Aligning enterprise identity and access management with CIO priorities

Randall Gamby says aligning enterprise identity and access management with business and CIO priorities demands a more strategic approach to IAM.

With the ongoing struggle for adequate funding in enterprise information security operations groups, how can an enterprise identity and access management (IAM) program continue to show value to the enterprise's CIO to get the crucial funding it needs? The best way to do this is to make the program invaluable.

To be successful in this endeavor, enterprise IAM teams need to ensure that the identity and access management services they provide enable and support the established CIO priorities. This seems simple enough to understand, but the problem is IAM systems sometimes take months or years to fully deploy. How can an IAM team ensure that its plans for tomorrow align with those of the CIO today? That's what we'll discuss in this tip.

Thinking like a CIO

Even though IAM programs are technology driven, the first thing that must be done is to think strategically. The IAM team members must put on their "business hats" and ask themselves, "Where is the focus of the company?"

A good place to start is to look at the CIO's focus. Is the CIO focused on delivering services, like improving the organization's collaboration services or mobile technologies to the workforce? Or are business themes the priority, like reducing the cost of IT, developing a flexible infrastructure or aiding in business process improvement? If an IAM team understands the direction or themes that the CIO is focusing on, then they can examine the identity and access management services they provide and begin the process of aligning those services to support the CIO in his or her mission.

Also, IAM teams must take a hard look at their existing services and decide if they continue to provide value or are still attempting to meet old business requirements. If the requirements are outdated or have been superseded, then the services need to be refocused, or possibly even retired. It's better to save the company money by putting an end to outdated IAM projects than to continue to put good money into bad services.

Business priorities, flexibility

Next, an IAM team needs to understand the priority of the CIO's themes. Say the CIO has promised to deliver 10 themes in 2012. Do you know which of those are most important? Since most budgets are set to remain flat this year, focusing and aligning identity and access management services with the CIO's top three to five themes ensures the IAM team will provide more value than aligning to the CIO's bottom three.

Another important point is that any IAM program must be flexible and easily extended. This means the program should offer standardized interconnection points to its various components. Using standards such as XACML, OAuth, SAML, LDAP or service-oriented architecture (SOA) makes it easier for applications to consume the services and controls the IAM technologies provide. It's important to remember that IAM technologies are generally considered "infrastructure" services; just like the network and lighting in the building, they don't provide direct value to the organization. Only as the organization's applications consume IAM services do those services show their true worth.

Compliance and emerging technology

Identity and access management services also provide support for regulatory and security initiatives. If the enterprise is branching out to new consumer markets -- exposing sensitive information to larger populations or extending its business partner relationships -- it needs a trusted environment. With IAM providing authentication, authorization and provisioning services, as well as real-time controls for access, IAM systems are positioned to be the critical controls any CIO needs in order to successfully realize a secure environment.

Finally, IAM services are becoming a key component in emerging technologies, most notably cloud computing. Cloud services have been on CIOs' radar screens for several years; they've become a key component for reducing the cost of service for technologies the CIO either has no interest in operating or lacks the resource expertise to maintain as a professional service. With data leaving the boundaries of the organization, it's more important than ever to ensure the right people are getting to the right data; IAM fits the bill.


Identity and access management teams need to remember that regardless of what the goals and timelines are for the CIO's plans, IAM services are an important IT component to achieve them. By aligning the efforts and technologies of the IAM program with the CIO's initiatives, IAM technologies can continue to provide cost-effective, secure services for any organization, regardless of its size, location or market.

About the author:
Randall Gamby is the information security officer for the Medicaid Information Service Center of New York (MISCNY). MISCNY manages and maintains the largest state-run Medicaid claims data warehouse in the United States. Prior to this position he was the enterprise security architect for a Fortune 500 insurance and finance company. His experience also includes many years as an analyst for the Burton Group's Security and Risk Management Services group. His coverage areas included: secure messaging, security infrastructure, identity and access management, security policies and procedures, credential services and regulatory compliance.

This was last published in November 2012
