
What does your IAM spending look like?

With budget planning in progress, many organizations are thinking about their 2021 budget and what percentage of it will be allocated to security and Identity and Access Management (IAM). If this sounds like you, here are some interesting data points to consider.


Is your organization spending too much (or too little) on IAM solutions but not maximizing the return on investment?

According to Gartner, security spending makes up only about 5.6 percent of overall IT funds. Despite the frequent occurrence of large-scale data breaches around the globe, IT leadership struggles to justify security investments and to spend the allocated budget effectively. The security budget has many segments, such as Application Security, Data Security, Cloud Security, Network Security, Infrastructure Protection, IAM and more. We will focus on IAM in this short blog because, within the security budget, many organizations overlook the necessity of budgeting for an appropriate Access Management and Identity Governance program. The following are a couple of key aspects that influence the security budget and in turn impact the IAM budget.

Finding the right size:

Remember the story of Goldilocks and the Three Bears? Goldilocks enters the bears’ house and struggles to find the right size. In the same way, many organizations have developed risk evaluation processes that are too big and unwieldy, generating too much data with too little relevance. Others adopt data collection efforts that are too small, yielding insufficient information to determine the potential impact of a cyber incident on critical assets and systems. Organizations are becoming more aware of the impact of cyber incidents and breaches and of the role of IAM in preventing these threats. The growing number of internal as well as external threats has pushed organizations to implement robust Identity and Access Management systems. When it comes to IAM spending, it is never a “one size fits all” situation! Here are a few pointers to consider while budgeting:

  1. Determine your IAM budget when you estimate your security budget.

  2. Determine the areas in which to invest and ensure the right risks are adequately managed.

  3. Determine if your spending will be for OpEx or CapEx (this may limit the type of solution you select).

  4. Determine the specific IAM components that will address not only your short-term considerations but also a longer-term security strategy. It is expensive to switch from one solution to another within a few years.

  5. Compare your IAM spending to those of your industry peers.

  6. Choose the right vendors (check out our previous blog on “Looking for the right IAM SaaS vendor”).


Please be aware that the effectiveness of your cybersecurity or IAM program does not inherently correlate with your spending. As you analyze opportunities for investment, consider not only how much they cost, but also how much they could save the company or add in value.

Achieving better time to value proposition

A successful IAM implementation requires a solid foundation, a program mindset, and a multi-year plan. A well-crafted multi-year program should incorporate costs for both implementation and business operations to achieve a better time-to-value proposition. Along with this, when determining the security investment, you should align the IAM budget with your business goals. This includes:

  • alignment with the IT roadmap

  • thorough evaluation of the organization’s IAM requirements

  • good understanding of the company’s IAM program goals relating to compliance, security, efficiency, and automation

  • investing in security culture and building a risk posture

Additionally, it is important to identify the return on investment or business value proposition, such as a faster onboarding process, security of unstructured data, and remote access security capabilities. So, what are some of the cost drivers?

  1. Initial assessment cost includes product evaluation, proof of concept, and other internal pre-work

  2. Software license and maintenance cost

  3. Implementation cost involves software installation and setup, both by vendors and by the internal team

  4. Operational cost includes regular maintenance of the software, resource management, infrastructure upgrades, and organizational change

Interesting data to consider as you plan your 2021 IAM budget.


We have been observing that, with sub-optimal utilization and a lack of insight into best practices, many organizations struggle with “where to start?”

At Formmi, our mission is to ensure that our customers get the most out of their IAM program. Our product, AssessIAM, was developed for just this reason. We have successfully helped organizations reduce or eliminate customizations (reducing costs) and develop their IAM roadmap based on both business and security requirements. We have held many educational sessions on Identity and Access Management so that organizations can make informed decisions when purchasing IAM products.

