Learn why Identity and Access Management projects fail and how to prevent this from happening to your organization.
In 2020, organizations had to rapidly adapt to the realities of the pandemic and support remote work for their employees and contractors. This dramatic shift created challenges managing user identities and group accounts, and it also introduced additional risk. Those organizations with an Identity and Access Management (IAM) solution were able to rapidly provision VPN access and other services their workers required to be productive in a remote-only world. IAM continues to grow and expand as organizations realize that the vision of “identity as the new perimeter” is becoming a reality. Security Magazine predicts that in 2021, Customer Identity and Access Management (CIAM) products will see exponential growth for securing digital storefronts and providing enhanced customer experiences.
While there is significant value in IAM solutions, the statistics for successfully implementing these programs belie their complexity. Third-party research organizations have documented that more than 50% of IAM projects fail the first time, and even when they are successful 4 out of 5 C-suite executives believe that their IAM systems do not deliver enough value. In a study done by McKinsey & Company in conjunction with the University of Oxford, 17% of large IT projects fail so badly that they threaten the existence of the company. Strategic Identity Management projects offer the promise of improving efficiency, enhancing security, and driving administrative costs out of the business. For all this potential, IAM projects have a well-earned reputation for being complex, difficult to implement, and poorly aligned to the business requirements.
Before you continue reading, how about following us on LinkedIn?
Given these sobering statistics, we wanted to share some of the reasons why Identity and Access Management projects fail and recommend ways to overcome them.
6 Reasons Why Identity and Access Management Projects Fail
1. Insufficient Executive Support
The larger the organization and the more complex its structure, the more it resembles a giant hairball. The policies, procedures, and politics that have evolved over time become a barrier to change and progress in almost every organization. This is where having a strong executive sponsor on the IAM team is critical. We will need someone who can help evangelize the benefits of the program as well as helping to cut through the bureaucracy to drive necessary changes. Executive sponsorship decreases the likelihood that the IAM solution will fall victim to organizational politics. Equally important, a strong sponsor should ensure that the hard decisions get made (e.g. process changes, data issues, access models) and that the program is not starved for resources (i.e. proper funding, operational staff, support staff).
2. Lack of Stakeholder Buy-in/Resistance from the organization
IAM projects eventually touch all departments within a business and require changes to the way people perform routine tasks, such as onboarding an employee or contractor. Whenever change is involved, workers will push back. It’s Newton’s Third Law: “For every action, there is an equal and opposite reaction.” So how do we overcome the pushback?
There are several tools we can employ, beginning with engaging stakeholders in the process so they are aware of what is coming and we can identify “wins” for them. What do they gain from IAM? Note that 33% of IT projects fail because senior management doesn’t get involved and requirements/scope change mid-way through the project. Source: A Replicated Survey of IT Software Project Failures by Khaled El Emam and A. Güneş Koru, 2008.
Our recommendation is to engage with stakeholders across the organization from HR to IT operations. Solicit their input, evangelize the benefits of the program, and incorporate their feedback into the program. Developing a communication plan to socialize the upcoming changes to internal stakeholders (e.g. emails, internal websites, company town halls, etc.) on a regular cadence. Create and implement a change management plan to support the organization through the transformation.
3. Lack of effective program management
It is imperative that executives buy-in and support the IAM project plan, but the possibility for failure still exists if the actual program and its ongoing projects are not managed effectively. 46% of CIOs say that one of the main reasons IT projects fail is weak ownership. Source: The Harvey Nash/KPMG CIO Survey, 2017.
Effective program management begins at project launch with a documented roadmap and a formal implementation plan to follow. Organizations are keen to add additional scope, and the program manager needs to provide a formal mechanism to document and approve those changes that are necessary and defer those that would derail the program. The program manager is the single person the stakeholders can turn to with questions and for direction, and avoid the chaos of ad hoc “partnerships” between different departments with competing agendas.
4. Broad Scope and Limited Resources
If the proper budgeting, planning, and identification of risks are not done as part of the IAM business case or program development then the project risks failure from the start. Poor estimation during the planning phase continues to be the largest (32%) contributor to IT project failures. Source: PwC 15th Annual Global CEO Survey, 2012.
Successful IAM projects are iterative in nature and focus on managing risk and mitigating them so that they do not affect the schedule and budget of the project. If the expectations are not properly set, the IAM project risks failure from the very start of the program.
5. Lack of long term IAM plan and roadmap
We have historically seen organizations that only focus on the immediate IAM needs and end up with less successful IAM programs. Without a plan, it is extremely difficult to know the dependencies with individual projects and how they affect the longer IAM roadmap. It is extremely important to plan and set expectations internally throughout the organization. Tactical, short term focused plans only address the immediate issues at hand and not the enterprise opportunities that might exist.
6. Complexity of IAM Solution Increases Risk and Level of Effort
This reason for failure is usually seen during the implementation of enhancements on an existing solution. When you start building your IAM infrastructure on top of an existing product, there is a dependency on the particular vendor/employee. There have been cases observed where the existing product is implemented using custom code and there is a dependency on a particular skill set that is no longer available in the organization. A large amount of customization done by the vendor made them tightly coupled to the product which results in the failure of the IAM project.
Recommendations for a successful IAM project, the first time around:
1. Understand the Business Requirements for IGA Strategy. Collect information about the current culture and environment of the organization.
2. Perform an IAM assessment with the information collected from all the teams/business units within the organization. Inform the purpose of the project with the department owners and understand the current challenges that are faced.
3. Build a common vision for IAM with stakeholders.
4. Adapt to new styles of IAM technology and retool processes to respond to changes.
5. Verify and optimize the key business processes that impact IAM, and eliminate bad processes.
6. Demonstrate incremental business value in the IAM program every three to six months by not taking on too much roo early.
7. Implement vendor selection exercises that look closely at all options, and do not overvalue licensing costs.
The key challenges listed in this blog were identified through our experiences delivering Identity Management solutions across a range of industry verticals. We assessed IAM practices through the business use cases and through the views of both implementers and business stakeholders. While every IAM project is unique, there are common problems that frequently reveal why Identity and Access Management projects fail. The secret to success lies in the way the project is planned, designed, and then implemented. Identity Management is much more than a “product install” where we can “fire and forget”. It is an ongoing program that requires discipline to implement correctly and ongoing care and feeding to mature.
This article was written by Prajna Priyadarshini, Cybersecurity Analyst at Idenhaus Consulting.
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us