Last Updated: 13th August, 2022
Identity and Access Management (IAM) is perhaps the front-line defense for securing your business and its data. Just about all businesses in the sector interpret IAM as a low-value overhead cost or as a necessary evil, with the result that IAM models fail to secure adequate investment.
Although the news is often overflowing with data breaches and various exploits directly associated with IAM, sufficient funding and focus are not given to IAM models. Juniper Research forecasted that the number of personal data records stolen by cyber-criminals would reach five billion in 2020, while Cybersecurity Ventures predicted that by 2021, cybercrime would cost the public 6 trillion dollars worldwide, up from 3 trillion dollars in 2015.
Meanwhile, the average cost of a data breach reached $3.92 million, according to self-reported breach costs at more than 500 organizations worldwide, in 16 countries and 17 industries, which equates to approximately $150 per stolen record.
Considering this, one would assume that securing buy-in for IAM models wouldn’t be too difficult. Unfortunately, securing buy-in is often an uphill battle. One must ask, has IAM become the elephant in the room that everyone knows about, ignores, and hopes will go away?
Many client IAM strategies focus on today’s problems alone and fail to prepare for emerging risks and future innovations. As an example, in 2017, the Verizon Data Breach Investigation Report noted that “Sixty-two percent of all breaches involved hacking, and 81% of those leveraged either stolen and/or weak passwords.”
Looking back, KPMG and Everett conducted an IAM survey of over 125 organizations from various sectors and countries in 2009, which reported that more than 75% of IAM projects fail by not delivering expected results. Why?
The primary reasons for the failures were a lack of business buy-in and unrealistic goals around time, impact and budget. Many teams fail to understand or articulate the existing limitations in their delivery models, limitations that will not be addressed without innovation aligned with the business’s goals and drivers.
Unfortunately, not much has changed in the last 10 years. Forbes surveyed organizations that had been breached: “74% stated it involved privileged access credential abuse; however, only 48% of those businesses have a password vault. 65% are sharing the root or privileged access to systems and data at least somewhat often.” The issues in these examples were the same drivers for IAM project requests 10 years ago.
IAM models are often based on legacy technologies with limited flexibility to support emerging technologies such as the cloud. Like any project team, IAM project teams must be careful not to over-commit or exaggerate deliverables. The expected duration to deliver new technologies or transformations seldom aligns with reality because projects are not broken out into realistic phases.
IAM models must focus on the risks versus the benefits. Projects are often brought forward with a focus on benefits such as productivity or compliance improvements without any quantifiable evidence. Maybe the focus should be on the risk? With all the new regulations established to protect personal data, the selling point of the project should be the risk of doing nothing.
More companies are storing their data electronically. This data includes the client’s crown jewels, employee data, and other information. IAM is integral to protecting a company’s data, and appropriate tools must be available to achieve this goal.
IAM models must make the threat evident in order to help clients develop a robust, secure and pragmatic solution. These programs should incorporate new values for the business, with both the risks and the benefits made clear, to prevent IAM from being the elephant in the room.