Risk Management Business Case - Identifying the IAM Role

By Robert Block

This is something we’ve seen a number of clients struggle with over the years. There really is a strong need to include risk management as one component of the overall business case preparation. Many IT-focused business cases tend to concentrate on a project that features critical operational infrastructure, like email or networking. Or they focus on a project where it is easy to demonstrate a positive ROI to get approval, like a password reset solution that diminishes the need for calls to the help desk.

Demonstrating hard-dollar ROI is very challenging for IAM projects, and has been for years. The fundamental challenge is that identity and access management costs are spread across multiple departments in an organization and aren’t tracked well enough to accurately determine current spend. The access request process is a great example of this. A user’s manager might request access via a portal, the help desk might process the request, and an IT administrator might fulfill the request, but there is no clear tracking of what the actual cost of the entire request process is from a resource perspective. Without a current cost to compare the outcome against, it is virtually impossible to come up with a realistic ROI number. For these reasons, we think it is very important to focus on risk management concerns when making a business case for identity and access management.

What kinds of risks can you focus on? One example is operational risk. This could be a user who has inappropriate access and could fraudulently steal money or product. Or it could be an employee who causes a breach-of-contract scenario, such as failing to meet an SLA, or who destroys critical data. Real-world examples of these are really hard to come by because so few organizations that have experienced such issues want to talk about them.

To cite a few examples that we do know of:
• A large utility had a terminated worker who retained physical badge access; the worker returned to a substation, flipped a vital system switch and caused an outage.
• In the communications sector, a terminated worker retaliated by taking down servers that supported millions of high-speed Internet customers, resulting in a multi-million dollar refund.
• At a services company, an employee thought she was going to be fired and, in retribution, deleted all of her employer’s files (including all of the backup files) from years of operation.

These are examples of operational risks that need to be considered, since access to these types of systems creates risk instead of reducing it. You can also look at it in terms of IT risk, primarily related to inappropriate access. However, most people who approve business cases are not overly concerned with IT risks, so you have to keep it in their language and move on from operational risk to financial risk. You’ve certainly got the aforementioned fraud issue, and there are literally dozens if not hundreds more cases of users perpetrating fraud that nearly crippled their organizations.

What about some things that are near and dear to the IT department’s heart, like license management? If you are properly revoking users who are terminated or separated from the organization, you could be saving the licensing expense associated with paying on a per-user basis. Those types of savings are typically not included in an IAM business case, but they should be.
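The two risks above, terminated workers who can still log in and licensed seats still being paid for, come out of the same reconciliation: compare each application’s account export against the HR roster. The script below is an added example, not code from the original post; the HR and application exports are constructed sample data, and the field names (`employee_id`, `status`, `termination_date`, `monthly_license_cost`) are assumptions about what such exports would contain.

```python
"""Reconcile application accounts against the HR roster.

Flags enabled accounts whose owner is terminated (or unknown to HR) and totals
the per-user licence spend tied to those accounts. All data here is constructed
for illustration; the field names are assumed, not taken from any real product.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                        # assumed values: "active" or "terminated"
    termination_date: Optional[date]   # None while the person is still employed


@dataclass(frozen=True)
class AppAccount:
    app: str
    employee_id: str
    enabled: bool
    monthly_license_cost: float        # what the vendor bills per enabled seat


@dataclass(frozen=True)
class Finding:
    app: str
    employee_id: str
    days_since_termination: Optional[int]   # None when HR has no record at all
    monthly_license_cost: float


# Constructed sample HR export.
HR_ROSTER: List[HrRecord] = [
    HrRecord("E100", "active", None),
    HrRecord("E200", "terminated", date(2011, 3, 1)),
    HrRecord("E300", "terminated", date(2011, 5, 20)),
]

# Constructed sample account exports from three applications.
APP_ACCOUNTS: List[AppAccount] = [
    AppAccount("badge-system", "E100", True, 0.0),
    AppAccount("badge-system", "E200", True, 0.0),    # physical access outlived employment
    AppAccount("crm", "E200", True, 45.0),            # licensed seat still being billed
    AppAccount("crm", "E300", False, 45.0),           # disabled: correctly revoked
    AppAccount("erp", "E300", True, 120.0),
    AppAccount("erp", "E999", True, 120.0),           # no HR record at all
]


def find_orphaned_access(hr: List[HrRecord], accounts: List[AppAccount],
                         as_of: date) -> List[Finding]:
    """Return every enabled account whose owner is terminated or unknown to HR."""
    by_id: Dict[str, HrRecord] = {r.employee_id: r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                         # already revoked, nothing to report
        rec = by_id.get(acct.employee_id)
        if rec is None:
            # Account with no HR owner: cannot be tied to an employment record.
            findings.append(Finding(acct.app, acct.employee_id, None,
                                    acct.monthly_license_cost))
        elif rec.status == "terminated" and rec.termination_date is not None:
            days = (as_of - rec.termination_date).days
            findings.append(Finding(acct.app, acct.employee_id, days,
                                    acct.monthly_license_cost))
    # Longest-outstanding access first; unknown owners sort to the top.
    return sorted(findings, key=lambda f: (f.days_since_termination is not None,
                                           -(f.days_since_termination or 0)))


def monthly_license_exposure(findings: List[Finding]) -> float:
    """Licence spend per month attributable to accounts that should be revoked."""
    return round(sum(f.monthly_license_cost for f in findings), 2)


def findings_per_app(findings: List[Finding]) -> Dict[str, int]:
    """Count of flagged accounts by application, for the business-case summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.app] = counts.get(f.app, 0) + 1
    return counts


if __name__ == "__main__":
    report = find_orphaned_access(HR_ROSTER, APP_ACCOUNTS, date(2011, 6, 30))
    for f in report:
        age = "no HR record" if f.days_since_termination is None \
            else f"{f.days_since_termination} days after termination"
        print(f"{f.app:<13} {f.employee_id}  {age:<32} ${f.monthly_license_cost:>7.2f}/month")
    print(f"monthly licence exposure: ${monthly_license_exposure(report):.2f}")
    print(f"flagged accounts per app: {findings_per_app(report)}")
```

The physical badge account carries no licence cost but still appears in the report, which is the point: the same run gives the operational-risk finding (a terminated worker who can still get into a substation) and the financial one (seats the vendor is still billing for), so both can be quoted in the business case from one piece of evidence.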

Another risk that you should include in your business case is compliance risk. You’re subject to fines, penalties and so forth if you are not in compliance with various regulations. The significance of this can be influenced by the industry and geographic region that you are operating in, but we are seeing cases where fines go from a slap on the wrist to multimillion-dollar events, and this is significant enough to get some buy-in from executive management.

One final intangible that can also be included is reputational risk. Brand awareness, especially for consumer-focused businesses, is critical to their ability to operate. A major breach, outage or other type of incident that really erodes confidence, like the recent Sony PlayStation 3 Network hacking, can literally drive your customers to competitors. These are the types of messages that, included in a business case, can help you get the support you need to move forward with your identity and access management case.