Organizations are experiencing an exponential increase in the number of identities and access points as businesses continue to grow and adopt advanced technologies. As the number of identities increases, so does the complexity of safeguarding sensitive corporate information. To address this challenge, many businesses have turned to Identity and Access Management (IAM) solutions to protect their assets and ensure compliance with relevant regulations for their respective industries.
The implementation of the IAM solution is just the foundation and an essential first step on the journey to centrally managing identities. However, after initial implementation, many organizations struggle to develop a roadmap or adopt industry best practices, which would allow them to continue to mature their IAM programs to the highest levels. This in turn prevents them from fully realizing the potential cybersecurity benefits and organizational Returns of Investment (ROI). With years of experience implementing various IAM solutions, Aujas has identified Key Performance Indicators (KPIs) to be a central tenant of cybersecurity programs at organizations that thrive with their IAM implementations. By establishing KPIs, organizations can efficiently pinpoint areas for improvement and measure the success of their IAM initiatives. In fact, NIST’s recently released Cybersecurity Framework (NIST CSF 2.0), the NIST likewise emphasized the criticality of KPIs to align organizational objectives with cybersecurity controls.
Aujas recognizes that any framework a company adopts will evolve. This is important, as it allows the framework to keep pace with the evolving technological landscape. A contemporary example is the addition of Artificial Intelligence (AI) to many cybersecurity frameworks and maturity models. AI allows organizations to gain the highest level of efficiency and cyber preparedness. Aujas realizes the importance of well-established KPIs and has developed its own IAM KPI framework to ensure organizations stay current with the ever-advancing pace of technology.
Aujas’ 6 Pillar IAM KPI Framework
Aujas’ Key Performance Indicators (KPIs) are designed to take an organization’s IAM program from its foundation to the highest level of maturity. The IAM KPIs framework primarily falls under the following 6 pillars:
The KPIs within these categories are specifically designed to help organizations operate and enhance their IAM programs with a 360-degree view. These KPIs allow management to quickly gauge and communicate the impact of various changes to leadership in real time. KPIs provide a means of measuring IAM performance to keep track of and understand IAM effectiveness and identify potential areas for improvement.
Aujas developed the IAM KPI benchmark framework by deriving insights from clients who are top performers in their industry. The framework is designed for organizations looking to digitally transform their Identity and Access Management processes. The framework was designed with the recognition that there must be a balance between various competing business demands. Successful execution will lead organizations to a more secure and automated digital future.
Through times of technological expansion, enterprises look to optimize their digital business initiatives. IAM KPI benchmarks help in executing and measuring activities to gauge progress toward the program’s goals. To support and enable those objectives and goals, Aujas’s IAM KPI benchmarks allow CXOs to understand their progress in comparison with industry peers.
The data analysis through KPIs helps to create a scorecard that gives the CXOs visibility to measure and track the critical digital KPIs for engineering and operational initiatives and efforts. In addition, it allows CXOs to identify the challenges for their top performers and remove obstacles to allow their teams to achieve organizational objectives.
Essential IAM KPIs and Positive Impact
IAM KPIs enable organizations to monitor the effectiveness of the IAM Programs and pain point areas for improvement and meet organizational goals. However, identifying issues is just to determine the need for improvement. Actionable insights and detailed information are necessary to address the identified top performers. For instance, in many organizations, the number of roles without members increases rapidly due to changing requirements for access. Once this issue is identified, role managers must access the relevant information to determine whether unassigned roles are temporary or can be safely removed, addressing security and operational concerns.
Although every organization is different, IAM KPIs can generally be divided into key functional areas. These functional areas naturally relate to the Objectives of the IAM Program and the Enterprise Goals. Using these functional areas as the foundation and by leveraging these key indicators as a starting point, enterprise IAM leaders can create metrics tailored to their organization's specific technological landscape and strategic goals.
Digital Advancement and Acceleration
Digital Advancement: A well-defined roadmap can streamline organizational progress toward achieving IAM maturity. Meanwhile, risk vector management assesses the enterprise's ability to identify and mitigate risks within the IAM framework, offering insights into the effectiveness of risk management strategies.
- Culture and Skills
- Design Thinking Adoption
- Product Centric Culture
- Focused Skills for Business Performance
- Agile and Iterative Ways of Working
- Agile Methodology
- Adapt Sec DevOps
- Continuous Integration and Development
- Frequent Releases and Delivery
- Ecosystem and Integration
- Product Centric Adoption
- API and Modern UI Adoption
- Secure Cross Platform Data Access
Acceleration: KPIs for accelerated track on engineering and operational efficiencies are introduced from technologies designed to speed up IAM Adoption and scale faster with accuracy.
- Use tools to Minimize Teams Dependency
- Use Automation to Increase Efficiency
- Aujas has developed numerous in-house accelerators, and the use of these accelerators can be augmented with IAM KPIs that track efficiency gains and help identify areas for improvement. KPIs can include statistics on ease of integration, length of time per application onboarding, how many applications are in the development stage, how many applications are in the QA stage, and how many applications are ready for production release.
- PALM: Platform for Access Lifecycle Management (PALM) is a software tool that helps optimize the lifespan of the IAM Program and allows for a great reduction in the requirements analysis and development time for application integration with the IAM solution. The PALM tool creates a centralized collaboration where various teams can collaborate to achieve a common goal.
- Katana: The Katana framework helps organizations create a risk-based prioritization and efforts for application integration. The framework targets critical applications that are high value to onboard.
Awareness and Adoption
KPIs such as the increase in organizational awareness track the success of top-down communication efforts in enhancing awareness about IAM within an organization. Engagement rate through People Pulse sessions provides insights into employee participation in educating users about IAM benefits. User adoption rate measures the percentage of users embracing IAM changes post-training, reflecting effective user enablement. Lastly, assurance with reliability and promotion of engagement for onboarding evaluates trust in IAM solutions and the effectiveness of promotional activities during onboarding, which is crucial for successful adoption.
- CXOs Consistent Support
- Strategic Priorities
- Accelerated Business Decision
- Top-Down Continuous Communication
- Active and Viable Leadership
- Proactive and Regular Communication
- Business Enablement
- Business Aligned Priorities/Performance
- Business Aligned Security Metrics
- Teams Pulse
- Product Agnostics Reduction
- Conduct Workshop & Show Me Session
- Operational Readiness
- User Enablement for digital IAM Adoption
- High Availability and DR
Excel User Experience
Improving user experience drives the highest adoption rate for IAM solutions and processes and meets the IAM compliance rate. The defined KPIs for the excel user experience track are primarily focused on achieving high user satisfaction surveys through automation, centrally managed identities, and Continuous Technology Expansion. A few examples of user experience KPIs are as follows.
- User Satisfaction Survey
- Measure Incident Rate
- Automated Workflows
- Single Request User Interface (UI) Adoption
- Business-aligned IAM operations
Governance and Compliance
Governance KPIs help an organization maintain a grasp on how internal policies are being enforced on the IAM solution. Similarly, Compliance KPIs track an organization's adherence to regulatory requirements, for example, SOX, CMMC, ISO 27001, PCI DSS, GDPR, or HIPAA standards. Example KPIs include:
- Percentage of test controls without deficiencies
- Count of SOX testing cycles free from significant IAM-related deficiencies
- Number of non-unique or shared IDs
- Rate of access granted with documented formal approvals
- Percentage of roles or entitlements meet Segregation of Duties (SOD) criteria
- Percentage of Role-Based Access Control vs Excess Access
- Percentage of disabled accounts within SLA for terminated users
When it comes to compliance, it is important to note that not all frameworks provide specific guidelines. Often, organizations define, implement, and measure their control by adopting standards like SOX.
Taking SOX as a reference, here is a basic list of controls for compliance and KPI measurement. Typically, 'X' represents a time frame, often 24 hours, but you can adjust it based on your organization's needs.
- Disable accounts of terminated users within X hours of their last day
- Obtain documented, formal approval before provisioning accounts
- Periodically review access to ensure it remains appropriate
- Disable accounts within X hours if found inappropriate during access reviews
- Define application entitlements that could lead to Segregation of Duties concerns (known as 'toxic combinations')
- Implement compensating controls if access would create an SOD violation
Operational Efficiencies
The Operational Efficiencies KPIs aim to measure the platform and operations performance and provide visibility to the CXOs to correct their priorities for constantly improving security postures. These KPIs aim to gauge the IAM program's and team's operational performance.
Aujas’s strong recommendation for continuous security improvement is crucial in maintaining a resilient IAM environment. Implementing well-defined KPIs helps CXOs to gauge the efficacy of operational improvements and enables enterprises to identify areas to strengthen the overall risk posture. In addition, data analysis through KPIs will help enterprises address the identified vulnerabilities promptly and foster a culture of ongoing improvement and resilience against cyber threats.
Some of the KPIs examples are outlined below to gain operational efficiency.
IAM Operations KPIs
- Percentage of access requests fulfilled within SLA
- Percentage of access requests accurately fulfilled
- Count of Periodic Access Reviews completed within SLA
- Count of access revocations completed within SLA
- Frequency of periodic Access Review for constant Improvement in Security
IAM Program KPIs
- Accelerated Time to Value
- Speed to Complete the Deliverables
- Speed to Realize Priorities doesn’t meet the Timeline
- Process Deployment Rate
- Percent of applications not connected to the IAM System
- Percent of applications that perform access reviews on Privileged Access
- Percent of applications that are fully integrated with RBAC and JML Processes
Constant Improvement
A sixth metric to measure your IAM success is your IAM improvement rate, which measures how much and how fast your IAM program improves over time based on your IAM goals and metrics. Your IAM improvement rate can be calculated by dividing the change in your IAM performance by the baseline of your IAM performance in each period and multiplying it by 100. By measuring your IAM improvement rate, you can evaluate and celebrate your IAM program progress and achievements and adjust and refine your IAM strategy and tactics.
- Security Posture Improvement
- Optimize Assets Utilization
- Artificial Intelligence (AI) and Data Analytics
- Security DevOps and CICD Pipeline Tools Integration
Key Takeaways
Embracing SLAs
Service Level Agreements (SLAs) are organizational policies that define the timeframe within which actions will be completed. Establishing SLAs for your IAM team is crucial for accountability and setting clear expectations across the enterprise regarding IAM Program Objectives, Goals, and Deliverables. SLAs ensure timely and accurate actions are taken to protect the organization.
Prioritize Visibility
Maintaining visibility into access permissions and activities is essential for the success of IAM. Lack of continuous insight into organizational identities poses challenges to effective management. Just like IAM gives an organization visibility into identities and access, KPIs give an organization visibility into the IAM program. Analytics can be leveraged to make better-informed decisions.
Automation is Key
One of the primary challenges in IAM is the number of different accounts that need to be kept in sync for a given identity. For instance, when an employee leaves an organization, it should trigger numerous actions to disable accounts and revoke access. Automation becomes essential to efficiently manage enterprise identity sprawl. While having a skilled IAM team is valuable, automation is indispensable to keep up with these complexities.
The Way Forward
Aujas Cybersecurity specializes in providing KPI-driven IAM solutions. We provide strong support structures, such as top-down communication and user empowerment initiatives (such as People Pulse). We define a roadmap aligned with organizational goals and industry best practices. Rapid Application Onboarding accelerators and proprietary tools like PALM and KATANA simplify integration and reduce the length of time to see value. Program and technical governance are at the core of IAM services, providing strong policy implementation and regulatory compliance. We focus on operational KPIs and swiftly address findings to tackle emerging threats. We empower clients to constantly refine their IAM strategies and strengthen their security posture with our 40+ operational KPIs.