Securing Executive Buy-in for IAM According to Kuppinger Cole’s Dave Kearns

Security teams know how important IAM is, but that doesn’t mean it’ll be easy to get buy-in from senior management, especially when IAM solutions often come with six-figure price tags (or more).

“The technology is easy,” said Dave Kearns, senior analyst for KuppingerCole. “It’s the people who are hard.”

Kearns was speaking at the SailPoint Navigate ’14 conference, and he offered advice that should help security teams convince senior management to loosen the purse strings and invest in IAM.

“There are two main people-related problems security teams must overcome,” he warned. “First, users just don’t like change. Even if what you’re presenting to them is something that will make their lives easier, people just want to keep doing what they already know how to do. It’s human nature. They don’t want to slow down to learn, or relearn, things.”

The second problem is getting the appropriate people to sign off on your budget request. After all, budgeting is a zero-sum game. If you get money for IAM, somebody else in the organization likely won’t get money for a project that they believe is every bit as important.

Kearns offered some tips and tricks to overcome both users’ objections and senior management’s reluctance to devote resources to IAM.

One of the best ways to get executive buy-in for your IAM program is to emphasize regulatory compliance. “If you can spell out the cost of non-compliance, you’ll be on more solid footing,” he said. “However, audits don’t come along every day, and not every regulation has enough teeth to spark action.”


Kearns next advised security teams to hone their negotiating skills. Good negotiators know to separate people from the problem at hand. This isn’t personal, after all. You don’t want to personally attack the executive who is resisting change. It’s a business decision, and the executive may have good reasons for his or her position.

Another mistake rookie negotiators often make is focusing on positions rather than interests. If the executive’s stance is that the organization doesn’t need IAM, quickly get past that. Instead, focus on shared interests. Perhaps the executive is terrified of bad PR, so you could show the executive how IAM could help the company avoid the fate of those companies that have been victimized by a major data breach.

However, while every business emphasizes cooperation, it’s not always easy to achieve. According to Kearns, there are five major barriers to cooperation you must overcome:

1) People’s emotions.
2) Their positions; for instance, a VP may not want to devote money to an IT project.
3) People’s dissatisfaction; for example, if you had a project that failed in the past, they may hold it against you now.
4) A person’s power.
5) Your reactions to people.

How to Improve Negotiations by Putting People First

In order to overcome those barriers, Kearns advises that security pros focus on interests, not positions. To do this, you need to take the time to get to know the person you will be negotiating with. Often, you may find that your positions actually overlap in certain areas. For instance, if a VP of Marketing is trying to secure budget for a competing project, you may win that person over by emphasizing the bad PR that could stem from a data breach. Mention the Target or LinkedIn breach, and the executive could start to see how IAM is a shared interest.

Another tactic is to “invent options for mutual gain.” If you can figure out a win-win scenario, you have a better chance of securing buy-in. Kearns illustrated this point with the classic logic problem of the prisoners’ dilemma. Two people are arrested for a crime. Each person can either confess to the crime or stay silent. If both confess, each will get sentenced to 5 years in prison. If one confesses and one doesn’t, the confessor gets zero years, while the silent person gets a 20-year sentence. There is only one position that benefits both: both people remaining silent.

The prisoners’ dilemma illustrates that there is often only one mutually beneficial choice, so it’s important to figure out what exactly that is.

If you are still failing to make headway, it may be because people are negotiating based on gut feelings, not logic. People are emotional creatures, so appeals to logic are often one of the least successful negotiating tactics. For instance, a user may complain that if his or her password is compromised, it can be changed without much trouble, but if the person’s fingerprint is compromised, there’s nothing you can do.

That’s a knee-jerk response not grounded in any facts. However, there’s an emotional basis for that belief: people dislike change, and they don’t want to spend time learning new processes.

Kearns recommends presenting facts in a way that subtly acknowledges the emotions beneath those knee-jerk reactions, but you need to eventually get back to facts.

“My response to worries about using fingerprints for authentication is you have ten fingers. You can use more than one. You can even create fingerprint ‘phrases,’ such as right index finger, left pinky, right index finger,” Kearns said. In other words, Kearns states the facts in a way that shows not only that the company will boost security, but also that fingerprint-based authentication could actually be easier for users than the status quo.

Finally, before entering any negotiation, you should always know your Best Alternative to a Negotiated Agreement (BATNA). No matter how well you follow all of this advice, there will always be someone who says no. There are people who are simply wired that way or who feel like they aren’t doing their jobs if they don’t say “no.” “Auditors come to mind,” Kearns joked.

“It’s important to engage these people,” Kearns added. “You don’t want to lecture them. Instead, engage them in joint problem solving where you all sit down, write down problems, and brainstorm solutions.”

After you do this a few times, you’ll learn that you can actually guide the discussion so everyone arrives at the conclusion you want them to reach.

To figure out BATNA, ask yourself what large goal you aspire to, what smaller goal you would be content with, and, finally, what you could simply live with.

“Executives may not know that what they really need is Risk-Based Access Control (RBAC), but by identifying what they want to avoid by deploying a security solution — even if it’s just avoiding a data breach and the bad PR that comes with it — you’ll be in a much better negotiating position.”