Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Justifying the costs of identity and access management to executives

Identity and access management is easy to explain in qualitative terms, but difficult to quantify. Expert Joel Dubin offers tips on how to get buy-in from execs in this podcast.

Identity and access management is easy to explain in qualitative terms, but difficult to quantify. Expert Joel Dubin offers quick tips on how to create ROI benchmarks to get buy-in from your CEO and CFO.

Read the full transcript from this podcast below:

Joyce Chutchian: Hello and welcome to SearchCIO.com's podcast on CIO's approach to ID and access management. I'm Joyce Chutchian, online editorial director for Tech Target CIO Media Group. Joining me today is Joel Dubin, certified security consultant and author of the book, "The Little Black Book of Computer Security;" Hi, Joel.

Joel Dubin: Good morning, Joyce.

Joyce Chutchian: Today, Joel is going to discuss some simple steps to get buy in from your CEO and CFO on investing and implementing an identity and access management system. Joel will discuss some of the highlights of his guest column, featured on SearchCIO.com, which offers more detailed advice on how to persuade your executive peers on ID and access management systems. After you listen to this podcast, check out our SearchCIO.com supercast and the November issue of CIO Decisions magazine for more articles and advice on ID and access management. And now, I'll turn it over to Joel Dubin, who will share his expertise on persuading executive management on this important topic. Take it away, Joel.

Joel Dubin: Great, Joyce. As with any vital IT services and new system implementation, first you must be able to justify the cost of the purchase of an identity and access management system to both your CFO and CIO. Identity and access management is a very easy concept and it's a very easy product to explain, in terms of qualitative terms, what it does and how it works. The concept is quite easy, but sometimes putting a dollar figure on it or quantifying it is a lot more difficult. Your CEO and CFO both have a common interest in making sure the cost of the system stays within budget, but they still may have different concerns about other aspects of your project. Your CEO, for example, wants to make sure the system makes the business more efficient and competitive. While the CFO, on the other hand, wants to make sure the project actually will save the company money. And the CFO is more of a numbers person and will want hard numbers in front of him to prove the point. The good news is that you can please both of them, and I'm going to outline a few steps here, and then you can log on the SearchCIO.com for more specifics.

For your CFO, you want to calculate what's called a return on investment of the proposed access management system. Calculating ROI for access management, just as it is for any other information security type of a product, can be a little bit tricky, however. And there are two approaches to calculating ROI for a security type of system. One is based on the savings from reducing risk. In other words, reducing the types of breaches that the system might prevent, and the other is based on the savings from the efficiency type of gain; in other words, from making the employees more efficient and more productive. The traditional way to calculate the risk from an information security standpoint, to quantify it, is called the annual loss expectancy. The annual loss expectancy, or ALE for short, is the product of the projected loss in a given year from a given security breach, multiplied by the probability of it occurring in a year. For example, if the loss from a possible security breach could cost say 500,000 dollars, but only has a likelihood of occurring 30% in a year, the ALE is 500,000 times 0.3, or 15,000 dollars; the challenge is determining, what exactly is the breach, and what is its cost?

Often with an access management system, it's difficult to pinpoint a specific breach to a particular failure, for example, in the identity and access management system. So, I have another approach which I would recommend, and that's measuring the efficiency gain rather than the loss, the benefit is the cost savings from reduced calls to your help desk, which most likely handles, all of the password resets. This is a key thing in an identity and access management system, because most of the gain from the system is going to be reducing the number of calls to the help desk. To calculate that efficiency gain, you'll need the number of calls per year to the help desk -- in terms of setting up user accounts, passwords -- and projected number of calls with the new system. You'll also need to calculate the amount of time it takes your staff to create or reset a password.

Finally, the purchase price of the system, the expected annual cost of maintenance needs to be factored in. In this approach, the ROI would be based on the reduction in cost of user account maintenance versus the cost of the system. If the number of calls is cut by 70%, for example, use that figure to estimate the dollar savings from the system. Compare this to the annual cost of the system based on its purchase price and annual upkeep to get your ROI. The savings should be greater than the cost.

Now, for your CEO, you'll need something more qualitative, something that they can touch and feel basically, in terms of benchmarks. The CEO's first concern is always cost, as we've already stated, but your ROI analysis should cover that. So, for the other bases, you want to show how the chosen system stacks up against the competition. And also, an access management system is quite a large product. It has to be installed in your system, so it has to integrate seamlessly into your existing directory structure and be compatible with your current network and network log on structure. Finally, keep access management in house. This is something that you probably wouldn't want to outsource. So, if you combine the ROI, the qualitative and the quantitative benchmarks, you should be in good standing with your executive peers and on your way to show how a new ID and access management system will benefit the company and create efficiency and save money; so, back to you Joyce.

Joyce Chutchian: Okay. Thanks very much, Joel. I just have a couple of questions, and again, if you'd like to log on to SearchCIO.com after we're finished with this podcast, you can find out more information, more details, on Joel's podcast, in his columned also more information in our supercast. So, for the first question, Joel, how much time should a CIO allow for the upfront business planning or approval process?

Joel Dubin: Well, I would say that probably something within the neighborhood of a month is extremely aggressive. And again, it depends on the size of your organization and the bureaucratic structure for approval of new projects. But I would say probably anywhere from one to six months, and in some organizations that might be more optimistic than others. But in a smaller organization, an SMB might be able to work quicker.

Joyce Chutchian: Okay. And what if you've done all your research, but the CEO or CFO is still unconvinced? What do you do then?

Joel Dubin: I would contact the vendor and I would get references of other companies. Contact those other companies and, if they're willing, see if you can get them to explain to you the benefits of how the product has saved them money, how it's increased their ability to manage user IDs and passwords, how it's lowered vulnerabilities and breaches. And that's usually a very powerful way to also sell it to your executive management. Again, getting references from the vendor, contacting these other companies, and having them explain to you exactly what the benefit was.

Joyce Chutchian: Okay. Thanks very much, Joel. Is there any other advice you would like to add?

Joel Dubin: I think that's it at this point. Good luck.

Joyce Chutchian: Okay, thanks. You can access Joel's full guest column and other articles and features on identity and access management at www.searchcio.techtarget.com. Thanks for listening, and have a great day.

This was last published in October 2006

Dig Deeper on Enterprise information security management

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

To determine the hours per month IT staff no longer spends performing account management tasks, multiply those recovered hours by the fully burdened pay rate of IT staff. Similarly, to determine the hours per month help desk staff no longer spends dealing with forgotten credentials and account profusion confusion, again, multiply by the fully burdened pay rate of help desk staff