IdM cost justification still a hard sell

The foundation for security and enterprise management

Over the years -- even going back to the Wired Windows column, the Windows Networking newsletter and the Novell newsletter -- a constant recurring theme has been justification of the costs of IT and IdM projects. No matter if it was a NOS upgrade, desktop management applications, directory services or the latest entitlement management service -- it's been a constant fight for scarce dollars with little in the way of bean counter-approved justification (i.e., profit-making ROI).

My friend Earl Perkins of the Gartner Group (he's a research vice president in the security and privacy team) recently wrote "The Continuing Problem Of IAM Business Justifications" in which he mentioned that discussions with clients often include the question: "Are there any business justifications for IAM that we can use as a starting point for developing our own?"

He then develops the evidence and reasoning for the lack of this information. He rightly points to the press, which often promote articles claiming to offer arguments for justification but points out that this invariably list drivers for the technology (e.g., government regulation) rather than the benefits to the business of installing, migrating to or at least investigating new technology, services and applications. He also mentions that even when benefits are discussed there's no effort to tie them to "objective, measurable metrics, the type of metrics that business decision makers like to see before signing over a couple of million in dollars, euros, or yen to such an effort."

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Over the years -- even going back to the Wired Windows column, the Windows Networking newsletter and the Novell newsletter -- a constant recurring theme has been justification of the costs of IT and IdM projects. No matter if it was a NOS upgrade, desktop management applications, directory services or the latest entitlement management service -- it's been a constant fight for scarce dollars with little in the way of bean counter-approved justification (i.e., profit-making ROI).

My friend Earl Perkins of the Gartner Group (he's a research vice president in the security and privacy team) recently wrote "The Continuing Problem Of IAM Business Justifications" in which he mentioned that discussions with clients often include the question: "Are there any business justifications for IAM that we can use as a starting point for developing our own?"

He then develops the evidence and reasoning for the lack of this information. He rightly points to the press, which often promote articles claiming to offer arguments for justification but points out that this invariably list drivers for the technology (e.g., government regulation) rather than the benefits to the business of installing, migrating to or at least investigating new technology, services and applications. He also mentions that even when benefits are discussed there's no effort to tie them to "objective, measurable metrics, the type of metrics that business decision makers like to see before signing over a couple of million in dollars, euros, or yen to such an effort."

It was much easier a dozen years ago when I could write that it was best to roll out your directory services projects in a modular fashion, beginning with an easy step, such as a "white pages" directory. Something everyone could see, would know they were using and could understand the benefit. Times have changed.

As Perkins concludes: "We need to accept the fact that IAM is not a clearly defined, well-bounded set of applications and services that lend themselves easily or conveniently to a traditional justification model. Rather it is a loosely aggregated set of solutions and services that can be combined in different use cases to deliver a measurable result, but that result is seldom known until the use case and corresponding solution set is chosen, and the permutations are extensive."

I don't have the solution. If you do, then I know thousands and thousands of IdM/IAM professionals who'd like to hear it. Tell me.

Read more about security in Network World's Security section.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.