Making the Business Case for IAMHow to Get Buy-In From Senior Leadership
Recently I was asked to participate in a discussion with several very knowledgeable individuals on the need for identity and access management tools in today's healthcare environment. I was happy to participate in this discussion because I know first-hand the challenges our clients face each and every day in trying to manage the identity and the access of their many workforce members.
Identity and access management is one of the most fundamental tasks healthcare organizations have to accomplish with tremendously broad operational and compliance implications - real, tangible business implications.
Identity and access management is one of the most fundamental tasks healthcare organizations have to accomplish.
In that recent discussion, we enumerated many of the factors affecting identity and access management, the primary focus areas addressed with IAM tools and the multiple operational and compliance implications involved. At the end of the session one question stood out - it's one that I hear over and over again from audiences around the country: How do you persuade leadership to approve an investment in these types of solutions?
The answer is to respond with the business case for investing in this technology, and not simply quote security doctrine, threat information or compliance risks. Today's healthcare leaders are busy people with tremendous responsibility and many competing priorities; managing risk - business risk - is their domain.
Return on Investment
The good news is that unlike some other security or compliance related technologies, IAM solutions have a clear return on investment and a positive impact to the business that can be described for business leaders. For example, the tools generate a substantial savings in the time that it takes to get a new employee or workforce member set up and working.
The average healthcare workforce member may have as many as two dozen accounts they need to have set up at an average of 5 minutes per site for a whopping two full hours for provisioning per person. Time is an important issue with any business, but one that can be critical for a healthcare organization that needs an emergency room nurse on duty right away and wants to do so without putting their compliance at risk.
Now add to this the number of people waiting to be provisioned, let alone pending changes and terminations. Additionally, consider the amount of time users spend dealing with multiple unsynchronized passwords that they are forced to remember and manage, plus the time it takes help desk workers to assist staff members who forget those passwords.
Supposedly the average user calls the help desk four times a year, and I've heard those calls can cost from $35 to $70 each. That adds up quickly.
But there are other IAM intangible impacts, as well. That includes a reduction of risk by the elimination of errors due to manual practices, or the more timely and accurate changing or elimination of access when workers change positions, get promoted or are terminated. This - combined with the compliance benefits, such as more accurate access management, better auditing and monitoring of user access and the reduction in time spent on handling compliance inquiries and investigations - presents a clear picture of benefit to leadership.
IAM solutions not only provide better protection for sensitive information; they enable operations, simplify processes, create efficiencies and promote compliance.
Making the Case
However, the problem is we don't always do a good job of making the case for the investments in security technologies or communicating why organizations need to make the investment in order to meet today's data protection challenges. All too often, chief information security officers attempt to make their case based on some security or compliance requirement or threat information.
The problem is that while these can be legitimate reasons for investing in a security technology like IAM, they don't always resonate directly with the challenges and objectives of the business. They make the risk management case for the investment, but not the business case.
If we want senior leadership to sit up and listen to requests for investments in security, we need to explain why and how those investments will further the business objectives of the institution - not just improve our security posture. Senior leaders are often faced with tough budget decisions, and absent a clear picture of the value of a solution to the business, the discussion may be over before it ever begins.
Mac McMillan is co-founder and CEO of CynergisTek Inc., an Austin, Texas-based consulting firm specializing in information security and regulatory compliance.