Thank you and good morning everybody, and thank you for your time today as we talk about running a successful IAM program. Now you will definitely ask me as to who I am and why do I know about running a successful IAM program. So I will tell you that I am just an IAM practitioner.
Throughout the last two decades of my career, I've been fortunate enough to have looked at over a hundred IAM programs, both successful, mildly successful, and some that could have used some help. Throughout this I have identified eight or nine signals, or eight or nine indicators, that were always true for all the successful IAM programs. So I'm not going to have an earth-shattering revelation here that would give you a magic formula of what a successful IAM program needs.
But I'll give you some thoughts as you go back in terms of what needs to be done and what we need to be intentional about. So that is why it's not about wow, but about what and how. Most of these things would be known to you, but are we truly being intentional about it in our daily lives as we go about leading the IAM programs is what we are here to discuss.
Again, I would appreciate any questions that you folks have, and once again, I would thank you for the time. Now, without any delay, let's deep dive into it. So the indicator number one is can you define the identity of your identity team and this
Simple, but can you really define why does your identity team exist in the organization? Because an identity team for a travel company would be very different from an identity team of an insurance company. A thousand-person identity team would be very different from a 50-person identity team.
Also, if your CIO has a tech background, it would be very different if your CIO has a GRC background per se or is coming from the industry. So you need to answer this. What is the problem that your identity team is trying to solve? Why do we need your identity team? What happens if your identity team did not exist, right? If you are solving for the business, how are you solving for the business? So identifying these core value questions of why do we exist as a team in the organization, because more often than not we are not revenue generating, is something that all of us need to answer.
Moving on, this seems like a buzzword: culture, right? Every company has got their culture document published, but what is the culture of your team? As I read somewhere once, culture is omnipresent, right? So if you don't define it, it'll define itself. I see so many people, including myself, talking about bias for action is our culture, but when it actually comes down to it, we have another meeting scheduled when we do not make a decision now, and that meeting is in the next two weeks or one month or six weeks and whatnot. That is not truly your culture.
Then you would really have to define what your team culture is. What do you want your team to be?
For me, it has been pursuit of excellence and bias for action and don't be a jerk, which are none of the things that I have invented myself.
These were all taken up from the Netflix culture document. If you haven't looked at it, I would strongly suggest to look at it because that is probably the best thing that came out of Silicon Valley or one of the best things. But you have to define your team culture and then you have to live it every day.
You cannot fault once because every time you fault, that is the time that your team will notice it and you have, we have to be very intentional in defining our team culture of what we want our team to be. Do you want them to be very aspirational? Do you want them to be transformational? Do you want them to be safe and secure and making sound decisions? How do you want your team to be is something that we have to be intentional about and define.
This is a topic that HR hasn't really liked in the past, but I have been trying to convince them and have successfully convinced them of. This is about continual hiring. What are the odds that when you need a great person or a resource to join your team, that is the time that that person is available? So this concept of continual hiring is you always have a generic job posting out. You always spend some time in interviewing candidates who are applying, who are just great. And when you find those candidates, you find place in your team to hire them.
Now, the biggest reservation I've heard about this is, but what about the budget? And in the past two or three years that I have been practicing this, the budget has taken care of itself by the means of attrition or any other new business priorities, right?
So let's say I done hiring budget of a hundred thousand next year. I hire somebody this year, that means I need to pay for six additional months, that's $50,000, but somebody else in the team is leaving, somebody else in the team is retiring. We have additional new budget coming in because of a new project, and things tend to even out.
But what I would say is if there is a great candidate out there in the market, hire them and we will find a place for them otherwise, with the economy going up and down, but there is definitely a lack of identity and access management talent in the market. So you do not want to miss out on that great candidate who is looking for their next gate.
Then there are some must haves. These are the things that you absolutely should have or every identity and access management team should have. These are your service catalog.
Do you know the services that we as an identity and access management team are selling to the organization? Imagine if Apple as a company did not know what is the product that they are selling. They have a vague idea that they sell iPads, but we, I'm not sure about iPhones or do we sell music devices and whatnot. That would have been bad business, right? If we look at any business not understanding what their services truly are, that doesn't really leave a good taste in our mouth. So why do we expect us to have sort of finicky service catalog? We really need to identify what our services are.
What is it that we are providing to the organization?
Do people know what are the services that we are providing? So the service catalog needs to exist. It needs to be very tight and it needs to be published and you have to ensure that stakeholders are looking at it. Second thing that you need to have are the control solutions. So as an application developer, I don't want to learn about OAuth any more than I really need to. I don't want to learn how to integrate to Azure Active Directory any more than I need to. So give them that control solutions so that ask for exceptions is minimized.
Make the right thing also the easy thing to do. So it is a line that is always told. And how do you do that is by creating those control solutions. If you have an reasoning system in place, if you have a certification system in place, how do applications integrate with those systems?
What are the questionnaires? How do applications integrate to your Active Directory? How does somebody who is creating a new platform or a new database vault those credentials, right? All these things need to have a control solution.
If it on, how do you start? You start at the service catalog. For every service that you need, you are providing to the organization, you need to have a control solution for it. So service catalog, a control solution or a bunch of control solutions, and also your roadshow deck. So nobody is invested in identity and access management as much as the identity and access management team, right? Unfortunately for us, in most of the organizations, we are not revenue generating.
So we need to have a roadshow deck, something that we are going and something that we are taking to the different parts of our organizations.
Getting into those leadership meetings, syncing up with the platform team, the Kubernetes team, the cloud team, and making them aware of the services that we have. And then an architecture community is another thing that we need to have, even inside our teams. We cannot be working in a silo. This is especially true for the larger teams. A PAM engineer should always be working with an IGA engineer or an IGA architect.
So that safe design that you are creating is not created in a silo. So an internal architecture community is always good to have, and an external facing identity and access management committee. Now committee is very formal, but there needs to be a place where the business leaders and the practitioners can come in, voice their opinions on the pilots, on the things that you are doing, on the things that you are doing good and maybe not so good. So these are all the must haves that you need to have to absolutely run a successful IAM program.
Next is the strategic partnership.
So we hear so many times about teams not helping identity and access management team out as much as they need to, right? And then it gets escalated. Somebody is provision to the project and whatnot, but trust is never built during the time of crisis. So that is why we need to build these strategic partnerships. Now everybody knows about them, but we have to be intentional about pursuing them in the time of peace per se, right?
So reach out to your different stakeholders, identify who your different stakeholders are, classify them into verbally supportive, verbally unsupportive, nonverbal but supportive, nonverbal and non-supportive, and really put them into those criteria and build those relationships up. You need to build this relationship with different STA business leader and also practitioners so that when it is time for you to work with them, the relationship has already been established. This is another thing that we really need to think about.
The work intake model. Meeting our goals and really identifying and establishing our value are two very different things. You could be working round the clock around the year, meeting every OKR or KPI that we have established, but still we would not be a business enabler. So we as a team have to identify our work intake model depending on how you answered, what is the identity of your identity team. If something comes out as a business enabler, you have to be able to have that dynamic work intake model. You cannot just put a pin on it and say, Hey, we are covered for 2024 or 2025.
We have no bandwidth. Find a work intake model that allows you to match the velocity of the business. Set an expectation with your executives that IAM's runway should always be dynamic in nature. You cannot be very rigid in the amount of work that you take in or deny or allow.
You have to be very flexible. So identify 20 to 30% of your team's capacity as a thing that you need to do. Identify your keep-the-lights-on work, identify your foundational work, but at the same time, identify capacity for your audit work that would be coming in. Identify capacity for the ad hoc business
asks that would be coming in, and find a way to say yes to the business depending on your work intake model. And for that, two things would be required. Setting expectations with the identity and access management executives, telling them that this would be fluid. And the second thing is identify a work intake model that works for you. It could be something like an open sourcing model. It could be working through the work intake, the work that we would be doing in the next quarter with the business leaders and whatnot, but identify that.
So we are always working at the velocity of the business.
Next thing is maximizing resourcing. Now we are always short of people and that is the truth and that is not going to change. But that does not mean asking more from the people that we have. That does not mean making our engineers also act like a BA or a manager and whatnot. Maximizing resourcing means minimizing context switching, right? So I've always found that identity and access management practitioners are already doing too much and then we are asking them to do a little bit more. Maximizing resourcing means to minimize their context switching.
Let engineers engineer. Ask more from your BAs. Give them a framework that is consumable by your engineers. Ask more from your managers. They cannot simply be just the people's manager. They have to be great people's managers, but they also need to be good engineering managers.
Ask more from your executives. Your executives are your salespeople, right? So it is not just about getting the status, it is about building those strategic relationships. So everybody in this hierarchy needs to contribute to make sure that we are minimizing context switching.
We are very, very specialized in the jobs that we are doing and this is how we are maximizing resources. Normally, I have found that for every two or three people that are actually doing the job, there are other three or four people that are just taking statuses, and that is not a bad thing, but we need to minimize this as much as we can.
Last, but not the least, is identify your sticks and carrots. So everything that I have defined or we have spoken about so far are all carrots, right? We will match your velocity. We will create great relationships with you and all the good things. But in the real world, it just doesn't happen like this. So what are your sticks? Why should somebody adhere to our identity and access management team and what do we want to do? The number one of them is identifying your mistakes. And how do you do that is define those standards. You should know those standards by heart.
You absolutely need to know what your IAM standards are, who owns it, what are the exceptions, right? Use audit team and use GRC team to your advantage. Identify what are the audits that are planned for this year and next year and how IAM plays out. Work with your GRC team on those exceptions, the risk acceptance and the risk exceptions. So working with the standards, your GRC team and your internal and external audit teams will give you enough stick so that you can actually enhance the maturity of your IAM program as well, when there is a lack of business buy-in.
So you need to identify your sticks and you need to identify your carrots. Thank you all for sticking along and giving me this time to talk this through with all of you. I appreciate your time.
Thank you so much. Rahi. One quick question while we still have you. How would you ensure in whatever work intake model that you design to leave enough capacity for innovation and strategy?
Absolutely, yes. So have those buckets defined.
So those buckets that we have defined in the past have been keep the lights on, the foundational capabilities, the remediation of the technical debt, the enterprise strategic alignment, the R&D and innovations. So you have all of these things, and every quarter or every month when you are planning out the work, it could be every PI or every sprint, you need to make sure that you are checking most of these boxes. You are being intentional about it.
So if you see a couple of sprints or three sprints where you are not able to work on innovation because a fire needed to be put out, then you need to start asking yourself, what is it that I'm not doing while capacity planning, right? So there is no mathematical formula to it. Obviously capacity planning is mathematical, but it doesn't really work out ever. What you need to do is be intentional about it, create those buckets, and then track if any work was done for those buckets.
If not, identify, how can we make it happen?
Thank you so much. Help me thank Rohit again.