Posted by Chris Zannetos - CEO on Thu, Aug 13, 2009
LINK TO PART 1 - Creating Budget Where None Exists
Last week I introduced "Customer X", a Courion customer that is delivering improved risk management and security via automated access compliance and attestation, and automated provisioning for over 100 applications - without spending a single budget dollar. Understanding the multiple budgets of your organization was Part 1 of a 4-part process for achieving this. And now....for the rest of the story.
2. Understand Operations via Activity-based Costing
There is, of course, more to the story of Customer X. Spending over $1 million with a vendor would surely hit the Expense Budget for far more than $20,000 in 2009 and far more than $0 in 2010, wouldn't it? The next thing that Customer X did was evaluate its operations to determine what level of savings was attainable by automating the manual provisioning and attestation processes this project covered.
In the first phase of automating provisioning and access compliance, Customer X knew that the organization was spending over 50 person-years manually adding, changing and deleting accounts across the first 100 applications it addressed. They automated provisioning and access verification for those applications, eliminated the administrative staff positions, and booked the savings.
As Customer X moved on to address the other 700 applications used by the organization, they did not have firm figures for the cost of administration and verification. So they did what I would advise every organization to do: they executed a thorough activity-based costing effort.
- Document the flow of the work - starting at the business action that drove the provisioning or compliance activity (hiring, promoting, introducing a new application service, SAS70 audit, semi-annual SOX attestation, etc.)
- Identify all activities - who is responsible for them, how much staff time is required to execute them, how much time elapses from start to finish of the activity
- Cost the activities - spread staff members' fully-burdened cost across all of the activities that they are responsible for executing
And once they understood the costs and cost drivers, they took a deeper dive into the company's accounting policies.
3. Understand their Accounting Policies
Disclaimer: Accounting was my least favorite subject at business school. Accounting rules seek to provide a comprehensive, accurate view of an organization's financial health, but there are times when those rules drive behavior that is inconsistent with these goals. I have always found that difficult to accept, but as I repeatedly tell my children: "just because it doesn't make sense to you doesn't mean that you can ignore it!"
One of your first actions should be to sit down with your finance team, or the finance professionals in your IT organization - and learn about the rules.
What are the rules regarding amortization of capital expenses? What is the definition of useful life for software, and is there a maximum useful life? (For the record, Courion customers have demonstrated that the useful life of provisioning software - at least software that works! - is at least 10 years.) Note that your policy will probably impose a maximum. Some other areas of focus:
- Software capitalization policies. Software costs not only can be amortized, they typically are not applied to your IT Operating Budget until the software is implemented. In the case of Customer X, Courion has been delivering 50 connectors over the course of 9 months. The amortized license and maintenance cost of each connector does not show up on the IT Operating (Expense) Budget report until that connector is implemented.
- Services capitalization policies. You may be able to capitalize consulting services expenditures. Ironically for those of us in the techie world, this is a situation in which words really do matter! Services such as design, configuration, testing and installation may be eligible for capitalization. But be careful with your terms, because services such as consulting, project management, data conversion and overhead are typically not eligible.
- Vendor contract options. Talk to your vendor about providing a term or subscription contract if your organization's policy for the "maximum" useful life of software is very short (18-24 months).
4. Step up to the plate - Extract the costs
Now comes the hard part - putting the budgeting information, activity-based costing and accounting policies together to create a plan. In order to "make budget" where none exists, you have to be willing to extract the costs that you identified via activity-based costing. And you and your vendor partner will have to commit to achieving concrete objectives within agreed-upon timeframes, so that you can book savings when you need to in order not to use budget dollars.
In the case of Customer X, automating the provisioning and attestation process for an additional 100 applications eliminated enough manual administrative work, and therefore enough staff, to pay for the entire project. And while the manual work was most time-intensive for applications that were not "Key Financial Applications", by bundling that work with the Key Financial Applications, Customer X was able to significantly improve controls around those key applications and improve its management of risk (and its audit position).
So there you have it. Four simple steps to self-funding IAM initiatives:
- Understand the budgets
- Perform activity-based costing
- Understand your organization's accounting policies
- Make the hard decisions and extract the cost
If a CISO follows this approach, he or she will drive considerable value to their organization by reducing risk and streamlining operations. But more important even than delivering the value of this sort of self-funded initiative, the CISO will also transition from insurance salesman to business enabler.
Posted by Chris Zannetos - CEO on Wed, Aug 05, 2009
In my last blog I mentioned that many customers had no formal IT budget. In these volatile economic times, budget has become irrelevant as CFOs and other business executives are doling out money spoonful by spoonful, just as Captain Queeg doled out strawberries on the ill-fated USS Caine (yes, I realize that referencing a Humphrey Bogart movie dates me!).
Some customers adapted to this new reality by finding ways to continue to improve the security of their business operations via "self-funding" access provisioning and compliance automation projects. One such organization - let's call them Customer X - recently executed a $1 million+ program with Courion to "get ahead of auditors" in access control and improve service to the business that will not use a single budget dollar!
This was possible because the customer's staff
- were very smart about how they structured the project
- knew their "provisioning and compliance attestation" operations deeply
- were willing to make and execute some difficult decisions
- worked with a vendor (Courion) whose product and services could deliver concrete business results - and that was willing to sign up to achieve operational milestones
I can understand that this may be difficult to believe....one million dollars spent, but no budget dollars spent? It might be even harder to believe knowing that this customer had already automated provisioning for 30,000+ end users across 100 applications and in support of hiring, termination, promotions/role changes, and acquisitions. This new project called for the addition of some provisioning and attestation workflows - and the development and implementation of 50 connectors (software) to industry-specific third party and homegrown systems which managed access to 210 applications.
So, how did they "make budget" where none exists? They used a 4-part formula:
1. Understand the Budgets
The first thing that Customer X understood was that there wasn't one budget...there were multiple budgets. They, like most organizations, had an Expense Budget which outlined the areas in which the IT organization would spend during the year. Often called the IT Operations Budget, this is typically what people view as "The Budget", and it sets Financial Executives' expectations on what expenses from IT will be reflected in the organization's Income Statement.
They had a Capital Appropriations Budget, which identified investment in assets which would benefit the organization beyond just one fiscal year. Items on the Capital Appropriations Budget are reflected in the IT Operations Budget, but the costs are "capitalized". That is, the value is amortized (spread out) across the useful life of the asset. So what might appear as $120,000 in the Capital Appropriations Budget, would be represented by $60,000 in the IT Operations Budget for an asset with a 2 year useful life.
And finally, they had a Capital Expenditure Budget, which details the expected outflow of cash throughout the course of the year.
Most importantly they understood that their organization's goals and time-frame of relevance were different across these budgets. When they first approached executive management about this project, the response was "we have no budget." What that meant was that there was no placeholder in the Capital Appropriations Budget. They had made their plans for the year 6 months prior, and they were not willing to change priorities to place these 50 Connectors higher on the list.
But the sponsoring Executive did not let the effort stop there. He knew that the company was focused on the overall Income Statement, and not on the Cash Balance or Capital Budget. He told the team: "bring me a plan that has a maximum hit on the IT Operations (Expense) Budget of $20,000 in 2009, and a net positive effect on that budget and cash flow neutral by mid-year 2010."
This Executive understood that cash is different from expenditure (agreement to pay), which is different from expense. For example, if a company licenses $600,000 of software that is delivered immediately and has a useful life of 3 years, with an agreement to pay 50% on signing and 50% 18 months after signing (for this example, we will assume no maintenance or services costs), the resulting impact would be:
                                        Year 1       Year 2       Year 3
Capital Expenditure Budget Impact       -$300,000    -$300,000    $0
Expense Budget Impact                   -$200,000    -$200,000    -$200,000
Capital Appropriations Budget Impact    -$600,000    $0           $0
The moral: keep reminding yourself that cash isn't agreement to pay which isn't expense. And make sure that you understand the varied goals and management time-frames your organization puts around the Expense Budget, the Capital Appropriations Budget and the Capital Expenditure Budget.
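To make the three-budget view concrete, here is an added worked example (written for this edit; it is not Courion's code or anything from Customer X) that computes the year-by-year impact of a capitalized software purchase for any license cost, useful life, payment schedule and implementation date. It reproduces the $600,000 table above and then shows what happens to the Expense Budget when implementation slips six months, which is the point behind the "not applied until implemented" capitalization rule in Part 2. The function names, the month-based payment schedule, the assumption that fiscal year 1 begins at signing, and the savings figures used in the usage are all assumptions of this example.

```python
def budget_impacts(license_cost, useful_life_years, payments_by_month,
                   implementation_month=0, horizon_years=3):
    """Year-by-year impact of one capitalized software purchase on the three budgets.

    license_cost          total capitalized contract value, in dollars
    useful_life_years     straight-line amortization period under the accounting
                          policy (remember that the policy may cap it)
    payments_by_month     {months after signing: amount} cash payment schedule
    implementation_month  month after signing at which the software goes live;
                          the expense (amortization) charge begins only then
    horizon_years         number of fiscal years to report; year 1 = signing year

    Negative values are outflows or charges, matching the table's sign convention.
    Assumption: fiscal year 1 runs from the signing month (months 0-11).
    """
    years = range(1, horizon_years + 1)
    cash = {y: 0 for y in years}
    expense = {y: 0 for y in years}
    appropriations = {y: 0 for y in years}

    # Capital Appropriations Budget: the full commitment lands in the signing year.
    appropriations[1] = -license_cost

    # Capital Expenditure Budget: cash leaves in the year each payment is made.
    for month, amount in payments_by_month.items():
        year = month // 12 + 1
        if year in cash:
            cash[year] -= amount

    # Expense Budget: straight-line amortization from implementation through the
    # end of the useful life. Count the months that fall in each fiscal year,
    # then charge cost * months / total_months so whole-year figures are exact.
    total_months = useful_life_years * 12
    months_in_year = {y: 0 for y in years}
    for m in range(implementation_month, implementation_month + total_months):
        year = m // 12 + 1
        if year in months_in_year:
            months_in_year[year] += 1
    for y in years:
        expense[y] = -(license_cost * months_in_year[y] / total_months)

    return {"capital_expenditure": cash,
            "expense": expense,
            "capital_appropriations": appropriations}


def net_expense_impact(impacts, savings_by_year):
    """Net Expense Budget effect per year once booked savings (for example the
    eliminated manual administration) are set against the amortized cost."""
    expense = impacts["expense"]
    return {y: expense[y] + savings_by_year.get(y, 0) for y in expense}


def meets_target(net_by_year, max_hit_first_year, positive_by_year):
    """The sponsoring executive's style of constraint on the Expense Budget:
    at most max_hit_first_year of net expense in year 1, and net positive in
    every year from positive_by_year onward. (Cash-flow neutrality is a
    separate test against the capital_expenditure row.)"""
    first_year_ok = net_by_year[1] >= -max_hit_first_year
    later_ok = all(net_by_year[y] > 0 for y in net_by_year if y >= positive_by_year)
    return first_year_ok and later_ok


if __name__ == "__main__":
    # The $600,000 / 3-year / 50%-on-signing, 50%-at-18-months case from the table.
    table = budget_impacts(600_000, 3, {0: 300_000, 18: 300_000})
    for name, row in table.items():
        print(f"{name:24s}", {y: f"{v:,.0f}" for y, v in row.items()})

    # Same contract, implemented 6 months after signing: the year-1 expense
    # charge falls to $100,000 while cash and appropriations are unchanged.
    slipped = budget_impacts(600_000, 3, {0: 300_000, 18: 300_000},
                             implementation_month=6)
    print("expense with 6-month slip:", slipped["expense"])

    # Constructed savings schedule (illustrative only, not Customer X's figures).
    savings = {1: 150_000, 2: 400_000, 3: 400_000}
    net = net_expense_impact(table, savings)
    print("net expense:", net, "meets $50k/year-2 target:", meets_target(net, 50_000, 2))
```

The useful pattern here is the separation of the three rows: the same contract produces three different numbers in the same year, and only the expense row moves when you negotiate implementation timing or the payment schedule shifts into the next fiscal year. Run the savings schedule you derived from activity-based costing through net_expense_impact to see which year the project turns net positive on the Expense Budget.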
LINK TO PART 2 - The rest of the formula (Steps 2-4) to Create Budget Where None Exists - Understanding your operations, Understanding your firm's accounting rules, Extract the cost!
Posted by Chris Zannetos - CEO on Wed, May 27, 2009
Many years ago when Courion introduced self-service to the identity management market, I used the Automated Teller Machine as an analogy to explain the concept and value. The ATM, I explained, succeeded so dramatically because it embedded security policy in a business process - enabling that business process to move faster and at a lower cost. Security was improved, yes - but under the covers (by removing people from the process). The ATM succeeded in changing the nature of banking because it delivered service that was faster and easier for customers at a lower cost to banks.
In today's economy, the business lesson of the ATM is more relevant than ever. Last week Courion held its 7th Annual Customer Conference, CONVERGE 09, at which we brought together over 110 CIO's, CISO's, security managers and IAM experts to discuss how to turn today's challenges into opportunities. During my keynote I commented that Courion was seeing that customers weren't just challenged by having fewer budget dollars, many essentially had no IT budget at all. As I looked out at the audience, I saw a sea of vigorously nodding heads.
Now, I don't mean that there isn't IT spending. Courion has been fortunate to see continued growth in this difficult time, so we know that there is spending. The issue is that organizations' financial executives have their fingers so directly on spending that it doesn't matter whether there was a plan or an IT budget approved at an earlier date. The IT budget is in essence approved piecemeal when the financial executives feel confident to spend money based on a combination of the organization's and the general market's performance. One Fortune 1000 CISO told me that his organization re-forecasts the entire company's budget monthly!
The implication of this trend is that customers are fighting every day to get spending approved. Customers report that they have to get confirmation of approval for a project repeatedly - at conception, prior to RFP, prior to Proof of Concept, prior to negotiating contracts, and prior to signing those negotiated contracts.
It is unclear how long this will last, however security executives are beginning to understand and adapt to this fundamental change in financial management process. For example, some customers have asked Courion to fully negotiate a contract even though funding has not been approved. This way, the documents can be signed the day funding is approved without letting even one day of the market's performance impact confirmation of approval to spend.
Perhaps the most important adaptation is that customers are laser-focused on how to deliver measurable business value, not just security value, by automating access governance, provisioning and compliance (what we now call Access Assurance). They are coming back to the lesson of the ATM and focusing on how to help their businesses move faster at a lower operational cost - not just deliver improved security. They aren't selling security insurance. Instead they realize, as the CIO of a global 2000 manufacturer told me recently, "the business has no patience for us unless we tell them what we are going to do for them."
As a result, customers are looking for security software vendors who are willing to engage them to build a plan to deliver real business value. They are willing to open up their financial and accounting processes to trusted business partners to build business cases that detail improved business agility and cost savings that are both comprehensive and believable. Business cases to which they and the trusted partner are willing to be held accountable. Some customers have even built - and delivered on - self-funding projects.
If this trend is the outcome of today's challenges, perhaps not having an IT budget is a good thing after all.
Posted by Chris Zannetos - CEO on Thu, Mar 19, 2009
In her recent blog posting titled, Is a bad economy good for identity?, Lori Rowland of the Burton Group writes that the poor economy has actually been good for the Identity and Access Management market. She offers evidence that a number of companies, Courion included, reported record sales and revenue in 2008. Lori suggests that the unfortunate wave of layoffs and increased productivity requirements have driven demand for automated provisioning - to ensure that departed staff cannot access information and systems and that new hires are productive as soon as possible.
These are accurate observations from what Courion has seen in its business. But as the late Paul Harvey used to say...let's talk about "the rest of the story".
The reality for CIOs is that they have budgets that are flat at best, and more likely decreased from 2008. The impact on new projects is more severe. As all of us in the software industry know, a flat budget means a reduction in new project spending...a 10% budget reduction actually means a 30-100% reduction in new project spending.
This was confirmed for me when I spoke with 20 CIOs and CISOs in Courion's customer base earlier this year. The response across all industries and company sizes was that they would have at most a small handful of new projects this year. But they were all faced with the same challenge: "how do I respond to increasing access compliance pressures - whether regulatory- or internally-driven - with a budget less than last year's?"
This is the driver of the increased demand that Lori Rowland identified. Customers are demanding products that can automate administrative processes to reduce staff (and costs) while at the same time ensuring compliance with security policies and regulations.
They have to be compliant, and they have to reduce costs. It's that simple.
It is not surprising that the two examples that Lori provided were Access Provisioning examples. More than any other part of the Identity & Access Management market, Access Provisioning provides customers with the opportunity to reduce hard costs while improving security. This - along with Provisioning's ability to speed business processes - is why CIOs view Provisioning as a strategic platform for their operations.
So does this mean that Access Provisioning and Compliance projects are always among the 1 or 2 projects above the line to get budget? While Courion's sales force might wish they were...the answer is "sometimes". What makes Access Provisioning & Compliance projects unique among security projects, however, is that they can actually help IT organizations increase budget. I'll offer a recent Courion customer project as an example.
Courion recently signed an agreement with a customer to provide automated provisioning/de-provisioning and access verification for over 50 applications - even though the customer had no budget. How could we do this? Did Courion all of sudden lose its moral bearings and start to employ the bait and switch "free" approach of some vendors? No it didn't.
Even though the project cost is over $1 million, the project will never negatively impact the customer's financial statements. Or as my CFO likes to say, the project creates "P" instead of "L" on the Profit & Loss statement. The customer is able to begin reducing administrative staff within a few months of the project start, and is always able to reduce staff faster than the cost of the project that hits the P&L. And they end up ahead of their auditors - delivering the security the business needs but doesn't want to pay for.
I have been working in the Identity & Access Management market for over 15 years now, from before it was called the IAM market. I've been through the recession of the early 90's. I've been through the Tech Meltdown of 2001. Never before have I seen customers need vendors more to help them improve security and reduce costs. Automated Access Provisioning & Compliance provides both.
And that....is the rest of the story.
Posted by Chris Zannetos - CEO on Wed, Feb 18, 2009
As reported in CSOonline, Art Coviello, president of RSA, the security division of EMC, noted in his overview of RSA's research report "Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy" that these are difficult times for IT security executives. Regulations that require organizations to implement strong access and compliance management controls are not being relaxed just because the world economy is in a recession. In fact, given the history of the US Congress, such regulations are likely to increase. Hacking, business espionage and the like aren't decreasing, they are increasing. So how can Chief Information Security Officers (CISOs) deliver on their responsibilities - and dare we say, enable their businesses to be more successful - within current budgetary constraints?
Mr. Coviello offers some very sound advice to CISOs. Top of his list is "prioritize based on risk/reward". Underlying this and his other recommendations is a thought that is revolutionary for most IT security departments: that the security organization must mature from an insurance provider into a business enabler. Now, this is much easier said than done of course (as my long-time CTO and co-founder Brian Milas is fond of saying: "If it was easy, everyone would be doing it!"). However, Mr. Coviello provides some pragmatic points of advice, to which I would add two:
- Communicate business value. Very clearly identify the impact of your security programs on the business in terms of business speed, revenue generation and cost savings. Do not shy away from identifying hard cost savings attainable by eliminating manual activities through automation of security functions that are required by today's business operations and regulations.
- Take a phased, portfolio approach. Do not approach your CIO and Executive Team with individual projects, but rather present a portfolio of projects/capabilities and their aggregate value to the organization, that is delivered in phases. A dirty little secret of our industry is that while many vendors try to convince practitioners that the world revolves around point solutions, CISOs are faced with protecting the company against a portfolio of risks.
And while some might try to convince practitioners that a monolithic stack helps them manage all the risks, 2009 is clearly the year of "incremental improvement over delayed or unattainable architectural perfection". CISOs need to create a portfolio of capabilities to manage risks effectively, that can be delivered and expanded over time.
By taking the portfolio approach and including the sort of projects that deliver clear cost saving and business agility value (such as automated provisioning) along with security projects that protect the organization against difficult to define events of unknown probability, the CISO can build credibility and gain acceptance to his or her entire program. And by delivering "incremental progress" measured in business value, CISOs will create the credibility and political capital for the continuing rollout of their portfolio of security operations.