ID and access management: Just say yes

By Joel Dubin
26 Oct 2006 | SearchCIO.com




Easy to explain in qualitative terms but difficult to quantify, identity and access management is one of your company's vital IT services, and it has to be sold to your executive peers. Getting buy-in from your CEO and CFO is key.

Your CEO and CFO may have a common interest in making sure the cost of the system stays within the budget, but they probably have different concerns about other aspects of the project. The CEO wants to make sure the system makes the business more efficient and competitive, while the CFO wants to make sure the project actually saves the company money. The CFO also wants hard numbers to prove that point.

Here are ways to satisfy them both: Quantitative numbers for your CFO and qualitative benchmarks for your CEO.

For the CFO:

Calculate the ROI of the proposed access management system. For information security projects like access management, calculating ROI is tricky at best. The value is measured as the savings from keeping your computer systems safe and free of breaches, not as profit generated by the implementation. Security systems don't generate revenue, but they do save money. It's just hard to quantify.

There are two approaches to calculating ROI for a security system. One is based on the savings from reducing risk, and the other is based on the savings from making employees more efficient and productive. Whichever approach you use, the projected return has to come out positive for the project to be worth funding.

The traditional way to calculate the cost of risk is the annual loss expectancy (ALE). ALE is the projected loss from a single occurrence of a given security breach (the single loss expectancy) multiplied by the expected number of occurrences per year (the annualized rate of occurrence). For example, if one breach would cost $500,000 and it is expected to occur 0.3 times a year (a 30% chance of happening in any given year), the ALE is 500,000 x 0.30, or $150,000.

But, in the case of an access management system, what exactly is the breach, and what is its cost? Is it the cost of a break-in if a user ID and password are stolen? Authentication credentials like user IDs and passwords are lost or stolen in many ways that have nothing to do with a breakdown in your access management system, so it is hard to attribute a breach cost to the system itself.

The second approach measures efficiency gain rather than avoided loss, and it is the better fit for access management. The benefit of upgrading or installing a new access management system is the cost savings from reduced calls to your help desk or to the IT password gatekeeper. A good chunk of help desk calls are password resets.

You'll need the following information to make this calculation:

  • The current number of calls per year to your help desk or other IT staff for setting up user accounts and resetting passwords, and the projected number of calls with the new system. Get the first figure from your help desk call logs and estimate the second from information provided by the vendor, treating the vendor's figure as an upper bound rather than a guarantee.
  • The amount of time it takes your staff to create or reset a password. Is it 10 minutes, or a half hour? Use this figure to estimate the cost of issuing a password, based on the fully loaded salary of the IT staff handling the requests.
  • The purchase price of the system, the number of years over which you will amortize it, and the expected annual cost of upkeep and maintenance.

In this approach, the ROI would be based on the reduction in cost of user account maintenance vs. the cost of the system. If the number of calls -- and, therefore, the time and expense -- is cut by 75%, use that figure to estimate the dollar savings from the system. Compare this with the annualized cost of the system based on its purchase price and annual upkeep to get your ROI. The savings should be greater than the cost -- the "keep the ROI positive rule" -- to win your CFO's heart.

The ROI based on these numbers is only an estimate, as it's impossible to get an exact figure. Because the call-reduction figure comes from the vendor, also work out the reduction at which savings just equal the annualized cost; if that break-even point sits close to the vendor's claim, the case is fragile. But, at least, you'll have a handle for your CFO to grab on to for selling the dollar value of your access management system.
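As an added worked example (not from the original column), here is the arithmetic from both approaches in Python: the ALE from the breach example above, and the help-desk ROI model built from the three inputs just listed. The figures (12,000 calls a year, a 75% reduction, 20 minutes per reset, a $45 fully loaded hourly rate, a $60,000 purchase price, $15,000 annual upkeep) are constructed for illustration, and the three-year amortization period is an assumption, since the column does not state one. The example goes one step beyond the text by also computing the break-even call reduction, below which the ROI turns negative.

```python
from dataclasses import dataclass


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = single loss expectancy x annualized rate of occurrence."""
    return single_loss * annual_rate


@dataclass
class AccessMgmtCase:
    """Inputs for the efficiency-gain ROI. All sample values are constructed."""
    calls_per_year: int          # current account-setup / password-reset calls (from help-desk logs)
    reduction: float             # fraction of those calls the new system removes (vendor estimate)
    minutes_per_call: float      # staff time to create or reset a password
    hourly_cost: float           # fully loaded hourly cost of the staff handling the calls
    purchase_price: float        # one-time cost of the system
    annual_upkeep: float         # expected yearly maintenance and support
    amortization_years: int = 3  # assumption: purchase price spread over a 3-year life


def current_reset_cost(c: AccessMgmtCase) -> float:
    """What the help desk spends per year on account setup and password resets today."""
    return c.calls_per_year * c.minutes_per_call / 60 * c.hourly_cost


def annual_savings(c: AccessMgmtCase) -> float:
    """Savings from the calls the new system eliminates."""
    return current_reset_cost(c) * c.reduction


def annualized_system_cost(c: AccessMgmtCase) -> float:
    """Purchase price spread over its life, plus yearly upkeep."""
    return c.purchase_price / c.amortization_years + c.annual_upkeep


def roi(c: AccessMgmtCase) -> float:
    """(annual savings - annualized cost) / annualized cost; positive means the case holds."""
    cost = annualized_system_cost(c)
    return (annual_savings(c) - cost) / cost


def breakeven_reduction(c: AccessMgmtCase) -> float:
    """Call reduction at which savings exactly equal cost (ROI = 0).

    If the vendor's promised reduction is only a little above this, the case is
    fragile; a value above 1.0 means no reduction in calls could pay for the system.
    """
    return annualized_system_cost(c) / current_reset_cost(c)


if __name__ == "__main__":
    # ALE example from the column, with the multiplication carried out.
    print(f"ALE: ${annual_loss_expectancy(500_000, 0.30):,.0f}")

    # Constructed sample case for the efficiency-gain approach.
    case = AccessMgmtCase(calls_per_year=12_000, reduction=0.75, minutes_per_call=20,
                          hourly_cost=45.0, purchase_price=60_000, annual_upkeep=15_000)
    print(f"Current reset cost:     ${current_reset_cost(case):,.0f}")
    print(f"Annual savings:         ${annual_savings(case):,.0f}")
    print(f"Annualized system cost: ${annualized_system_cost(case):,.0f}")
    print(f"ROI:                    {roi(case):.0%}")
    print(f"Break-even reduction:   {breakeven_reduction(case):.0%}")
```

With these inputs the help desk spends $180,000 a year on resets, the system saves $135,000 against an annualized cost of $35,000, and the break-even reduction is about 19%, so the vendor's 75% claim has plenty of margin. Swap in your own call logs and salary figures; the break-even number is the one to show the CFO alongside the ROI.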

For your CEO:

Here are some qualitative benchmarks for your CEO:

  • Cost is always No. 1 in the CEO's mind, but you've already covered that with your ROI analysis. Just make sure what you've chosen fits in the budget.
  • Show how the chosen system is best in class, and how it stacks up against the competition. Get white papers and independent studies, if possible.
  • An access management system has to integrate seamlessly into your existing directory structure. Is the product available for only one platform, or is it cross-platform? If you're an Active Directory shop, a Windows-native system might be best; if your directory is a standalone LDAP server, a product built for Unix may fit better. Don't rip out existing plumbing if it already works.
  • How easy is the product for the non-IT masses to use? Your IT staff members will adapt quicker, but they also need assurances that they can get adequate training before installation, support after deployment and can maintain it. Access management tools are one of the heaviest-used IT assets and require a lot of care and feeding. Is your staff up to it?
  • Outsourcing access management to an outsider can be risky. You're handing the most sensitive keys to your IT assets to a stranger for safekeeping. It's best to keep it in-house. Reserve outsourcing for assistance with log analysis.

Try this combination of ROI, qualitative and quantitative benchmarks, and you should be in good shape to win over your executive peers.

Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP in security, specializing in Web and application security, and the author of The Little Black Book of Computer Security, available from Amazon.com.


