IAM Business Cases One Step Back

Over the years I have repeatedly heard that security people in general need to produce better business cases and better analysis (such as ROI) if they wish to increase their budget. I have tried to do just that with minimal results. Recently, I have changed my approach and now believe that the single most important skill that security people can learn is how to pitch their ideas. It is getting past this first step that is critical. It's the domain of social dynamics and the perception management of value. What is business really about, after all?

As IAM practitioners we live in the domain of first-order predicate logic, of complex systems and mentally taxing analysis. When you become an expert in any field, things that were once difficult to understand become second nature. So when you go before those who control the budget, those who do not understand the vagaries of identity and access management as a discipline, if you come at them with cognitively fatiguing analytical business cases, it's going to be a lot easier for them to say no (legal compulsion notwithstanding) than to go through the effort of understanding. Now you may say to yourself that it is the manager's responsibility to understand these things and make rational decisions. That is true without reservation, but we all have limits. If it's 4:00 PM and you are mentally tired, is it easier to read something about a field you understand or to start a course on statistical physics? The question is not what is more interesting but what is easier (mentally). We are all cognitive energy conservationists, so to speak.

Before I proceed any further, let me be explicit about the assumptions I am making.

  • It is cognitively less taxing to make a decision based on emotion and justify it after the fact with analytical models.
  • People have a cognitive limit to what they will pay attention to.
  • People won’t pay attention to things they find boring.
  • Highly technical discussions or complex topics are boring outside of a fairly small group.
  • This group rarely controls the budget.
  • Even if they do, they may be mentally taxed when you present your business case and find it easier to check out and say no.
  • Even if they find something completely boring, they might pay attention if the consequences of failing to do so are severe enough.

Since the foregoing is qualitative, it will never be proven empirically. And if you think any of the assumptions are false, feel free to comment. If all the foregoing are true or mostly true, then it stands to reason that before we ever present a business case, we need to persuade first. And this is where I have consistently fallen short.

Back in February, I began to work with a boutique investment bank focused on the middle market, and as part of getting a better understanding of that business began looking into their formal processes for winning and pitch decks. In the process of doing the research, I stumbled upon Oren Klaff's book Pitch Anything. It was his book that made me realize that business cases are merely the due diligence portion of the idea you are presenting, and if you can't hold the attention of the room and get them hooked, you will never get to that point. Since I have made the change, my success rate has greatly increased. Before, I was getting blown out 8 out of 10 times. I have cut that in half, and in some of those cases I took a pass because I didn't want to do business with the client.
