Sunday, March 7, 2010

Trip Report - The Gartner IAM Summit in London

I went to this conference looking for some confirmation of a couple of pet theories of mine (but by no means only mine):

  • That the driver for IAM investment is shifting from IT cost-savings to regulatory compliance and governance.
  • And that IAM and GRC are converging.

Certainly this view was reflected in the vendor displays, many of which touted their products' support for "policy" and "compliance".

But in the customer case studies, discussion of "compliance things" like access certification, SoD and identity risk remediation was almost completely absent. When I described some of my IAM/GRC convergence ideas to one of the Gartner analysts, he gave me the feeling I was talking pie-in-the-sky. Earl Perkins scolded "us" in his presentation that in 2010 implementing even basic IAM functionality like user provisioning is still a risky venture for a company. Perhaps we should not be aspiring to "fancy" things while customers are still struggling with the basics.

But I'm not convinced of this - I don't think it is too soon to offer the benefits of IAM technology to GRC customers. My hunch is that if you try to automate many reporting, audit and governance processes, the "last mile" will often be in IAM, particularly entitlement management. But we need to begin with GRC business processes and work down to the technical plumbing, instead of the other way around. We need to start thinking of IAM as business infrastructure, instead of IT infrastructure.

I'd like to speak with non-IT people responsible for GRC business processes, but I did not find people like that at the Gartner IAM Summit. Maybe I need to start hanging out at different conferences.
