ID and access management: Just say yes

By Joel Dubin
26 Oct 2006 | SearchCIO.com


Easy to explain in qualitative terms, but difficult to quantify, identity and access management is one of your company's vital IT services that has to be sold to your executive peers. Getting buy-in from your CEO and CFO is key.

Your CEO and CFO may have a common interest in making sure the cost of the system stays within the budget, but they probably have different concerns about other aspects of the project. The CEO wants to make sure the system makes the business more efficient and competitive, while the CFO wants to make sure the project actually saves the company money. The CFO also wants hard numbers to prove that point.

Here are ways to satisfy them both: Quantitative numbers for your CFO and qualitative benchmarks for your CEO.

For the CFO:

Calculate the ROI of the proposed access management system. For information security projects like access management, calculating ROI is tricky at best. The value is measured as the savings from keeping your computer systems safe and free of breaches rather than the profit generated from implementation and deployment. Security systems don't generate revenue, but they do save money. It's just hard to quantify.

There are two approaches to calculating ROI for a security system. One is based on the savings from reducing risk; the other is based on the savings from making employees more efficient and productive. Either way, the return from the investment should always be positive.

The traditional way to calculate the cost of risk is the annual loss expectancy (ALE). ALE is the projected loss from a given security breach multiplied by the probability of it occurring in a year. For example, if a possible security breach could cost $500,000 but has only a 30% likelihood of occurring in a year, the ALE is 500,000 x 0.30, or $150,000.

But, in the case of an access management system, what exactly is the breach, and what is its cost? Is it the cost of a break-in if a user ID and password are stolen? Authentication credentials like user IDs and passwords are lost or stolen in many ways other than a breakdown in your access management system, so the ALE of that single scenario tells only part of the story.

The second approach to calculating the cost of risk is to measure efficiency gain, rather than loss. This is better for figuring out the ROI for access management. The benefit of upgrading or installing a new access management system is the cost savings from reduced calls to your help desk or to the IT password gatekeeper. A good chunk of help desk calls are password resets.

You'll need the following information to make this calculation:

  • The current number of calls per year to your help desk or other IT staff for setting up user accounts and resetting passwords, and the projected number of calls with the new system. Get the first figure from your help desk call logs and estimate the second from information provided by the vendor.
  • The amount of time it takes your staff to create or reset a password. Is it 10 minutes, or a half hour? Use this figure to estimate the cost of issuing a password based on the salary of your IT staff handling the requests.
  • The purchase price of the system and the expected annual cost of upkeep and maintenance.

In this approach, the ROI would be based on the reduction in cost of user account maintenance vs. the cost of the system. If the number of calls -- and, therefore, the time and expense -- is cut by 75%, use that figure to estimate the dollar savings from the system. Compare this with the annualized cost of the system based on its purchase price and annual upkeep to get your ROI. The savings should be greater than the cost -- the "keep the ROI positive rule" -- to win your CFO's heart.

The ROI based on these numbers is only an estimate, as it's impossible to get an exact figure. But, at least, you'll have a handle for your CFO to grab on to for selling the dollar value of your access management system.
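The two calculations above, ALE for the risk-based approach and the help-desk savings figure for the efficiency-based approach, are simple enough to put in a small spreadsheet or script so the CFO can see exactly which inputs drive the result. The following is an added example, not code from the column; the call volumes, minutes per reset, hourly staff cost, purchase price and the three-year amortization period are constructed assumptions chosen only to illustrate the method.

```python
"""Worked ROI estimate for an access management system (added example).

All input figures below are constructed assumptions for illustration;
substitute your own call-log counts, staff costs and vendor pricing.
"""
from dataclasses import dataclass


def annual_loss_expectancy(single_loss: float, annual_probability: float) -> float:
    """ALE: projected loss from one breach multiplied by the probability
    that it occurs in a year (the risk-based approach)."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual_probability must be between 0 and 1")
    return single_loss * annual_probability


@dataclass
class HelpDeskInputs:
    """Inputs for the efficiency-based approach described in the column."""
    calls_per_year: int            # current setup/reset calls, from help desk logs
    projected_calls_per_year: int  # estimate with the new system, from vendor data
    minutes_per_call: float        # staff time to create or reset a credential
    hourly_staff_cost: float       # loaded hourly cost of the IT staff handling requests
    purchase_price: float          # one-time purchase price of the system
    annual_upkeep: float           # expected annual maintenance and support
    amortization_years: int = 3    # assumption: spread the purchase over this many years


def cost_per_call(inp: HelpDeskInputs) -> float:
    """Dollar cost of one account setup or password reset."""
    return inp.minutes_per_call / 60.0 * inp.hourly_staff_cost


def annual_savings(inp: HelpDeskInputs) -> float:
    """Savings from the calls the new system eliminates."""
    calls_removed = inp.calls_per_year - inp.projected_calls_per_year
    return calls_removed * cost_per_call(inp)


def annualized_system_cost(inp: HelpDeskInputs) -> float:
    """Purchase price spread over its useful life plus yearly upkeep."""
    return inp.purchase_price / inp.amortization_years + inp.annual_upkeep


def roi(inp: HelpDeskInputs) -> tuple[float, float]:
    """Return (net annual benefit, ROI ratio).

    The 'keep the ROI positive' rule from the column is simply
    net annual benefit > 0, i.e. savings exceed annualized cost.
    """
    savings = annual_savings(inp)
    cost = annualized_system_cost(inp)
    net = savings - cost
    return net, net / cost


# Constructed sample: 8,000 calls/year cut by 75% to 2,000, 15 minutes each
# at $60/hour, a $120,000 system amortized over 3 years with $20,000 upkeep.
SAMPLE = HelpDeskInputs(
    calls_per_year=8_000,
    projected_calls_per_year=2_000,
    minutes_per_call=15,
    hourly_staff_cost=60.0,
    purchase_price=120_000.0,
    annual_upkeep=20_000.0,
)


def example_estimate() -> dict:
    """Run both approaches on the sample figures and return the results."""
    net, ratio = roi(SAMPLE)
    return {
        "ale_500k_at_30pct": annual_loss_expectancy(500_000, 0.30),
        "cost_per_call": cost_per_call(SAMPLE),
        "annual_savings": annual_savings(SAMPLE),
        "annualized_cost": annualized_system_cost(SAMPLE),
        "net_annual_benefit": net,
        "roi_ratio": ratio,
        "roi_positive": net > 0,
    }


if __name__ == "__main__":
    for key, value in example_estimate().items():
        print(f"{key:>20}: {value}")
```

With the sample inputs the eliminated 6,000 calls at $15 each save $90,000 a year against an annualized cost of $60,000, a net benefit of $30,000 (ROI of 50%), so the figure passes the "keep the ROI positive" test. Changing the amortization period or the projected call reduction is the quickest way to see how sensitive the estimate is to the vendor's claims.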

For your CEO:

Here are some qualitative benchmarks for your CEO:

  • Cost is always No. 1 in the CEO's mind, but you've already covered that with your ROI analysis. Just make sure what you've chosen fits in the budget.
  • Show how the chosen system is best in class, and how it stacks up against the competition. Get white papers and independent studies, if possible.
  • An access management system has to integrate seamlessly into your existing directory structure. Is the product available for only one platform, or is it cross-platform? If you're an Active Directory shop, then a Windows-compatible system might be best. If you run a Lightweight Directory Access Protocol (LDAP) directory, then maybe a Unix-based one. Don't rip out existing plumbing if it already works.
  • How easy is the product for the non-IT masses to use? Your IT staff members will adapt more quickly, but they also need assurances that they can get adequate training before installation and support after deployment, and that they can maintain it. Access management tools are among the most heavily used IT assets and require a lot of care and feeding. Is your staff up to it?
  • Outsourcing access management to an outsider can be really risky. You're giving the most sensitive keys to your IT assets to a stranger for safekeeping. It's best to keep it in-house. Reserve outsourcing for assistance with log analysis.

Try this combination of ROI, quantitative and qualitative benchmarks, and you should be in good shape to win over your executive peers.

Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP in security, specializing in Web and application security, and the author of The Little Black Book of Computer Security, available from Amazon.com.
