By: Tony Naples, Director IAM, Trace3
After endless cost-benefit meetings, business case rewrites and months of organizational readiness activities, your identity and access management (IAM) project is funded, has a staff and a start date. You did everything possible from an organizational readiness perspective to prepare and ensure conditions were set to achieve maximum value. Now you are ready to deploy the solution and following these five steps can help your organization have a successful project launch.
First, ensure the executive sponsor stays engaged throughout the project to help keep the effort on track and within scope and reinforce expectations. Hopefully s/he is also the identity program champion, tying the project to the identity strategy. Regardless if the sponsor is an information technology or line of business executive, make sure you’ve built an active role for them. Unless the project has a visible, committed executive with decision-making power, when those unforeseen policy issues arise (they always do in IAM efforts) or when a critical target system owner decides not to clean up bad data, you won’t have the muscle when you need it.
Second, embrace the features of your IAM application. The Pareto principle is best applied: 80 percent of the functionality in the deployment should be standard functionality of the product, 20 percent should be customized functionality. Over-customization is challenging to maintain, especially if your IAM and security staff are inexperienced with the product. You may find that a capability you heavily customized in the current release breaks when you upgrade to the next release of the product.
Third, don’t do too much too soon. Ensure the to-be-built solution stays in line with the project roadmap and scoped requirements. Too often with IAM efforts, stakeholders want to address every audit finding and inefficiency in a “big bang” approach, even trying to add requirements after the project begins (suggestion: use your executive sponsor to control this). Two drawbacks with this approach are that it takes too long to implement any usable value (average IAM efforts can last 26 weeks), and it doesn’t allow the staff to become comfortable with the IAM application in increments. By phasing your IAM project and delivering incremental functionality, the stakeholders will see value quicker, your staff will build proficiency, and you can identify gaps in the next phase.
Fourth, if you missed a readiness imperative, don’t succumb to the easy route of automating a bad process, tolerating incomplete data or dropping a key functional requirement. Engage the executive sponsor to reset expectations, assess the risk to the IAM strategy and develop alternative solutions (remember, that’s why you’re phasing this). You don’t want to find you can’t execute compliance audits (the reason you bought the product) because your role or entitlement structures are incomplete.
Fifth, make sure you know how this deployment will be supported after it ends, before it even begins. Training, hiring and on-boarding should have commenced right after the business case and budget were approved, but if you missed it, don’t ignore. IAM resources are in high demand. Nothing causes a project to be viewed as a failure faster than realization the staff can’t use the application, or the solution isn’t sustainable in the long run.
If you are not sure where to start, invest in Trace3’s IAM Assessment and Workshop Service. This valuable exercise will provide leadership with insight on how to make an IAM solution deployment work for the entire organization. Schedule a meeting to get started or learn more by downloading the IAM Overview here.