When Guardian Life Insurance Company of America’s identity and access management team decided it was time to update to a modern IAM system, they knew it might be difficult to get executive buy-in. In the insurance industry, there are so many business issues competing for budget, such as dealing with health care reform, that it’s important to have a clearly defined process. Otherwise, other needs will trump yours.
“You often have only 5-10 minutes to sell your pitch to business executives,” said Joseph Shay, Guardian Life’s Head of Identity and Access Management. “If it takes longer than a few minutes and you focus too much on minutia and use a bunch of jargon, you’ll lose them.”
Guardian Life’s existing user provisioning and application access process was a long, complex, manual one. Simply stating that might seem like enough to sell executives on IAM, but it’s not.
“We created a business case with a five-step plan to secure organizational buy-in,” Shay said.
First, Shay and his team established a business problem. If you can articulate a problem that makes sense to everyone, you’ll get better results. Next, they emphasized “the voice of the customer.” When customers complained that gaining access privileges was too slow and complicated, Shay and his team listened to those concerns and communicated user pain points to the rest of the organization.
Third, they pointed out that they would be switching to a scalable IAM solution and away from hard-to-scale manual processes. Having a scalable approach also allowed them to roll out the deployment in such a way that they could show the organization quick wins to keep momentum going.
“After all, you don’t want to go back to the executive team to ask for more money every 6 months or so,” said Christopher Nawrocki, Senior Manager for Guardian Life.
Fourth, Guardian Life figured out how they would evaluate the outcome to showcase the ROI. “We focused on access management, efficient processes, and training,” Nawrocki said.
Finally, they detailed as precisely as they could just how much the overall IAM project would cost.
Good Planning Results in Millions for the IAM Project
This five-step process paid off. Shay, Nawrocki and their team secured the budget for an IAM rollout that would take 5-7 years. They also brought in a third-party consultant to help them with the deployment. “We’d never done this before, so it was really important to have help from someone who had,” Shay said.
The consultant immediately advised Guardian Life against getting bogged down in technical details and suggested that the team focus on people and processes instead. Guardian Life benchmarked themselves against other insurance companies that had previously deployed IAM.
Guardian Life selected SailPoint IdentityIQ and started with a small, manageable deployment. In the first phase, they integrated 11 apps and 3 directories with SailPoint, including its HR system. It didn’t take long for the benefits of IAM to start accumulating.
“We intend to integrate 200 apps this year,” Nawrocki said. “At our peak, we were adding about 40 apps per month, most with complete automated provisioning to all legs of the application.”
When asked by an audience member at Navigate ’14 about difficulties along the way, Shay noted that people and processes take the most work. “I can’t tell you how many times organizations roll a product out, fail to engage users beforehand, and as a result, users don’t like it. You need to engage users early.”
Guardian Life ended up training about 1,200 managers. “Throughout the training, when we heard feedback, we acted upon it right away. Don’t just brush aside user concerns or throw their feature requests on a wish list. Otherwise, they’ll end up hating the product,” Shay said.
Achieving ROI in three years
Obtaining a sufficient and significant budget may sound like a challenge, but managing 380 apps and all of the access rights and privileges associated with them was previously a manual, cumbersome, costly process.
After implementing IdentityIQ, Guardian Life was able to streamline the entire process. For instance, they previously administered the access provisioning process through as many as 30 teams that required up to nine approvals. Now, a two-step, enterprise-wide approval process (people manager and application owner(s)) is in place for all applications, and requests are provisioned either automatically or by a single, centralized team.
As a result, Guardian Life is already saving tens of thousands of hours per year on provisioning and access certification administration efforts.
Other cost savings accrued from automated password synchronization, automated de-provisioning, and streamlined application access certification.