How to write a business case for IAM
Creating a business case for an Identity and Access Management (IAM) solution is a pivotal step in getting your project off the ground. All too often, IAM is seen merely as a necessary expense and a piece of basic functionality. However, a well-constructed business case can show stakeholders the value IAM brings to the table.
At its core, an IAM solution manages user accounts and safeguards access to applications and data. However, by making the right choices, you can also automate many costly manual tasks and significantly save on unnecessary license and storage costs. Besides these direct cost savings, a modern IAM solution makes it much easier to stay compliant with various security and privacy standards, potentially avoiding hefty fines linked to data breaches. Moreover, by providing employees with quicker, simpler access to their tools and information, IAM directly contributes to increased productivity. A robust IAM business case provides a clear overview of these various benefits, quantifying them wherever possible.
Avoid reducing the business case to a dry list of costs and benefits. While financial clarity is a must for the finance department, clearly articulating why the new solution matters is equally important. This approach not only adds context to the numbers but also clarifies choices and interdependencies and helps prioritise actions. The best business cases can distil their narrative down to a simple, compelling story that fits on the back of a napkin, using detailed figures as support.
This blog post provides an overview of various IAM costs, savings and gains. Where possible, we will offer examples and indications of amounts, though the precise business case will vary based on your organisation’s unique situation and needs.
Breaking down the costs of your IAM solution
The cost side of your IAM business case generally consists of one-time investments and recurring expenses. We have compiled a list for you.
Initial investment
With a modern Software-as-a-Service solution like HelloID, there is no longer a need to invest in on-premises servers and software. The available standard functionality is activated, and the initial investment is limited to the necessary installation and consultancy work, as well as integration with source and target systems. The amount of work required depends on the modules used:
- The Provisioning module creates a link between the HR system and the user accounts in the network, automating the entire process of employee onboarding, transitions and offboarding.
- The Service Automation module allows users to request online access to additional applications or data themselves. Managers can give approval online with a single click, following which the change is processed automatically.
- The Access Management module provides employees, partners and possibly customers with simple and uniform access to cloud applications.
For HelloID, many standard approaches and blueprints have been developed, which means that a few half-days or days of consultancy are often sufficient to activate the various modules.
Recurring costs
In terms of the use of the software and its maintenance, under the SaaS model, a monthly fee per user will be charged, depending on the modules used. This ‘Pay-per-Use’ model gives you continuous control over the monthly expenses. This flexibility is particularly important for organisations with frequent changes in staff numbers, such as those employing temporary workers with their own accounts. A similar situation applies to educational institutions with many guest lecturers and rapid changes in student numbers.
Direct savings on processes, licenses and storage
With a modern IAM solution that automates the provisioning and management of user accounts, several direct savings can be realised. Not only does it significantly reduce the need for costly manual tasks, it also cuts down on expenses related to accounts, licenses and storage space. Let’s delve into this further.
Automating tasks
First, we will identify the savings on manual tasks. The new IAM solution automates the processes of onboarding, transitions and offboarding. Thanks to integration with the HR system, accounts are automatically created for new employees, and Role-Based Access Control (RBAC) ensures that each employee immediately receives the correct permissions according to their role. If someone changes roles, the associated permissions are automatically updated, and when someone leaves the organisation, no manual steps are necessary to deactivate the account. Many other service processes can also be automated, such as requesting and approving access to specific applications or processing a name change.
The financial advantages of this can be calculated rather precisely. Most organisations are well aware of their employee turnover rates, while the internal movement to different roles is increasingly being tracked. This could easily represent 20 percent of the total workforce on an annual basis. This percentage is likely to increase as organisations move towards more flexible working arrangements with temporary employees, contractors, autonomous teams and partners.
Traditionally, it has been the job of the IT helpdesk to create, manage or deactivate these accounts and permissions. By analysing ‘helpdesk metrics’ such as the number of tickets, time taken to resolve tickets, and the effort involved, we can pinpoint exactly how much we stand to save by reducing the number of manual tasks. The onboarding, transitioning and offboarding tasks alone often require about half an hour each. Plus, there are many additional tasks like changing account names, updating special permissions and fixing manual errors.
And that is a conservative estimate, considering only helpdesk hours, because, in practice, coordination between HR, team leaders/managers and the helpdesk is often required for issuing and managing accounts and access rights. Therefore, in an organisation with several hundred employees, it is not uncommon for an IT helpdesk worker to spend a significant portion of their time on account and permissions management.
Reduced license and storage costs
Manual processing of employees leaving the company often leads to delays and misunderstandings between IT, HR and team leaders/managers from different departments. As a result, user accounts are frequently ‘forgotten’ and remain active unnecessarily long, including the associated costs for data backup and application licenses. At the same time, manual management often leads to employees gradually accumulating unnecessary application rights; they request an application for a new role or temporary project, and such (expensive) licenses are never revoked. This leads to a structural accumulation of sometimes dozens of unused licenses and accounts within organisations.
This inefficiency can be quantified with an inventory of HR and account data. By linking access management to an individual’s role and automating the departure process, ICT resources are kept to a minimum, thereby reducing this cost item to the lowest amount possible.
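The inventory described above can be sketched as a reconciliation of an HR export against directory accounts. This is an added example, not HelloID code or anything from the original post; the field names, the role-to-licence model, the prices and all sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample data: HR export (source system) and directory accounts (target system).
HR = {
    "e100": {"role": "nurse", "end_date": None},
    "e101": {"role": "finance", "end_date": date(2024, 1, 31)},  # has left
    "e102": {"role": "planner", "end_date": None},
}
ACCOUNTS = [
    {"user": "asmith", "employee_id": "e100", "enabled": True, "licences": ["office", "ehr"]},
    {"user": "bjones", "employee_id": "e101", "enabled": True, "licences": ["office", "erp"]},
    {"user": "cdoe", "employee_id": "e102", "enabled": True, "licences": ["office", "cad"]},
    {"user": "svc-old", "employee_id": "e999", "enabled": True, "licences": ["office"]},
    {"user": "dlee", "employee_id": "e101", "enabled": False, "licences": []},
]
# Assumed RBAC model and monthly licence prices (illustrative figures only).
ROLE_LICENCES = {"nurse": {"office", "ehr"}, "finance": {"office", "erp"}, "planner": {"office"}}
PRICE = {"office": 12.0, "ehr": 40.0, "erp": 55.0, "cad": 90.0}

def reconcile(hr, accounts, as_of):
    """Return findings for enabled accounts that the HR data does not justify."""
    findings = []
    for acc in accounts:
        if not acc["enabled"]:
            continue  # already deactivated, nothing to reclaim
        person = hr.get(acc["employee_id"])
        if person is None:
            reason, surplus = "no HR record", set(acc["licences"])
        elif person["end_date"] and person["end_date"] < as_of:
            reason, surplus = "employee has left", set(acc["licences"])
        else:
            reason = "licence outside role"
            surplus = set(acc["licences"]) - ROLE_LICENCES.get(person["role"], set())
            if not surplus:
                continue  # active employee holding only role-based licences
        findings.append({"user": acc["user"], "reason": reason,
                         "licences": sorted(surplus),
                         "monthly_cost": sum(PRICE.get(l, 0.0) for l in surplus)})
    return findings

def monthly_waste(findings):
    """Total avoidable licence spend per month across all findings."""
    return sum(f["monthly_cost"] for f in findings)

if __name__ == "__main__":
    result = reconcile(HR, ACCOUNTS, as_of=date(2024, 6, 1))
    for finding in result:
        print(finding)
    print("avoidable monthly licence cost:", monthly_waste(result))
```

Accounts flagged as "no HR record" or "employee has left" are also the ones to review first from an access-risk point of view, independent of the licence cost they carry.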
The relationship between IAM costs and savings
With a SaaS-based IAM solution like HelloID, the majority of the costs are directly tied to the number of users. As we outlined above, many savings opportunities also relate to user numbers. As an organisation grows, so do the costs of the IAM solution, but the cost savings directly increase as well. It is important to highlight this clear relationship in your business case.
Additional benefits for the organisation
We have discussed tangible cost benefits that can be quantified. However, your IAM business case is not complete with just these. IAM also helps demonstrate compliance, potentially mitigating financial damage from data breaches and boosting your organisation’s productivity. These advantages might have an even greater financial impact on your organisation, but at the same time, it is more difficult to accurately quantify them.
The automation of IAM service processes not only cuts down on expensive manual work and reduces unnecessary expenses on licenses and storage, but also removes many operational delays and obstacles. The task of manually setting up, deleting or modifying accounts and permissions might seem quick, taking just about half an hour, but that doesn’t reflect the real turnaround time. Coordination with HR and departmental leaders or managers can add hours or days to the process. Delays that prevent employees from doing their jobs are not only frustrating but also costly. Additionally, such inefficiencies can damage your reputation as an employer. A new employee who still does not have a working account after two days is likely to disengage before they have even started. These scenarios, though hard to quantify directly, are crucial to take into account. If your new IAM solution eliminates these issues, this is an essential component of your business case.
Compliance with privacy and information security guidelines
Every IAM solution manages user accounts and access permissions. However, a comprehensive and future-focused IAM like HelloID goes much further, supporting various information security and privacy measures. These measures are essential to comply with standards such as ISO 27001, BIO, NEN 7510 and GDPR. By fully automating various IAM processes and employing Role-Based Access Control, we truly uphold the ‘least privilege’ principle. This prevents errors, the unnecessary accumulation of rights and old accounts being inadvertently left open.
The added value of this cannot be overstated. With the measures mentioned, you are demonstrably well-prepared to prevent hacks and data theft. Additionally, the platform logs all user actions for reporting and audit trails. This is crucial because, for example, the Data Protection Authority can issue fines of up to 20 million euros or – if higher – 4% of the global annual turnover. Although translating the prevention of fines and reputational damage into concrete figures for your business case is challenging, it involves ‘serious money’ either way.
Getting started with your IAM business case
A clear and comprehensive business case helps engage stakeholders in the IAM project. It is not just about the numbers and the bottom line. It is about demonstrating the various business benefits of your IAM solution and the interdependencies, quantifying them as much as possible. At the same time, it is crucial to highlight other potential business benefits, even if they are less straightforward to quantify. Our Tools4ever consultants are ready to help you tailor your specific business case. Feel free to contact us for more information!