The trouble with IAM is that it is dead


Back in college I took a date to Play it Again Sam’s (now that was a great place… beer and food served at your table while you watch a classic movie… but I digress). Alfred Hitchcock’s “The Trouble with Harry” was playing. Do you remember what the trouble was with Harry? The trouble with Harry was that he was dead. Various townspeople imagined that they had something to do with the death of a man whose body is found in the Vermont woods, and hide his body in a variety places so that the authorities would never know of their complicity.

In general, IAM (identity and access management) projects have not delivered the value expected to customers and there are a lot of discussions going on about “the problem with IAM”. If we in our industry — and I mean market analysts, vendors, and the IT/Security practitioners who are our customers — are not careful we will find the lifeless body of IAM in the woods. And realize that the trouble with IAM is that it is dead.

There is a lot of arm waving in our industry, and that is putting it nicely. There is a lot of brash talk, arrogant positioning and yes, flat out lies from vendors. I have to admit it bothers me. It bothered me when I was on the IT practitioner side of the equation years ago, and it bothers me now that I am building a company based on real customer success.

Thankfully the analysts have begun to call the industry on this. Earl Perkins of Gartner has publicly stated that 95% of IAM projects have not delivered business-usable value. Perry Carpenter, also of Gartner, has peeled the onion a bit further and stated that 50% of provisioning projects flat out fail.

This past week I visited London and the Gartner IAM Summit Europe. In the midst of some visionary discussion about Access Intelligence (we will discuss that in another blog), I went to a number of vendor sponsored customer presentations. I was interested to see how far our competitors’ customers have been getting.

I walked into a session led by one of the world’s largest companies, touting its success in IAM. And what did they talk about? Creating a white pages directory with “a single IT identity for every user.” The big example of value… phone numbers. I waited. There must be more I thought. This must have been the very beginning of the effort years ago. This is a customer put forth as a leading light. I waited.

I wrote an email to my CTO explaining what was going on in the session. I said I was going to wait to hear how they then moved to deliver value to the end user customers; you know “the business”. I waited some more. Well tomorrow never came.

That was it. Here at this leading edge conference. A vendor put up a customer as a leading edge customer who had created a white pages directory with phone numbers. Welcome to the early 1990’s.

Is this what our industry has come to? Already we can see the participants — analysts, vendors and customers — acting like the townspeople, feeling complicit and trying to hide the body. Analysts are talking about merging their market definition of provisioning with identity & access governance, and adding intelligence. They are arguing about what to call it… how to hide the body.

Well, I have another suggestion. Let’s fix it.

Analysts: Don’t let yourself be fooled by hucksters just because they are arrogant and aggressive. Continue on the path you are going in pulling the curtain back and holding the vendors accountable to deliver software that works in the real world of customers’ environments, that isn’t built for the vendor’s aims but for customer success, that doesn’t have implementation costs of 8 times the software cost. But hold customers accountable as well and don’t allow “white pages directory victory laps” at your conferences.

Customers: hold vendors accountable to deliver value. And don’t be a facilitator of bad behavior by mindlessly accepting “free” IAM software from a company just because you buy a lot of database software from them or are still beholden to their near-extortion for mainframe maintenance. (That’s sort of like taking the “free hot dog” from the gas station for filling up your tank with gas. Is it really a smart thing to do?).

Vendors: Well. What can I say? Don’t deliver a piece of the solution and claim it is the silver bullet that solves the whole challenge — and then change your tune when you add another piece (do you think the market doesn’t remember you bashed that other piece just last year?) If vendors don’t wake up and address the fundamental risk management challenges that customers face in a way that delivers real business value, we will sink below politicians, lawyers and hedge fund operators in society’s esteem.

And we will wake up one day to find that the trouble with IAM is that it is dead.

SHARETweet about this on TwitterShare on LinkedInShare on FacebookShare on Google+Pin on PinterestDigg thisShare on RedditShare on TumblrShare on StumbleUponEmail this to someone

Chris is co-founder and CEO of Courion, a provider of Access Assurance solutions. Prior to Courion, Chris was a co-founder and partner at Onsett International, an IT service and security consulting firm. While at Onsett, he led IT operations re-engineering, enterprise security, and global network architecture programs for several Global 500 customers and led Onsett's marketing and sales efforts to achieve 90% annualised growth over the course of five years. He holds Bachelor of Science degrees in both Economics and Political Science from MIT and a Master of Science degree in Management from the MIT Sloan School of Management.