If asked what job role is most associated with Identity and Access Management (IAM), what would you say?
Most of you might think a highly technical specialist, or an “IT person”. However, many CEOs, CFOs, Customer Service team leaders, HR analysts and other professionals across companies are involved in IAM decision making. But why is this? This blog will explore why it is important for companies to invest more time and effort in ensuring that Identity and Access Management is well understood across various job functions.
Firstly, let’s understand what Identity and Access Management is.
What is IAM?
“Identity and Access management is the people, processes and systems used to manage digital identities and their entitlements throughout their life-cycle.” ~ Open Measure Dictionary
Organisations use IAM software to manage and secure the identities of both internal and external users for their services and applications. There are two main styles of IAM systems, that are currently in use:
Traditional IAM or Internal IAM
Traditional IAM takes care of the internal identities, mainly employees but also can include other groups of individuals such as subcontractors and representatives from partners and suppliers. Think of an employee, from their user account creation, granting the right access to perform their job, until the account deletion when the person leaves the company.
Customer Identity and Access Management (CIAM)
CIAM forked from IAM when the number of Internet applications in every company’s data environment exploded in numbers. Such growth was clearly reflected in the number of screen icons in our devices. Companies of all kinds expect that their applications will be accessed by thousands or millions of consumers, citizens, remote workers, and other types of users. These “customers” could be B2C or B2B. Particularly with the innovations in the LEI world, B2B IAM is becoming a hot topic that will bring massive benefits to the B2B world.
Why IAM matters to everyone
Not long ago, when you started a new job or became a university student, someone from IT would provide you with access to necessary systems, and a username and password that needs to be changed after the first login. All identity and access management processes were semi-manual and done by the IT team. Today, we have modern identity standards, but often IAM is an area that only a small group of people in the organisation are involved in. With companies embarking on digital transformation, a larger percentage of the companies’ staff is now becoming involved in building new web and mobile services. But unless everyone has an adequate understanding of IAM, these projects are doomed to fail. Therefore, knowing IAM is not only for the IT folks as it was at the beginning of the millennium.
Who normally sees Identity and Access management on their desk?
Identity and Access Management is not an everyday task for many professionals beyond the IT team (or IAM team if it exists). However, when the time comes for strategic decisions, there are several people who will have a voice and decision power in how IAM is acquired, planned, deployed, maintained and expanded.
Especially for the biggest decisions involving risk and money, several sub-organisations and functions have the responsibility to build consensus with the IAM team in order to get their own business objectives met. The most critical of these stakeholders are:
- Compliance Officers. There is no software that magically makes a company GDPR-compliant. Same with PCI DSS, CCPA and other regulations. Compliance officers use IAM among other tools and processes to fulfil their audits. Undoubtedly the compliance team will have clear requirements about what IAM must offer.
- The Chief Information and Security Officer. With a large portion of employees working from their home offices, the risks of attacks to the companies’ systems have drastically increased. The Chief Information and Security Officer is well aware that IAM has taken a leading role in the organisation’s security.
- Customer Service. Since the concept of self-service account management appeared, CIAM has made a tremendous impact on customer service, and there are multiple ways that CIAM can help. Even in a utopian passwordless world, users will need account recovery and might end up panickily calling customer service. And customer service will ask CIAM to help. Find out more about leveraging CIAM for more effective customer service and marketing here.
- Business Development / Umbrella Organisations. New student portals, patient portals, citizen portals, new mobile apps, improved authentication methods for existing applications…; for every new or existing web service, every day a new service is being created or improved, and IAM needs to be in place. That’s why business units must understand IAM very well in order to reach their set goals.
- Human Resources. Today any HR information system (e.g., SAP SuccessFactors, Workday) is in one way or another connected with the IAM systems, both Traditional IAM and CIAM. There again, several persons in the HR team will have a lot to say about what IAM should do and shouldn’t do.
- The CFO. We know it well, that IAM is a necessary but also hefty investment for organisations. The Chief Financial Officer will carefully evaluate the financial impact and will ask both the IAM vendor and the aforementioned stakeholders for a clear Return On Investment (ROI).
Most of these people unfortunately only truly care about IAM when an issue arises for them.
Let’s educate everyone on IAM
Seeing how relevant IAM is across the functions, shouldn’t we start a crusade to educate more people about it?
“30% of the time for an IAM team should be dedicated to education and knowledge transfer to people who are outside of the IAM team, and the rest of the organisation.” ~ Richard Slater on Let’s Talk About Digital Identity.
With my personal experience, spending time on educating around IAM is realistic and crucial. There are commonplace and unconventional ways to make this happen: presentations, pre-recorded demos, mini workshops, discussions on hot topics. The executive who leads IAM in the organisation has to become a persuasive agent and make sure that these activities happen, and that more people will be converted into IAM ambassadors. Everyone in the company will benefit from it. After all, times have changed, and there is no digital transformation without CIAM.
Contact us if you wish to discuss IAM and how this may help your role and organisation.
About The Author: Oscar Santolalla
With more than 15 years of experience in the technology space, Oscar is a trusted advisor for Ubisecure Customer Identity and Access Management (CIAM) customers and partners. As a Sales Engineer, Oscar runs product demos, supports customers and partners, and leads the IAM Academy training programme. He is also the author of the book ‘Create and Deliver a Killer Product Demo’, and hosts 'Let's Talk About Digital Identity" podcast.
More posts by Oscar Santolalla