While the needs and benefits of IdM are real, many companies feel challenged to build a business case and show the potential ROI for this type of project. But don’t let number-crunching intimidate you! In a world of financial uncertainty where there are many competing technology investments, it’s more important than ever to show financial justification for your IdM strategy and direction.

To help you get started, we’ve developed four steps to consider when building your business case for a governance-based IdM strategy, focused on explaining the technology’s potential for delivering demonstrable ROI to the organization:

1. Internal needs assessment: Begin the evaluation process by first determining what the most pressing IdM issues or opportunities your organization is facing.
2. Baseline costs: Quantify how many and what types of resources are currently being spent on IdM processes (including manual labor costs).
3. Set project goals: Formally define your goals of the project and the expected benefits to the organization.
4. Build the financial model: Estimate how much your project will cost (technology, services, personnel) and then project how the project will save the organization time and money.

One of the keys to building your business case is to provide real-world examples of the tangible and repeatable benefits and cost savings that can result from your IdM project. SailPoint often partners with our customers to provide insight and help throughout this process. Below are some ROI stats that our customers have reported when demonstrating the ROI on their projects:

• Saved 50 full-time employees annually in controls testing and documentation on a project that spanned 600 applications across 28 countries.
• Reduced IT Operations costs by $800k annually by automating the de-provisioning of terminated employees.
• Slashed time spent on compliance by 66% by completing user access reviews in just 4 weeks instead of 3 months.
• Achieved 30% reduction in excess entitlements after the first user access review cycle.

We recently hosted a webinar that delves further into this topic. If you are interested in more details, you can access the free on-demand webinar here. The topics and real world use cases covered in the webinar are designed to help you define clear goals for your project and map out a compelling business case. Check it out!

The details of the FTC announcement were interesting on two fronts. First and foremost, there was an absolute lack of strong security measures at both companies, making it child’s play for intruders to gain access to sensitive customer data. Lookout was charged with failure to implement strong password policies, storing passwords in clear text, and failure to provide access control to confidential web pages. Ceridian was charged with storing sensitive personal information in clear text on the company’s network and failure to take reasonable measures to detect and prevent unauthorized access to sensitive data.

The second interesting aspect of this news is that it demonstrates how the FTC is proactively taking action to protect consumers against data breaches. Both companies were charged with “unfair and deceptive trade practices” they advertised security safeguards that they failed to provide. The message is clear: if you suffer a data breach that impacts consumers and have advertised the how great your security is, you’re a target for a federal watchdog!

I like how the FTC is requiring the companies to implement and prove strong controls over access to sensitive data as part of the settlements. By mandating comprehensive data security plans and independent security audits, the FTC has sent a clear signal that companies managing consumer information will be held accountable to high standards of data protection. Notably, by prescribing explicit security plans and audits, the terms of the FTC settlements go well beyond the scope of many security and privacy laws in effect today.

But, do these approaches work? Even with the alphabet soup of regulations around the globe, we still see “compliant” companies reporting major breaches. Why? I believe many companies lost sight of the original intent of the regulation (risk management, security, data protection) because they were so focused on following the letter of the law to pass the IT audits. As a result, it’s pretty common to see companies investing significant resources into achieving literal compliance, but sometimes, in their zeal to be “compliant,” these firms push security (and common sense) to the side. The goal of proving compliance becomes the main focus of many companies, at the expense of holistically assessing, preventing, and mitigating risks.

The flip side of the debate about regulation is to let the free markets drive good corporate governance. The theory is that companies who “allow” security breaches will lose brand value and customers, and therefore will approach security and privacy protections as good business strategy. However, as a number of analysts and industry watchers have pointed out, breach disclosures don’t always affect revenue or stock prices. The TJX data breach was one of the biggest, costliest and most publicized breaches ever – yet customer and investor confidence in TJX remained largely unshaken in the aftermath. TJX’s stock was worth about $30 per share when the breach was disclosed, and its closing price a year later was just over $29. And during the one year following the breach, TJX reported that comparable-store sales increased 4%.

We probably all agree that strong corporate governance is necessary – and in fact, I’d suggest it’s a strategic differentiator for many companies. But as I talk to companies approaching the same problem from different perspectives, I still wonder: Should we let free market forces determine what corporations do, or should we mandate the “right” behavior to protect consumers and stakeholders?

What do you think?

A key takeaway from the report is the fact that compliance, not security, drives security budgets. I don’t think this will shock anyone, but it’s worth thinking about. As most of us know, it’s easier to justify a security project based on a mandate (SOX audit deficiency!) than to explain the business value of a security investment (I’m not talking ROI here, but the value of avoiding or mitigating potential threats and their consequences). In recent years, regulatory mandates have fueled an almost recession-proof level of investment in security products and services that shows no sign of slowing down.

Everything would be hunky-dory if the security investments justified by SOX et al. were perfectly aligned with the security needs of the organization, but evidently they’re not (here’s where the Forrester reports gets interesting). Using data protection as a case in point, the report shows that the great majority of enterprises do not align their security spending to the factors that pose the greatest business risk. In fact, enterprises are more likely to fund projects that address low-impact accidental breaches rather than high-impact breaches (such as malicious theft by insiders).

Whether you agree with the report or not, it’s worth a quick read. It’s got some interesting quantitive data on incidents and cost of incidents. This level of information is what is required to assess risk and align security controls appropriately – but it’s also the data that is oftentimes hard to come by.

The report is a great reminder that we shouldn’t let the “ready built” justification provided by compliance to prevent us from doing the real work of security, which is risk management.

In the coming weeks, we’ll devote much of this blog to providing you with more insight into our new approach and new products. First, I’d like to explain how SailPoint arrived at today’s announcement and what it means for our current and prospective clients.

SailPoint released the first iteration of our identity governance solution, IdentityIQ, in early 2007. Since then, we’ve been dedicated to helping customers achieve regulatory compliance at a reduced cost, improve internal controls and better manage the risks associated with access to sensitive data and applications across the enterprise. There was clearly a need for this solution in the market – as evidenced by the increasing focus industry analysts have placed on this space, as well as our own customer adoption.

In September 2008, we added business-friendly, self-service access request capabilities to IdentityIQ. As we worked with our customers to roll that capability out across their organizations, those same customers began pushing for SailPoint to manage the entire lifecycle of user privileges. The problem was that existing solutions for requesting and managing user access were at best outdated and inefficient, but more importantly, they were too complex to be used by business users.

As many of you know, SailPoint’s heritage dates back to Waveset (acquired by Sun in 2003), so many of our executive and technical staff have deep roots in the provisioning space. Leveraging that history and knowledge base, we began working on a solution that would better address the huge pain points our customers were experiencing with available provisioning technologies. Today, we’re not only announcing two new provisioning products, Lifecycle Manager and Provisioning Engine, we’re also announcing an entirely new approach to provisioning.

This new approach begins with our Governance Platform, which centralizes identity data, captures business policy, models roles and mitigates risk to support both compliance and user lifecycle business processes. As we stated in the press release, this governance-based approach to provisioning delivers three distinct advantages to customers:

• Simplified deployments. SailPoint’s approach begins with the mining and modeling of all necessary information about users, access privileges, roles and policy into a single governance platform, enabling organizations to automate access request and provisioning processes without extensive workflow and custom coding. This reduces custom coding requirements by 200-300 percent.

• Lower deployment costs. SailPoint provides an open and flexible approach to the “last mile” of provisioning – the connector layer where changes are executed on IT resources – by supporting multiple techniques and processes for making changes to resources. This eliminates the hundreds of thousands of dollars organizations typically spend on “last mile” integrations. It also allows customers to immediately focus their identity management efforts where the highest value exists: at the business process and governance layer to ensure consistent, enterprise-wide compliance with internal and external security mandates.

• Business and IT alignment. SailPoint provides the first user interface designed specifically for business users to request access and manage user lifecycle events. Traditional provisioning tools were designed for use by IT administrators and were too cryptic and technical for business users. With its business-friendly user interfaces, SailPoint makes it easy to involve business users in all identity management processes, such as access requests, change approvals, access certifications and role lifecycle management.

The entire SailPoint team is excited about today’s launch. The early feedback from customers and analysts has been extremely positive, and we look forward to sharing more details with many of you during this spring’s tradeshow season (in the meantime, you can read more about the products here).

I’m always interested in what themes get the most play at RSA. This year, I’d have to say that “the cloud” wins the contest hands-down. Cloud computing was ubiquitous – a centerpiece of most keynote addresses, a feature on booth signage throughout the show floor, and not surprisingly, the butt of quite a few jokes (example: let’s do a tequila shot every time we hear the word “cloud”).

In the show’s opening keynote, RSA’s CEO Art Coviello declared cloud computing “the most over-hyped but underestimated phenomenon in history” (borrowing a phrase from Nicholas Negroponte). Coviello went on to say that cloud computing presents us all with the rare opportunity for a “do over” – to be present at the rollout of a new wave of computing with security built-in from the get go. I have to admit I raised my eyebrows at this turn of phrase. I predict that the evolution toward cloud computing will be moderated and incremental – and not a “do over” by anyone’s definition.

Another interesting observation about this year’s show is the continued (and perhaps even bigger) blend of public and private sector speakers. Past years’ shows have featured Michael Chertoff, Melissa Hathaway, and Al Gore. This year’s speakers included Secretary of Homeland Security Janet Napolitano, Howard Schmidt, the U.S. cybersecurity coordinator appointed by President Obama in December, and Robert Mueller, director of the FBI. On Tuesday, Schmidt presented a keynote address and hosted a heavily-attended town hall meeting. In both of these venues, he conveyed a very measured and pragmatic approach to addressing the cybersecurity responsibilities of the federal government. He said more than once “there is no silver bullet.”

During an entertaining Q&A session with the audience, Schmidt revealed the following about his agenda:

• He’s not a proponent of more regulation to drive better security practices. The one exception he mentioned was the area of data breaches (where there is pending legislation).
• He assured the audience that any measures taken by the Fed will respect privacy and civil liberties issues.
• He admitted that the Federal Information Security Management Act (FISMA) is archaic and needs to be changed. He mentioned that some changes are being rolled out this year.
• He believes that we, as a society, are making real progress with cybersecurity. He pointed out that there are fewer devastating attacks and service disruptions than in previous years.

Unfortunately, Schmidt’s position is made all the more challenging by the bureaucracy and interest groups he will have to navigate in Washington – it’s not just a matter of fixing problems and fighting the bad guys. On a positive note, the amount of focus being put on the issue of cybersecurity at the federal level can only be a good thing.

The overriding goal of the CIP standards is to protect the bulk electric system from cyber attacks, including attacks from within the utility (i.e., insider threats). The eight standards include establishing programs for managing access to cyber assets, documenting which personnel are authorized to access cyber assets, and creating plans and processes for electronic and physical security of assets, among other things. The deadline to become “auditably compliant” by July 2010 provides the real “teeth” to the mandate, requiring organizations to undergo audits and provide documented evidence of compliance or non-compliance with the standards.

While the NERC CIP standards are more prescriptive than some regulatory mandates, they do leave many implementation details up to the affected organizations. Put another way, NERC defines “the what” but not necessarily “the how” of getting compliant. This factor makes it critical that organizations think strategically and holistically about their approach to NERC CIP and follow three important guidelines:

1. Take a risk-based approach that focuses controls on the most critical cyber assets and avoids boiling the ocean;
2. Automate compliance processes for consistency and repeatability, and to control costs; and
3. Don’t forget the people component in “people, process, and technology” – communications and information sharing between stakeholders is key.

Because controlling access to critical infrastructure is one of the highest priorities for complying with the CIP standards, identity governance will be a key component of any organization’s compliance strategy. Identity governance provides an automated approach to strengthening access controls and delivering evidence of those controls for audit purposes. By offering a framework for automating compliance, facilitating business and IT collaboration, and taking a risk-based approach, identity governance helps organizations to achieve sustainable, auditable compliance with the standards’ requirements.

To help organizations plan and implement a cost effective, risk-based approach to NERC CIP compliance, SailPoint is presenting a free webinar with Corporate Integrity’s Michael Rasmussen on February 10^th (details here). We’ll review the CIP standards, what’s needed and how identity governance can help companies achieve the next level of compliance. Following the webinar, we’ll also provide access to a free whitepaper that walks companies through the eight CIP standards focused on IAM, and provides a roadmap for how to best comply with each.

UPDATE: The webinar is now available on-demand. Feel free to view at your leisure and share the link with your colleagues! We also have a white paper that you can download.

Additional key findings from the survey include:

• More than 50% of those surveyed confirm that IT is responsible for ensuring the security and managing the risk around sensitive applications and data.

• 42% reported shared responsibility and accountability with business managers for the access certification process.

• 61% of the respondents report that they use manual or homegrown processes to manage a company’s access privileges.

• Only 14% of companies believe they have adequate controls in place to address the risk of insider threats in 2010 (which is a similar statistic from our May 2009 Market Pulse Survey).

The complete Market Pulse Survey results, as well as an in-depth analysis of what they mean, is available here.

1. Cautious Investment Strategies Will Remain. The tough economy has made buyers more selective about how they invest in software solutions. The constricted budgets and constrained resources of 2009 in many cases brought clarity to project prioritization. CIOs have become more discriminating customers who want results quickly and who expect a solid near-term return on investment. Particularly in the identity governance space, companies expect to have full visibility and control over access privileges in months, if not weeks, with measurable results along the way. Even if companies enjoy larger budgets next year, CIOs will continue to be laser-focused on solutions that provide immediate, measurable results.

2. The Compliance Burden Will Grow. Compliance, transparency and risk management will remain top priorities for global companies. Everyone agrees that as fallout of what transpired in the financial markets in 2008, even more regulation is on the way, not less. The Model Audit Rule, which effectively requires SOX-like compliance for non-public insurance companies, takes effect on January 1st. Part of Obama’s stimulus package included the HITECH Act in healthcare, which effectively adds more “teeth” to HIPAA by requiring companies to disclose any privacy breaches. And most recently, the Personal Data Privacy and Security Act of 2009 passed a major hurdle and will be voted on by the Senate. Clearly these are US-only examples, but companies around the world are going to be bombarded with new requirements and more stringent rules.

3. Identity Management Will “Grow Up.” As a result of the growing focus on governance and compliance, organizations are starting to view IdM as more of a business-centric discipline than an IT-only domain. IdM processes can no longer be the exclusive realm of identity admins and help desk staff. To ensure compliance initiatives are successful, organizations must get business users involved in the process. It is the business user, after all, who has the most accurate knowledge of who should doing what with which applications and datasets. Collaboration is required across teams of business, audit/compliance and technical staff. As a result, there is a growing need for IdM solutions to evolve into business-friendly solutions to better manage IT and business risk. The IdM market will see more business process management (BPM) functionality in the coming year and will begin delivering business intelligence and decision support solutions.

4. Identity Governance Will Energize the IdM Market. As I’ve said many times, I believe the recession has served as a catalyst in IdM’s evolution – both by elevating the importance of transparency and risk management, as well as increasing corporate focus on rapid results and return on investment. I believe our industry is now at an inflection point where companies are starting to rethink how they approach IT risk management and what they expect from technology vendors. As identity governance technology matures, innovative startups will completely disrupt the IdM space by bringing a level of intelligence and risk management that is of high value to the business. We’ll see a few dinosaurs try to evolve, but this race will be a fast one and we’ll see if they can keep up.

How do you think 2010 will differ from 2009 in the IdM market?

During a phase of dramatic company growth in the 2003-2005 timeframe, Humana set out to improve its user onboarding processes, which were particularly painful in high-growth and high-churn areas of the business. Andy described how Humana’s early IAM projects progressed through a “Peak of Inflated Expectations” phase, then descended into the “Trough of Disillusionment,” as initial enthusiasm and commitment for the IAM program waned. During this period, there were many stops and starts, including a period where Humana considered throwing out its provisioning solution and starting over. But ultimately, the project found stability and success.

In the 2007-2008 timeframe, Humana’s priorities turned to regulatory compliance. SailPoint entered the Humana IAM program in 2008, when Humana selected IdentityIQ to automate access certification and policy enforcement. Andy described how SailPoint IdentityIQ helped Humana gain enterprise visibility to “who has access to what” and automated necessary oversight by IT and business managers. He concluded his presentation with the message that Humana had, after five years, climbed the “Slope of Enlightenment” and was reaping the productivity benefits of a mature IAM program.

Later that morning, Robert Mazzocchi, VP of Identity and Access Management at AIG, took the stage. Robert’s case study described how AIG addressed its compliance and risk management needs during an exceptionally volatile period of the company’s history – events that were exacerbated by AIG’s highly decentralized business units and lack of a centralized HR system. He described how AIG scoped its Global Access Certification project, with the goal of aggregating, correlating and certifying user and access data for high-risk applications that spanned geographies and operating environments.

Robert described how IdentityIQ helped AIG to create certification reports and send them for periodic processing to department and application managers, providing all necessary capabilities such as reminder notices, escalation, delegation, and status tracking and audit reporting. As he described how AIG was conducting global recertifications, Robert emphasized that AIG’s main driver for performing recertifications was to reduce corporate risk. He stressed the need to be able to identify high-risk users in the environment, such as privileged users. And to scope controls accordingly, so that the greatest oversight is applied where it’s needed the most.

For me, the customer presentations were the most compelling ones of the show because they connected the advice presented by the analysts previously at the show to real-world IAM projects. As a result, the attendees got invaluable exposure to first-hand accounts of successful IAM and identity governance projects, which will undoubtedly help them with their own projects.