This article outlines the main factors and approaches that will help you build a compelling business case and return on investment model that will secure executive buy-in to your Single Sign-On and Enterprise Password Management initiatives.
Typically, Identity and Access Management (IAM) projects are driven by cyber-risk mitigation, compliance challenges, operational efficiency, and user productivity.
The business case for products such as workforce Single Sign-On and Enterprise Password Management needs to effectively articulate how IAM challenges can be addressed and demonstrate how the business benefits will outweigh the costs to deliver a return on investment. The financial benefits of the cyber-risk mitigation can be less tangible but there are methods for deriving these. Here we share the key areas that contribute to the return on investment (ROI) model and provide a link to a ROI calculator that will support your financial business case.
Introduction
IAM architecture is a key foundation of an enterprise’s digital capability and is more important than ever given that identity defines the perimeter of the network.
There is no ‘one size fits all’ approach to building the business case for IAM; however, it is critical that the business case aligns with your executives’ goals and objectives for the organisation. Here we will review the key factors that are relevant to consider across most organisations when mapping out the business case for IAM, Single Sign-On, and Enterprise Password Management solutions; these can be tailored to suit your own organisation.
The specific areas that will be considered as factors that drive upside value in the business case are the:
- End user productivity – downtime from forgotten passwords and time taken to log into applications
- Service Desk Administration - password related incidents
- Reduction in IT/Departmental onboarding and offboarding costs
- Rationalisation of existing/potential IAM, Single Sign-On and Password Management systems
- Reduction in software license pool costs and subscriptions
- Level of cyber-risk mitigation
- Elimination of phishing risks
- Compliance requirements addressed
Aligning the Business Case with Strategic Business Objectives
Aligning your business case with board and executive objectives may sound straightforward but in reality, it is a learned skill. Executives will be well accustomed to signing off on laptop or network refresh projects that are essential in maintaining BAU technology availability but the process of buying “new tech” needs a more considered approach when securing board approval.
There are multiple sources you can use to understand the business’ objectives and gather evidence to support your case. We will review these below. One of the most impactful ways to articulate the benefits of an IAM solution is to create a table of the relevant exec priorities and provide the detail of how the IAM initiative will support achieving that objective or reducing a risk.
Board Objectives
The board do not want to buy new technology. Their priority is to deliver the business objectives and they will be focussed on a number of strategic priorities in order to do this. When positioning an IAM project with the board, it is critical that the strategic priorities of the organisation are understood and that the business case documents how the outcomes of the IAM project will support achieving these priorities. This point cannot be overstated. Look out for board objectives and priorities that are relevant to your IAM project. Examples of this might be:
- Increase revenues/profit
- Reduce costs
- Build brand
- Increase efficiency
- Digital transformation
- Remote and flexible working
- Improve workforce morale
An effective IAM solution can align with any, or all, of the above priorities and it is critical your business case aligns with your own organisation’s executive objectives. Ask your IAM vendor how their solution supports the board objectives and ensure this is very clearly articulated as part of your business case.
Corporate Risk Register
Another reference source to consider is the corporate risk register – there is a very high likelihood that a number of key risks on the register can be mitigated with IAM solutions. There may be obvious risks such as cyber-risks mentioned but there may be others that are relevant to your IAM project such as:
- Business continuity and protection against service interruption
- Delivering more with less
- Brand damage / information assurance
- Revenue assurance
- Leavers offboarding process
- User friction and morale
Understanding who is accountable for the risk can also help as in some cases the message needs to be put across more succinctly to executives to ensure they have a comprehensive understanding of the impact and, in particular, the consequences of not taking any action. This can often be a conversation or presentation to the board along the lines of:
- Here is the risk and impact of it
- We either do nothing and accept the risk or we do this project and mitigate the risk
- How would you like to proceed?
Stakeholder Insights
Finally, gain insights from stakeholder departments on what their key challenges are when it comes to passwords and accessing systems. This information can help evidence how the current set-up is impacting the achievement of the overarching executive objectives.
IT departments can be guilty of looking at the problem through the lens of the IT team. An example would be that the IT team may perceive they have solved identity management because all of the core business applications already integrate with an existing Single Sign-On product. However, this often is not where the problem resides; the problem resides with the tens or sometimes hundreds of other, non-core, cloud applications that are used by the workforce across the organisation. These shadow-IT apps are the ones that are most vulnerable to attack and therefore most likely to lead to corporate data being breached if the risks are not managed effectively. Speak to departments across the business and be cognisant of their needs that might support your IAM business case. IAM might not be top of their agenda but they might have relevant requirements that your business case could support, such as:
- Preventing data breaches
- Meeting audit and compliance requirements
- Productivity
- Efficiency
- Improving user experience
- Reducing costs
- Mitigating phishing
- Auditing application access and detection of shadow-IT risks
- Remote working
- Sharing access to specific passwords (i.e. procurement portals, corporate social media accounts)
- SSO for line of business apps (HR, Marketing, Sales, Finance, Suppliers Portals, Government portals etc)
Aligning your business case with cross-departmental needs such as the ones listed above will help generate company-wide support for your project from influencers across the business, generating momentum in the IAM project.
Building the ROI Model
When it comes to the ROI model, you can build this up in a spreadsheet that outlines the key areas where value is created for the organisation, and you can access ours below if you need a head start. Some of these areas can be subjective but most can be quantified. This section provides some advice on how to calculate the value delivered by an IAM product so this can be weighed up against the cost.
End user Productivity: Downtime from Forgotten Passwords and Time to Log in to Apps
These are relatively straightforward to calculate. The easiest way to gauge this is to take your average hourly salary rate including on-costs (this can usually be found by taking the payroll figure from your annual report or accounts and dividing it by the number of employees) or with input from your Finance department. Once known you can calculate:
User Downtime: The number of password related incidents per annum multiplied by the average salary rate multiplied by the average downtime per user per incident. We have included some industry stats for this in our ROI modeller that might help.
= No. of Password Incidents Per Annum x Avg. Salary x Avg. User Downtime Per Incident
Time to Log Into Apps: The average number of times users log into applications per day, multiplied by the average time it takes to find and log into the app, multiplied by the average salary rate. Again, we have included some industry-wide figures that can help in our IAM ROI modeller.
= No. of Times Users Log Into Apps Per Day x No. of Working Days per Year x Avg. Time to Login x Avg. Salary
Service Desk Administration: Password Related Incidents
Your service desk should be able to determine the number of password related incidents per annum and your Finance team should be able to calculate the average cost of a service desk call/incident (including on-costs and management overheads). We have also included some industry-standard figures from analyst research in our IAM ROI modeller that might help you.
= Avg. Cost of a Service Desk Call x No. of Password Related Incidents per Annum
Reduction in IT/Departmental Onboarding and Offboarding Costs
User lifecycle management can be complex and costly, particularly when looking at the risks related to offboarding users. Your IAM solution should enable you to automate user account lifecycle management where this functionality is supported on applications. It should achieve this by allowing policies to be created that control both the provisioning of user accounts on cloud applications and the revocation of access automatically. These automated provisioning and revocation policies should be configurable, based on the upstream ‘single source of truth’ or directory to align with role-based access controls.
Using Just-in-time provisioning (JITP) functionality, supported by many enterprise apps that use SAML, provides an easy-to-deploy link between your corporate directory, your Identity Provider (IdP) and the cloud applications being accessed. This ensures users are automatically provided with access to the right apps at the right time and can eliminate the administrative costs associated with provisioning and de-provisioning users, contributing further to your ROI.
= No. of Apps that Support JITP x (No. of Users Onboarded + No. of Users Offboarded) x Lifecycle Admin Costs
Rationalisation of IAM, Single Sign-On and Password Management Systems
Review the systems that are already in place and the costs that can be released by streamlining the number of IAM systems you use. Can some of your Microsoft Office 365 subscriptions potentially be scaled back to free up the substantive costs associated with their identity product? Do you have Privileged Password Management where a more cost-effective, and widely compatible, Enterprise Password Management solution would fit the need instead? What legacy SSO solutions are in place that can be de-commissioned? Are there pockets of the organisation using locally adopted password management solutions?
If you choose a modern, leading IAM solution that offers a range of products including SSO for Web, SSO for legacy desktop and Enterprise Password Management, you can free up the 3rd party costs and internal overheads of supporting a wide range of corporate IAM systems and benefit from the synergy of a single solution delivering multiple products.
= Annualised Cost Savings from Rationalising Other IAM Products
Ability to Enable Reduction in Software License Pool Costs and Subscriptions
If your chosen IAM solution is effective at integrating all types of applications, including: password-based, cloud, Windows desktop, and on-premise custom apps, then you will be able to derive accurate Management Information (MI) that provides a centralised audit trail of the extent to which various applications are being used across the organisation within a defined period. This can easily be reconciled against the number of subscriptions or licenses the enterprise is paying for on each of these applications to identify opportunities for cost savings from redundant licenses and subscriptions. Whilst this figure may be difficult to quantify in advance, it’s not unreasonable to target a 10% saving across all licenses and subscriptions as a result of the improved MI on actual application usage.
= Estimated Savings from Annualised Equivalent of Current Software Subscription, License and Maintenance Costs
Level of Cyber-risk Mitigation Provided
There are various schools of thought on how to define the return on investment from mitigating data breach risks. One way to quantify the upside benefit is to consider the following question:
What would be the financial impact of a data breach and consequential reputational damage?
Think about revenue from lost customers, future risks to sales, fines from regulators etc. and then consider how often you think it’s likely that a data breach might occur – for most organisations it’s not a matter of “if”, or a matter of “when”, it’s “how often”.
There are an abundance of resources available online that will help you quantify this, based on companies of your size, sector and geography.
Based on industry estimated costs of a breach, and the frequency with which this could happen, you will have a quantifiable figure that you can average out as a per year cost to the organisation.
There’s no silver bullet to addressing all cyber-risks but we do know that passwords are cited as the root cause for typically 60-80% of corporate breaches. Therefore, it could be argued that the effective cost benefit of addressing these risks is 60-80% of your annualised cost of a breach.
Application compatibility is important when considering the level of cyber-risk mitigation offered. Not all IAM systems work with all types of applications; many only work with a restricted subset of applications, e.g. apps that use SAML or OIDC. Some solutions don’t provide integrated Enterprise Password Management functionality and, fundamentally, this impacts your true ROI when it comes to mitigating the costs of a data breach.
User experience also makes a significant difference here. If the IAM solution requires the user to actively engage with it, either by having to log in to it or because its use is not mandatory, this creates a barrier to adoption and use and will impact the extent to which the solution is genuinely being used to protect against cyber-risks and deliver ROI.
In summary, in calculating the cyber-security benefits aspect of your ROI, different IAM products can have a wide-ranging level of genuine ROI. The factors you should consider here that would provide a gauge of the %age Effectiveness of your IAM solution are:
Range of Compatibility with Apps
- How widely compatible is the IAM (i.e. Single Sign-On & Enterprise Password Management) solution with different application types?
User Experience of Single Sign-On and Enterprise Password Management
- To what extent can the IAM (i.e. Single Sign-On & Enterprise Password Management) solution work in the background, without the user having to actively engage with the product?
Extent to which Users Adopt the Solution for Corporate Apps
- To what extent can the IAM be configured to detect all applications (including shadow-IT apps being used by users) and enable these to be integrated without requiring the user to take an action?
For a more detailed approach to measuring how the ROI achieved from the cyber-security component of your business case is impacted by the above factors, and how to estimate a %age Effectiveness for your chosen solution, please see our article: Identity and Access Management: What Matters Most When it Comes to ROI?
So, to calculate the financial benefit of the cyber-security risk mitigation aspect of your ROI model, if we assume that passwords are the root cause of 70% of breaches (i.e. the midpoint of the 60-80% mentioned above), you could calculate this as follows:
= Annualised Cost of a Breach x 70% x %age Effectiveness
Elimination of Phishing Risks
If your IAM solution provides combined Single Sign-On and Enterprise Password Management functionality, you can use this to eliminate phishing. A good Enterprise Password Manager will enable administrators to set strong password policies for external applications, automatically update the password on these applications, then hide the new password from the user on the IAM system but still enable the user to log in using SSO. The SSO will not divulge credentials to a spoofed URL, and if the user does not know the password, how can they be phished for it? How much cost and effort are you currently investing in anti-phishing technologies, training, and phishing simulation exercises across the workforce, and how much of this could be reduced if you were preventing phishing at source, by detecting the applications users still need passwords for and removing these passwords from the users so they can’t be phished?
Add a line item in your ROI model for the reduction in effort and cost that can be achieved as a result of eliminating phishing at source by removing passwords from users. Also consider the extent to which your IAM solution can provide this functionality as part of your overall cyber-risk mitigation calculated above.
= Annualised Cost of Anti-Phishing Training
Compliance Requirements Addressed
What relevant (IAM, Password related and Multi-Factor Authentication) audit controls have the auditors flagged or failed, and what is the cost impact of failing to address these? What would be the cost of any administrative workarounds that need to be established to ensure compliance? Are there fines or risks to revenue if you fail on compliance?
= Annualised (Compliance Fines Mitigated + Insurance Cost Reductions)
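The line items above can be pulled together into a single model. The following is an added worked example, not the article's downloadable ROI modeller spreadsheet and not code from the vendor: it implements each formula as stated in the sections above, uses the article's 70% password-root-cause midpoint and 10% license-saving target as defaults, and adds a low/high sensitivity range for the breach line item using the 60% and 80% ends of the cited range. Every numeric input in `SAMPLE_INPUTS` is constructed for illustration. One assumption worth noting: the article's "No. of Times Users Log Into Apps Per Day" is treated here as a per-user figure and scaled by headcount.

```python
from dataclasses import dataclass


@dataclass
class RoiInputs:
    """Inputs to the ROI model. Field names are this example's own, not the article's spreadsheet."""
    employees: int
    avg_hourly_salary: float              # average hourly rate including on-costs
    password_incidents_per_year: int      # from the service desk
    downtime_hours_per_incident: float    # user downtime per password incident
    logins_per_user_per_day: float        # assumption: per-user figure, scaled by headcount
    working_days_per_year: int
    login_time_hours: float               # time to find and log into an app
    service_desk_cost_per_call: float     # including on-costs and management overheads
    jitp_apps: int                        # apps that support just-in-time provisioning
    users_onboarded: int
    users_offboarded: int
    lifecycle_admin_cost: float           # admin cost per user per app for provisioning/revocation
    rationalised_iam_savings: float       # annualised savings from retiring other IAM products
    software_subscription_costs: float    # annualised licence, subscription and maintenance spend
    annual_breach_cost: float             # industry breach cost x expected breaches per year
    effectiveness: float                  # %age Effectiveness of the chosen solution, 0..1
    anti_phishing_cost: float             # annual training, tooling and simulation spend
    compliance_fines_mitigated: float
    insurance_cost_reduction: float
    annual_solution_cost: float           # annual cost of the IAM solution being justified
    license_saving_rate: float = 0.10     # the article's suggested 10% target
    password_root_cause_share: float = 0.70  # midpoint of the 60-80% the article cites


def roi_model(i: RoiInputs) -> dict:
    """Return each line item from the article, the totals, the ROI ratio and the payback period."""
    items = {
        "user_downtime": i.password_incidents_per_year * i.avg_hourly_salary
        * i.downtime_hours_per_incident,
        "time_to_login": i.employees * i.logins_per_user_per_day * i.working_days_per_year
        * i.login_time_hours * i.avg_hourly_salary,
        "service_desk": i.service_desk_cost_per_call * i.password_incidents_per_year,
        "lifecycle": i.jitp_apps * (i.users_onboarded + i.users_offboarded)
        * i.lifecycle_admin_cost,
        "rationalisation": i.rationalised_iam_savings,
        "license_pool": i.software_subscription_costs * i.license_saving_rate,
        "breach_mitigation": i.annual_breach_cost * i.password_root_cause_share
        * i.effectiveness,
        "anti_phishing": i.anti_phishing_cost,
        "compliance": i.compliance_fines_mitigated + i.insurance_cost_reduction,
    }
    total = sum(items.values())
    net = total - i.annual_solution_cost
    return {
        **items,
        "total_benefit": total,
        "net_benefit": net,
        "roi_ratio": net / i.annual_solution_cost if i.annual_solution_cost else float("inf"),
        "payback_months": 12 * i.annual_solution_cost / total if total else float("inf"),
    }


def breach_benefit_range(i: RoiInputs) -> tuple:
    """Low and high breach-mitigation benefit using the 60% and 80% ends of the cited range."""
    base = i.annual_breach_cost * i.effectiveness
    return (0.60 * base, 0.80 * base)


# Constructed sample inputs (not real figures from any organisation or analyst report).
SAMPLE_INPUTS = RoiInputs(
    employees=1000, avg_hourly_salary=40.0,
    password_incidents_per_year=2000, downtime_hours_per_incident=0.5,
    logins_per_user_per_day=5.0, working_days_per_year=230, login_time_hours=0.005,
    service_desk_cost_per_call=25.0,
    jitp_apps=10, users_onboarded=150, users_offboarded=100, lifecycle_admin_cost=20.0,
    rationalised_iam_savings=30000.0, software_subscription_costs=400000.0,
    annual_breach_cost=500000.0, effectiveness=0.8,
    anti_phishing_cost=20000.0, compliance_fines_mitigated=10000.0,
    insurance_cost_reduction=5000.0, annual_solution_cost=150000.0,
)

if __name__ == "__main__":
    result = roi_model(SAMPLE_INPUTS)
    for name, value in result.items():
        print(f"{name:<20} {value:>14,.2f}")
    low, high = breach_benefit_range(SAMPLE_INPUTS)
    print(f"breach benefit range {low:,.0f} - {high:,.0f}")
```

Running the script prints each line item and the totals for the constructed inputs; the breach line dominates, which is why the article's %age Effectiveness factor deserves the scrutiny it gets above, and the 60-80% range function makes that sensitivity explicit for the board rather than hiding it in a single midpoint.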
Summary
There are other factors you can consider such as cyber insurance premium reduction, and reduction in user friction which can impact employee satisfaction and even retention. However, the above provides a reasonably comprehensive list of the main aspects you should consider in your ROI model for Identity and Access Management solutions. It is written in the context of value delivered from SSO and Enterprise Password Management solutions, so you might want to fine-tune it if you are looking at other types of IAM products.
We have compiled the above into a convenient ROI model for Identity and Access Management which you can download. We would also be happy to offer free advice on building your business case and discussing the above points in more detail if that would help.
If you’d like help with your business case, or how to position your IAM project to board executives, then reach out to us for free advice. We can also help provide you with a basic or advanced ROI model spreadsheet that will help save you time in building your business case.