How to Build a Business Case for Identity Management

There were more data breaches last year than ever before, and the cost of breaches has never been higher. Increasingly, these breaches are being tied back to identity, including the large-scale data breach at Target where hackers gained access to critical data through credentials stolen from HVAC contractors. That breach cost Target millions – and continues to cost even more – and we continue to see similar repercussions from large-scale data breaches around the world.

Hearing about another company’s misfortune may not be enough to get management buy-in for an IAM program at your company. Selling IT programs to management can be difficult, especially when the programs don’t tie directly to the bottom line. But just as identity-related breaches can cost millions, strategic IAM programs can – and do – provide measurable ROI. The key is understanding how to demonstrate that.

Don’t let number crunching intimidate you. We have a simple process to help you show financial justification for your IAM strategy (some of which you’re probably already doing, at least partially):

  1. Assess Your Internal Needs: Find out the most pressing issues and opportunities for management: compliance, security, costs or inefficient procedures. Make these issues the center of your business case.
  2. Create a Baseline of Costs and Resources: Analyze your current IAM process in detail. Quantify all of the resources, both financial and manual labor, currently being used for Identity Management processes.
  3. Clearly Articulate the Program Goals: Define the business goals your program will achieve, as well as the expected benefits to the organization. Explain which metrics will be collected, the type of improvement the business will experience – like governance, compliance and data security, and the value of that improvement compared to the cost of the program.
  4. Build a Financial Model: Estimate how much the program will cost, including technology, services, personnel, and other related costs beyond software licenses. Then project how the program will save your organization time and money. Not all benefits will be measured in dollars, so find a way to add monetary value to improvements like faster deprovisioning or fewer helpdesk tickets.
  5. Adjust the Approach: If management doesn’t respond to your business case, suggest breaking the program into phases or look for smaller projects that offer quick wins. Once management sees the benefits from an Identity Management project, they’re more likely to agree to a larger program.



A strong IAM business case will highlight the benefits, including lower costs and streamlined processes to improve profitability and efficiency, while protecting company and customer information. And, it will provide a tool that continually measures return on your investment, which will help justify future spending.

As you start building your business case, a useful resource is this white paper from SailPoint, ‘Building a Business Case for Identity Management.’ It provides more guidance on each of the steps in this process, as well as a detailed list of potential metrics to measure.