The 2 ROIs of IAM

Posted on by Steve Tout in Architecture Guidance, Management

Last week I unveiled Identity Coherence in my webinar on the same subject (sponsored by CSA) and started by talking about the impact that IAM has on customer experience, federation and risk management. I concluded with a discussion on the 2 ROIs of IAM: Return On Investment and Risk Of Ignoring.

If you step away from any IAM implementation and defocus the technology, what you see is a constellation of factors that either propel your efforts forward within your organization or stop you dead in your tracks. Naturally, this vantage point delivers insights into the upfront work needed to modernize IAM, including strategy, architecture, operations and innovation. But from experience, it also means looking at IAM through the lens of program management, GRC, customer experience and even company culture, all of which are critical to the ongoing success of an effective IAM program. This mental model is what I refer to as Identity Coherence.


Identity Coherence provides the conceptual framework critical to the success of serious IAM initiatives. Not every organization needs to invest equally in each leverage area, but it’s to your benefit to consciously consider where you will direct your investments so that you can create the strategic IAM program your business needs to be successful and scale.

Risk Driven IAM

Jumping into a critical component for modernizing IAM within your organization: federation of IAM enables the business to integrate sales, marketing and support functions, as well as extend the value of identity into interactions with 3rd parties, whether to support HR, accounting or productivity suites. With customer-facing IAM, we begin to see that connecting applications and services together with session management and federated IAM has the potential to improve CSAT and drive top-line revenue growth.




As companies increase their usage of SaaS and place critical workloads in the cloud, there is an immediate need for enhancing the security of infrastructure and getting a degree of visibility and control over who has access to sensitive data. The sophistication and maturity of IAM and cyber security have grown to such advanced levels that it is at your own risk to consider a federated IAM architecture without also showing how it will be secured and monitored (such as I have attempted to do in the above diagram).

With the cost of data breaches skyrocketing 23% in just two years and between 22% and 76% of data breaches being caused by compromised credentials (depending on which research report you read), it is evident that security and governance of IAM in the cloud should be a top priority. As the cloud access security broker (CASB) space matures, you will see the lines between IAM and advanced security solutions begin to blur.

The security solution for your SaaS applications, whether integrated via a CASB or native capabilities, should include the following at a minimum:

  • Real time visibility
  • Policy enforcement point
  • On-prem or cloud-based proxy
  • Data encryption & tokenization
  • Enforce DLP policies
  • User behavior analytics

Looking at recent news headlines, it’s not difficult to notice that data breaches are not occurring due to a lack of technology. It was recently reported that more than a dozen financial institutions who use ADP for payroll and human resources management had their identities stolen by hackers. What is more telling is the lack of knowledge-based authenticators, which could have prevented such a breach altogether.

Clearly, urgency in securing SaaS, coupled with the use of stronger authentication mechanisms, is needed today. We don’t need better technology, we need a better mindset!

The 2 ROIs

Though this article is a condensed version of Part 1 of my talk on Identity Coherence, you need to quickly put the 2 ROIs in the context of conversations about this subject. Technology and business leaders are best served by taking a balanced approach to investing in interventions that improve customer experience and usability and reduce risk, by considering the following:

Return on Investment

  • Increase revenues
  • Improve employee productivity
  • Reduce risk
  • Avoid fines
  • Reduce costs

Risk of Ignoring

  • Loss of competitive advantage
  • Loss of IP
  • Breach customer PII
  • Increase customer churn
  • Reputational damage
  • Missed earnings

While it’s easy to dismiss any of these risks as hypothetical, the sophistication and frequency of data breaches occurring daily should be a cause for alarm. I’m not trying to create FUD – did I mention that my superpower is being able to resist negativity? Technology and business leaders need to be realistic about the risks inside their organizations. We need to resist throwing technology at every problem and consider the extent to which improving people, governance, process and scale of IAM has more to do with the results you achieve than vendor/technology selection does.

Guidance for CISOs and CIOs

There is plenty of work to be done. Where a lot of catch-up needs to occur, however, is in applying the same sensibilities used for security operations and security engineering within the enterprise to the vast and growing number of SaaS and cloud services. Today we can put DLP, SIEM, GRC and a host of other capabilities to work for cloud IAM with excellent results.

The CISO and CIO in your organization should take a vow and ensure that the following actions are taken if they haven’t been already:

  • Get business stakeholders and end users involved in your assessment to quantify IAM impact on productivity and CSAT
  • Engage your risk management and business stakeholders to inform and prioritize IAM initiatives
  • Use systems thinking to look at IAM from end-to-end, not just within a department
  • Don’t let consultants die at your company – expect transformation, not just sustaining life support
  • Integrate IAM with GRC and CASB for near continuous compliance and risk reduction


You can watch the webinar on Identity Coherence here.


You may also catch me at Cloud Identity Summit on June 9th where I’ll be presenting Career Development for IAM Professionals.
