SAN DIEGO -- Want more money or manpower for a new IT security project? Become a leak.
Start gathering all the information you need -- from financial costs to regulatory compliance needs. Talk to constituents and business partners to understand their needs and concerns. Know the pain points within the organization and where problems may lurk. Run project numbers through several traditional ROI models and determine a true cost of ownership.
Then systematically spill the beans.
"You don't want to surprise management with the numbers you have. Start leaking information as you come across it," explained principal consultant Randall Gamby at Thursday's Burton Group Catalyst Conference.
Gamby was referring specifically to justifying projects in the ever-expanding identity management realm, which analysts say has matured into a highly visible market that's bound to grow as enterprises continue to virtually collaborate on ideas and exchange information, assigning every person, application, device and transaction its own digital identity.
"The business case for identity management is as strong as it's ever been," said Burton Group senior analyst Mike Neuenschwander. He predicts that vendors' "feeding frenzy" will end soon and that ID management companies will leverage recent acquisitions and mergers to provide more one-stop shops and specialized suites of best-of-breed technologies.
Speakers at the conference continued for a second day to stress identity management's importance in an increasingly regulated and Web-based world. As a result, ID management should be embedded in, and not just built onto, an organization's IT architecture.
"Identity is now a lot more than logging on," quipped Chris Stone, vice chair of the Office of the CEO for Novell Inc.
But C-suite managers may still need convincing if the right project for an organization is to become a reality. That's where Gamby's recommendations come in.
Justifying ID management services and business applications today requires more than the traditional metrics to prove cost effectiveness. Technologists must speak the language of business, using financial formulas and project pitches that are on point and attention-grabbing. "Talk CXO-speak," the consultant advised.
That means having a project manager that can effectively communicate. Also, find out how others successfully navigated the process at your organization. And "be prepared to be flexible and implement incrementally," he added.
Other practical advice includes keeping business case reports clean and neat: No more than 25 pages, beginning with an executive summary outlining the strongest points for justification. Don't bog the report down with every possible benefit or option but do include intangibles like reputation risks in the event of a data breach.
Be careful with promoting a program through fear, uncertainty and doubt, or FUD. It's been overdone. It's a good idea, though, to remind managers of the consequences if the enterprise does not comply with state or federal laws protecting the ideas and identities housed on a company's networks.
Stone, whose publicly held company Novell is subject to the Sarbanes-Oxley Act, says that last point may be a much stronger selling point now. Penalties are harsh for executives found in violation of data protection provisions under the new federal law. "CEOs -- guys like me -- we go to jail if we don't get this right."