How to Build a Roadmap for Identity and Privileged Access Maturity

WEBINAR ON-DEMAND

In the realm of technology-driven progress, an identity and privileged access management roadmap provides focus on what truly matters amidst the whirlwind of possibilities. A well-crafted roadmap distills complex technological strategies into a concise framework of pivotal actions. It's not about mere planning, but about assembling a sequence of disciplined steps that propel an organization forward with sustained momentum. The IAM/PAM roadmap requires a blend of disciplined thought and action to transform your organization’s technological ambitions into tangible results. 

Watch our on-demand webinar about "How to Build a Roadmap for Identity and Privileged Access Maturity", recorded during our third annual Power Of One Conference.  

Presented with our partner, Idenhaus, we delve into a complete overview of how organizations can assess, enhance, and optimize their strategies, linking their teams toward common goals and corporate objectives to achieve enhanced maturity and security excellence.

Key Highlights 

  • Introduction to Identity and Privileged Access Maturity Model: Gain a solid foundation of the core principles behind the identity and privileged access management maturity model. Learn how this model can help organizations evaluate their current state and set clear goals the team can get behind for improvement. 

  • The Evolution of Cyber Threats: Understand why robust identity and privileged access strategies are essential to mitigate risks associated with data breaches, insider threats, and cyberattacks. 

  • Stages and Benefits of Maturity: Explore stages of identity and privileged access maturity, encompassing key components, best practices, and technologies for each stage. Realize the organizational advantages of a mature framework, including improved compliance, operational efficiency, and reduced breach risks. 

  • Assessment and Implementation Strategies: Uncover effective strategies for assessing your organization's current identity and privileged access maturity level. Learn how to identify gaps and prioritize improvements. Our experts will also discuss practical approaches to implementing changes that align with your organization's goals and resources. 

  • Building a Roadmap: A skillful roadmap simplifies the intricate technological strategies into a focused framework of crucial steps for your team to follow. It's a process beyond planning that becomes an orchestration of a series of deliberate identity and privileged access management actions that guide your organization. It requires thoughtful, systematic thinking and execution that turns your technology into tangible security achievements. 

  • Q&A Session: Engage directly with our panel experts during a live Q&A session. Get answers to your specific queries and gather valuable insights tailored to your organization's unique needs. 

Presenters

Bart Allan

COO, Bravura Security

Ensuring customers achieve their ultimate desired outcomes in their identity and privileged access management programs is Bart’s key motivation. Bart oversees Customer Support, Professional Services, SaaS Operations, and Customer Education and works closely with the Engineering, Quality Assurance, and Sales teams to continuously improve customer experience through improvements to the product, services, and customer-facing processes and practices. Bart has been with Hitachi ID for over 6 years, has extensive experience in identity and privileged access management, and over 10 years in the IT industry.

Hanno Ekdahl

Founder, Idenhaus

Hanno is the founder of Idenhaus, which has clients in financial services, CPG, healthcare, retail, manufacturing and local and federal governments. Hanno and the Idenhaus team excel at helping organizations design and implement effective Identity Management and Cybersecurity programs by focusing on the importance of leadership and the linkage between business strategy and the organization’s security goals. 

Hanno began his career at Novell Consulting, initially working as a strategist and later as a services principal. His focus on generating meaningful and measurable client successes at Novell earned him the prestigious President’s Award, an honor reserved for the top 2% of performers in the company. 

Prior to Idenhaus, Hanno was the co-founder of a management consulting firm where he received the US Army Commander’s Award for Public Service in recognition of his efforts that revolutionized and transformed the Army’s security clearance process. As a result of this project, the Army was able to reduce the time required to obtain a security clearance by 80% via a centralized, standardized and automated process for these clearance requests. 

Hanno received his Masters in International Business from the Moore School of Business and an undergraduate degree from the University of North Carolina – Chapel Hill. He was also a Fulbright Scholar at ETH Zurich, one of the world’s top 5 universities in engineering, science and technology. 

Ronald Bowron

Director IAM/IGA, Bravura Security

Ron Bowron has an affinity for problem-solving with new ideas and strategies. His ability to coordinate resources through complex and sometimes chaotic business processes to build viable, valuable solution frameworks has been the cornerstone of his career. 

Ron has worked with small, large and global organizations to solve complex business issues. He has years of experience with Identity Governance and Access Management solutions, Industry Standards (ITIL, ISO, EDI, HL7, SAML, OAuth, OpenID), and regulatory compliance with HIPAA/HITECH. Before returning to the IGA/IAM technologies, he worked in the field of Master Data Management as the Master Person Indexing (MPI) product manager utilizing advanced probability matching algorithms (AI, NLP), rules and remediation workflows as well as biometric authentication technologies to uniquely identify a single person among tens of millions of records and hundreds of contributing sources.

Ron received a Bachelor of Science in Business Information Technology Management from Western Governors University (WGU), is a contributing author to HIMSS/IHE ITI Profiles, and has received acknowledgments of achievement from his former employers such as Novell (aka MicroFocus) and Dell. He is a former member of the Dallas Toastmasters International and is an active member of the HIMSS and DFW-HIMSS organizations.


Identity and Privileged Access Management (IPAM) is essential to keep your business compliant with ever-changing regulatory requirements. Additionally, cyber threats are continuously evolving. This makes a robust IPAM program crucial for mitigating risks like insider threats, cyberattacks and data breaches.

Unfortunately, many companies approach IPAM as an “IT-only” effort, leaving out business stakeholders. Weak business alignment makes it difficult to gain buy-in to both fund and adopt the solution. If you're looking to strengthen your IPAM program and make it more of a team effort, we've created this guide to help you along.

The Complexity of IPAM

IPAM is more complex than many organizations realize — it affects nearly everything and everyone. Because there are so many projects for business stakeholders, it can be challenging to manage project scope.

For this reason, it's important not to underestimate the complexity of IPAM. It involves input from nearly all aspects of your business, including:

  • Business capabilities: The Identity Governance Program must ensure business drivers align with business capabilities. That way, you can measure, monitor and manage these capabilities to see how they affect business value.
  • Functional operations: Are the policies, standards and procedures established, documented and aligned with the skill sets within your program?
  • Actors: Does the program include all necessary tools, automation and resources to be successful? Additionally, consider whether you can manage the identified capabilities in-house or if you should outsource them.
  • Identity life cycle: Think about what identity types you are managing. Do they have defined service level agreements that align with their development, provisioning and de-provisioning of access? How well is your company working toward and achieving the anticipated outcomes?

Program Maturity Scoring Model

It's important to tailor IPAM maturity scoring models to different organizations, as each one is unique. You'll also want to communicate the maturity model's scale and metrics throughout the entire company.

Breaking up the model into different levels can make it easier to ascertain your organization's IPAM maturity and make adjustments as necessary. However, keep in mind that too many levels can complicate the ability to differentiate meaningful improvements. Similarly, too few levels can hinder your ability to differentiate meaningful progression.

Bravura Security's IPAM Self-Assessment

Let's look at Bravura's self-developed assessment tool that helps organizations compare their IPAM against those of their industry peers. We partnered with Gartner and surveyed over 100 businesses to determine the maturity of their IPAM programs.

Our current IPAM Self-Assessment uses a 0-4 level maturity model:

  • Level 1: Fragmented Identity Indicators
  • Level 2: Unified IAM Indicators
  • Level 3: Contextual Indicators
  • Level 4: Adaptive Indicators

The average overall IPAM maturity of the surveyed organizations is 2.33 out of 4. The Idenhaus Full-Service IAM Strategy & Roadmap involves a 0-5 level maturity model and entails a wider set of domains.

How to Self-Assess Your Company's IPAM

By taking our self-assessment and partnering with one of our specialists at Bravura Security, you can identify the effectiveness of your current IPAM program. You can also discover opportunities for improvement. We suggest the following steps as a guide:

  1. Self-assessment: Use our five-minute self-assessment tool to benchmark your IPAM program against those of your industry peers.
  2. In-depth review: Review the data with one of Bravura Security's specialists to investigate strengths and vulnerabilities.
  3. Program and roadmap development: Work with our professional services team and integrator partners to develop a comprehensive IPAM program, reinforcing your strengths and addressing your areas of weakness.

Our Flexible Maturity Model

Quantitatively assessing your company's maturity is critical. Here are the scores we use and what they indicate:

  • 0: Nonexistent/Unprepared
  • 1: Initial/Ad-Hoc
  • 2: Defined/Tracking/Foundational
  • 3: Measured/Managed
  • 4: Structured/Policy-Driven/Proactive
  • 5: Optimized/Innovative/Anticipatory

The Benefits of Our Maturity Scoring Assessment

Having a means of self-assessing your IPAM efforts offers a multitude of advantages. Here are some benefits of our maturity scoring strategy:

  • Multiple domains: Our self-assessment tool looks at several domains, such as data quality, security management, password management, reporting and event analytics. These aim to give you the most accurate, reliable and exhaustive score possible.
  • A holistic view of your operations: By exploring a broad range of domains and areas, you can see a more comprehensive view of your organization and improvements that are in order.
  • Measurable metrics: Quantitative and qualitative metrics can help you visualize priorities and improvement opportunities for your IPAM roadmap.
  • Visually actionable: Our self-assessment resources make it easy to visualize IPAM improvement opportunities for your business. You can organize the opportunities for each category or domain into a bubble chart for a seamless view of how each one measures up.

The ability to score your IPAM program maturity can pave the way to creating an effective strategy and roadmap. That begs the question — how exactly do you convert these improvement areas into actionable initiatives?

Prioritizing Opportunities to Mature and Developing a Strategic Roadmap

When evaluating the results of your maturity scoring assessment, you can restate every issue or weakness you identify as an opportunity. Additionally, you can assign specific metrics to each opportunity in terms of business value and complexity.

Generally, business value is easier for organizations to collect. However, complexity requires experience in dealing with the opportunity, ensuring you don't underestimate its complexity.

We encourage you to use the following steps to build out your strategic roadmap:

1. Opportunity Charting

You can place the opportunities for each domain into a bubble chart to quickly see how they measure up. The qualitative and quantitative metrics you gather can help you visualize priorities and improvement areas. Essentially, the bubble charts group these priorities into a functional matrix and lay the groundwork for gaining buy-in.

2. Functional Matrix

We use a functional matrix to prioritize opportunities within capabilities. The functional matrix supports the categories as “swim lanes” within the IPAM program. It organizes the opportunities in priority order within their respective swim lane.

3. Strategic Roadmap

You can begin your roadmap efforts after laying out the functional matrix. Our depicted roadmap shows how it helps with prioritization, milestones and dependencies. The information is conveniently available to map out anytime, whether you're looking to create a 30-60-90 day, quarterly or annual roadmap.

Are you ready to get started? Head over to our Self-Assessment tool and the Idenhaus Full-Service IAM Strategy & Roadmap today.

Learn More About Enriching Your IPAM Program With Bravura Security

At Bravura Security, we deliver efficient identity management, privileged access and password management capabilities all in one powerful software. Partnering with our team is an excellent step in upgrading your organization's IPAM strategy.

Want to learn more about how Bravura Security can help you develop a successful IPAM roadmap? Request a demo of our software or contact us with questions today. We look forward to working with you!

Review the Full Session Transcript

No time to watch the session? No problem. Take a read through the transcript.

Carolyn Evans (00:00):

We're going to go ahead and get started. Thank you for joining our conference session, How to Build a Roadmap for Identity and Privileged Access Maturity. Today we are joined by our partner, Idenhaus, who provides consulting services in the area of strategy analysis, requirements and design of identity access management solutions. From Idenhaus, we have Hanno Ekdahl. He is the founder of Idenhaus, and Ron Bowron, who is the director of identity access management and governance, and also Bart Allan, who is Bravura Security's chief operating officer. So Idenhaus has many customers in financial services, consumer packaged goods, healthcare, retail, manufacturing, various levels of government, and they really excel at helping organizations design and implement effective identity and cybersecurity management strategies. So with that, we're actually going to hand it over to Ron to kick off our session.

Ronald Bowron (01:04):

Thanks, Carolyn. If we could go to the next slide. So part of the reason we're here today is to talk about what it takes to actually engage an organization to develop an effective roadmap. But what we know is getting identity and access management solutions and privileged access management capabilities integrated into the existing environment is actually a fairly complex process. And so trying to leverage it primarily from an IT position versus looking at the organization as a whole and understanding the organizational needs can be a challenge for some organizations that take on these technologies. So one of the things we're going to talk about today is what does it mean to define the scope and scale of an identity management program as well as its roadmap so that that program can be successful? What are the levels of maturity that we measure and how do we measure them?

(01:58):

What does it mean to have a mature program? The other thing we're going to look into is what are the pieces and parts that you have to collect and pull together to assess and measure whether or not you're actually ready to take on the roadmapping effort? How do you do the analysis? How do you align that analysis to measurable activities? And then how do you put them into a roadmap itself? And then finally, we'll talk about developing the program's roadmap overall and what are the activities and what should be the expected outcome of that roadmap when you're done. So next slide.

(02:35):

So one of the first things you need to understand when you first approach this is it's not an IT problem, it is an organizational problem when it comes to identity management. So what you want to understand is that there are the complexities around the business processes today as you're hearing more and more, everything requires, everything is based on identity. Identity is the new boundary for granting access to all resources within an organization. Digital transformation efforts, identity management's the key foundation for digital transformation, whether your identity as a service account trying to grant access to third party application or whether it's in-house or whether it's even granting physical access to a building. So you don't want to be aware of what are the business capabilities that this program needs to support, and how broad is that capability? What organizations do you need to talk about to understand their needs?

(03:29):

And then you want to look at the functional capabilities. What are they actually doing day-to-day? What are those operational process flows and what skill sets are being used to do that and what resources are being allocated to do that? And then the other area you want to look at is who's actually doing it? Who are the actors? How many resources, how many people, what roles do they play? What tools are they using? Only after you've gathered your people process and technology information, are you now ready to actually start talking about your identity lifecycle? What does it really look like? How does it go across the entire organization? So as you can see, this can be a complex situation to assess, but if you follow a methodic process, you'll find that you can gather all your requirements, prioritize them, and coordinate them effectively.

Hanno Ekdahl (04:17):

Yeah, I think that was nicely said, Ron. So the takeaway for me from this slide is identity and access management touches everyone and everything. You can think about your first day of work with any organization. You had to show up, you wanted your laptop. Can you log into the network? Do you have access to your applications? Do you have a place to sit? All those things. And if you think about all the people and resources that had been marshaled and organized around your identity to make that a seamless, effective onboarding experience, then I think you realize the processes and the components that all have to come together. Identity governance is the model under which the standards and the processes that define how that all comes together so that you have the right assets and the right access.

Bart Allan (05:06):

And really, I mean, I think one of the key takeaways from this is it's really people and process before technology. As excited as we might be about a new tool, if you don't pay attention to the people and process behind that, that's not going to result in a successful program.

Hanno Ekdahl (05:25):

Absolutely.

Ronald Bowron (05:27):

So we can go onto the next slide. So let's talk about that journey a little bit in a little bit more detail. What do we mean by it's a program and what are the activities to analyze and gather the information to understand what maturity level that program is at so that you can determine whether you're even in a position to fully roadmap out all the opportunities you've identified? The first thing I want to help you understand is when you're assessing an organization, a lot of times you'll hear problems, you'll hear issues, you'll hear errors and bugs, you'll hear all these things in a roadmap exercise. They're not problems, they're not issues, they're opportunities. It's an opportunity to mature the program. So that's all assessment criteria, a requirement or any other issue that you identify. You have to word it in terms of an opportunity for your roadmap.

(06:17):

So be prepared to do that. And then you look at the capability scoring model. How do you want to rank those different opportunities? You got to have a conversation and understanding of how to rank it, and we're going to provide you a model that we use to help you do that. And then what are the capabilities and functionalities and how do they align? What's their priority in terms of within, for example, something as Hanno pointed out earlier, if I'm going to onboard somebody, if I've got this onboarding process, I can call that my access management capability on day one. What are the things that I want to prioritize as the need to happen in order for that to be successful? And then the next thing you want to look at is ranking them such that whether they have any dependencies on other opportunities. And then finally, you're actually going to align your strategy for what you want to actually accomplish with identity and privileged access management to your program through the roadmap. Okay.

Hanno Ekdahl (07:19):

Yeah. So this analysis is a key input. I mean, I think your point, Ron, about uncovering issues, and those are really the opportunities to improve and understanding your maturity begins by understanding how well things are working, right? So if you don't have well-defined processes for a particular element of your identity program, you're going to be at a lower state of maturity than something that's fully automated. And so understanding where you are on that continuum allows you to set a baseline understanding of your current maturity and then start thinking about your goals. Where would you like to be in the future? And that should all tie back, as you were saying, to business value and priorities.

Ronald Bowron (08:05):

Yeah. One of the things that we tend to find, you have these implicit assumptions about, they think they know something, but once you go through this exercise, those problems become explicitly known.

Hanno Ekdahl (08:25):

Sorry, Ron, I didn't mean to cut you off. My one is data quality. I hear this one all the time. Our data's great. It's fine. And then you get in there, it's like you don't have half the data you thought you did, and most of it's wrong. And then you're struggling to automate things because you can't build a rules-based system if you don't have the data there to actually execute the rule consistently. So yeah, data quality is usually one of the ones that people always swear, oh, we've got the best data quality ever. And you're like, well, it could be a little bit better.

Ronald Bowron (08:56):

Consistency of process is also the same thing. You may find that you thought you only had one onboarding process, then you find out that your contractors come through a spreadsheet, your third party administrators and service accounts come through a ServiceNow ticket. And accounts aren't all really going through the same onboarding process. So it can be very complex, but once you find those issues, it is just another, where's the business value? How complex is it? And how do I make sure I properly identify where it aligns on my roadmap with all the other opportunities that I have?

Hanno Ekdahl (09:33):

Okay,

(09:33):

This will indulge me. Actually, I'll tell you a quick story just because it triggered a memory for me. So I had a customer and their marketing team had built an application, and that application was designed to serve up marketing materials for different countries or regions depending on where you were located. So local targeted media campaigns in the language with the right branding. And they had looked in the directory and saw, oh, well, we store country. Well, it turned out that country was actually not collected by collected and synchronized into their directory. So while there was a country attribute, it was only populated about 5% of the time. So for the vast majority of users, they saw no localized content whatsoever because that data element was completely missing. And so then they had to go back and figure out how do we collect it, how do we sync it so that our application will work? A little bit of upfront analysis can save you a lot of pain on the backend.

Ronald Bowron (10:33):

Yep. Excellent. Next slide. Now you've got this list of opportunities. You've gathered all this information, and again, it's key that you don't just gather it from people who understand the technology. It's critical that you've gathered those opportunities from a business perspective for two reasons. One, they're going to provide you information and insight into how the business speaks about identity, not how technology speaks about it. And two, they're going to give you insight into what their pain points are. That may have nothing to do with what the technology's even able to offer. So they're going to show you things and explain things to you as to how painful it is for them to leverage or adopt the technology. Which means the next step is you can ask them, Hey, when we get ready to score all these opportunities, would you be willing to participate in our survey so we can get your feedback?

(11:35):

By doing that, they're going to want to adopt the technology as their portion and their problems get solved, they're going to line up. And then you can ask them, would you like to pilot that for us? I mean, when they know they can contribute to bringing business value to the company, that's where things really start to line up for you. And that's the next step is understanding now that I've got these opportunities, what model am I going to use to score or to measure these things? Now, some of you may be involved in a CMMC exercise. Some of you may be involved in NIST 53 or NIST 171 compliance reviews. All of those activities actually are finding opportunities for identity management controls to be improved from the technology perspective. You'll need to go outside those in some cases to get the business opportunities. But those metrics and those models are what you can somewhat leverage to help you understand what scoring you want to use. And what I want to do is I know that Bravura actually has a self-assessment, but before we go there, Hanno, did you have any comment on the scoring model?

Hanno Ekdahl (12:40):

I always have comments, Ron. You know that about me. So I have another anecdote. So this is a higher education. So we were doing a strategy engagement and we talked to a ton of people across the organization and towards the end they said, Hey, you want to talk to the continuing education folks? And we're like, sure, we'd love to talk to the continuing education folks. And so they came in and we were chitchatting for a while and we're saying, well, what's one of the things for you about your job that you see some challenges in or would be a nice to have or a value add? And they said, we are interacting with all of these high school students. They come to our summer programs, they might take a class that they're interested in, they might participate in a sports camp. And for us, those are potential students.

(13:26):

And so we want to establish an identity for them and we want to have the opportunity to interact with them, but we have no way to do that right now. And so we said, aha, well actually identity management, we can create some registration workflows and we can put some processes in place and we can start to collect those identities and manage them. And for them, they said, well, if you enroll an additional 50 students at $10,000 a year, that's a half a million dollars. And suddenly the conversation went from cost savings and efficiency to value add and how do we enable the organization to improve its enrollment? So those kinds of things are, the fun part to me is where you identify something that you hadn't considered and someone pops up with an idea and you're like, Hey, we can help you with that too.

Bart Allan (14:11):

I think that business value aspect is so important, right? Many companies that we work with will get into the identity and access management journey and they'll start to see a flood of requests, but trying to triage and assess what's going to bring the most business value and how do we justify that not only by, hey, it's going to improve our maturity or cybersecurity posture, but hey, here's actually this opportunity where we can save money or make money that's even better.

Ronald Bowron (14:45):

Yeah. And each of those things, a lot of times people look at these efforts where they're compliance efforts and what they don't realize is when you find a weakness in your maturity or you haven't figured out or you see something that's complex, sometimes people struggle with identifying where it's actually going to be operational efficiency to the organization because you're now applying a new control or you're changing the way a business process works because now you're introducing a tool that automates what the end user seems to think is a very complex process of using spreadsheets and all these special queries and all these CSV files and passing around emails all over the place. Imagine if you could say, we're going to collect that into a data model and present you a yes no screen. People don't. Eventually you got to go. There's some value in that. It's not just the technology. There's some value in making those business processes less complex for the end users.

Hanno Ekdahl (15:45):

Well, I think that's where automation comes in. So we talk about the continuum of maturity, right? You start off with ad hoc and spreadsheets, as you were saying, which gives me goosebumps and makes me feel a little queasy if I'm honest. And we move into full blown automation. And so access reviews I think is a great example of that where nobody wants to do the access review. Everyone complains, oh, the manager's just going to rubber stamp because they don't want to take something away from their user. They don't understand what they're doing. And so if you're using things like role-based access control and I say, well, you're in the role, it's already been defined. We grant that access. Nobody has to review it. The system is automatically putting you in the access that you should have for your job role and responsibilities. We've taken that burden off the managers.

(16:28):

They don't have to go back and review that, right? And we can also look at things like patterns and permissions, and that's where it gets a little bit sexy. So you talk about automating something that's hard to get insight to, you're really talking about decision support here, and it's like, oh, well, Hanno's access has been the same for the last three years. He's in the same role. We shouldn't have to audit and report on that anymore. And so you can get out of these reviews which people don't enjoy doing, and they quite frankly are not a huge benefit. You should be focusing your energy on reviewing the exceptions, not the boring routine things that should really be managed by the systems. So the exceptions are where we should spend our attention, not the routine

Ronald Bowron (17:13):

And finding those and understanding what the business value is. As we go through this process, we're going to show you how each of those opportunities can be scored both on their value and their complexity. So Bart, I know that you've got an actual maturity scoring model that's a self-assessment. Do you want to go ahead and let's go to the next slide and go ahead and take the floor?

Bart Allan (17:35):

So one of the things we've done really to try to give customers, prospects, anybody who's doing identity and privileged access management, an opportunity to baseline themselves is we've developed really starts at level zero, which if we could go to the next slide, Haley, that'd be great. Awesome. Really starts at level zero, which is I'm doing nothing all the way up to level four, which is quite unheard of. But some companies definitely get there. It allows companies to kind of baseline where you're at in that journey. And not only that, it allows you to actually see where your biggest opportunities might lie. Where are you a level, maybe you're a level zero in one area. Oftentimes getting from zero to one or zero to two is pretty easy. Where it gets hard is going from two to three and three to four. That's where you end up spending a lot more time.

(18:32):

So we've got a tool out there that we through at Gartner Peer Insights last year and got over a hundred companies to actually go in and respond and do a self-assessment. It's actually kind of interesting. We thought folks would be a little bit less far along the maturity curve, but overall out of a hundred companies we surveyed, we saw that people were sitting at about a 2.3 at a four. So somewhere between what we would call unified and contextual, which really means you haven't really started to take into a lot of account where the user is, what they're doing, other factors that you can get from SIEM systems and other platforms. But your identity and access management model has started to become unified in the sense that, Hey, this is Bart, this is his role. We know that he gets access to these five things and that's okay, but hey, why is Bart in China trying to access the system at midnight?

(19:33):

I mean, those are the things that we can start to do as we move toward kind of the adaptive level. And if we want to jump to the next slide, what we thought was really interesting as well is people were pretty consistent. So we broke this into five domains and this is really just a tool to kind of help you get started. You can use this at any point in your journey and can really help you make this a lot more robust. But what we've done is broken this down into five different domains centered around identity and privileged access maturity to kind of assess, Hey, where are your weak points? So we actually found that people's weakest points, although just barely was in identity governance. So talking about recertification and those things, it's something that is definitely a little bit further along the curve. But the point that I think Idenhaus is going to make and Ron's going to make is this is not a one size fits all. We try to do this so you can benchmark yourself, but really it's important to kind of figure out what this means to your company and Idenhaus can really help you with program and roadmap development and including developing your own maturity scoring, which I think I'll let Ron talk about.

Ronald Bowron (20:59):

Yeah, thanks Bart. If we can move on to the next, oh, well, we'll move on to the next slide, but commentary's always welcome from Hanno and so if you have anything I'm trying to retrain myself

Hanno Ekdahl (21:10):

And get excited.

Ronald Bowron (21:13):

But yeah, so to back up, this is just another view of that maturity progression. This kind of follows along the line more of the combination of different standards, but the model that we typically rely on is he said zero to four is the ranking they bevera offers. Within our model, we chose a zero to five. And so the stages are fairly simple. The challenge is knowing how big and wide that scale should be with CMMC, they've actually knocked it down to three levels for their CMMC efforts. Well, three levels may not give you enough insight as to where you really are in your maturity and what the gaps are and where you're going to be able to move to next. But having 10, maybe too many incremental you, the positionings you're trying to identify, it's going to be harder to understand and communicate to management.

(22:04):

So we found that four to five ranking method to be one of the most efficient and most accurate. After doing this over 15, 20 years, you start to fall into these models and understand, hey, these are the questions you need to ask. These are the areas you want to cover. And then it will help you find where you align. So the goal of this is to know where you are today and understand Nirvana is always that optimized or that anticipatory model chances of getting there, that's like hitting the Olympic 10 out of 10. So your goal really is to try to hit that mature, that high three, low four score at minimum over a three to five year roadmap.

Bart Allan (22:51):

But I think what you'll find as a company, you need to figure out what makes most sense for you. I mean, some of us in high risk environments, financial institutions might be striving for an optimized environment, but other areas, other business types, other verticals, it doesn't really necessarily make sense to strive for that. Five, you might be striving to a three or even less depending on where you're at today.

Ronald Bowron (23:22):

And that curve is very similar to and Hanno, you'll know the term better than me. It's that returns, I'm trying to remember the term. It gets more expensive to get

Hanno Ekdahl (23:35):

To diminishing returns, right? Increasing investment with diminishing returns. Yes.

Ronald Bowron (23:40):

So trying to get to that fully optimized might cost you more per user. The actual results that you get is worth, right?

Hanno Ekdahl (23:49):

Yeah. Well, if you think about the data that financial services and healthcare have that they're protecting, it tends to be much more sensitive than perhaps a manufacturing plant. Not that someone who's dealing with IT/OT boundaries, they certainly want to keep their machines up and running, but there's no one trying to get social security numbers and healthcare information for your workers on the shop floor, and you don't have that information anyway. So to Bart's point, you should tailor your effort to the maturity level that you need that suits your organization and what it's trying to protect.

Ronald Bowron (24:26):

So let's go ahead and here's another example of a radio style diagram. I like to call it a web diagram or a spider web. But basically with the programs that we do, we actually cater the entire program and process of collecting this data to the organization. And again, whether it's a self-assessment or a guided assessment, the thing with the guided assessment is a lot of times we help draw answers out of the organization that the IT department, sometimes not intentionally, but they may not know to even ask just because they're not familiar with all of the business processes going on in the organization. So if you'll notice on this chart, we cover some additional domains that may not be covered by the vea, and that's just because, and we can tailor this to say, is that domain even needed to be part of the assessment? Do you even want to include it in this strategic roadmap? So that's why we allow ourselves flexibility and how big should we go? How wide do you want the roadmap to be? What categories do you want to cover with it? And so each time we go through this, we actually find that more and more customers are falling. They're like, keep those domains. We do want that insight.

Hanno Ekdahl (25:50):

Yeah, I think one of the things for me on this graph is it reminds me of one of my favorite sayings, what gets measured gets managed. So you may not even have awareness. We talked about the data quality, which is actually on this chart here. So data quality, my nemesis and my friend at the same time. So if the data quality is not, you think it's great, but because you're not actually touching it, and it gets back to that implicit explicit thing, we go in, we look at it and say, okay, well, it turns out that what's in Active Directory is different than what's in your HR system is different than what's in your IDM system because certain attributes are not syncing or there's other challenges, HR is not collecting it. Whatever those things are, now you're aware where the gaps are. You can understand the impacts on things you might want to do that will drive your maturity, whether it's role-based access control or other types of rule-based access. And now you can start taking steps to do something about it. And that understanding that yes, we have something that needs to be addressed and here's what the impacts are on the downstream systems. It's preventing us from fully automating, it's preventing us from managing security as effectively as we could. That also drives awareness as to what the business value is for taking on that initiative.

Ronald Bowron (27:10):

So now we've talked to the organization, we've gotten all their requirements and issues and convert 'em into opportunities, and we've identified how mature that area is in terms of its efforts. And now what we want to do is take all those opportunities and start figuring out how to prioritize them. So for example, here I can see as Hanno pointed out, data quality might be an issue. So I might actually create a data quality swim lane, and I might say, what are the things that, where is the data quality needing to be addressed the most? Where's it going to bring the business value and is it a complex problem to solve? So let's go to the next slide.

(27:53):

So what happens with those opportunities now is each opportunity gets evaluated based on as we explained, business value and complexity. So you'll see on the left side it's the business value and on the horizontal it's complexity. What you end up with is identifying each opportunity based on those two parameters. A lot of organizations have problems. They might be able to qualify the business value based on number of users impacted, based on budgets, based on licensing costs. There's all kinds of ways you can come up with business value metrics. A lot of organizations that we work with have difficulty with the complexity because they'll look at the opportunity and say, but we've never done that. We don't know how to measure that. That's where organizations like Idenhaus come in real handy. We've done it. And we can tell you either with the tools you've got, it's either yes, it's a two week effort, or maybe it's an eight week effort, or it might be a six month effort.

(28:50):

It could be very complex. So we help, that's where we offer a lot of additional value as in giving that complexity scoring and reviewing it with them. We also get the customer's input on the complexity and we measure those up to see where they fall. But in the end, as you're measuring those opportunities, your goal is to figure out what do you want to start now, start now are big issues. They're things that bring a lot of value, but they're also not very complex, or I'm sorry, highly complex. So you want to start 'em now because they take a long time to do, for example, do you actually even have an identity management governance program? If the answer is no, if you don't know who the committee is, you don't have a charter. That's a program. They're hard to start. They're big things, but they also can provide a lot of business value.

(29:38):

So you need to start it now, but that doesn't mean it's going to be in two weeks. But the other opportunities are called do nows. They're high in business value, but low in complexity. And what that means is I can put them on my roadmap to things I want to do early and fast, my quick wins. And then you have the things to consider. They're low in business value, but also they're low in complexity, which those are the easy to do things. For example, branding on a webpage, somebody complained about the branding, I can change it in two hours. I can fix that quick, but I would need to consider it as opposed to the other do now, when do I want to put it in my roadmap? And then the defer are things you may never do or you may put them two to three years out on the roadmap. So the goal is to score the opportunity based on how much value and how complex it is.

Hanno Ekdahl (30:32):

I like to say that defer is where opportunities go to die. Anything that's high complexity and low value, you probably just want to keep on moving. One of the things that's important about a roadmap is to have a pragmatic approach. So the quick wins generate some visibility and momentum. You're able to say, Hey, we solved this problem and we solve that problem. We relieve this area of user stress. And people will say, oh, well, that makes my life a little bit easier. It builds some goodwill and allows you to maintain or build some momentum in your program. On the business value side, the way we capture that typically when we're doing these is we actually like to survey the customers, whether our customers, whether we're using a survey tool like SurveyMonkey or whatever, and we'll actually ask the business and the IT folks to rate the impact of the opportunity against strategic drivers.

(31:35):

So one of those might be security, for example, or it might be efficiency, or it might be revenue growth or enrollment growth. Great. What is the impact of doing this opportunity on each of those three areas? And that's a nice way to break down business value into something that the end user can understand because security, oh yeah, we're going to put in multifactor authentication. Well that's definitely going to improve security. That's an easy one. That's a high, right? And so going through that process, the organization really informs the business value. And to Ron's point on the complexity side, having done so many of these implementations, typically we're best to come in and go through the estimation on complexity, and we'll also work with the customers as well and get the team's input on what they think. So everything plots out value versus complexity, and it gives you a nice way to visually see how your opportunities chart out and makes it easier to digest a lot of information to take in.

Ronald Bowron (32:35):

Before we transition to the next slide, because I know it's quite an eye chart, so I don't expect everyone on the session to be able to read it, but it gives an example of how these opportunities, you'll notice the circle on the bottom that the bigger it is, the more business value it gives, the smaller it is, the less business value, but where it shows up on a bubble chart is where it sits in its priority against other opportunities. So let's go ahead and go to the next slide. And as Hanno pointed out, notice these areas align with the categories on the web that we did. So we've got an identity governance program. We've got, what are we doing? I'm even having trouble reading it. But what are we doing in these different areas? Access management, right? Lifecycle management, what are the opportunities in there and how do they compete with each other for business value and complexity?

(33:30):

While this looks a little busy and a little difficult to read, believe it or not, this sets both your priority and your roadmap alignment. So once we can build a functional matrix based on this, based on where they fall on that chart and say, look for this category of activity, here's how these opportunities lay out based on their start now, do now, consider, defer, right? So we can line them up once we've lined them up, we're going to actually be able to put them in a roadmap. And with the roadmap we'll be able to show the dependencies. So I'm not going to spend a lot of time on this slide, but Bart, did you have any questions or Hanno, do you have anything you want to say here?

Hanno Ekdahl (34:15):

Go first since I've been jumping in a lot. Anything you want to say?

Bart Allan (34:19):

I was going to say one of the important things I see on this slide that is so often overlooked is the actual setup of the identity governance program itself. That so often goes kind of, oh yeah, okay, we're going to jump straight to identity foundation. How do we onboard users? How do we move them? How do we exit them from the organization? But if you don't really set up that foundation and go through this exercise, it makes your life so much more difficult. And this really helps you understand as a business, because we often get asked, when we do proposals and RFPs, well give us our first four phases. And the answer is always different. It depends on what the business is going to get the most value out of. For some onboarding, a user might be such a high cost that carries a dollar figure business value for others, maybe it's partially automated. And so that can push that later down the phase. It's also important as I think you're going to show us here in a moment to consider interdependency because if you don't have Hanno's favorite thing, data quality, then forget about doing automation, right? I mean, it's just not going to work.

Ronald Bowron (35:34):

Right? Well, I'm sorry. Go ahead, Hanno.

Hanno Ekdahl (35:38):

I was going to say, so one thing that's important about these charts as well is really grouping. They're really organized around capabilities. And so you're grouping and evaluating opportunities against each other within a capability category. And so that translates into our functional matrix where we have swim lanes around each capability, and then you have a sense of priority within each capability. And then as Bart was pointing out, there's also dependencies. We start to map out how all the opportunities come together across the different capabilities in the functional matrix, which then informs the roadmap.

Ronald Bowron (36:14):

Yeah, I want to just point out a caveat here. Watch the colors when we go to this next slide. They are important. So we tried to color code everything so that you could follow along. But before we move on, Bart, you made it also another good point about where to start the journey. We also have what we call our capability functionality and foundational hierarchy of all the services and capabilities within identity management. And in that hierarchy, if you start on one side, you might be starting with PAM, or you might be starting with access management or provisioning deprovisioning on the other side, you might want to start with governance where you're just collecting everything to see what people have. But if you try to do both at the same time, you are going to get all kinds of resource conflicts and people stepping on each other trying to get their job done.

(37:12):

It's best to lay it out in a roadmap in a program where you can align it to the number of resources you have. Know that every roadmap you build has to eventually drive a project plan. And every project manager will tell you you're arguing over three things, resources, time, and scope. So if you put too much scope on the roadmap, you may not have the resources to achieve it and your program's going to fail. So just be aware of get along. That's one of the red flags. Look at how he's like, no, we never fail.

Hanno Ekdahl (37:43):

We all just get along.

Ronald Bowron (37:46):

Right? So we're going to move on to the next part of this. So now we've got within each capability or category, we've got where things are. But you'll notice across the top we've put the identity governance program again, and each of those bubbles now represents one of the boxes on the functional matrix. So we've now aligned from your radio maturity to your capability bubble chart to your functional matrix, and everything's tied together. So you got complete traceability as to why you put that bucket where you did.

Hanno Ekdahl (38:21):

And I think that for me, it was actually really nice to hear you say it that way and just something just clicked in my head. So I have to say it, there's a lot of complexity here. When we go through and we talk about the different dimensions of a maturity model and all the opportunities that fall out of the assessment, you can get a hundred opportunities. So how do you take something that starts off as being really unstructured and really broad, right? So you think the top of the funnel that's super wide, and then you want to bring it all in and coalesce it into a plan that actually makes sense, is optimized for the business value it delivers that uses the resources in an appropriate way and provides a reasonable scope. And that's what we're leading you through. Here is the process to take this big massive opportunities and then turn it into a cohesive effective plan.

Ronald Bowron (39:12):

Good point. And so for example, this functional matrix doesn't yet say what I should really do first, it just says, for each capability area, I know what I should start now, what I should do now, what I'll be considering in the future, and what I'll defer right for that swim lane. So it does put priority within the swim lane, but it doesn't show it as it relates to all the other swim lanes yet. Now that's when we build the roadmap. So Bart, did you have anything you wanted to comment on this or are we ready to go look at the aha moment?

Bart Allan (39:47):

Let's go look at the aha moment.

Ronald Bowron (39:49):

Very good.

Bart Allan (39:49):

I love this.

Ronald Bowron (39:51):

Woohoo. Move on. And now we can actually create a roadmap and get, this roadmap will be just based on all the statistical information that was provided, but now it gets into the expertise of your IAM team and knowing the interdependencies of these capabilities. So for example, we know we have to have policies and procedures in place before we can actually start implementing the policies and procedures in the technology. So that's why the governance program needs to be there. It needs to run alongside with you. I see. Raising his hand. Go ahead, Hanno.

Hanno Ekdahl (40:26):

What about data quality? What if we don't have the data we need?

Ronald Bowron (40:29):

Oh goodness. This particular roadmap, I dropped data quality, it's on the second part of the roadmap, this slide size, I'll give you that, but typically data quality does show up early on in the phase and foundational. Some people will combine data quality within the foundational capabilities, but foundational means I've got to stand up the infrastructure, I got to stand up the components, I got to lay down the plumbing before I can get to the automated processes. So that's why it'll see foundational if it's already in place, you may have to do repairs on the plumbing

Hanno Ekdahl (41:12):

Essentially. And I would argue too that the governance program typically applies to data as well. So someone's going to have to make a change. Is it HR that's going to have to either collect new information or start maintaining information that they haven't been, or is there some other system that's going to have to provide an input and they just need to be aware? We need to bring those teams in and help them. But not every organization has the same problems as Bart's been keen and correct to point out. It's true. I mean, I talked about data quality because that's been a big one in my career that I've seen a lot. But it's true. I have gone into organizations that data quality is just fine. So when that happens, it wouldn't be a part of your roadmap because there's no cleanup to do. But I couldn't resist saying something about it since we've been kicking that dead horse.

Ronald Bowron (41:59):

And I also want to point out this roadmap is somewhat indicative of the beginnings of life. So if you're already three to five years into implementing IAM, this roadmap may not even be relevant to you because your opportunities are going to align differently. The business value or complexity of how you're going to achieve something may align completely different than what you're seeing here. But that's the point. It has to be your roadmap. You can't use a canned roadmap to be successful with IAM. It has to align with the business drivers and the business value, or your end users will probably not adopt it. They had no input as to how you're going to impact their day-to-day lives.

Bart Allan (42:40):

And I think an important takeaway in that is the process that you've outlined to get here. It doesn't really matter if this is a greenfield environment and you're starting to do identity for the first time ever, or whether you're a higher education institution who's been doing identity and access management in some form for 20 years and maybe moving on to a new platform or a new tool. This roadmap strategy can be done at any point in your journey. And you might have a hundred opportunities in front of you as many of our customers do. And they say, Bart, I have this Excel spreadsheet of a hundred things or this Jira backlog of a hundred things. What do I do? When do I do it? I want to do it all at once. And think one of our customers in an earlier session said she would probably step back and turn two phases into probably four or five.

(43:30):

And it's just that, right? I mean, it is trying to prioritize what is going to be most important, bring you the most value, and also where your quick wins. You might be five years into a program and still finding quick wins. Because look, the landscape is constantly changing. I mean, we talked about pretty much all day today, and we didn't really integrate it into this presentation, but where does AI sit in this? How can it help you? And I mean, one of the cool things is if you look at some of the opportunities in this deck, there's a lot that might change from high complexity to low complexity because we can throw it at AI, and AI can go say, oh yeah, I can go figure out all of your exceptions and all of the users who shouldn't have some access that none of their other team has, that's super easy for it to do. But when we have to write policies and regos and everything like that, yeah, it takes time. Fair point.

Ronald Bowron (44:29):

And I also wanted to point out, now that you've got your functional matrix laid out with the business value complexity and so forth, whether you need a 30 60 day or 90 day roadmap or whether you need a 2, 3, 5 year roadmap, you have all of the information out to produce whatever scale or scope of roadmap management's demanding of you. And so that's why it's a flexible exercise, but it's an important exercise. But it's also, as Hanno pointed out early on, it's a point in time roadmap. So then you have to ask, if I'm doing a 30, 60, 90 day roadmap, does that mean after that 90 days I'm going to do another refresh or do I do it every six months or do I do it every two years? Right?

Hanno Ekdahl (45:16):

Yeah. And I think we're seeing more and more of that. I mean, identity management's been around for a little while. We do see a number of organizations that just get stuck. They're not sure what to do next. They know they need to do something. And so the process of going out and talking to the business stakeholders, you are talking to higher education, you talk to the deans, you talk to different folks in administration and see what their pain points are, and you can refresh the roadmap and come up with a whole new set of opportunities and revitalize your program.

Ronald Bowron (45:51):

And I believe with that, we've got a closing slide, and I believe we're going to move after that. We can move on to question and answer. So just so you know, you can reach out to braa for that five minute self-assessment, or you can reach out to Idenhaus to collect information and register for an opportunity to discuss how we can help you build your roadmap on a custom basis. And so why don't we go ahead and move on to the Q&A session. And I was curious, Haley, whether or not we've got any questions out there, or Carolyn, if you saw anything?

Carolyn Evans (46:29):

We do. I believe Shelby's going to run through

Shelby Whalen (46:31):

Them.

Hanno Ekdahl (46:32):

Oh, great.

Shelby Whalen (46:33):

Yes, we do have some questions here. The first one being, which industry standard model do you most frequently use?

Ronald Bowron (46:42):

Ah, that's a good question. So our methodology at Idenhaus is based on experience in leveraging both the SANS security assessment maturity model, which is a five point model, which you saw show there, but also leveraging the NIST controls against that model. So we combine in our methodology, the NIST standards along with the SANS security capabilities and built an Idenhaus proprietary maturity model.

Shelby Whalen (47:16):

Thank you. Next question here is, when you look at your strategic roadmap, what comes after phase four?

Ronald Bowron (47:27):

Would you like to take that?

Hanno Ekdahl (47:29):

What comes after phase four? Yeah, I think maybe I addressed it a little bit on the last slide where we're talking about refreshing the roadmap. But yeah, so phase four, let's say we're looking at a two or three year time horizon that came out of the original roadmapping exercise. There's additional opportunities that fell out that just didn't make it within the timeframe, right? So Ron was talking about resources and people, resources, money. You only have so many things you can throw at the problem. So the question is, do we take the things that were left in our functional matrix that haven't made it onto the roadmap and put them in the next logical sequence? Or do we take a little bit of time and reflect on how our world has changed? There may be new technologies on the horizon like AI that require us to think about things differently, and we want to go through another strategy refresh that may be a little bit more lightweight, a week or two to realign our roadmap against current operating priorities.

Shelby Whalen (48:30):

Awesome, thank you. And to piggyback on that, once these opportunities and complexities have been identified, how do you help customers reduce that complexity?

Ronald Bowron (48:44):

Bart, I might let you take that one first since you're on the product side. How does your technology take something that may look very complex to the standard business owner, but through technology you're able to actually simplify the business process?

Bart Allan (48:58):

Yeah, a hundred percent. I mean, I'm going to pivot this back to the business, obviously, but the answer is, I mean, what we do is we patternize everything. We've done hundreds of identity and access management deployments, hundreds of privileged access management deployments, upgrades, refreshes, et cetera. And we have patterns that cover every particular functional area, right? From onboarding to changing managers or departments, role changes, RBAC, et cetera. We have kind of an out of the box playbook for pretty much everything. So when a customer comes to us and says, Hey, I have this really high business value thing, but it's really complex. How do I do it now? Our answer is always, well, let's change the business process. We have something that has worked at 50 other customers or 20 other customers. We're doing a lot with higher education right now, and a couple of marquee clients is really developing patterns that are used at a bunch of different institutions and could be reused. But it does mean that you've got to go back to the business and say, look, maybe we've been onboarding users for the last 25 years like this. Let's do it like this. And why? Because what you did 25 years ago probably doesn't make sense in today's context. But also because we can take this opportunity to, and then we can get value sooner and we can come back and we can revisit that in phase three, four, or whatever comes after four, maybe five.

Ronald Bowron (50:37):

And I'm going to add a little caveat here to coin off of what Hanno pointed out early on. Many times when you start putting in standardized templated pattern processes, your data quality improves.

Hanno Ekdahl (50:50):

Yes, amen. Thank you for saying that, Ron. I feel better already.

Ronald Bowron (50:57):

Do we have any more questions?

Shelby Whalen (51:01):

It does not seem so right now.

Ronald Bowron (51:05):

Okay. Well, Bart, do you have any closing comments that you'd like to put out there?

Bart Allan (51:11):

Yeah, I mean, I just want to thank you Ron and Hanno for jumping on this webinar with me today and really appreciate your guys' partnership and to everybody who's attending, really encourage you guys to reach out to Idenhaus and take a look at what they can do in terms of roadmap building. I think this was even eyeopening for me, and I've been doing this for quite some time, but just the methodology and how they come to these conclusions really nicely aligns with something that's been near and dear to my heart, which is identity and privileged access management maturity. So thanks again, Ron. And thanks, Hanno.

Hanno Ekdahl (51:55):

Thank you. Thanks for having us. Appreciate the opportunity. I thought it was an excellent discussion. I really enjoyed it.

Bart Allan (52:00):

Likewise. And we can continue backstage.

Hanno Ekdahl (52:04):

Alright, sounds good.

Bart Allan (52:05):

Cheers.

Hanno Ekdahl (52:06):

Thanks everybody.