Access Management (IAM)”: HPL-TR-11 (executive summary) and HPL-TR-12 (detailed description of the case study).

These two documents discuss a case study aimed at integrating economics with security analytics methodologies, to provide strategic decision support in the IAM space:

“Identity and Access Management (IAM) is a key enabler of enterprise businesses: it supports automation, security enforcement and compliance. However, most enterprises struggle with their Identity and Access Management strategy. Discussions on IAM primarily focus on the IT operational level, rather than targeting strategic decision makers' issues, at the business level. Organisations are experiencing an increasing number of internal and external threats and risks: there is scarcity of resources and budget to address them all. Decision makers (e.g. CIOs, CISOs) need to prioritise their choices and motivate their requests for investments. This applies for investments in IAM vs. other possible security or business investments that could be made by the organisation. In this context, a range of possible IAM investment options has an effect on multiple strategic outcomes of interest, such as assurance, agility, security, compliance, productivity and empowerment. We have developed a repeatable approach and methodology to help organizations work through this complex problem space and determine an appropriate strategy, by providing them with decision support capabilities. The proposed approach, validated in collaboration with security and IAM experts, couples economic modeling (which explores decision makers' preferences between the different outcomes) with system modeling & simulations to predict the consequences (likely outcomes) associated with different investment choices and map them against decision makers' preferences, in order to identify the most suitable investment options. We illustrate how this methodology has been applied in an IAM case study, in a business-driven context with core enterprise services. This work is in progress. We discuss current results and next steps.”

A related paper discussing this work has recently been accepted at the 5th IEEE/IFIP Business Driven IT Management Workshop, BDIM 2010.

In addition to current engagements with HP customers, I am also looking for additional (interesting/unusual) case studies involving IAM aspects with which to further refine this approach.

--- Posted by Marco Casassa Mont (here and here) ---
