Identity and access management: CIOs discuss the trials and pitfalls

How hard is IAM to properly control and implement? Twelve Computing IT Leaders Club members give their views

Computing welcomed 12 of the UK's top CIOs and IT leaders to London's iconic Shard building this month to enjoy a three-course meal and discuss identity and access management.

The guests were joined by Dell, who contributed to the research being discussed.

The event was held under Chatham House rules, which means none of the quotes below have been attributed.

Once the discussion got under way, it was quickly apparent that most of the 12 were surprised by Computing's finding that 38 per cent of IT leaders have been involved in or affected by an IAM project that either was never fully completed, took much longer than expected, or simply failed to meet expectations.

"I'm surprised that the number is so high," said one CIO. "Maybe it's to do with how you define a project... If you're talking about [end users] simply getting access to the network, then I'd have thought it was getting easier, with lots of new tools available now."

But another IT leader was surprised that the other 62 per cent of respondents have apparently had no problems with IAM.

"If you do IAM properly it's very, very complex, and to have 62 per cent to be fine, I'm surprised," they said.

"My experience is that the market is changing very rapidly, and one of the things we're trying to do is match what we want to do against the software that's available, and slicing up our projects to fit products out there in the market," they continued.

Several agreed that the pace of technological change posed problems.

One CIO said it took nearly three years to devise their strategy "and by the time we came round to implementing, we had to tear it up completely [because the technology landscape had changed so much]."

"I'd like to think that what's feeding the 62 per cent is that as an industry we've learned quite a bit since back in the day," one participant said.

The definition of "success" in IAM projects was also questioned.

"If people have transferred from department A to department B, they just want to access it," suggested one CIO.

"So measuring success is interesting - if [the project] transferred the money, then it was a success. But was it a business success for us, as the IT lead?"

"People don't understand the security side," agreed another. "They just want to do their job. And we see people more and more bypassing security. Not maliciously, they just want to get on."

Most agreed that shadow IT is a growing problem, saying they felt they were in a never-ending war to stem the tide of rogue applications. But not everyone around the table shared this feeling.

"I'm sitting here a bit puzzled as people say applications are coming out of the woodwork," said one IT chief.

"I'm not saying they aren't using [shadow IT] - I've got a pile of guys doing a ton of stuff, but not on anything I don't know about, that's all."

Another IT boss suggested that something as seemingly innocent as people attempting to "drive business decisions" on unauthorised Excel spreadsheets could have calamitous consequences for a business and that they would have no qualms about stamping it out.

"I'm sure there's stuff they do that I don't know, but if I put in a system that would disable that system I didn't know about, it would be tough luck," they said.

"If I break an Excel spreadsheet, I don't give a damn - they have to be brave enough to come and see me about it."

Adam Clegg, UK sales director for identity and access management at Dell Software, discussed the importance of auditing, and keeping track of IAM projects on a product licensing level.

"You'd see some unbelievable behaviour [in delayed projects] that makes you ask, 'Why was the project begun in the first place?' More scoping needs to happen.

"We've seen a project still failing two years in, and there was never even any scoping done. Plus CIOs can move on every 18 months. Sometimes, nobody can remember why they actually bought something."

If a CIO moves on every 18 months on average, it was agreed across the table that there must be "a lot of CIOs out there that last only one month".

A sobering thought indeed, but a fascinating and entertaining evening nonetheless.