How to plan an IAM program strategy
More than half of organizations lack an IAM strategy. Discover how security leaders can build stakeholder-driven identity management programs that deliver results.
A formal identity and access management strategy is crucial for every organization, as it enables security and risk management leaders to deliver their digital strategy. A recent survey revealed that simply having a well-developed written IAM strategy can increase an organization's ability to achieve its IAM goals by 42%. However, just over half of security leaders focusing on IAM reported that their organization doesn't have such a strategy.
Security leaders should plan an effective IAM program strategy by clearly articulating and prioritizing the outcomes and objectives that drive IAM program decisions.
IAM program scope
An effective IAM strategy starts with clearly defining the program scope and having preliminary conversations with key stakeholders to understand their objectives and priorities. Security leaders must define the scope of the IAM program in terms of the specific problems to address or opportunities being pursued. The scope should align with stakeholder support and expectations.
It is important that security leaders clearly lay out the scope of their program relative to the identity populations -- constituencies -- they intend to address, including workforce, customer, business partner and machine identities. If the organization manages these constituencies separately, note that some capabilities (for example, authentication or access certification) might overlap and should be tracked across every constituency they serve.
Business objectives
The heart of an IAM strategy is its analysis of stakeholders' needs and success criteria, and how it addresses them. In the stakeholder needs assessment, security leaders determine the required outcomes and business objectives by analyzing the stakeholders and their needs. This assessment is the justification for the program as a whole and, as such, is a critical component.
Ultimately, the overall IAM strategy should summarize the major themes and desired outcomes from the stakeholder needs assessments, ranked by business priority.
Examples of business objectives include improving security risk management, enabling the business, achieving and maintaining regulatory and audit compliance, and managing cost.
Security leaders should also develop an executive summary. It should capture the essence of the security and business innovation initiatives and be written for a senior business audience, such as a board member or line-of-business leader. List here any critical decisions that bind the effort. The key objective is to establish a clear connection to the business outcomes and objectives identified through the stakeholder analysis.
Measuring business objectives
It is crucial for security leaders to communicate the value of the IAM program to executives. The best way to achieve this is through outcome-driven metrics (ODMs) for the business objectives themselves. An ODM measures the protection outcome actually delivered (for example, the share of privileged accounts covered by the intended control) rather than the activity performed. Security leaders should have at least one ODM for each business objective they identify.
A protection-level agreement is a contract between executives and the CIO/CISO to deliver a target protection level for a planned cybersecurity investment. Combining ODMs with protection-level agreements creates transparency and enables ongoing communication to set priorities and inform better business decisions.
Used together, IAM protection levels and ODMs let security leaders demonstrate value in terms of security risk while showing how IAM enables the wider vision and strategy of the business.
Vision statement
The vision statement articulates the intent of the IAM program in concise text, free of technical jargon and consumable by non-IT professionals. Security leaders should craft a clear, aspirational and memorable statement of the program's intent. It should cover what the IAM program aims to achieve in the mid to long term, consistent with the roadmap.
Strategy alignment: Program focus areas and priorities
In this section of the strategy, security leaders should describe, in rank order, the coarse-grained capabilities that serve as high-level business requirements. These capabilities translate stakeholder needs and objectives into tangible, measurable objectives the program should accomplish; for example, "Establish a single point for access requests and fulfillment."
Current state assessment
Security leaders need to assess and accurately describe the current state of their IAM capabilities, including the level of operational support behind each one, and identify where these are or are not meeting the business objectives or addressing the problem statement.
Once security leaders have established their current level of maturity, they can define the tasks that will move the program to the next level. These can be tracked in an IAM dashboard of initiatives. Stakeholders and security leaders should have insight into these tasks and help set priorities so the program makes the best use of available resources.
Constraints and dependencies, alternatives and impact
Security leaders should identify the environmental or organizational conditions that limit the effective execution and operation of the IAM program, such as budget, legacy systems, regulatory requirements or dependencies on other initiatives, and evaluate each against the selected program focus areas.
It is also recommended that security leaders include potential alternatives and impacts that might affect other areas of the organization. One of the goals of the strategy is to demonstrate that the selected program objectives are reasonable for the organization and appropriate to the needs of the stakeholders. This is enabled by an evaluation of alternatives and impacts based on specific use cases because there is never just one way to satisfy a collection of needs.
The modern IAM foundation
Security leaders who plan an IAM program with a structured, stakeholder-driven approach can build a modern IAM foundation that provides the assurance and flexibility large organizations require. It delivers both stronger security and greater business agility, enabling the organization to respond rapidly to new challenges and opportunities.
Nathan Harris is a research senior director analyst of IAM at Gartner. Further insights into identity and access technologies and strategies will be provided at the Gartner Identity & Access Management Summits taking place December 8-10 in Grapevine and March 24-25 in London. Follow news and updates from the conferences on X and LinkedIn using #GartnerIAM.