
Title

Measuring the Cost of IAM - Methodology

Version

1.1

Status

Draft

Summary

This research note discusses how IAM costs may be measured in such a way as to yield meaningful, comparable and reproducible results, form the basis for the development of performance indicators and enable benchmarking between organizations.

Out-of-scope

The key question of the value created by IAM is not discussed in this article and will be discussed in separate research notes.


...

Figure: an iterative approach to develop the guidelines and standard methodology for IAM TCO measurement

Distinguishing IAM

...

TCO from IAM Program Cost

When considering IAM costs from the perspective of the overall organizational efficiency, we take an enterprise-wide perspective, use the TCO approach and do not consider who is responsible for what.

Let’s make the following thought experiment and consider the Failed Acme company. This organization does not run an IAM program, has not appointed an IAM manager and has no documented IAM processes. Still, this organization is doing IAM in the sense that identities are somehow being provisioned and some people somewhere do grant access to systems. The organization does not incur the costs associated with a traditional IAM organization and infrastructure but does incur the costs associated with dysfunctional processes, slow staff onboarding, failed audits and security incidents. For this organization, measuring the IAM TCO indicator makes perfect sense.

In contrast, let’s consider the Winning Acme company. This organization runs an IAM program, has a competent IAM manager in place and runs efficient IAM processes. This organization incurs the cost of its IAM organization and infrastructure but does not (hopefully) incur the costs of dysfunctional processes, slow staff onboarding, failed audits and security incidents. For this organization, measuring the IAM TCO indicator makes perfect sense.

Hence, the IAM TCO should capture the overall cost of IAM independently of the organizational structure that supports it or the maturity of its processes.

Definition: IAM TCO is the total cost of the organization’s IAM services, independently of the organizational structures supporting them.

...

  • is the IAM Program Cost

  • is the set of activities assigned to the IAM program by its organization

IAM Direct Cost versus IAM Indirect Cost

For cost measurement purposes, the distinction between direct costs and indirect costs is important because the measurement methods are distinct (Foussier, 2006, chapter 2, Cost Measurement).

...

It should be noted that what is a direct cost for one organization may be an indirect cost for another. For example, one organization may have a dedicated IAM support team (direct cost), another may rely solely on a central IT Service Desk (indirect cost), while a third may combine both.

Measuring the IAM Total Direct Cost

The direct cost of an activity is straightforward to measure: it is the sum of all the corresponding expenditures. This gives us the following trivial equation:

...

For the sake of simplicity, we skip the complexities linked to accounting periods and foreign exchange.

Measuring the IAM Total Indirect Cost

Indirect costs are more complex to measure and methods may vary between organizations. For instance, some organizations will rely on roughly estimated allocation keys while others will use fine-grained accounting schemes. It is presumably outside the scope of IAM cost measurement to redefine the accounting methods used by organizations, hence we should accept a level of inconsistency when comparing these costs between organizations and keep this in mind when interpreting measurements. To enable proper interpretation of results, organizations engaging in benchmarking activities should transparently disclose their high-level accounting methods.

...

The list of IAM activities will be maintained on the following wiki page:

Measuring the Cost of IAM - Activities & Cost Categories

Bibliography

...