Before you embark on gaining the budget and approval for any IT project, it’s critical that you clearly and precisely articulate its business value. At a time when IT budgets remain tight, you need to stand out from the crowd and make sure your project gets the right level of management prioritization. The key to this is presenting a strong business case based on demonstrable needs, realistic goals and a compelling financial model that clearly justifies the investment – and one that clearly identifies business benefits as the priority.
The business case is your ticket to getting your identity program into the paths (and minds) of your executives.
A carefully constructed business case for an identity management project is essential to moving past the funding barrier. The business case needs to demonstrate how your project will help the CIO and/or CISO achieve their goals by lowering costs, creating efficiencies in business processes or improving the level of service to business users. At the same time, the more this case is related to the specific business issues the corporation is facing, the more likely it is to succeed. In order for your program to be successful and make its way from planning to funding, you need to build it right. The four-part process that we’ll go over in the following pages is designed to help you justify the potential budget required and ultimately, prove the value of the project to the business.
The Four Steps to a Successful Business Case
Step 1: Conduct an Internal Needs Assessment
The business case for any proposed identity management project always starts with one fundamental question: Why is it needed? Or, more specifically, what business problems do you intend to solve with identity management? And how will that ultimately deliver value to the organization? The first step in building the business case is, therefore, assessing internal needs to identify and prioritize challenges that are likely to drive the most value. It’s important to be extremely specific about the challenge or area to be addressed.
The general drivers for action are well-recognized – compliance mandates, cost reduction, business enablement, risk avoidance – but identifying the things that are specific to your organization is essential to laying the foundation for a strong business case. The rest of the steps in the process all build on the needs assessment that’s conducted at the very beginning.
For instance, if you are in a highly regulated industry, compliance and risk avoidance are going to be major concerns for the executives in your organization. Knowing who has access to what applications and systems in the company should be a top priority in order to show the organization is compliant with regulations and is effectively managing risk.
Other organizations may be focused on cost management and seek to lower the burden on the helpdesk by automating password resets and access requests. Improving business productivity can be another important goal if slow, inefficient processes are barriers to getting your business users the access they need.
Ask yourself these questions:
- How much risk is your organization exposed to by not having a clear picture of who can access what data and applications?
- How long do business users have to wait to gain access to the systems they need to do their jobs?
- Are you facing any issues related to security audit deficiencies?
- How many calls to the help desk are you handling related to forgotten passwords?
- How much are you spending on proving compliance with regulations?
- Are you removing access for terminated employees in a timely manner?
Step 2: Determine the Baseline
Establishing a baseline requires you to analyze what’s working and what’s not in your current environment. Creating a map that thoroughly documents the process – identifying which parts are done manually, which are automated, how long they take and so on – will ultimately make it possible to understand how the work gets done and the associated costs. A clear understanding of the current situation – current capabilities, processes, participants and costs – will make it possible to set goals for an identity management project going forward.
The baseline almost works like the “current location” function of a GPS; to map out a path to your goal, you must have a starting point. Too often, organizations underestimate the scope of an identity management process – whether in terms of the number of employees affected, the number of systems included, or the complexity of detail hidden within application security models. This often will lead to a failure to understand how a project will impact the overall business, which is a recipe for disaster when it comes to implementation. It may also water down the business justification for the project at the start. To ensure that a good baseline understanding for a project is gained, it’s important to identify all key participants – from the IT operations team, to help desk staff, to the security team, to business users – and how they are impacted by your current processes.
Ask yourself these questions:
- How many users do you support, including employees, contractors, partners, consultants, etc.?
- What is the user churn rate, and how long does it take to provision a new user?
- What is the average time taken to approve an access change?
- How many password resets are performed per month?
- How many access certifications are performed by the organization and how often? How effective is this?
- How much time does your organization spend on policy (such as separation-of-duty) enforcement?
- Is single sign-on a concern for your cloud and on-premises apps?
Step 3: Establish Tangible Goals
That may sound like an obvious point, but it can be easy to get bogged down in technical terms and lose sight of the business benefits. The people who make funding decisions are generally business-oriented rather than technology-driven. So while the selection of a particular technology solution may come down to a technical aspect, decisions at the business-case level are made based on what kind of solution the organization is acquiring, its cost and what its ultimate business value will be.
A second point to remember in setting goals is that they must be clearly measurable. If, for example, you’ve projected that you’re going to save the business $1 million over the next two years, you have to be able to show how you’re going to attach specific measurements related to that goal.
Similarly, if you’ve projected that you’re going to reduce help desk calls for password resets or provisioning requests, you must be able to show how you’re going to measure the reduction.
Make sure you include:
- Financial goals: costs recouped, reduced or avoided, and where these costs are being saved.
- Time savings: how much time you can expect your IT and business staff to save from some tasks being automated.
- Measurements: Put concrete numbers on your goals so you’ll know if you’re on track.
- Time frames: specify time frames for each phase of the project, with incremental goals.
The final point for goal-setting is to be realistic, which can mean starting small and showing incremental value over time. This allows the project team to establish credibility by not overstating the expected benefits. For example, a project can be broken down into multiple phases, rather than be undertaken all at once.
Successes in the first phase can be used to document and validate the assumptions that drove the project to begin with, establishing that the projected benefits are indeed realistic and attainable. This can help unlock funding for future phases – potentially in far greater amounts than might have otherwise been initially available.
Goal-setting should define an actionable plan to get the results your business needs.
Step 4: Create the Financial Model
Calculating business value involves the process of weighing the benefits of a project against its costs. Estimating costs is a matter of thinking through every aspect of how the project will unfold and any associated costs. You need to first account for implementation: the hardware, software, personnel or other resources you’ll need to get the identity management solution up and running. Once that phase is complete, the maintenance costs you expect to incur from those same areas (or any additional ones) also need to be included in your model.
Your next step is to quantify the project’s benefits. You will need to document the specific improvements and how you will save the organization money with a new identity management solution. How much will you save by reducing compliance costs? How much will you save by reducing help desk incidents? How much time will you save users waiting for access? Assigning a value to each of the areas in which you will add value to the organization – compliance, IT operations, user productivity and security risks – will add a measurable value to the business case that executives can not only understand in a moment, but also get excited about.
Cater the business case to what your executives expect and want from an identity management solution while also satisfying the needs of the organization.
Once you understand the costs and benefits associated with a project, there’s more than one way to measure its value. Every organization has its own preferred financial metrics. It may be based on the payback period, i.e., how quickly the investment in the project can be paid back in terms of months or years. It may be based on the return on investment (ROI), i.e., how quickly it can be paid back in terms of the valued time or funds invested. The key is to align the financial model with the benchmarks that management expects to see. Payback period and ROI are typical metrics used by many organizations and are both easy calculations to include as a part of your financial model.
Ask yourself these questions:
- What does the implementation phase look like in terms of both costs and benefits?
- How will the benefits of implementing identity management impact your current team’s workload?
- What kinds of costs are you currently incurring that you may be able to avoid?
- How are IT and the business going to maintain the program after initial implementation?
- What type of software/hardware technologies will you require?
- What will the cost of implementation services to deploy the project be (whether they are outsourced or staffed internally)?
Paying Off the Business Case
Too many projects get turned down because of lack of information to justify their need and value. By taking these four steps, you are arming yourself with the information required to thoroughly and efficiently build a business case for implementing identity management in your organization. A thorough and thought-out business case will educate your senior leadership on why the organization needs to implement an identity management program by highlighting the current challenges and potential ROI. These steps can ensure that you get the right support and appropriate funding, and can help show that you are a forward-thinking member of the organization.
As you kick off your identity management project, it will be beneficial to take a phased approach: look for projects that can be deployed and show value in just a few months. Using a short-term, iterative process rather than a long, drawn-out “all or nothing” one will help the business realize the value of your program more quickly and aid in its future development.
After demonstrating the payoff by improving productivity and/or compliance and reducing costs, you can then build on that success in future phases. By quickly establishing your identity management projects and demonstrating value, you gain credibility and help lock in support for further development and funding.
Need some help determining what your important metrics might be? Print out this list and use it while you make your business case.
Checklist: Including the Necessary Metrics
It’s important to quantify the financial benefits of your identity management project. Here are some common metrics you should consider including in your business case:
- Reduced time to compile access certification reports
- Reduced time to review and complete access certifications
- Reduced time to detect and remediate access policy violations
- Reduced time to compile audit reports
IT Operational Efficiency
- Reduced number of help desk incidents relating to passwords
- Reduced number of help desk incidents relating to access requests/changes
- Quicker help desk resolution times
- Fewer help desk escalations
- Reduced number of access changes performed by application administrators
- Quicker new hire provisioning
- Quicker ad hoc access changes
- Quicker approval times on change requests
- Quicker resolution of password incidents (forgotten password, resets)
- Expanded access certification coverage – more applications/users
- Quicker deprovisioning of terminated workers
- Quicker detection and removal of orphan accounts
- Higher number of excess privileges revoked during certifications
- Higher number of service and duplicate accounts revoked during certifications
- Expanded number of applications with enforced password policy
- Reduced number of passwords for users to remember via single sign-on
- Expanded number of applications with multi-factor authentication