Skip to Main Content
Identity and Access Management (IAM) is a key enabler of enterprise businesses: it supports automation, security enforcement, and compliance. However, most enterprises struggle with their Identity and Access Management strategy. Discussions on IAM primarily focus at the IT operational level, rather than targeting strategic decision-makers' issues, at the business level. Organizations are experiencing an increasing number of internal and external threats and risks: there is scarcity of resources and budget to address them all. Decision-makers (e.g., CIOs, CISOs) need to prioritize their choices and motivate their requests for investments. This applies for investments in IAM vs. other possible security or business investments that could be made by the organization. In this context, a range of possible IAM investment options has an effect on multiple strategic outcomes of interest, such as assurance, agility, security, compliance, productivity, and empowerment. We have developed a repeatable approach and methodology to help organizations work through this complex problem space and determine an appropriate strategy, by providing them with decision support capabilities. The proposed approach, validated in collaboration with security and IAM experts, couples economic modelling (which explores decision-makers' preferences between the different outcomes) with system modelling and simulations to predict the consequences (likely outcomes) associated with different investment choices and map them against decision-makers' preferences, in order to identify the most suitable investment options. We illustrate how this methodology has been applied in an IAM case study, in a business-driven context with core enterprise services. This work is in progress. We discuss current results and next steps.