Reflections on my First Year as an IAM Analyst
At the RSA Conference two weeks ago, a common question from both clients and former colleagues — “So, what’s it like being an analyst?” — led me to write this blog post.
In the interest of full disclosure, there were no massive epiphanies during my first year, but the transition from being on the vendor side for 15+ years to being an analyst provided some perspectives, listed here in no specific order:
· The security industry is massive. Some former colleagues who learned of my new role often joked, “So you’ve gone to the dark side.” The irony is that analysts are actually removed from the penumbra of the four to six competitors that you obsess about when you work for a vendor. Once removed from this tunnel vision, you become more aware of the diversity of the infosecurity ecosystem. As an example, the number of exhibiting vendors at the RSA Conference is up 45% since 2014, to over 550 vendors. This reflects the ongoing vitality and demand for cybersecurity but also presents challenges to today’s security and risk professionals who have to evaluate an increasingly large and dynamic vendor landscape.
· There are tremendous greenfield opportunities for IAM. In the past year, I interacted with clients of all shapes, sizes, and geographies, and a consistent theme was that many had deployed very few IAM technologies. There might be some two-factor authentication or employee SSO to the intranet, but many are still relying on manual processes and spreadsheets to manage or govern access. The good news for enterprises is that there is a robust IAM ecosystem able to provide a range of IAM capabilities such as user provisioning, authentication, access governance, and web single sign-on. Demand from these organizations will help sustain IAM market growth in the coming years.
· Many organizations struggle with IAM. Related to the previous point, my client interactions in the past year often had a common theme — while the CISO teams see the value and need for IAM, they struggle to champion it internally. Many IT projects can suffer a similar fate, but IAM’s role as a centralized platform means that it touches many organizational functions including audit, HR, application development, enterprise architecture, and infrastructure and operations. Organizations that focus on the tools/technology and overlook the people/processes usually have flawed or underwhelming deployments. This reinforces the need to maintain a cross-functional approach with all relevant stakeholders and to build a compelling (and reasonable) business case to get projects funded.
· I never knew there were so many web and teleconference alternatives. Coming from the vendor side where my experiences primarily involved WebEx and GoToMeeting, I continued to be amazed at all the different options available, proving that even a mature market like teleconferencing is still quite competitive. For the record, the simplest (and most fail-proof) method consists of a landline and PDF of the slides!
This was a great first year, and I appreciate the support and guidance of my Forrester colleagues as I completed the transition. And for those intrigued by the analyst life, yes, we are hiring for security and risk analysts, so reach out to me if interested.