Before you embark on gaining budget and approval for any IT project, it’s critical that you clearly and precisely articulate its business value. At a time when IT budgets remain tight, you need to stand out from the crowd and make sure your project gets the right level of management prioritisation.
Key to this is presenting a strong business case based on demonstrable needs, realistic goals, and a compelling financial model that clearly justifies the investment – and one that clearly identifies business benefits as the priority.
A carefully constructed business case for an identity management project is essential to moving past the funding barrier. The business case needs to demonstrate how your project will help the CIO and/or CISO to achieve their goals by lowering costs, creating efficiencies in business processes, or improving the level of service to business users.
At the same time, the more this case is related to specific business issues the corporation is facing, the more likely it will be successful. The following four-part process is designed to help you justify the potential budget required, and ultimately, demonstrate the value of the project to the business.
Step 1. Conduct an Internal Needs Assessment
The business case for any proposed project always starts with one fundamental question: Why do you need it? More specifically, what business challenge or problem do you intend to solve with it, and how will that ultimately deliver value to the organisation? The first step in building a business case is assessing internal needs to identify and prioritise challenges that are likely to drive the most value. For identity management projects, you should consider areas such as:
- How much risk is your organisation exposed to by not having a clear picture of who can access what data and applications?
- How long do business users have to wait to gain access to the systems they need to do their jobs?
- Are you facing any issues related to security audit deficiencies?
- How many calls to the help desk are you handling related to forgotten passwords?
- How much are you spending on proving compliance with regulations?
- Are you removing access for terminated employees in a timely manner?
The general drivers for action are well recognised – compliance mandates, business enablement, cost reduction, risk reduction – but identifying the specific issues within your organization is essential to laying the foundation for a strong business case. The rest of the steps in the process all build on the needs assessment conducted at the very beginning.
Step 2. Determine the Baseline
A baseline works much like the “current location” function of a GPS. To map out a path to your goal, you must first know your starting point. Subsequent steps will build on the first two, because they are based on a clear understanding the current situation – current capabilities, processes, participants, and costs. Only with that understanding is it possible to set goals for an identity management project going forward.
Too often, organisations underestimate the scope of an identity management process – whether in terms of the number of employees affected, the number of systems included, or the complexity of detail hidden within application security models. This often will lead to a failure to understand how a project will impact the overall business, which is a recipe for disaster when it comes to implementation and may also water down the business justification for the project to begin with.
To ensure that a good baseline understanding for a project is gained, it’s important to identify all key participants – from the IT operations team, to helpdesk staff, to the security team, to business users – and how they are impacted by your current processes. For example, you should consider the following:
- How many users do you support, including employees, contractors, partners, consultants, etc.? What is the user churn rate?
- On average, how long does it take your organisation to provision a new user?
- What is the average time taken to approve an access change?
- How many password resets are performed per month?
- How many access certifications are performed by the organisation and how often? How effective is this?
- How much time does your organisation spend on policy (such as separation-of-duty) enforcement?
Once your current processes and participants are understood in detail, that information can be used to begin to document the baseline cost of the current approach.
Step 3. Establish Tangible Goals for the Project
Persuasive business cases are built on business goals and benefits. While the selection of a particular technology solution may come down to its architecture or another technical aspect, decisions at the business-case level are made based more generally on the type of solution, the cost and the business value. This should be relatively easy to determine, since much of the work of documenting and quantifying the specific needs, processes, and participants will have already been done in the first two steps.
Most importantly, the business case goals must be measurable. For example, if the business case claims that a new identity management project is going to save the business $10 million over the next five years, you need to know exactly where that money will come from and how you will measure the accomplishment of that goal over time. If you can’t measure it (because you don’t have visibility to the relevant information), it’s best not to include the goal in the business case.
For these reasons the goal setting must also be realistic, which usually means starting small and showing incremental value over time. It can be broken down into multiple phases, rather than being undertaken all at once. Successes in the first phase can be used to document and validate the assumptions that drove the project to begin with and establish that the projected benefits are indeed realistic and attainable. This can help unlock funding for future phases – potentially in far greater amounts than might have otherwise been available initially.
Step 4. Create the Financial Model
If you think of calculating business value as the process of weighing the benefits of a project against its costs, then the obvious first thing to do when creating a financial model for the project is to quantify the benefits you determined in step three. Specifically, you should consider how much money the project will ultimately save the organization and how much more productive it will make employees.
Admittedly, there are some aspects of the business case that will be easier to do this for rather than others. For example, calculating the value of automating access certification processes is infinitely more straightforward than calculating the value of shutting down errant access. However, these benefits are real and therefore should be included in the justification as well.
Another component of the financial model is to estimate the projected costs. This is a matter of thinking through how the project will unfold and what costs will be associated with each aspect. This can be a range of factors including:
- What type of software/hardware technologies will you require?
- What will the cost of implementation services to deploy the project be (whether they be out-sourced or staffed internally)?
- What sort of ongoing support and maintenance will be needed for the project?
Once the potential benefits and costs associated with a project are understood, there are several ways to measure value. Every organisation has its own preferred metrics, but the key is to align the financial model with the benchmarks that management expects to see. Payback period and ROI (better yet, IRR) are typical metrics used by many organisations, and both are easy calculations to include as part of a financial model.
Paying Off the Business Case
Too many projects get turned down because of lack of information to justify their need and value. By taking the steps above, you are arming yourself with the information required to thoroughly and efficiently educate your senior leadership on why the business needs to implement an identity management project by highlighting the current challenges and potential ROI. A well-developed business case can ensure that you get the right support and appropriate funding, and can help show that you are a forward-thinking member of the organisation.
As you kick-off your identity management project, it will be beneficial to take a phased approach looking for projects that can be deployed and show value in just a few months. After demonstrating the pay off by improving security, and/or compliance and reducing costs, you can then build on that success in future phases. By quickly kicking off your identity management projects and demonstrating value, you can gain credibility and help lock in support for further development and funding.