Why recommend an IAM Program versus an IAM Project; you may ask yourself if there is a discernable difference between the two? In the mind of someone who has seen many programs and many projects, there is a vast difference, and it is all in the approach.
Why not a project? Consultants love project work right; that’s what you do. Yes, consultants love projects, because projects move in a linear direction; they have a defined starting point and a defined stopping point. There are objectives, milestones and deliverables that are detailed along the path. All of these things are great, and they lead to successful projects, but once they are done, there is a certain amount of momentum that is lost. Executives and project sponsors like complete projects; they like things to be wrapped up in a nice little package bow and then taken off the books to move on to other objectives the organization is looking at.
The problem with wrapping up an IAM initiative, like a present with a bow, is that IAM is a living and breathing organism of its own. It would be like buying a pet turtle, feeding it once, and then checking that box off for the rest of its life. We know it doesn’t work that way, with any of our dear pets; they require care and feeding, every. single. day. It’s the same with IAM, and this is why having a program is so important as compared to a one-and-done project.
First and foremost, we know that an organization that has gone through the time to justify and create an IAM program has stepped through the right processes to provide the necessary visibility around the importance of IAM in the organization. This visibility is an absolute necessity to gain the needed backing from future IAM program stakeholders. Getting the right stakeholders involved from the various parts of the organization allows for the IAM program to align with the current IT vision of the organization.
Second, an IAM program, by its definition, is an on-going approach to program management. With IAM, this goes a long way in helping executives and stakeholders understand that IAM should be an on-going, never-ending initiative for the organization. So what does that look like? Does it mean that every year it is the top initiative for the organization with all eyes focused on it? No. What it means is that IAM is top of mind in all conversations involving applications, authentication, authorization, integrations, user identities, access controls, roles, compliance and audit. When those topics of conversation come up, the IAM program manager should be involved in some way, shape or form. Not because they are looking for the IAM program manager to dictate to other departments what they can and cannot do, but because decisions should revolve around how the IAM program can support what is happening in the organization and what that will look like from a security perspective.
While any good consulting company loves a good long project, an IAM consulting company, worth their salt, loves a good IAM Program. IAM Programs, at their heart, are focused on longevity and solution success. How is your IAM Program coming along?