CHAPTER 5
Making the Business Case

The first duty of a wise advocate is to convince his opponents that he understands their arguments, and sympathizes with their just feelings.

—Samuel Taylor Coleridge

By this time, your investigation is done. You’ve uncovered the current requirements of the organization, along with what the various departments think they might need down the road as well. You’ve found the trends, the issues, the problems, the concerns. You have a good idea of how compliance impacts, and will continue to impact, your policies and procedures.

Earlier, I said that you have to think like Us and Them. That is, “Us” are the people in charge who put the processes in place. “Them” are the users who will be affected by your decisions. Well, now turn that around. “Them” is now pointing the other direction up the food chain, at the management layer, whom you will ask for money and resources to implement an IAM framework. You must state your case, which is also their case, since it’s for everybody’s good within the company. But they won’t necessarily think like that. If they’re doing their thing and making money, why rock the boat? You must make that case, one more time, and now you need to think like “Them.” What are their hot buttons? What will get them on your side?

A very smart ex-boss of mine named Ralph used to repeat the mantra, “it’s not what you do, it’s how you do it,” and he used to practice that in order to serve as an example to his employees. Once in a while you have to deliver bad news, but there’s a proper way to do it. For example, a salesman will tell you it’s not a bad thing that a proposed discount goes away after the end of the quarter; it’s a good thing that you can take advantage of that discount if you act sooner rather than later.

Round Two in Front of Management

So here’s your chance to do it the right way. Management has heard some of this from you already. Now you need to revisit that information, only this time you’re armed with the data from your investigations. How you present that data will make all the difference.

You don’t buy your spouse a birthday present and then toss it at him or her. You wrap it up nicely. Well, let’s start wrapping.

Sell the Business Value

People at the top of the food chain don’t always understand bits and bytes. Frame everything you say in terms of the value to the organization. You won’t say, “We need connectors that support SMTP and RACF.” You will say, “We need automated e-mail notifications, and we need to pull our mainframe into the framework.” Everything should be stated in terms of cost savings, operational efficiency, security, and so on. Identity management is not a value unto itself (unless IdM itself is your business); it must serve the larger goals of the company.

Look Organized

Avoid the classic salesman mistake they call “show up and throw up.” You’ll get around to all the pieces, eventually. But do them in the right order. Build the case from the bottom up. State the issues, the problems, the concerns, and then the solutions. Don’t forget the problems that you haven’t yet encountered, but that you anticipate will bite you in the behind in the coming months or years. Prioritize (we’ll discuss that more in a minute). Put your issues in categories, maybe by constituency (administrators, end users, employees, partners, customers) or by department, geographic location, line of business, or area of concern. And once you’ve got it all organized, rehearse. No kidding. Put in the time to actually know your material. Don’t read your slides; know your stuff. A script is a good thing, but treat it like a set of suggestions to remind you to say what you already know. “We need IAM, and here are the reasons why.”

Believe in Your Message

This will sound like an oxymoron, but be passionate, yet not emotional. Sound as if you care, because surely you do. But sound rational. I watched a guy in Detroit once get so agitated trying to convince his own management of the need for a particular piece of software, that after the meeting, the managers were questioning the man’s self-control, and wondered if he should be in charge of the effort. I’ve also seen presentations that were delivered in so mundane and bloodless a manner that management was far from inspired to provide budget.

Prioritize

You may or may not get budget for everything you need, but you can just about guarantee you won’t get budget for everything you want. Pick your big dogs and put them at the front of your list. It also makes perfect sense to prioritize in the order you will implement, since most often the pieces will build on each other. For example, you might state that first comes the user directory, then authentication, then authorization, then SSO, and so on. Each of these pieces then supports the deliverables that are built on top of it.

Another aspect to consider is which incremental pieces will be most disruptive. If you can put off the uglier stuff until later, it’s not a bad idea. Remember, if you’re upgrading a capability you already have, the change comes more naturally. Single sign-on is a basic function. But moving to an RBAC-based system from standard groups is far more transformational, and therefore a potential cultural leap that requires a greater learning curve.

Compile Real Evidence

It’s not enough to say, “Hey boss, IAM will make everything better.” You need to make an actual business case. In a minute we’ll talk about Return on Investment (ROI). When aggregating the data, shoot for real dollars. When putting together the “soft ROI” that represents the more intangible benefits (for example, user experience), gather as much anecdotal evidence as possible. Interview end users, system admins, customers, your auditors, and whoever else may be affected directly or indirectly by your current system limitations. If possible, when you put together that compelling presentation, have some of those folks you’ve interviewed come to present their personal stories. I’ve been told for the better part of two decades that my use of real stories, containing real customers with real issues (with all the names changed for obvious reasons), is my best ammunition when stating the value of a security solution.

Anticipate Objections

Someone might argue, “Well, you wanted one of these, so naturally you rationalized it so you can get it paid for.” But the counter-argument to that is, “No, we already knew we needed it, but what we’ve done is quantify it with empirical data. It’s not just needs any more. It’s documented needs. Let me show you the documentation.”

Take the position of the devil’s advocate, and take the time to figure out what somebody will throw back at you. “We can’t spend this money because we haven’t had a breach. Nobody’s complaining to us about how long it takes to log in. We’re not currently subject to Sarbanes-Oxley. Manual provisioning has been working so far.”

An executive sponsor will help you prebuild those defenses, by providing you insight as to the concerns that upper management will have, besides the obvious one, costs. In fact, that’s the big one, right? “This thing will cost too much.” So what’s the obvious defense? “Let me tell you the cost of doing nothing.” And this will point directly toward the consequences of a security breach, or the costs of failing an audit, or the dollars wasted in manually driven processes.

Getting Help with Your Pitch

You can get a lot from people when they think there’s a payoff up the road. You may or may not have an idea of what you need, but chances are you at least have a notion. So invite in some smart folks. Get some freebies. Start with the big ones, the large consulting firms, many of whom double as auditors.

NOTE

If a consulting company is your auditor already, they may be able to advise you on what you need to fix, but there’s a 99 percent chance they can’t actually help you implement anything. There have always been rules about auditors not being able to consult for their auditing clients, and there were always paths around those restrictions. Since Enron and other scandals, that is no longer the case, except for grandfathered projects.

Auditors or other partners may be able to put you in contact with officers from other companies (most likely companies that don’t compete with you) who have been through this before. Their experiences may very well help you put together your business case.

Analysts can provide you not only validation for your concerns, but also the value proposition for a solution. If you can’t afford to bring in an actual analyst (which isn’t necessarily cheap), you can usually purchase corroborating data, and in fact you can find a lot of it online. The analysts themselves pay people big bucks to examine the trends, the risks, the consequences, and the solutions, and they make this data available to their customers, naturally for a price. Don’t just grab, for example, Gartner’s Magic Quadrant info for provisioning or access management for the latest calendar year; get hold of one of the whitepapers. Also check Forrester, Burton, and so on. An analyst will also, for a price, give you a checkup. If you go this route, of course, be ready to write a check, and don’t ask them to tell you what you want to hear—ask them for their honest opinion.

Request Budget

Going to the people in charge for budget is a big game, a gamble. You could:

• Ask for the whole thing at once. It’s bigger than any individual piece. But if you don’t get the whole thing through now, you may never get any of it. It might be harder for management to back out of it when it’s all or nothing and you’re halfway through.

• Ask for it in phases. Makes it more digestible to upper management. It shows more planning, more discipline. It could be easier to get the first phase or two approved and funded. Of course, it’s always possible that you’ll get what you need for Phase One, and then management may decide that’s all you need for now, effectively killing Phase Two and beyond. If you’ve been through the prioritization process already, you can easily translate that into what pieces you need now to build for the future.

Software vendors like a particular word: champion. It’s their “in” guy at a customer, somebody who likes their story and will help them sell the product internally. Well, when you’re trying to pitch the notion of IAM to your bosses or stakeholders, find yourself at least one champion. You need help to sell the concept, to build the case, to support your existing case, and eventually to petition for budget. This might be somebody you can later encourage to support you by making their favorite critical apps candidates for the first round of strong authentication or single sign-on.

NOTE

If you end up shopping for software later (rather than building it yourself) and you find a product you like, you may end up becoming the champion for that vendor. In other words, you’ll be used heavily and regularly by that vendor. But is that necessarily a bad thing? That salesperson will do everything in his power to make you look good and get you all the material you need, not just to sell that product up the chain, but just to sell the concept up the chain. It’s all part of the game, but use it to your advantage when the time comes.

Here’s an extremely common occurrence: A customer-facing or revenue-generating project will more often than not take precedence over an identity project, despite the clear value of security and identity. It truly helps to highlight the risks of not having identity management and access control.

Return on Investment (ROI)

If you’re begging for money, then you have to justify it. This means demonstrating to management what they’re getting for their investment, which means clearly stating ROI. Software vendors and consultants are repositories for documents, spreadsheets, slide decks, and whitepapers describing the incredible Return on Investment for an IAM system. There’s “soft ROI,” which is “it’s wonderful, it’ll provide a better user experience, it’ll give us more control and security.” Then there’s “hard ROI,” which is an actual dollar amount. They will tell you how much you’ll save with IAM in place.

Hard ROI

Let’s take a look at those areas where you can attach actual costs. In every operation, you have the opportunity to quantify the ROI in deploying an IAM framework.

• Replacing hard tokens: If you’re using RSA or some other token setup, that carries a particular per-user cost. These setups are secure, no doubt. They can be integrated as just another authentication scheme by common authorization and SSO engines. They’re also no fun to roll out or upgrade; they’re expensive, and they break. Some people swear by them, since it involves your bodily presence to authenticate. Sure, so does logging in, but in this case, you’re providing a physical representation of yourself to authenticate. The main thing is, they’re not cheap. If you can authenticate without them, it’s an obvious ROI.

• Self-service: This old chestnut gets beaten to death, but it still holds true. It will save you not only dollars that you’re spending on help desk hours, but also a metric ton of aggravation for both your help desk and your users if those users can maintain their own profiles, reset their own passwords, and unlock their own accounts.

• Provisioning: This includes the entire life cycle of enabling, modifying, and disabling users. Managing a user’s privileges not only eats up administrative time, but it can also easily cut into a user’s productivity. On the front end, you’re paying somebody a salary for sitting around waiting for access. In the back room, lack of automation translates directly into manual processes. As of this writing, I’ve just returned from a scoping engagement in which an institution of higher learning admitted they have more than twice as many service desk personnel as they’d need if they could automate access grants. So a good provisioning system has definite staffing and productivity ROI.

• Audit support: There’s no arguing with the benefits of good reporting. And good reporting is built on good log data. Supporting an audit with a weak system takes a lot of labor. Audits can eat up plenty of a staff’s time, as they compile custom reports at the request of auditors. And let’s take one step back and talk about provisioning one more time. The more manual processes you have in place, the more mistakes you’ll see, guaranteed. Automated processes give you the consistency and the logging you won’t get with fat fingers doing all the work. The more mistakes that are uncovered, the more the auditors will attempt to uncover. Don’t give them any more ammunition than they’re bound to find anyway.

• Putting developers back to work on business apps rather than security: By providing that IAM framework, you’re taking the security burden off the guys who should be doing other things, and who probably aren’t qualified to manage security in the first place. It’s a common question for a developer: How much time are you spending on security code and policy creation?

Soft ROI

So after you’ve tackled the hard ROI, go after the soft ROI. Sure, it might not exactly have dollars attached, but it can cause more noise among the rank and file, affecting end-users’ and administrators’ day-to-day activities, thereby allowing you to gather more anecdotal evidence of the need for IAM than the hard stuff. Soft ROI manifests itself in a variety of obvious ways:

• Superior end-user experience: Self-service is a big piece of this. Not only does this lend itself to hard ROI in terms of staffing and productivity, but it also makes for much happier end users who can handle their own password, account lockout, and resource request issues. These same capabilities also make your help desk people happier, since nothing sucks the life out of you more than handling the same old password reset for eight hours a day.

• Faster time to market: By taking away the need to re-create security for every app on its own, you are making it far easier and quicker to launch apps. Security is already taken into account by the framework.

• Competitive advantage: Not only will you have more cash to invest in business-building activities to overtake your rivals, you can say, “Look, you happy customers, we’ve got the tightest security in the market, and our anti-phishing capabilities always let you know you’ve come to the correct web site to do your banking or shopping.”

• Protection of your good name: I cannot overstate the damage to your reputation if you are hacked. I also cannot overstate the value of a good end-user experience for a non-captive audience. An employee will put up with a certain amount of interface hassle. I’ve never heard of somebody quitting a company because he didn’t like the GUI tool they built the corporate portal with. But if paying customers make enough use of your online tools, and dread logging in, they’ll vote with their fingers and their mice. A few years back, during a time of market volatility, my broker got tired of my bi-daily phone calls and suggested I could more easily get my questions answered on their web site. I pointed out to her that they had the world’s slowest authentication scheme, and an awful-to-navigate site with dreadful menus, meaning that from the time I clicked Submit on my password to the time I got my data, it could take me several minutes. If I were someone more liable to manage my own account online rather than through a broker, I most certainly would have dumped them.

• Protection against even worse consequences: Fail an audit, lose customer data, suffer a material breach, and it will cost you big money. You will face penalties, lawsuits, lost business, and possibly paying extra costs such as credit monitoring for customers whose account info you’ve lost.

• Overall satisfaction within the organization: When you take into account operational efficiencies, end-user experience, cost savings, reputation, and other advantages, it all adds up to a happier organization with the appearance and feeling of being in charge of its own destiny. Every single company, without exception, has at least one system in place that everybody complains about. It’s like that drunken uncle who comes to all the weddings and funerals, and you’re stuck with him, and there’s nothing you can do to avoid the usual embarrassments. But robust security and identity is not only a vital corporate function; it also indicates that you’ve got a handle on the single most important thing you can provide, outside of the actual product or service with which you make your profits. Where I work, provisioning is like good housekeeping. It’s so smooth that we don’t even think about it. If I request access to something, I get it within a reasonable period. If I didn’t have that, I’d be screaming. But I do have that, so I don’t even notice how efficient it is. This allows me the convenience of complaining about a whole bunch of other things.

Preserving Your Existing Investment

This is neither hard nor soft ROI, but rather getting more mileage out of what you already own. Naturally you currently have in place at least some pieces of an identity foundation. You may want to stay with your user directory, individual workflow engines, or account creation scripts. Not all of it is going away, and in fact when selecting vendors and/or technologies, part of what you will ask is, “How much can we keep?”

Maintaining current components as part of the new framework has multiple values. First, it’s less labor. If you have connectors to legacy apps, discrete workflow processes, scripts that create accounts on legacy platforms, and if you can connect them to a larger framework without losing efficiency, then you are calling on those pieces, rather than having to build them from scratch (although you’ll still have to configure your new workflow to use them). Second, those may represent pieces you don’t have to buy (connectors, directory).

Therefore you’ve got a better message for management: “Look, boss, our new security platform is friendly with our old one, which translates to continuity and cost savings.”

Asking for Help, One More Time

Again, think about getting backup. This is especially useful if you think you’ve found the right technologies and/or partners to assemble your project, or if you’re tight with your auditors. Your auditor may render aid just to keep on your good side. And any outside company who isn’t your auditor won’t make a dime off you unless you get your internal approval. So make them work for it. Have them help you put together a business plan that includes ROI, business case, and so on. I’ve been asked by literally dozens of customers to provide ROI for them to push up their own food chain.

When you’re trying to get budget and resources from your own management, you are doing what software and hardware vendors do all the time: sell. In this case, you’re not trying to make a profit; you’re trying to improve the quality of life at your organization, as well as positively impact the bottom line. The problem, of course, is that in the short term you will be negatively impacting the bottom line, so the trick is to get management to perceive the long-term, bigger-picture benefits.

Oracle has an excellent program called Insight, in which they visit customers for a three-to-five day conversation. They interview all the pertinent staff, in large and/or small groups, and ask questions that the customer perhaps never thought of asking themselves. It helps when they bring in a team that is familiar with the particular vertical the customer is in, such as insurance, banking, healthcare, higher education, and so on. At the end of the process, they regurgitate to the customer what they heard, to make sure they have an accurate reading, then present recommendations—and no, they don’t all involve installing software. I’ve participated in a number of these, and I see the definite benefit to some organizations of having external validation of issues that customers already know they have. In addition, the Insight team can help IT staff make that business case for improving processes, and realizing that return on investment. In most cases, IT staff builds solutions for a living; they don’t make presentations for a living, so a little professional help can, well, help.

Later, we’ll discuss how to vet software vendors and consultants.

Finalizing the Request

Naturally, at the end of the business case process, do what salespeople have always done: ask for next steps. What else do the managers need to hear? Is there a heartbeat? Did what you say resonate? Do they understand your issues? Do they understand how your IT issues impact their business issues? Do they see the value to the business? That’s the $64,000 question.

As we already discussed, they may approve some portion of a proposed solution. Make the most of that. If you don’t get everything, then think back on “it’s not what you do, it’s how you do it.” So think of it as an opportunity. Deliver what is approved, and that’s your best chance of getting approval for the next batch of wishes off the list. Failure to deliver that first batch will pretty much kill any future initiatives. So if you ask for it and get it, then make sure you can do it.
