WHITE PAPER

The business case for identity

and access management (IAM)

© 2017 Oxford Computer Group

WHITE PAPER

As organisations look to take advantage of the opportunities digital offers, traditional

IAM solutions are under increasing strain. A modern IAM strategy can provide the
foundation to propel a business, enabling them to take advantage of today’s dynamic
business landscape. In today’s cloud-first, mobile-first world, IAM enables the right
people to access the right information, anytime, anywhere, and on any device. But how
many businesses have taken the time to analyse the short, medium and long-term
business benefits that can be derived from a modern IAM strategy?

Introduction Having an executive sponsor, who supports the long-term

vision and has responsibility over multiple business functions,
Organisations often see IAM as a number of discrete IT is crucial to the process of justifying the investment, ensuring
projects that offer ‘quick-fix’ operational solutions or a ‘tick-in- it is equitable and, later on, removing roadblocks to the
the-box’ for compliance. When modernising an IAM strategy, project. That said, it is still critical that the business case is
bolting additional technologies to your original solution may compelling in its own right.
seem like the easy answer. However, whilst implementing a
combination of tactical solutions is a perfectly valid approach, With the continued drive towards cloud and mobile working,
it may compromise your IAM strategy and put your business businesses are considering modern and secure IAM as more
at risk. It is only by taking a holistic and updated view of IAM important than ever. The ability to enable seamless and
that you can deliver an effective and secure solution that flexible user access whilst keeping corporate data secure is
provides real return on investment (ROI) to the business. now a compelling element of the business case.
The purpose of this white paper is to provide a suggested
approach for analysing the business benefits that can be Key business challenges
derived by deploying a modern IAM strategy, providing a
useful matrix to help justify the costs. It is not intended to To analyse the business benefits, first we need to understand
be a complete ‘how-to’ guide, rather a helpful discussion on the key business challenges that an effective IAM solution
methodology, issues to consider, and areas of your business and strategy can support and overcome. These business
to examine. As identity is now widely regarded as a crucial challenges can be categorised into four areas:
element in the defence strategy against proliferating cyber
attacks, it should be given the same priority at board level as 1. Compliance
investing in a cyber security strategy.
Regulatory compliance continues to be one of the main
business drivers for IAM. Companies must be in a position to
How to approach the ROI calculation know who is accessing what data and when throughout the
organisation, and to be able to provide attestation to that
While IAM projects typically affect many, if not all, fact. Failure to do so can lead to significant sanctions, fines
departments in an organisation, the catalyst for a project and legal action.
may often come from only a single one of those functions.
When calculating the ROI, it is important to look at the long-
term benefits across the entire organisation, and not to overly 2. Operational efficiency
focus on the initial and obviously tangible operational savings Providing people with timely access to the tools, systems and
made in the early phases. devices they need to do their job effectively is crucial. The
While it certainly is important to realise benefits early, if these costs of managing people and their associated access rights
wider and longer-term issues are not considered, it may be and credentials can be high. It is thought, for example, that
difficult to form an adequate cost justification. One business 1 in 4 help desk calls are password-related, and automated
function may have problems funding the license and initial account provisioning alone can save £30 per user per annum
implementation costs, whereas - in reality - subsequent (Datamonitor).
business functions will also be able to leverage the platform.
The risks this brings to the project include:
■■ A perception of unfairness about funding (which affects With the continued drive towards cloud and
the co-operation necessary in such projects) mobile working, businesses are considering
modern and secure IAM as more important
■■ The project not being funded
than ever.
Security
■■ Underfunding, which can lead to a failed project

White Paper The business case for IAM oxfordcomputergroup.co.uk Page 2 of 5

© 2017 Oxford Computer Group

WHITE PAPER

3. Security 1. Known and measurable benefits

Security has always been a key driver for IAM and as users These are actually the easiest and most tangible benefits to
expect to access data at anytime, from anywhere, and on identify, as you can calculate a specific cost-saving for them and
any device, identity and security has become a top IT priority. run through a spreadsheet. Examples of these include:
During recent years, we have seen an increasing number of
high profile security lapses, which have resulted in the theft ■■ Reduced administrative effort, which cuts the requirement
of IP, data, and other valuable resources. Suffering a security for FTEs
breach can also lead to significant industry fines, as well as ■■ Reduction in help-desk calls (password resets, group
damaging the reputation of a valued brand. A modern IAM management, etc.)
solution can combine efficiency and security to both enable
its employees and to protect its corporate assets. ■■ Reduced downtime - contractors and employees don’t
lose time waiting for system access
■■ Immediate ‘switch-off’ of cloud services or other licenses
4. Business agility
when no longer needed
Agility is all about business innovation and competing in a ■■ Appropriate enablement - only paying for the services
highly competitive global economy. There is a fundamental and licenses required
business imperative to connect with customers and partners
in new ways, using new cloud-based applications and ■■ Reduced costs for user account provisioning and de-
allowing anytime-anywhere access. For some organisations, provisioning/management, in the case of both logical and
being able to respond quickly and efficiently to changes to physical access systems
the business environment - such as mergers, acquisitions and
re-structures - is also vital to their competitive advantage.
2. Known but not measurable benefits
These are benefits which are very obvious to all involved, but
It is important to note that these business challenges
very difficult to quantify and measure accurately. Examples
are common to all organisations irrespective of their
industry sector, although the relative importance of include:
the factors will vary. For example, compliance is often ■■ Staff redeployed to more productive work
more important for financial organisations, whereas
operational efficiency may be the key driver for public ■■ Users spending less time waiting for access issues to be
sector businesses. Ultimately, an IAM solution should resolved
address them all. ■■ Group memberships always matching current permissions
■■ Less effort to perpare for audits
Identifying the business benefit ■■ Users being able to access data securely from any device
Now we have identified and categorised the key business ■■ Fewer security breaches
challenges that an IAM solution can address, we need to
identify and quantify the specific business benefits derived, so
that a compelling case can be presented, or, indeed, refuted.
This is often the stage where projects fail before they even
get started, as unrealistic expectations are presented in
order to secure funding. It is this that often leads to projects
being prematurely pulled as the reality of the results are far
removed from the initial expectations.
It is therefore crucial that you set realistic expectations in
your business case, encouraging management to understand
the business benefits and ROI in relation to the long-term
business vision.

Categorising the benefits

For each of the four elements discussed above, we need to
ascertain the specfiic benefits that will be derived from having
a robust and modern IAM strategy. There are four elements
to consider when making this calculation.

White Paper The business case for IAM oxfordcomputergroup.co.uk Page 3 of 5

© 2017 Oxford Computer Group

WHITE PAPER

3. Future benefits A proven way to achieve this is to run an envisioning

session that includes all key stakeholders from IT and across
Future benefits relate to the fact that once you have an up-to-
the wider business. During the session, you can review
date IAM platform or infrastructure in place, it makes life a whole
business pains, imperatives and priorities, producing a Vision
lot easier to address future business requirements. Examples Statement that can form the basis of a subsequent strategy
include: and action plan.
■■ Adoption of new line of business applications, much easier
to provision users
Vision Statement
■■ Adoption of cloud services, much easier to provision and
manage users (data is more accurate) Your Vision Statement should define what your organisation’s
long-term goals are in relation to IAM. While the vision will
■■ Shared services or federation with partners, suppliers or often not be achievable in one go, it can be broken down
customers into bite-size projects that independently add value while
■■ Agile organisation being able to adopt new structures and aligning to the long-term goal. Usually an organisation will
approaches (acquisition etc.) set a timeframe of 2 to 5 years to achieve their vision, with a
number of 3 to 6 month engagements combining to achieve
this.
4. Side effects Examples of vision statements may be:
Finally, side effect benefits, which again are very difficult to ■■ Enable all users to access all systems (relevant to their
quantiify but are also important, should be addressed within role) from any device
the business case. These often relate to the avoidance of
■■ Provide all users with a single set of credentials to access
consequences, such as other (non-quantifiable) security
all IT systems
breaches, or penalties for non-compliance with external
regulations. Examples would include: ■■ Provide a secure collaboration experience for employees
with key partners and suppliers
■■ Not having your organisation’s reputation damaged in the
press ■■ Provide a secure and consistent user interface for all
employees to access IT services, irrespective of the devices
■■ Not losing your job
they are using
■■ Directors not facing legal action
■■ Maintaining competitive edge by protecting and using IP Strategy
Once an organisation has defined their vision, there will
Next Steps be a number of strategic decisions that need to be made.
Common examples of these would be:
It is important to note that a reasonable amount of work
is required in order to fully analyse and properly prepare ■■ Selection of technology vendor
a business case for IAM. However, when you consider that ■■ Selection of systems integrator
an IAM solution should be seen as a strategic business
■■ Definition of a cloud strategy
opportunity, rather than a tactical IT solution, then it makes
sense to invest the time needed to define a vision and create ■■ Definition of an enterprise mobility strategy
a detailed business case.

Known & not

Known & measurable Future benefits Side effects
measurable

Compliance

Operational efficiency

Security

Business agility

White Paper The business case for IAM oxfordcomputergroup.co.uk Page 4 of 5

© 2017 Oxford Computer Group

WHITE PAPER

Action Plan
Finally, an action plan can be built to define the tactical About Oxford Computer Group (OCG)
projects, which will independently add business value whilst Oxford Computer Group helps businesses facing identity
delivering the overall vision.
management, cloud transformation and enterprise
Examples of these may include: mobility challenges stay in control. With employees,
■■ Provision of a white pages application partners and consumers active anytime, anywhere and
on any device, we ensure it’s not just anyone who has
■■ Self-service profile management
access to your corporate data.
■■ Self-service password reset
Technology and the way people work are changing fast.
■■ Automated joiner/mover/leaver process
Although cloud computing and a mobile workforce offer
■■ Role-based access control substantial productivity and cost saving benefits; they also
■■ Single sign-on bring complexity and security concerns.

■■ BYOD/CYOD Oxford Computer Group works closely with its customers

to deliver solutions that better manage relationships,
Now you can use the approaches suggested in this
document to build your benefits analysis and associated simplify IT and mitigate risks posed by significant
ROI. This will help you to maximise the success of your IAM technical and organisational change.
project and the business benefits derived. Our ability to achieve real business value for our
customers has been recognised by Microsoft. We have
Conclusion been awarded either Winner or Finalist status for the last
10 years in either the Identity and Access or Enterprise
Stepping back from the pressing day-to-day issues and Mobility categories. As Microsoft’s Alex Simons says,
taking some time to consider all the ways in which your
“There is no other partner in the world we work more
organisation could benefit from a modern approach to IAM
is important. Those who do, find it easier to gain executive- closely with than OCG.”
level sponsorship and to obtain appropriate levels of funding. Microsoft provides the market-leading technologies;
They are also better-equipped to deal with the inevitable we provide the vision and innovation to ensure our
short-term requirements that can arise within a business, customers harness the opportunities new technology
while still moving towards their strategic IAM objectives and brings.
vision.
Conversely, the risk for organisations without a clear vision
and strategy is that when the inevitable short-term business
requirements do arise, sub-optimal decisions may be made
which can waste signifcant budget, time and resources.

When you consider that IAM is a strategic business

opportunity, rather than just a cost, surely the
benefits of investing some time to define your
modern strategy makes good sense?

Oxford Computer Group T 0800 044 5009

6th Floor, Seacourt Tower F 0800 044 5003
West Way, Oxford E [email protected]
Oxfordshire @OCGUKOfficial
OX2 0JJ

White Paper The business case for IAM oxfordcomputergroup.co.uk Page 5 of 5

© 2017 Oxford Computer Group