I am sure I am not the only one who has been in a role where I felt "pressured" to steer a product selection decision around a major analyst firm’s recommendation (i.e. Gartner, Forrester, IDC, KuppingerCole etc.). As an information security professional, this can be extremely frustrating because identity management security is not a black or white endeavor. When it comes to information security, user provisioning or access governance specifically, it is critical that these popular reports are simply used as another research tool rather than a tool that determines the final decision.
This blog, however, is not about discounting the value of identity and access management (IAM) and identity and access governance (IAG) analysts’ research. It is a recommendation to all analyst firms to take their Marketscape, Wave, Leadership Compass and Magic Quadrant-style reports to the next level to better serve their clients. What is truly needed is dynamic identity management reporting that is driven by customers rather than a static evaluation against static variables. Every organization has unique information security and access management needs along with unique reasons behind why they may be looking for a user provisioning or access governance software solution, and those unique needs should drive the positioning of vendors.
So what is the ideal solution? Analysts should continue to review product capabilities as they do today and with more granular individual ratings for solution capabilities, vendor details, innovation, complexity, etc. Once there are unique ratings across a large number of criteria, then a dynamic reporting tool is needed that allows clients to choose what is important to them while the ratings change dynamically.
For instance, if ease-of-use is more important than technical complexity due to my organization’s non-technical user base, I could then drag a slider higher for the "Ease-of-use" rating to see new ratings relating easy-to-use products positioned higher in the report. As another example, if I only have offices in the US, I should be able to remove any ratings relating to international support to level the playing field with global vendors. Or, if lower Total Cost of Ownership (TCO) is most important to me after being burned by an overly-complex IAM solution that was expensive to maintain and modify, I should see the ratings change to fit my needs when I choose TCO as a desired capability.
In speaking to a variety of information security professionals, I am amazed to see how many are unhappy with their current identity manager implementation of a supposedly top-tier user provisioning software. While a solution may technically accomplish a strategic goal, an identity management solution falls short if extremely important business criteria such as supportability, end user adoption, adaptability and innovation are neglected. If decision-makers could get custom research by easily adjusting the importance of certain criteria, it would dramatically increase the value an analyst report provides in helping organizations make better decisions.
Hopefully, analyst research reports will begin transitioning to this model, as this will definitely enhance the ability of technology decision-makers to select the best product for their organization. Until analysts’ reports contain business relevant criteria, stress to your CIO or other strong proponents of analyst report ratings that information security is not a one-size-fits-all capability. At the same time, sell them on your ability to interpret external research in the context of your business requirements and the value brought to your organization, because once deployed you ultimately must live with your identity management product choice for a two to three year minimum.
Follow Ryan Ward, Avatier Chief Innovation Officer and Chief Information Security Officer, on Twitter at https://twitter.com/ryawarr
Watch the Avatier Identity Analyzer Product Introduction video:
Learn the Top 10 Identity Management Best Practices for successful Identity and Access Management (IAM) implementations. Use this Identity Management planning guide to sidestep the challenges that typically derail IAM projects.