We have all heard examples of business deals closed on the golf course or at a bar. When it comes to security software, that informal approach to selecting an identity management vendor is high risk. The better approach is to set up a small group of stakeholders — including technical staff — so you can evaluate vendors effectively. In this article, we will run through the key roles and responsibilities you need to make good vendor selections.
Selecting an Identity Management Vendor: Who Needs to be Involved?
In larger companies, making a mistake on your security arrangements is painful. That’s why we recommend organizing a group of people to provide advice and input on the process. You will need to tailor this list to suit your circumstances.
1) Business Sponsor
Start at the top of the food chain. The business sponsor is the executive — such as the chief information officer — who has overall responsibility for the area. If your request is delegated to another person, make sure that alternate person has adequate authority to sign contracts, approve spending and make related decisions.
2) Technical Representatives / Subject Matter Experts
How do you know if a new identity management vendor will integrate with your systems? To answer that question, you will need technical experts in the group. Their role is to ask questions, compare vendor capabilities and organize pilot tests if applicable.
Tip: If early signs suggest you face a complex implementation, consider inviting an IT project manager to the process.
3) IT Auditor
If your organization has an audit division, seek their input in selecting an identity management vendor. Your auditors may ask questions about records, internal controls and other factors that may not occur to you. Inviting an audit representative to the vendor selection process is also an excellent way to deepen your connection with your auditors.
Tip: Ask your audit representatives to bring examples — from your company or other situations — that illustrate audit challenges with identity management. This evidence will help to keep risk on the table as a selection criterion.
4) Procurement
In larger firms, procurement plays a role in coordinating the buying process. Ask procurement to contribute insight on the contract, service levels and ongoing management. Keep in mind that some procurement techniques — such as creating requests for proposals (RFPs) — may not be suited to complex software.
If your company does not have a procurement department, ask finance to participate instead. While finance has a different perspective, finance professionals tend to understand risk and control issues as well.
5) End User Representative
At the end of the day, somebody in your organization will have to use the identity management solution you select. That’s why end users for identity management need to be involved in selecting your identity management vendor. There are two specific ways for end users to contribute.
- Describe their current process. To ground the business case for identity management in reality, ask your business users to describe their current process. Don’t be surprised if you hear that people are manually managing identity and accounts with Excel.
- Participate in pilot programs. Your IT stakeholder may design the pilot program, but they cannot be the only ones involved in it. Ask your end users to get their hands dirty by completing a few typical transactions with the identity management solutions on your short list.
Selecting Your Identity Management Vendor: Responsibilities
If you have followed along closely, you have assembled the dream team. Now what exactly should these people do? You know that you need an identity management solution. Use these steps to
1) Select a sole decision maker
Role: Assess input from others and make the final decision.
Select a single individual to make the ultimate decision on which solution to use. This person will use their judgement and input from other people. In my experience, it is usually best to choose an executive such as the business sponsor outlined above.
2) Request assessments from business support functions
Role: Define needs, evaluate solutions and provide input to the decision maker.
You want assessments from procurement, finance and other support functions on the identity management solution. For instance, finance may comment on the total cost of ownership and how the product will fit into the budget. Procurement may ask for changes to the vendor’s agreement. Of course, audit will raise questions about how the identity management solution impacts your internal controls.
Tip: Make it clear to your support functions that you expect a final opinion on the solution: buy or do not buy. The “keep investigating” option should only be accepted if there is a clear time limit.
3) Request a technical assessment
Buying a technology product is like buying furniture for a house. For the best results, every element has to work successfully with everything else. In the case of an identity management solution, integration with your sensitive systems, such as those relating to finance, HR and customer information, should top your list. Further, you will want to carry out a cybersecurity assessment of the solution.
4) Decide on a pilot test
At this stage, your decision maker may see value in adopting a solution. Before committing to a launch, reduce your risk by holding a small pilot test. If you anticipate 100 managers will use the system, set up a pilot test with 10 managers to seek their input. At the end of the test, send a questionnaire about their experience. In particular, ask whether the pilot system brings productivity gains.
5) Make the full purchase decision
At this point, you have gone through a detailed assessment and a pilot. It is time to make a final decision on which identity management solution to buy. By going through this process and involving multiple stakeholders, you will be confident in your decision.