It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM).

Many IAM vendors talk about how IAM solutions can be an enabler for productivity, and about the return on investment (ROI) that can be achieved after successfully rolling out an identity strategy. They all talk about reducing friction and improving users’ perception of the value of the IAM platform. But how do you measure the business enablement of IAM? Is the cost of a Service Desk call really $75? And how do you measure customer satisfaction during an authentication journey?

IAM programs tend to penetrate the entire organization resulting in many business-side stakeholders bringing disparate requirements to the table. Talking to those stakeholders in technical terms is a sure-fire way of getting them to switch off and disengage. Statements like “OIDC SSO followed by FIDO2 auth will revolutionize your user journeys” will be returned with a blank expression (at best). A re-framing of the message such as “re-use of existing credentials in order to reduce the footprint of passwords combined with a simple fingerprint swipe will remove user frustration and improve your security standpoint” may be more meaningful. But can the value of these capabilities be measured? Yes, they can.

What Should You Measure?

Like everything in life, doing a good job is not enough. The evidence of your doing a good job has to be visible, tangible. Capturing the reduction in number of password reset calls received by the Help Desk is a good start, but there are other simple and powerful metrics for measuring the value of an IAM platform, including:

  • Timeliness of identity life-cycle activities (particularly Joiner & Leaver actions)
  • Speed of onboarding applications into both IGA and AM integration patterns
  • Number of successful automated provisioning/deprovisioning actions based on policy rather than manual requests
  • Certification/Attestation campaign effectiveness including speed of reviewer responses, number of deprovisioning actions executed, and the overall reduction in security exposure as a result of entitlements being removed
  • Number of failed registration attempts (or put more positively, the increased effectiveness of onboarding and registering new users)
  • The overall number of entitlements assigned before and after rollout of the IAM service (with the hope that there is a reduction in entitlement drag because policies, mover processes, and certification campaigns are effective)
  • Risks identified, categorized by mitigating controls assigned, and the speed of remediation

These metrics, combined with basic measurements, can provide real insight into the effectiveness of the IAM platform and can provide a visual representation that will be meaningful to all stakeholders.

Note that there are other basic measurements that describe both the scope and the output of IAM, including (A) total number of accounts, (B) accounts split by owner type, (C) accounts split by active/inactive state, (D) account dormancy levels, (E) logins, (F) logoffs, (G) number of visits, (H) number of pages visited per session, and (I) number of journey abandonments, etc.
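As an added illustration (not code from the original post or from any IBM product), the following script computes three of the metrics above from constructed sample records: leaver timeliness against an SLA, the share of policy-driven provisioning actions, and account dormancy. The record layouts, field names and the 24-hour/90-day thresholds are assumptions chosen for the example; a real implementation would read the same facts from HR, IGA and directory exports.

```python
from datetime import datetime

# Constructed sample records (not real data). The field layout and names are
# assumptions made for this example, not a product's export format.
LEAVERS = [  # (user, HR termination time, account disable time or None)
    ("u1", "2024-03-01T17:00", "2024-03-01T17:05"),
    ("u2", "2024-03-02T17:00", "2024-03-04T09:30"),
    ("u3", "2024-03-03T17:00", None),  # account still enabled after leaving
]
PROVISIONING = [  # (user, action, trigger)
    ("u4", "grant", "policy"), ("u5", "grant", "manual"),
    ("u6", "revoke", "policy"), ("u7", "grant", "policy"),
]
ACCOUNTS = [  # (account, last login time or None if never used)
    ("a1", "2024-02-28T08:00"), ("a2", "2023-11-01T08:00"), ("a3", None),
]

def _ts(s):
    return datetime.fromisoformat(s) if s else None

def leaver_lag_hours(leavers):
    """Hours between the HR leaver event and account disable; None = still open."""
    out = {}
    for user, term, disabled in leavers:
        d = _ts(disabled)
        out[user] = None if d is None else (d - _ts(term)).total_seconds() / 3600
    return out

def leaver_sla_breaches(leavers, sla_hours=24):
    """Leavers whose account outlived the SLA, including accounts never disabled."""
    return [u for u, lag in leaver_lag_hours(leavers).items()
            if lag is None or lag > sla_hours]

def automation_rate(provisioning):
    """Share of provisioning actions driven by policy rather than manual requests."""
    policy = sum(1 for _, _, trigger in provisioning if trigger == "policy")
    return policy / len(provisioning)

def dormant_accounts(accounts, as_of, days=90):
    """Accounts with no login in the last `days` before `as_of`; never-used ones count."""
    cutoff = _ts(as_of)
    return [a for a, last in accounts
            if last is None or (cutoff - _ts(last)).days >= days]

if __name__ == "__main__":
    print("leaver lag (h):", leaver_lag_hours(LEAVERS))
    print("SLA breaches:", leaver_sla_breaches(LEAVERS))
    print("automation rate:", automation_rate(PROVISIONING))
    print("dormant:", dormant_accounts(ACCOUNTS, "2024-03-05"))
```

Tracking these values before and after a rollout gives the before/after comparison the metrics list calls for, in numbers a non-technical stakeholder can read.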

And of course, there is always room for non-tangible measurements such as user satisfaction across the various user communities, whether that is end-user, stakeholder, administrator, or application developer.

Know What You’ll Measure, Before You Invest

Modernizing and consolidating IAM platforms doesn’t come cheap (although it’s definitely cheaper than it used to be). The ROI might be quantifiable for certain user actions, but the likelihood is that the benefit of any IAM platform may be more difficult to quantify in monetary terms.

Determining the measurements that will be critical for your business and your stakeholders should be done prior to any investment in technology — how else will you know that you have achieved your aims?
