IAM Business Cases One Step Back

Over the years I have repeatedly heard that security people in general need to produce better business cases and better analysis (such as ROI) if they wish to increase their budget.  I have tried to do just that with minimal results.  Recently, I have changed my approach and now believe that the single most important skill security people can learn is how to pitch their ideas.  Getting past this first step is critical.  It is the domain of social dynamics and the perception management of value.  What is business really about, after all?

As IAM practitioners we live in the domain of first order predicate logic, of complex systems and mentally taxing analysis.  When you become an expert in any field, things that were once difficult to understand become second nature.  So when you go before those who control the budget, those who do not understand the vagaries of identity and access management as a discipline, if you come at them with cognitively fatiguing analytical business cases, it is going to be a lot easier for them to say no (legal compulsion notwithstanding) than to go through the effort of understanding.  Now you may say to yourself that it is the manager's responsibility to understand these things and make rational decisions.  That is true without reservation, but we all have limits.  If it is 4:00 PM and you are mentally tired, is it easier to read something about a field you understand or to start a course on statistical physics?  The question is not what is more interesting but what is easier (mentally).  We are all cognitive energy conservationists, so to speak.

Before I proceed any further, let me be explicit about the assumptions I am making.

  • It is cognitively less taxing to make a decision based on emotion and justify it after the fact with analytical models.
  • People have a cognitive limit to what they will pay attention to.
  • People won’t pay attention to things they find boring.
  • Highly technical discussions or complex topics are boring outside of a fairly small group.
  • This group rarely controls the budget.
  • Even if they do, they may be mentally taxed when you present your business case and find it easier to check out and say no.
  • Even if they find something completely boring, they might pay attention if consequences of failing to do so are severe enough.

Since the foregoing is qualitative, it will not be proven empirically here.  If you think any of the assumptions are false, feel free to comment.  If all of the foregoing are true or mostly true, then it stands to reason that before we ever present a business case, we need to persuade first.  And this is where I have consistently fallen short.

Back in February, I began to work with a boutique investment bank focused on the middle market, and as part of getting a better understanding of that business I began looking into their formal processes for winning business and their pitch decks.  In the process of doing the research, I stumbled upon Oren Klaff's book Pitch Anything.  It was his book that made me realize that business cases are merely the due diligence portion of the idea you are presenting, and if you cannot hold the attention of the room and get them hooked, you will never get to that point.  Since I made the change, my success rate has greatly increased.  Before, I was getting blown out 8 out of 10 times.  I have cut that in half, and in some of those cases I took a pass because I did not want to do business with the client.

IdM Reader’s Choice Awards

Information Security Magazine's Readers' Choice awards are out.  For Identity and Access Management the order was Microsoft, IBM and RSA.  I think if you asked professionals who have worked with more than one IdM product, you would get a markedly different response.  In many cases readers vote not on actual experience but with a "go with what you know" heuristic; that is, they vote for names they recognize.  These kinds of votes are useful if you have to make a choice within 1-2 days.  It is a safe bet.  If you actually have time to decide and evaluate, relying on them would be malpractice.

The most accurate answer could be had by having people wager on the best product as measured against a set of metrics.  When people are asked to risk their own money, it becomes more than a trivial exercise.

Steve Ballmer on Efficiency & Decision Making

There is an interview with Steve Ballmer in the International Herald Tribune in which he responds to a question about what it is like to be in a meeting with him, to wit:

I’ve changed that, really, in the last couple years. The mode of Microsoft meetings used to be: You come with something we haven’t seen in a slide deck or presentation. You deliver the presentation. You probably take what I will call ‘‘the long and winding road.’’ You take the listener through your path of discovery and exploration, and you arrive at a conclusion.
That’s kind of the way I used to like to do it, and the way Bill [Gates] used to kind of like to do it. And it seemed like the best way to do it, because if you went to the conclusion first, you’d get: ‘‘What about this? Have you thought about this?’’ So people naturally tried to tell you all the things that supported the decision, and then tell you the decision.
I decided that’s not what I want to do anymore. I don’t think it’s productive. I don’t think it’s efficient. I get impatient.
So most meetings nowadays, you send me the materials and I read them in advance.
And I can come in and say: ‘‘I’ve got the following four questions. Please don’t present the deck.’’ That lets us go, whether they’ve organized it that way or not, to the recommendation. And if I have questions about the long and winding road and the data and the supporting evidence, I can ask them. But it gives us greater focus.

There is a lot of missing information that I wish the interviewer had followed up on, but let's assume a charitable reading.

What Mr. Ballmer says does not really tell us anything about efficiency, but it speaks volumes about his mind.  He states quite clearly that he is impatient and that he does not like the "long and winding road".  Most likely this is because he does not learn well or efficiently sitting through a presentation.  It could also be that he is intellectually lazy, but this seems unlikely.  If he really is intellectually lazy, then most likely Microsoft will perform poorly under his leadership.

Note that he recognizes that Bill Gates took the "long and winding road".  That should tell you something, and if we go back in history and look at great leaders, they did too: Andy Grove, Andrew Carnegie, General George Patton and General Douglas MacArthur, to mention a few.  The ability to sit and listen with attention to detail does not mean analysis paralysis; it means understanding the situation properly, its context and the interrelation of its elements.  It means avoiding a specious understanding.  Perhaps he is doing this, but it is not clear.

He states that he gets the information in advance; let us hope he did not mean in PowerPoint slides.  There are serious limitations to the kinds of information that can be put into slides.  The overwhelming majority of information in a slide deck is distilled and frequently lacking context.  That context must be communicated and explained verbally.  You would not read the table of contents of a book and draw conclusions, yet if you are reading PowerPoint that is exactly what you are doing.  Its focus is on the presenter, not on the audience and not on the content.  There is a "sales pitch" aspect to PowerPoint that destroys neutral, fact based information.

The downside of this interview and its lack of clarity is that right now, somewhere in America, a mediocre manager who prides himself on efficiency is instructing his subordinates to send him a slide deck in advance and drawing up his four questions, because Ballmer reads the deck in advance and asks four questions.

Finally, we will never really know whether it is more efficient.  If he had recorded all of his decisions under the "long and winding road" method and then recorded all of his decisions under the "efficient" method, we might have learned what works best for Ballmer.  We will certainly never learn what works best for everyone else unless they start recording their own decisions.

note: updated for typo

The other side of the article

It's seldom that I publish more than one blog post on a single piece, but Mark Diodati's article "Changing times for identity management" (login required) spoke of two main themes that I felt needed to be discussed.  In an article on IdM Thoughtplace, I looked into some issues of what composes "New School" IdM.

In this piece, I’d like to comment on a couple of points that Mark makes that I particularly agree with.

First off, Mark mentions that thorough analysis and review of IdM offerings is essential.  The selection team or steering committee needs to remember that no IdM product exists in a vacuum.  Testing against ERP, enterprise LDAP/AD and other key systems is essential, and involving a pilot group is key as well.  I'd go a step beyond what Mark specifies by adding that your pilot group needs to be multi-disciplinary.  Just IT or Help Desk folks won't cut it here.  Make sure there are some HR and ERP users along with other "typical" users in your organization.  You'll need to do a little more hand holding and training earlier than you'd like, but you'll get better responses and metrics in return.

I'm also in agreement that you should review all offerings and available features and upgrades from your current infrastructure.  That "buried treasure" could be the key to keeping your infrastructure secure and compliant.  Also find every way possible to use and reuse your current infrastructure; it can pay off in the long run.

It's a tough economy out there, but that does not mean that you should stop your review of IdM improvements.  Use the current time for evaluation and planning.  Bring some vendors in for a PoC to make sure their product fits into your current infrastructure.  The best place to start looking is right in your server rooms and data centers.  Go to it!

Perception of Risk is Influenced by Ease of Pronunciation

I missed this study earlier (HT: Bruce Schneier).  The result is exactly what one would expect.  There has always been a general distrust of the alien, a fear of the unknown.  The impact on IT is that when they bring new items up for review, they can expect higher scrutiny for anything with a hard to pronounce name.  Experience teaches us that most innovations fail, so when we encounter something unfamiliar we consider it more risky.  Difficulty in pronouncing its name amplifies this effect.  In fact this is why we have proofs of concept, pilots and test markets for innovations.  When faced with three choices to make under time pressure, we will tend to choose the one that is most familiar, because cognitively we map what is familiar to what is safe.  Difficulty in pronouncing a name can also slow the time it takes to process the choice.  Look how long it took Linux to gain acceptance in the executive suite despite the cost differential and the ease of pronouncing it.  The experience of using it in the data center is now sufficiently broad that, except in the most conservative companies, it is no longer considered risky.  Imagine how much longer it would have taken if the name had been something like Lydrarjickavar.

Keep it on One Sheet

When IT personnel seek approval for a project or to purchase software, they spend a lot of time preparing a document which is often restricted to a single page summary.  Many managers today insist that everything be crowded onto 1 to 1.5 pages before they will make a decision.  I have sat in meetings in which they did not even look at the paper, because they had the responsibility for deciding an issue but not the knowledge or experience.  At first glance this may be seen as intellectual laziness (and in some cases it is), but far more often it is a resource constraint.  "I don't have the bandwidth," you hear people complain, so "no" is the safe decision.  Late adoption of new, beneficial technologies normally occurs in companies with technical managers of below average technical understanding or where the CIO still reports to the CFO.  This is not meant as a slur, but simply what I have observed.  One could argue that with access to capital you do not have to be an aggressive user of new technology.  The choice is reasonable, if frustrating to innovators in the company.

Returning to our single sheet requirement, it becomes apparent that one cannot present all the information.  The relevant data will be selected so that it communicates the facts from sender to receiver, but only the facts the sender wants to show.  If the level of trust is high, it won't be questioned.  This process practically guarantees a tendentious analysis, which simply does not serve the best interests of the company.  I intentionally chose an innocuous example.  Far worse is the complexity of internal politics, turf wars or outright corruption.  These are real risks, and when things are going well they are glossed over or accepted.

To work around these problems and risks, it is necessary to properly set the context: start with the time horizon, drill into corporate strategic goals, look at the internal systems, and finally at the product or project being analyzed.  The frame we create profoundly impacts our decisions.  If the goal is to make the best choices possible, this is where we start.