The survey, which was based on 128 respondents from organisations in 23 European countries, reconfirmed the 2008 IAM survey: that “IAM is here to stay”. Almost 90% of the respondents said they have initiated one or more IAM projects during the last three years, and around 70% have a specific IAM budget.
KPMG and systems integrator and consultancy firm, Everett, found that the financial services sector continues to be an early adopter of IAM, but that the infrastructure, government and healthcare sector has also emerged as an early adopter in 2009 from being a ‘laggard’ in 2008. Despite the economic climate, the financial sector still has the highest IAM budgets.
This does not mean that IAM has escaped the impact of the economic crisis, however. A quarter of respondents reported budget cuts of 5-50%, whereas 13% reported IAM budget cuts of more than 50%.
Despite this, over half indicated that they have not seen any significant impact on their IAM budget. Projects did, however, see an impact on IAM project scope.
The three main drivers for IAM were found to be:
- Governance, risk and compliance (being ‘in control’ and able to prove it).
- Operational excellence (cost control and user experience).
- Business agility (being ready for change).
Governance, risk and compliance is becoming ever more important as the main driver of IAM for all sectors, but perhaps particularly for the financial services, infrastructure, government and healthcare, and communication and entertainment sectors.
Operational excellence is also of reasonable importance for the consumer markets and industrial markets.
KPMG and Everett pointed out that “investing in business agility and operational excellence can reduce IAM costs in the mid to long term” and that “we expect these areas to be an opportunity when the economy recovers”.
Despite the perceived importance of IAM, the survey found that implementation of complete IAM solutions halved to 35%. This could indicate a shift from an extended preventative approach toward “a more detective approach focusing on an organisation’s ‘crown jewels’” – probably due to the economic crisis.
There was also a gap between expected and realised benefits of IAM projects. Less than half of those expecting significant benefits from access attestation and certification realised these benefits, according to the IAM survey.
The most prominent reason for failure was reported to be that the business was not ready for the proposed IAM solution, and the lack of support from the business. Despite the gap between expected and realised benefits, half of the respondents were still satisfied with their IAM project outcome.
KPMG and Everett concluded that the value of IAM is apparent to businesses as they are still investing in IAM, but that “the challenge for the upcoming years is to realise the expected benefits”.
ISSE 2009 IAM discussion
In a panel discussion at ISSE 2009, John Hermans, associate partner at KPMG IT Advisory and Peter Valkenburg, member of the board of Everett Group invited the following panellists to discuss the IAM study findings: Paul Heiden, founder of enterprise authorisation management vendor BHOLD; Steve Farrage, specialist presales director at business software vendor Oracle; and Brian Cleary, vice president products and marketing at IAM company Aveksa.
Cleary agreed that compliance requirements drive some IAM business, but that there is also an emergence of a class of customers that bypass traditional IAM.
BHOLD’s Heiden agreed, saying that customers want to differentiate products according to their main drivers for implementing/maintaining IAM. However, he warned organisations that they must address all three IAM drivers (governance, risk and compliance, operational excellence, and business agility).
Asked who should drive IAM implementation, Oracle’s Farrage said that the business impact of implementing IAM is best understood by IT, but as Cleary pointed out, the business management as a whole must participate in the process.
Ending on a warning point, Heiden concluded by saying that as the recession is likely to stay with us for one to three years, businesses “will have to do more with IAM – more than you expected – or else we have a very dark future”.