Discovering Identity: Battling the Compliance Project Death Spiral
Some useful issues-based analysis from the Sun identity folks. Mark Dixon channels Sean O’Neil on the challenges of funding for identity projects.
Problem is- if you sell identity management to your board for compliance, its seen as an overhead, and treated accordingly, and will likely come under a compliance budget going forward. Guess what happens when you then try and propose to do something more strategic with the Identity management infrastructure? You got it. So be careful to keep telling stories about identity opportunities, not just identity challenges.
Sean says: “In many organizations, IdM is first put in place to help with SOX compliance. Good thing at the start; has to get done, major penalties if your company doesn’t comply. Budgeting is easy to justify. Get IdM in to solve the compliance issue and we will circle back later to do all the cool, positive ROI stuff like user self service, etc.”
But, he warns: “Some of my clients have even had the CTO flip the project over to the Chief Compliance Officer, trying to get this “compliance anchor” off his budget.
So avoid the death spiral. Keep selling the benefits. Report on milestones you have achieved. Tell lines of business how they are benefiting. Single view of the customer, single view of the employee, faster time to market for new products. Make business-focused reporting part of your projects. Try and win advocates outside the compliance team. And so on.
Sun’s identity team is evidently doing a good job of practitioner blogging. Lots of stories from the trenches, rather than product pitches. You might also check out Mike Wyatt.
Disclaimer: Sun is a client, including the identity management business specifically.
James says:
November 3, 2006 at 6:15 pm
Disappointed in that you haven’t taken the conversation deeper. Identity Management defines attestation, provisioning and workflow practices which would provide the answer of does my boss still know that I am an employee. The question regarding compliance is deeper in that one should from a central perspective understand what as an employee I am able to do which requires understanding authorization at an enterprise level of which none of these tools solve for.
If you study XACML it can provide the solution to this problem space…