How to develop your business case for investment in identity and access management

There is no doubt that identity and access management (IAM) offers a multitude of business enhancement opportunities. It is crucial that this management discipline is not regarded as simply another tool to repair technological problems. However, it’s clear that Chief Information Security Officers (CISOs) and other members of the IT Security team often encounter a serious lack of organisational understanding and difficulties in communicating the business values offered by IAM.

Its commonplace for narrow IAM solutions, with limited capabilities, to be deployed by organisations to fix specific access control issues. It’s these deployments that can severely damage and foster mistrust towards IAM projects to fulfil business requirements.


By pursuing a business-centric approach to managing digital identities and authorised users’ access, IAM projects can then better focus on fulfilling business objectives. Taking this route ensures consultations are conducted with all relevant stakeholders, internal departments and, in some cases, external entities, to properly identity business needs, constraints, risks and benefits.  

Before look into a business-centric approach to IAM, it’s crucial to establish some of the difficulties associated with certain types of IAM business cases. The drivers for instigating the development of a business case for an IAM project stem for four main business challenges:

  1. Risk reduction
    Increasing fraud and associated losses or changes in risks profile, from a discovery of vulnerabilities, threat intelligence and possibly attitudes towards risk appetites, could result in initiatives to revise access controls to an organisation’s information assets. The organisational perception of IAM projects, based solely on addressing risks, is that IAM is a cost to be controlled rather than a business capability in which to invest. The management of business risks however, is a business activity. Knowledge of who has access to which organisational assets to perform various business activities informs risk management processes, e.g. periodic risks assessments.
  2. Regulatory compliance
    Regulatory authorities, particularly in the finance and health care industries, have increased their regulatory requirements to ensure that organisations closely manage and control user access. Nevertheless, an organisation’s executive committee is unlikely to initiate long-term IAM initiatives based solely on the need to comply with regulations while minimising costs. Therefore, strategic IAM initiatives based solely upon risks reduction and compliance drivers need to be complemented by other tangible business benefits.
  3. Productivity improvements
    While potential productivity gains may be realised over a protracted period, e.g. 5 years, it is difficult to construct a viable business case based upon return on investment (ROI) calculations because costs savings and, particularly reducing employee numbers, are rarely realised. It is also difficult to justify potential productivity gains when the costs of the IAM project itself need to be accommodated.
  4. Business enablement
    The introduction of new business capabilities is a compelling driver to many executives for establishing a business case to enhance IAM capabilities. The articulation of introducing new business capabilities are easier to explain to executives than potential productivity gains, minimising of risks and/or reduction of operating costs. Organisations should pursue a business-centric approach, because the business values are articulated in business terms and the success of the IAM project is related to the fulfilment of stakeholders’ business objectives. The business’ requirements for an IAM system may then be expressed in terms which reconcile directly with the stakeholders’ objectives.

While it may be desirable to approach to produce a comprehensive business case for strategic investment in IAM, there are situations where practicality is key. Organisations should only work with solutions and suppliers that have a demonstrable track record of deploying an integrated set of foundational IAM technological components. This strategy enables an organisation to manage the identity and access of all types of user as its business needs evolve and also to respond quickly to an organisation’s business needs.