How to maximize business value with an IAM maturity assessment

Global spending on Identity and Access Management (IAM) has continued to grow rapidly in recent years. 

Spending is projected to total US$20.75 billion by the end of 2023, up from $9.84 billion in 2019. While this is a strong sign of adoption, it’s also crucial to underscore the importance of spending strategically to really drive value. IAM isn’t something you’ll inherently do well if you spend enough — spending must be tactful.

Another study projects the total market size for IAM will reach $34.52 billion by 2028, an impressive CAGR of 14.5%. It’s become clear organizations are seeing the potential of IAM to drive business value, making it well worth the time and resources.

What’s driving the rapid adoption of IAM technologies and services? Increasing awareness of compliance, evolving compliance requirements, and the need for strong cybersecurity are primary drivers behind IAM adoption.

Assessing IAM Maturity

IAM isn’t a single technology, but an entire framework consisting of policies and technologies that work together to enhance how organizations manage identities. As a result, implementing and maturing an IAM program is a significant undertaking.

Have you already implemented an IAM program? Assessing the program’s maturity helps you identify how to strategically advance key areas to drive greater value. If you haven’t yet deployed a program, it’s still helpful to understand what determines a mature program.

Gartner developed the below five categories to dictate how organizations can assess and enhance the maturity of IAM programs:

  1. Engage and Support Stakeholders: The CEO and other C-suite executives must be on board with implementing and enhancing an IAM program. Executive support allows for better decision-making, establishing accountability and ownership, and is crucial to delivering business value.
  2. Manage the IAM Function: This category focuses largely on the planning and reviewing phase, describing the development of an overarching vision, budget planning, and design architecture. Properly defining your specific IAM program is necessary for future governance and ongoing enhancement.
  3. Manage Risk and Enable Trust: Supporting risk management is central to a mature IAM program, which includes supporting cybersecurity risk management, fraud management, and compliance. Additionally, enabling workplace performance and fostering trusted relationships fall into this category.
  4. Deliver IAM Operational Capabilities: A central goal of IAM is to enhance capabilities, so this category encompasses practices with an operational focus. This category is where a lot of the nuts and bolts come together to establish identity authentication, life cycle management, managing access levels, and measuring functional performance.
  5. Manage Talent and Workforce Strategy: Every IAM program depends on engaging the workforce alongside having the right talent in place. Recruiting talent and training IT staff is crucial for ongoing management and refinement. Additionally, it’s important to promote the culture shift to IAM, including providing training in new tools or systems.

You can see how these categories are generally a linear flow, from planning to execution. Still, it’s important to note that most organizations don’t check all the boxes in one category before moving on to the next. 

Instead, organizations evaluate their specific business goals and capabilities and then return to further mature the program after implementation. Prioritizing exactly what steps to undertake when maturing in your program is of the utmost importance.

Common Top Priorities in IAM Maturity

What are the most important elements of IAM maturity? Gartner indicates the top three and next four activities recommended to establish a mature IAM program. We’ll include the category numbers from the above section to demonstrate where these activities are in the overall process.

The top three maturity activities are:

  1. Deliver business value (Engage and Support Stakeholders)
  2. Develop vision and strategy for (Manage the IAM Function)
  3. Manage privileged access (Delivery IAM Operational Capabilities)

Once those are complete, the next four activities are:

  1. Design architecture (Manage the IAM Function)
  2. Enable compliance (Manage Risk and Enable Trust)
  3. Manage access (Delivery IAM Operational Capabilities)
  4. Measure functional performance (Delivery of IAM Operational Capabilities)

Organizations can implement and enhance an IAM program that better provides meaningful value by focusing on these seven activities.

Using Your Maturity Assessment to Drive Business Value

A maturity assessment will highlight deficiencies or mistakes in your IAM program. However, it’s entirely too common for organizations to use maturity assessments and similar guidance as a linear, one-size-fits-all checklist. 

It’s crucial to understand that the maturity assessment categories and other related guidelines are intended to inform your own decisions, not dictate them precisely. Keep the following in mind to use this information to drive meaningful value:

  • Focus on business priorities: Step back from IAM — what is your current overall priority for your business? How can those priorities relate to IAM? For example, bolstering security is a common priority for many industries, so with that in mind, you can inform how you mature your program.
  • Improve highest value activities first: Evaluate which specific activities will drive the most value. We discussed how this might look in the above section, but it’s necessary to look at your specific deficiencies to assess what will drive the most value.
  • The overall goal is to increase business value: Your goal shouldn’t be to check all the boxes but to continually drive business value with your IAM program. For some industries, focusing on compliance might drive the value. For others, streamlining employees’ workflows might drive the most value.

The above perspective keeps you focused on value, but sometimes businesses fall into a detrimental perspective that includes:

  • Viewing everything as critical
  • Taking a checklist approach
  • Try to eliminate every gap

Taking this approach will certainly still drive value, but it will be unfocused, diminished, and slower realized than taking a strategic approach.

Keep Compliance and Security In Focus

A significant driver of IAM adoption is the growing need for stronger security and abiding by evolving compliance requirements. Don’t get lost in the weeds of all the moving pieces in IAM — security and compliance are central to maximizing business value.

The National Institute of Standards and Technology (NIST) has developed freely-available guidelines to help organizations improve security. NIST SP-800-53 is designed for general cybersecurity, while NIST SP-800-63 focuses on identities.

These frameworks can help guide how you strategize, design, and implement your IAM programs. NIST’s frameworks also give you the tools to evaluate the effectiveness of your IAM program so you can continue maturing key aspects. 

At Indigo Consulting, we often refer to these frameworks to guide and evaluate our client’s unique needs, then tackle them head-on with proven strategies.


An Example of Connecting IAM Maturity to Business Value

Let’s look at how everything we discussed looks in action to help demonstrate how it all comes together.

Company A decided its maturity focus is to deploy an effective method for Privileged Accounts Management (PAM). A privileged account includes anyone with higher access levels than typical, including IT managers or executives. 

Security is the overall priority for Company A, so properly managing these types of accounts can quickly drive business value.

The path to maturity with this focus might look like this:

  1. Establish a process to rotate and securely store passwords for privileged accounts.
  2. Define, document, and share approaches for effective PAM. Remove permanent privileges for everyone, beyond system admins.
  3. Consistently implement new PAM practices across all assets, including web, cloud, and in-house systems. 
  4. Evaluate and monitor PAM effectiveness and performance. Implement MFA for all PAM-related tools and systems.
  5. Consistently evaluate PAM metrics to identify any areas of concern. Remove permanent privileges for system admins.

This example goes from beginning to end, and Company A is now in maintenance mode with PAM. Now, the company can move on to its next priority.


Team Up With Indigo to Establish or Mature Your IAM Program

Strategically planning, deploying, and maturing an IAM program is no small undertaking. IAM requires adopting core technologies, creating new policies, and re-designing several aspects of the entire organization — from how users log in to how non-human identities access IT resources.

Ideally, your IAM program will drive significant value once established, which can then be increased over time by maturing the program. However, it’s also possible to create new problems, invite risks, and consume resources if the program is not properly designed and deployed. That’s why it’s crucial to have IAM specialists in your corner. 

Indigo Consulting is a leading IAM consulting firm with a track record of helping our clients succeed. Our team of developers and project managers know what it takes to have an IAM program that maximizes business value at every step.

Ready to discover how we can help your organization? Contact us today to talk to an IAM expert to learn more.