IAM Metrics Part 2 - Measuring Improvement in How We Do Business Now

It can be difficult to know what to measure at which stage of your IAM implementation.

In case you missed it, in Part 1 we talked about some IAM metrics you can use to measure Deployment Success and Risk Reduction. It makes a lot of sense to start there because it’s easy to see how IAM is providing tangible benefits to your organization even before it’s mature enough to noticeably affect your team’s day-to-day operations.

Pretty shortly thereafter, though, the IAM system will start improving day-to-day operations. This is a crucial benefit of an IAM system, and these performance improvements were probably some of the main selling points of your recent IAM modernization projects. If they were, it’s especially important that you circle back, measure, and report on the improvement in these areas.

If you haven’t yet been specific about what operational improvements your organization could expect to see from an IAM system, now is a great time to do so by using the metrics listed below.

How To Execute

These performance metrics are relatively interesting on their own, but finding and linking to relevant Key Performance Indicators (KPIs) will always be better than reporting IAM metrics in a vacuum.

If your IAM team hasn’t already defined KPIs, reach out to adjacent/affected areas of the business to see what your stakeholders may have defined. IAM metrics often show operational changes in the day-to-day of IT Operations, HR Technology, helpdesk teams, compliance & audit organizations, and individual application & system owners.

  • Efficiency Metrics: How is the IAM system helping the IT and adjacent organizations do their jobs more efficiently?
    • Number of calls to password help desk
    • Password reset volume per month
    • Average time it takes to authorize a change
    • Hint: these last two efficiency gains also represent a shift in the way the business runs overall. Part 3 of this series will have more metrics like these!
    • Administrative leverage delivered by roles
    • Percent of access-related transactions fulfilled via policies instead of access requests
  • Effectiveness Metrics: How is the IAM system enhancing data quality across the enterprise? Better data quality translates directly into lower risk in multiple dimensions.
    • Active identities with missing/multiple source records
    • Terminated employees with active accounts - Remediate these ASAP!
    • Contractor accounts with invalid expiration date
    • Identities with invalid supervisor
    • Dormant accounts
    • Never-logged-on accounts
    • Remediation of orphan/rogue accounts: timeliness and outcomes (e.g., classification, owner assignment, removal).
    • Access certification metrics: uncertified request-based assignments, uncertified privileged accounts.
    • Too-rapid attestations - these usually signal “rubber stamping” of certifications. Rubber-stamped certifications aren’t effective certifications.
    • Segregation of duties (SOD) risks: report on active SOD risks (those with and without mitigating controls), and the timeliness of remediation (broken out by risk level).
    • Number/Severity of audit findings
  • Enablement Metrics: How is the IAM system improving user experience, and how does that improved user experience allow people to do better work?
    • Employee, developer and customer satisfaction survey results.
    • Time spent using the system - How quickly can someone find and request access? How long does it take to complete a certification?
    • Ease of onboarding new users
    • Additional reach of SSO solutions
    • Account/Application usage - Why are we paying for licenses for people who aren’t using them? Why do some people have multiple seats? Maybe we should adjust our licensing agreements.
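
As an added example (not from the original article or from any IAM product), the Python below computes several of the Effectiveness metrics above from an HR source and a directory export, then expresses each as a rate per 100 active identities. The record layouts, the 90-day dormancy threshold, and the rule that a contractor account needs an unexpired expiry date are assumptions, and all data is constructed.

```python
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumed threshold; set it from your policy
TODAY = date(2024, 6, 1)            # fixed so the constructed data is stable
# Constructed sample data. HR source: id -> (status, worker type, supervisor id)
HR = {
    "e1": ("active", "employee", "e2"),
    "e2": ("active", "employee", "e1"),
    "e3": ("terminated", "employee", "e2"),
    "e4": ("active", "employee", "e1"),
    "c1": ("active", "contractor", "e3"),
}
# Directory accounts: (account id, owner id, enabled, last logon, expiry)
ACCOUNTS = [
    ("a1", "e1", True, date(2024, 5, 30), None),
    ("a2", "e3", True, date(2024, 5, 1), None),
    ("a3", "c1", True, date(2024, 5, 20), None),
    ("a4", "e2", True, date(2024, 1, 15), None),
    ("a5", "e4", True, None, None),
    ("a6", "x9", True, date(2024, 5, 2), None),
    ("a7", "e3", False, date(2024, 3, 1), None),
]

def effectiveness_metrics(hr, accounts, today):
    """Return {metric: sorted ids}; a valid supervisor is an active identity."""
    found = {k: [] for k in ("terminated_active", "orphan", "dormant",
                             "never_logged_on", "contractor_bad_expiry")}
    for acct_id, owner, enabled, last_logon, expires in accounts:
        if not enabled:
            continue                          # already disabled, nothing to report
        if owner not in hr:
            found["orphan"].append(acct_id)   # no source record for the owner
            continue
        status, worker_type, _ = hr[owner]
        if status == "terminated":
            found["terminated_active"].append(acct_id)
        if last_logon is None:
            found["never_logged_on"].append(acct_id)
        elif today - last_logon > DORMANT_AFTER:
            found["dormant"].append(acct_id)
        if worker_type == "contractor" and (expires is None or expires < today):
            found["contractor_bad_expiry"].append(acct_id)
    found["invalid_supervisor"] = [pid for pid, (st, _, sup) in hr.items()
        if st == "active" and hr.get(sup, ("",))[0] != "active"]
    return {k: sorted(v) for k, v in found.items()}

def per_100_identities(found, hr):
    """Turn raw counts into a rate so months with different headcount compare."""
    active = sum(1 for status, _, _ in hr.values() if status == "active")
    return {k: round(100 * len(v) / active, 1) for k, v in found.items()}
```

Running `effectiveness_metrics(HR, ACCOUNTS, TODAY)` each month and trending the `per_100_identities` output gives the month-over-month comparison; the returned id lists are the remediation queue.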

This isn’t intended to be a comprehensive list of all IAM metrics, but hopefully demonstrates how you can (and why you should) incorporate metrics into your IAM deployment at various stages of maturity.

In the end, these metrics really aren’t rocket science. They mostly consist of taking anything you can measure and comparing it per month or per user! This can be more instructive than just looking at raw counts, so get creative about other things you can measure in your specific deployment scenario.