IAM Business Cases One Step Back

Over the years I have repeatedly heard that security people in general need to produce better business cases and better analysis (such as ROI) if they wish to increase their budget. I have tried to do just that with minimal results. Recently, I have changed my approach and now believe that the single most important skill that security people can learn is how to pitch their ideas. It is getting past this first step that is critical. It’s the domain of social dynamics and the perception management of value. What is business really about after all?

As IAM practitioners we live in the domain of first-order predicate logic, of complex systems and mentally taxing analysis. When you become an expert in any field, things that were once difficult to understand become second nature. So when you go before those who control the budget, those who do not understand the vagaries of identity and access management as a discipline, if you come at them with cognitively fatiguing analytical business cases, it’s going to be a lot easier for them to say no (legal compulsion notwithstanding) than to go through the effort of understanding. Now you may say to yourself that it is the manager’s responsibility to understand these things and make rational decisions. That is true without reservation, but we all have limits. If it’s 4:00 PM and you are mentally tired, is it easier to read something about a field you understand or start a course on statistical physics? The question is not what is more interesting but what is easier (mentally). We are all cognitive energy conservationists, so to speak.

Before I proceed any further, let me be explicit about the assumptions I am making.

  • It is cognitively less taxing to make a decision based on emotion and justify it after the fact with analytical models.
  • People have a cognitive limit to what they will pay attention to.
  • People won’t pay attention to things they find boring.
  • Highly technical discussions or complex topics are boring outside of a fairly small group.
  • This group rarely controls the budget.
  • Even if they do, they may be mentally taxed when you present your business case and find it easier to check out and say no.
  • Even if they find something completely boring, they might pay attention if the consequences of failing to do so are severe enough.

Since the foregoing is qualitative, it will never be proven empirically. And if you think any of the assumptions are false, feel free to comment. If all the foregoing are true or mostly true, then it stands to reason that before we ever present a business case, we need to persuade first. And this is where I have consistently fallen short.

Back in February, I began to work with a boutique investment bank focused on the middle market, and as part of getting a better understanding of that business began looking into their formal processes for winning and pitch decks. In the process of doing the research, I stumbled upon Oren Klaff’s book Pitch Anything. It was his book that made me realize that business cases are merely the due diligence portion of the idea you are presenting, and if you can’t hold the attention of the room and get them hooked, you will never get to that point. Since I made the change, my success rate has greatly increased. Before, I was getting blown out 8 out of 10 times. I have cut that in half, and in some of those cases I took a pass because I didn’t want to do business with the client.

Identity Management Business Case Part II

I have previously posted a straightforward method for creating an identity management business case, and based on the downloads I have had, it’s been popular. I also know it’s effective because it’s been proven. Most people shy away from the real options part, however. Everyone seems to understand discounted cash flows, but many do not understand real options.

I am now posting a stronger model that is complementary to the other one and can be used for other initiatives besides IAM. It combines real options with Knowledge Value Added (KVA). The methodology is derived from the work of Johnathan Mun, so if you want to go back to the source, start there.

As a side note, some people think it is foolish to share methodologies that you have developed, and all the big consulting firms protect theirs. A methodology is just a process, and the only thing that matters is the execution of it. It can be downloaded at the Risk Horizon website here.

Building a Business Case for Identity & Access Management

When I worked for a large corporation I was frequently tasked with building a business case without a budget; that is, I wasn’t able to hire any consultants to assist me. In some cases deadlines were relatively short, so it was fairly difficult to get it completed. When the Internet came around, more than once I was saved by people willing to share business cases they had developed. Therefore I have uploaded an economic impact model that comprises two documents, an Excel spreadsheet and a Word document, that should cover the basic needs of a user. I have other more sophisticated models besides this one (for example, a business process and knowledge management re-engineering model that compares the economics of the current state versus the future state), but for the majority this should suffice to help you get started. If you find it useful, just leave me a comment.

It can be downloaded here.

Update 20120801:  Fixed the link again