The easiest way to show success is through tangible measurement. When you roll out a new project or implement a new system, you can say that you think it’s working, but without evidence, you really can’t be sure. That is why metrics are so important to a business. Metrics enable an organization to know if productivity is up or if costs are down. They can also measure whether security has improved and identify opportunities to enhance processes. These reasons are precisely why it is so crucial to track identity and access management (IAM) metrics.
Unfortunately, when companies get on the data and metrics bandwagon, it is easy to overdo it. Trying to boil the ocean doesn’t help show how successful your IAM solution, or any other project for that matter, is. These overambitious attempts to use data and metrics often tie up valuable IT time when a department tries to measure too much too soon.
Instead, it’s best to start small and show early successes. These early wins help to build a business case for increased investment in the solution, especially when you can prioritize the metrics you’re measuring to align with the most pressing needs within your organization.
As mentioned, there is a near-infinite number of pieces of business data that can be tracked, measured, and analyzed. All businesses have their own internal priorities and will weigh metrics with varying levels of importance. However, we feel that measuring the following five metrics makes for a strong first step toward reaching your IAM goals:
1. The number of agent-assisted password resets per month
Gartner, Inc. research estimates that password issues make up between 20 and 30 percent of all service-desk calls, and Help Desk Institute research shows that just the labor cost of responding to a single support ticket averages around $22. For retail organizations that rely on large numbers of seasonal employees, Help Desks can expect to see a large volume of these calls within the first few weeks of their busy seasons, which puts a heavy burden and price on IT support. This does not even take into account the opportunity cost of what else an IT professional could be doing if he or she wasn’t helping reset passwords.
If you put an IAM solution with password self-service in place, this is one metric that can quickly swing in your favor and show early success. Allowing users to reset forgotten passwords on their own reduces service-desk calls and thus reduces password-related support costs by as much as 50 percent. Measuring the number of IT-assisted password resets per month, both before and after implementing an IAM system, is an effective way to monitor the effectiveness of the solution in terms of both cost and time savings.
2. The number of add, change, or remove activities each month
Making changes to a user account, such as granting privileged access or changing a user’s role, may seem like a small task, but it is something that IT professionals have to do every day. Oftentimes, it is something that has to be done several times per day. However, these processes can be automated with the right IAM solution, greatly reducing the amount of time spent addressing routine user account updates, so that IT can focus on more strategic initiatives. In fact, business rules and automation can completely eliminate IT’s role in managing such changes.
However, in order to show success, you need to establish a benchmark of how much an average system change costs your organization in terms of staff labor prior to automation. You can then measure this again after your IAM solution is in place to see how well the system helps reduce time spent on these tasks and the associated cost savings.
In the retail world, this can be extremely important, as seasonal employees may quickly shift roles or become full-time workers, requiring different access.
3. The average time it takes to provision a user
User account provisioning affects two people. First, the person required to create the account(s) for the different applications needs to set everything up and then take time to make sure that it is set up correctly. Second, the person for whom the account is being created has to sit and wait for access, unable to do any work until everything is done. Reducing this timeframe is important for any business.
With an IAM solution, not only can you use this metric to show where there may be bottlenecks in the organization’s processes, but you can also show how automated provisioning can get this process down to zero-day onboarding for new users. Reducing this timeframe can happen even during large hiring rushes that would normally cause workers to wait days for access to necessary systems.
4. The number of accounts with weak passwords, old passwords, or non-expiring passwords
Poor authentication processes put your organization at risk. If your password policies are not strong or are being circumvented by employees, then you are making it easier for attackers to break into your systems. Additionally, you may identify an area where more training and education is needed with regard to security and company policies.
By putting the right tools in place, you can drastically reduce these numbers. Using an IAM with single sign-on (SSO) capabilities will quickly reduce the number of accounts with weak passwords, old passwords, or non-expiring passwords to nil because only one password is needed.
Strong password policies and authentication practices, such as one-time passwords, biometrics, and context-based authentication, prevent large-scale data breaches that erode customer trust. By protecting customer data and privacy, a retailer improves the customer experience and perception of the company.
5. The number of orphaned accounts
Just as with account provisioning, deprovisioning accounts manually is a time-consuming endeavor. Doing this manually leaves room for error, as it is easy for IT to overlook a specific entitlement, especially when a user has access to multiple systems.
Sometimes, IT just doesn’t have time to remove all of an ex-employee’s access right away, leaving unmonitored accounts open. These orphaned accounts pose a huge security risk, as they not only give a person access to your systems, but they are also sought after by attackers who target legitimate accounts, so as not to draw attention to their activities. If these are privileged accounts, the damage can be even worse.
Again, security is key for retail organizations, and by eliminating these orphaned accounts, the risk of data breaches can be reduced and customer trust increased.
An organization should inventory the number of orphaned accounts prior to implementing a modern IAM solution and then again afterwards to show the system's value once the process is automated.
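One way to take the baseline inventory for metrics 4 and 5, as an added example that is not part of the original article: it joins a constructed account export against a constructed HR roster. The column names, the 90-day password age threshold and the helper names are assumptions; weak-password counts cannot be derived from an export like this and are left out.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names are assumptions for this example.
ACCOUNTS_CSV = """system,account,owner_id,privileged,password_last_set,password_never_expires
ad,jdoe,E100,false,2024-01-10,false
ad,asmith,E101,true,2022-03-02,false
pos,seasonal07,E205,false,2023-11-20,true
erp,bnguyen,E102,false,2024-02-01,false
erp,svc_backup,,true,2019-06-15,true
"""
ACTIVE_EMPLOYEE_IDS = {"E100", "E101", "E102"}  # constructed HR roster; E205 has left


def is_true(value):
    return value.strip().lower() == "true"


def account_hygiene_metrics(accounts_csv, active_ids, today, max_age_days=90):
    """Return the accounts behind metrics 4 and 5 (hypothetical helper)."""
    report = {"orphaned": [], "orphaned_privileged": [],
              "old_password": [], "non_expiring": []}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        name = f"{row['system']}/{row['account']}"
        # Orphaned: no owner recorded, or the owner is not an active employee.
        if row["owner_id"].strip() not in active_ids:
            report["orphaned"].append(name)
            if is_true(row["privileged"]):
                report["orphaned_privileged"].append(name)
        if is_true(row["password_never_expires"]):
            report["non_expiring"].append(name)
        # Old: password unchanged for longer than the assumed policy maximum.
        age_days = (today - date.fromisoformat(row["password_last_set"])).days
        if age_days > max_age_days:
            report["old_password"].append(name)
    return report


if __name__ == "__main__":
    baseline = account_hygiene_metrics(ACCOUNTS_CSV, ACTIVE_EMPLOYEE_IDS, date(2024, 3, 1))
    for metric, names in baseline.items():
        print(f"{metric}: {len(names)} {names}")
```

Running the same function on an export taken after the IAM rollout gives the second measurement to compare against this baseline.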
Anytime you track metrics, there is extra work required to plan and collect data. This also requires ongoing diligence in order to keep showing results. However, by tracking the right metrics, you can help your organization’s security posture, while also helping to control costs and identify areas of improvement across your company.