| Excerpt | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Table of Contents
| Table of Contents | ||
|---|---|---|
|
The Business Case for IAM Cost Measurement
Surprisingly, a 2009 survey in Europe found that 49% of its respondents didn’t know nor measure their IAM service delivery costs (KPMG and Everett, 2009, p. 30).
...
Finally, top management should have a strong interest in benchmarking IAM costs. In effect, without any point of comparison, top management is blind and does not know if they allocate a low, average or high level of resources to IAM relative to their competitors. Without comparable cost measures, top management is left with FUD and guts feeling.
Barriers and Negative Effects
There are barriers to cost measurement and the implementation of TCO in particular. These include: the difficulty to gather the data and cultural issues such as resistance to change. Top management support is understood as a key element to overcome these barriers. (Hurkens et al., 2006)
...
Even if cost analysis is exempt of mistake, a sound cost analysis may be subject to misinterpretations or misuse to support political agendas. (Foussier, 2006, chapter 2, Cost Measurement)
Benchmarking and Measurement Scales
The absolute TCO of IAM (IAM TCO (Indicator - IAM)) is not a comparable indicator. For instance, if organization A manages 150’000 core IAM active identities while organization B manages 3’000, absolute costs are incomparable and thus meaningless. But absolute costs may be used as a base metric to compute a comparable indicator, Identity Average TCO (Indicator - IAM), that is expressed as average cost per active identity being managed by the organization.
An Iterative Approach to Standardize the Measurement of IAM TCO
To obtain valid figures that are adequate for performance measurement and benchmarking purposes, it is necessary to develop guidelines and standardize the method. At the same time, it is obviously out of the scope of IAM cost measurement to align the detailed accounting practices of organizations throughout the world. Thus a balance need to be found and we should ask ourselves what is an appropriate method of measurement function of its intended usage and the level of reliability that is needed. (Foussier, 2006, chapter 2, Cost Measurement)
...
Figure: an iterative approach to develop the guidelines and standard methodology for IAM TCO measurement
Distinguishing IAM TCO from IAM Program Cost
When considering IAM costs from the perspective of the overall organizational efficiency, we take an enterprise-wide perspective, use the TCO approach and do not consider who is responsible for what.
...
Definition: IAM Program Cost is the total cost of a program designated as IAM that has a defined scope. That scope may be distinct from the organization’s overall IAM scope, that is some activities traditionally linked to IAM may be out-scoped and other activities traditionally not linked to IAM may be in-scoped.
Accounting Periods
For the sake of simplicity, we skip the complexities linked to accounting periods.
Direct versus Indirect Cost
For cost measurement purposes, the distinction between direct costs and indirect costs is important because the measurement methods are distinct (Foussier, 2006, chapter 2, Cost Measurement).
...
It should be noted that the measurement of indirect costs may also vary between activities. For instance, some activities may have varying costs and may thus be charged (e.g.: the consumption of a workload in an IT infrastructure or cloud) while others may have fixed costs (e.g.: general administration).
IAM Investments and Depreciation
The implementation of Enterprise IAM is known as a complex, demanding and expensive undertaking (e.g.: Royer, 2013, p. 4). Hence, measuring the cost of IAM must not only factor in operating costs but also capital expenses such as IAM projects (deployment of IAM processes and/or systems).
...
When this is not feasible, we recommend that organizations engaged in IAM benchmarking disclose their high-level depreciation methods to facilitate the interpretation of their measures by peer organizations.
Listing IAM Cost Components
Inventorying IAM cost components is key to make measurement comparable between organizations. FOr instance, if PAM is considered an element of IAM by organization A but not by organization B, the cost of IAM will be higher for organization A because their scopes are distinct.Considering that 1) there is no definitive definition of what IAM is, 2) that process modeling is more an art than a science (Reijers et al., 2010, p. 171), and 3) that we may list IAM activities at varying levels of granularity, the following approach is being considered:Once established, this list may be documented with cost estimation methods and used as a checklist by IAM practitioners to measure their IAM TCO.
From literature review, establish an initial list of known IAM activities with corresponding expenditures or costs.Augment this list using cross-checking with the activities expected from the entries in the IAM Process Map. Cf. IAM Process Map.
Establish a beta version 1
Survey IAM professionals to review, comment and enrich this list.
Mark as conditional activities those activities for which there is no obvious consensus in the profession as to whether it should be considered as within or outside the scope of IAM . When engaging in benchmarking, organizations will need to expressly clarify whether these activities were within or outside their IAM scope.Survey IAM professionals asking them to review, comment and enrich this list.
Initiate a first round of benchmarking measurement between voluntary IAM professionals
Adapt the approach as needed.
...
Measuring the Cost of IAM - Cost Categories
Bibliography
...