The Reporting Lines of the IAM Manager (Doret, 2020)

The context

The objective of my research was to gain a deeper understanding of how organizations measure the performance of IAM and if good practices could be inferred from this discovery work. A question that quickly arose was:

What is the reporting line of IAM?

Stating the obvious, performance is not measured in a vacuum and the most critical stakeholders of IAM performance measurements must be those to whom the IAM manager reports, that is the IAM sponsors that shape the IAM strategy.

The original question

Consequently, the IAM Performance Measurement 2020 Survey asked the following question:

To whom reports the IAM manager in your organization?

The following non-exclusive answers were available:

• CFO

• CISO

• CIO

• COO

• CEO

• Other

• I don't know

When a survey participant selected the Other option, he could type in the function name in free text form.

A Visual Representation

Most of us work in matrix organizational structures, that is to say we report directly to several managers. And for decades the literature is filled with articles on the pros and cons of this setup (e.g. the 1978 non-ageing article Problem of Matrix Organizations ). Consequently, reporting lines are non-exclusive and the above survey question allowed participants to select multiple answers.

This raised a new question: how may we represent visually the non-exclusive reporting lines of the IAM manager? After a few trials and errors, I chose an Euler graph and here is the outcome:

Open

Of course I open sourced the R code and those who have a knack for data analysis or software development will find all details here: .

A primary focus on security and technology

Overall, the CISO function is the direct report of 58.3% of the IAM managers in this sample. The CIO comes next with 20.8%.

This suggests the following hypothesis:

IAM is primarily positioned to pursue an information security goal and secondarily positioned to pursue technological goals.

Which raises the following question:

In view of the transversal nature of IAM, exemplified by the great diversity of its goals (c.f.: ), is the CISO / CIO setup an adequate governance? Or put differently: are we limiting the added value of IAM by constraining it within narrow boundaries, and limiting its capacity to embrace for example customer (CIAM) and business partners (FIM) value propositions?

The following question should be further investigated:

If we compare the contribution of IAM in organizations where the IAM manager reports to the COO, to the its contribution in organizations where the IAM manager reports to the CISO and/or CIO, do we find any evidence that supports the above hypothesis?

What questions is it raising?

A stream of other questions are raised by this data. For instance, what correlations do we find between the IAM governance setup and the goals defined for IAM? Or between IAM governance setup and the process maturity level of IAM sub-domains?

Also, what were Other functions were reported by survey participants? Do we find the CRO? The CCO? These would be very well aligned with a significant subset of IAM goals (c.f.: )

These are the questions that we will investigate in future articles.

Limitations

These numbers cannot be used to blindly generalize the governance of IAM in organizations throughout the world, but they still provide interesting insights. The statistical limitations of this study will be discussed in a later article.

Bibliography