I noticed that most of the discussions on IAM are really focused on the operational and functional aspects. As eventually decision makers (with a budget) need to make investment decisions in this space, the usual arguments about ROIs and business-level cost/benefit analysis are made by starting from this perspective.
But, is this really what CIOs/CISOs and related strategic decisions makers want to hear? After been exposed to various interactions with people covering these roles, I believe this is not really the type of message they are looking for.
In these days, strategic decision makers (that have a budget and make investment decisions …) need to balance a variety of aspects and constraints derived from the business, legislation, governance, IT, security, etc. They need to cope with various tension points and mediate different viewpoints within the organisation; as a consequence they need to explore the various trade-offs and identify the most suitable investment choices consistently with their ever shrinking budgets.
So, arguments made in the context of IAM should move away from a pure technological/IT viewpoint (that is anyway still very important …) to encompass an holistic view that takes into account the complexity of the business, legislative and IT world they operate on a daily basis.
I believe that the economics of IAM, in a wider context of the economics of security, is a discipline and area that really need to be explored.
I personally believe this is a fascinating area where various contributions can be made. The HP Labs work on Identity Analytics, Economics of IAM and Security Analytics is really meant to make progress in this direction.
I am currently carrying on various case studies with HP customers. They are extremely valuable to refine ideas and build decision strategic support solutions. I am very keen in getting any additional input/viewpoints and (unusual) case studies to make further progress in this space.
--- Posted by Marco Casassa Mont (here and here) ---
--- NOTE: use this mirror blog if you prefer posting on an external blog site ---
--- NOTE: my original HP blog can be found here ---
No comments:
Post a Comment