With all the stories of failed implementations, starting an identity governance initiative in your organization can seem like a daunting task. However, it doesn’t have to be a painful process. After more than a decade of experience with hundreds of organizations, SailPoint has identified the most common “pitfalls,” as well as how to avoid them.
- Approaching identity as a project, not a program
- Involving not enough, or the wrong people
- Not properly planning or justifying the program
- Sequestering the program in the organization
- Attempting to “boil the ocean”
Approaching Identity as a Project, Not a Program
Perhaps the most common problem, which spans every industry, is that its all too easy to use “program” and “project” interchangeably. While similar in nature, it’s important to think of these as separate ideas within the larger IT security ecosystem, and they each have distinct purposes. Understand early on that this is a longterm program that is made up of smaller projects.
Identity program — encompasses the entire implementation timeline with a focus on the long-term and a set of related measures, events and activities; After the program to implement identity was completed, the organization had achieved its original goals, had saved money and was more efficient in its security processes.
Identity project — a short-term set of goals that is focused on a particular aim, usually run by an individual or team; The project was focused on identifying the differences between the current and ideal provisioning processes.
Not understanding the implications that these two words carry can lead to varying expectations on timelines, resources and commitment. In order to best protect the information your organization considers sensitive or otherwise important, securing the access to that data should be your first priority. In order to do this, you must put identity at the center of your IT security. This is not a short three-week project, but rather a structural change and improvement to how your security ecosystem operates today that involves incorporating IT controls into the business.
- Splitting up the program into a set of projects makes the program easier to implement for the whole organization.
- Projects are short and iterative, focused on completed a smaller task or set of tasks, and tied to a set of metrics along the way.
- Give the team involved measurable milestones and achievements throughout the full implementation cycle.
Involving Not Enough, or the Wrong People
Identity programs touch virtually every department and business unit and involve collaboration with business managers. In order to be successful, almost every program will need the following key individuals to helm and guide the program:
Your first order of business is to have an executive sponsor, the owner and figurehead of the program. This is who makes the identity program what it is, makes it relevant to the business, and ensures a steady source of funding and resources. They are also to whom escalations are given for final decision-making.
Steering Committee & Stakeholders
Directly below the executive sponsor in the chain of command is the steering committee and stakeholders. These are the individuals who are regularly involved and can weigh in on design and issues, as well as help the program remain relevant to each department in the business. Involving a wider audience is imperative to an identity program’s success; we have seen IT-oriented projects leave this committee out and as such, the identity program is an isolated piece of IT infrastructure that isn’t relevant because of the lack of input during the implementation process.
The last piece of the foundation for the identity program is the program manager(s). They help coordinate and run the program by interfacing and managing individual project streams or managing the wider influence of the identity program within the business.
Not Properly Planning or Justifying the Program
It’s not just the people that are important to an identity program’s success, however. You also need certain definitions and guidelines.
A program cannot live without a purpose or mission, and the business case does just that. It also establishes the spirit of the program and may help to defend its existence. This is where the team you put together can especially help to ensure the program is seen as necessary from all points of view.
Every program needs resources to keep going, and identity governance is no different. Once the business case has been approved, funding needs to be secured. Different programs can use different means of funding from a single, defined source, to a pooled budget garnered from many different departments. This is where your executive sponsor is of particular benefit. However, funding should not be a single iteration; a stream of resources must be available, as security is not something that simply goes away once an identity solution and process are in place. Your business, employees, and the world at large all change as time goes on, and so too will your identity program.
Just as you have to break up a program into smaller pieces – projects – to make the program more easily attainable, you must also plan out a roadmap. This does not need to be an exhaustive list, but rather a high-level “this is what we want to accomplish, our timeline and how we’re going to achieve it.” The identity program and its supporters should be in the habit of evangelizing the long-term goals while marching towards the short-term ones.
The last piece is the communication within the program. The people involved in the program need to quickly and easily understand each other, and essentially, writing a glossary of terms helps keep everyone on the same page. Don’t reinvent the wheel, however; use industry terms as often as you can.
Sequestering the Program in the Organization
Just like with the identity program at large, you need key individuals and assets for your identity projects to succeed.
Each project needs to be led by a project manager, who is in charge of managing the delivery of the project within given resource and time constraints. This can be the same person as the program manager, depending on the scope of the program and project. This person monitors and reports issues, risks, milestones, and tracks progress, as well as ensures the success of the project overall.
Every project also needs to have individuals assigned for the process work in addition to communicating about and for the project in the wider-business groups. Leveraging the program stakeholders here is important to make sure that things get done and decisions get made.
We refer to technology as the technical or operations staff involved for the technical delivery of the artifacts. The key to this piece is making sure the technical staff understands the business side of things as well.
Attempting to “Boil the Ocean”
When designing your projects, it is important to keep things measurable and realistic. This ensures the project is something that can be attained in the time you have planned. To help keep the project both measurable and realistic, there are certain components you need to create.
Requirements and Goals
The requirements and goals for each project need to be high level and dictated by the program’s roadmap, while also being prioritized to continue to give incremental success back to the identity program. As you’re creating the requirements and goals for the project, keep the scope simple and you’ll have a better chance of delivery back to the business.
Expectations and Assumptions
As with all pieces of each project, it’s important to keep your expectations realistic. You need to encourage a high level of data quality, but you also need to plan for what you will do should you receive any bad data. Additionally, assume that you will need to find information about the systems your business uses and plan accordingly. If you do not have to source this information, it will only enhance your timeline and chance of success.
Map out the dependencies for the project, including those it may have with other projects in the program or resources the project will tax. List the dependencies other parts of the business will have on this project, including the forecasted impact the project will have when it is completed.
Be realistic with respect to a project’s timeframe and remember to not overpromise or under-commit. Specifically, be cognizant of the areas of hardware procurement, resource constraints, and outsourcing that may delay the project and put it off-track.
SailPoint Can Help
While implementing identity governance is a daunting task, it’s not one that you must face alone. In addition to gaining the right supporters within your organization, SailPoint is poised to help your identity program succeed. We have helped hundreds of organizations just like yours migrate from older, legacy programs in addition to creating brand new systems where there were none before.
Trusted market leader. SailPoint is 100% focused on identity. You won’t find us dabbling in all aspects of security. We have deep roots in identity governance technology, implementations and best practices. We hire the best and brightest in our field, and with us, you get guidance and support from one of the strongest teams in the world.
Consistently high user satisfaction. With a consistent customer satisfaction and retention rating of 95%+, we set the customer service standard for the identity industry. We are committed to providing a mutually-rewarding experience that extends throughout the relationship lifecycle.
Proven ROI. At SailPoint, we help our customers achieve measurable business results. As an example, a leading process manufacturer saved over $1 million by implementing SailPoint.
Extensive partner network. SailPoint builds strategic partnerships with companies around the world to ensure we have trained sales and delivery partners to best serve our customers.
Analyst validation. SailPoint has been recognized by top industry analysts for market leadership and technology innovation for multiple years. We are the largest and fastest-growing independent identity company in the world, with offices all over the world.
You might also be interested in:
Find out how SailPoint can help your organization.