Easy to explain in qualitative terms, but difficult to quantify, identity and access management is one of your company's vital IT services that has to be sold to your executive peers. Getting buy-in from your CEO and CFO is key.
Your CEO and CFO may have a common interest in making sure the cost of the system stays within the budget, but they probably have different concerns about other aspects of the project. The CEO wants to make sure the system makes the business more efficient and competitive, while the CFO wants to make sure the project actually saves the company money. The CFO also wants hard numbers to prove that point.
Here are ways to satisfy them both: quantitative numbers for your CFO and qualitative benchmarks for your CEO.
For the CFO:
Calculate the ROI of the proposed access management system. For information security projects like access management, calculating ROI is tricky at best. The value is measured as the savings from keeping your computer systems safe and free of breaches rather than the profit generated from implementation and deployment. Security systems don't generate revenue, but they do save money. It's just hard to quantify.
There are two approaches to calculating ROI for a security system. One is based on the savings from reducing risk, and the other is based on the savings from making employees more efficient and productive. The return from an investment should always be positive.
The traditional way to calculate the cost of risk is the annual loss expectancy (ALE). ALE is the projected loss in a year from a given security breach multiplied by the probability of it occurring in a year. For example, if a possible security breach could cost $500,000 but has only a 30% likelihood of occurring, the ALE is 500,000 x 0.30, or $150,000.
But, in the case of an access management system, what exactly is the breach, and what is its cost? Is it the cost of a break-in if a user ID and password are stolen? Authentication credentials like user IDs and passwords are easily lost or stolen through many other ways than just a breakdown in your access management system.
The second approach to calculating the cost of risk is to measure efficiency gain, rather than loss. This is better for figuring out the ROI for access management. The benefit of upgrading or installing a new access management system is the cost savings from reduced calls to your help desk or to the IT password gatekeeper. A good chunk of help desk calls are password resets.
You'll need the following information to make this calculation:
- The current number of calls per year to your help desk or other IT staff, for setting up user accounts and password resets and the projected number of calls with the new system. Get the first figure from call logs to your help desk and estimate the second from information provided by the vendor.
- The amount of time it takes your staff to create or reset a password. Is it 10 minutes, or a half hour? Use this figure to estimate the cost of issuing a password based on the salary of your IT staff handling the requests.
- The purchase price of the system and the expected annual cost of upkeep and maintenance.
In this approach, the ROI would be based on the reduction in cost of user account maintenance vs. the cost of the system. If the number of calls -- and, therefore, the time and expense -- is cut by 75%, use that figure to estimate the dollar savings from the system. Compare this with the annualized cost of the system based on its purchase price and annual upkeep to get your ROI. The savings should be greater than the cost -- the "keep the ROI positive rule" -- to win your CFO's heart.
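The two calculations described above (the ALE formula and the help-desk ROI estimate built from call volume, time per reset, staff cost, purchase price and upkeep) are small enough to carry through in a short script. The following is an added example, not code from the original article; the input figures (8,000 calls a year, 15 minutes per reset, a $40 hourly staff rate, a $90,000 purchase price amortized over three years with $15,000 annual upkeep) are constructed for illustration, and the three-year amortization period is an assumption the article does not specify.

```python
from dataclasses import dataclass


def annual_loss_expectancy(single_loss: float, annual_probability: float) -> float:
    """ALE: expected yearly loss from one breach scenario (loss x probability)."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual_probability must be between 0 and 1")
    return single_loss * annual_probability


def projected_calls(current_calls: int, reduction_fraction: float) -> int:
    """Calls expected after deployment, given the vendor's claimed reduction (e.g. 0.75)."""
    if not 0.0 <= reduction_fraction <= 1.0:
        raise ValueError("reduction_fraction must be between 0 and 1")
    return round(current_calls * (1.0 - reduction_fraction))


def annual_call_cost(calls: int, minutes_per_call: float, staff_hourly_rate: float) -> float:
    """Staff cost of handling account setups and password resets for one year."""
    return calls * (minutes_per_call / 60.0) * staff_hourly_rate


@dataclass
class HelpDeskRoiInputs:
    calls_per_year: int            # from help-desk call logs
    reduction_fraction: float      # estimated from vendor information
    minutes_per_call: float        # time to create or reset a password
    staff_hourly_rate: float       # loaded hourly cost of the IT staff handling requests
    purchase_price: float          # one-time system cost
    annual_upkeep: float           # yearly maintenance and support
    amortization_years: int = 3    # assumption: spread purchase price over three years


def help_desk_roi(inp: HelpDeskRoiInputs) -> dict:
    """Efficiency-based ROI: savings from fewer calls vs. annualized cost of the system."""
    calls_after = projected_calls(inp.calls_per_year, inp.reduction_fraction)
    cost_before = annual_call_cost(inp.calls_per_year, inp.minutes_per_call, inp.staff_hourly_rate)
    cost_after = annual_call_cost(calls_after, inp.minutes_per_call, inp.staff_hourly_rate)
    annual_savings = cost_before - cost_after
    annualized_cost = inp.purchase_price / inp.amortization_years + inp.annual_upkeep
    net_benefit = annual_savings - annualized_cost
    return {
        "calls_after": calls_after,
        "cost_before": cost_before,
        "cost_after": cost_after,
        "annual_savings": annual_savings,
        "annualized_cost": annualized_cost,
        "net_benefit": net_benefit,
        "roi_percent": net_benefit / annualized_cost * 100.0,
        # the "keep the ROI positive" rule: savings must exceed the annualized cost
        "roi_positive": net_benefit > 0,
    }


def example_case() -> dict:
    """Constructed sample inputs (not figures from the article) run through the model."""
    return help_desk_roi(HelpDeskRoiInputs(
        calls_per_year=8000,
        reduction_fraction=0.75,   # the 75% cut the article uses as its example
        minutes_per_call=15,
        staff_hourly_rate=40.0,
        purchase_price=90_000.0,
        annual_upkeep=15_000.0,
    ))


if __name__ == "__main__":
    print(f"ALE for the article's scenario: ${annual_loss_expectancy(500_000, 0.30):,.0f}")
    for key, value in example_case().items():
        print(f"{key:>16}: {value:,.2f}" if isinstance(value, float) else f"{key:>16}: {value}")
```

With the constructed inputs the help desk cost drops from $80,000 to $20,000 a year, the system costs $45,000 a year once the purchase price is spread over three years, and the net benefit of $15,000 gives an ROI of about 33%. Changing the amortization period or the vendor's reduction estimate is the quickest way to see how sensitive the figure is, which is worth showing the CFO alongside the headline number.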
The ROI based on these numbers is only an estimate, as it's impossible to get an exact figure. But, at least, you'll have a handle for your CFO to grab on to for selling the dollar value of your access management system.
For your CEO:
Here are some qualitative benchmarks for your CEO:
- Cost is always No. 1 in the CEO's mind, but you've already covered that with your ROI analysis. Just make sure what you've chosen fits in the budget.
- Show how the chosen system is best in class, and how it stacks up against the competition. Get white papers and independent studies, if possible.
- An access management system has to integrate seamlessly into your existing directory structure. Is the product available for only one platform, or is it cross-platform? If you're an Active Directory shop, then a Windows-compatible system might be best. If you run a Lightweight Directory Access Protocol (LDAP) directory, then maybe a Unix-based one. Don't rip out existing plumbing if it already works.
- How easy is the product for the non-IT masses to use? Your IT staff members will adapt quicker, but they also need assurances that they can get adequate training before installation, support after deployment and can maintain it. Access management tools are one of the heaviest-used IT assets and require a lot of care and feeding. Is your staff up to it?
- Outsourcing access management to an outsider can be really risky. You're giving the most sensitive keys to your IT assets to a stranger for safekeeping. It's best to keep it in-house. Reserve the outsourcing for assistance in log analysis.
Try this combination of ROI, qualitative and quantitative benchmarks and you should be in good shape to win over your executive peers.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP in security, specializing in Web and application security, and the author of The Little Black Book of Computer Security, available from Amazon.com.