Identity Management Metrics your Board of Directors Will Care About

We are living in the age of the data breach. There were more significant data breaches this year than ever before—873, according to a report from the Identity Theft Resource Center.

In many of these high profile breaches, hackers used weak identity management policies as their point of entry. For example, the perpetrators of the 2013 Target data breach gained access to the corporate network through login credentials stolen from an HVAC contractor.

Following that breach, advisory firm Institutional Shareholder Services recommended replacement of seven of 10 Target board members for failing to oversee cybersecurity risk. Since then, cybersecurity has been top of mind for board members at companies big and small.

In fact, in a recent NYSE survey of nearly 200 directors of public companies, more than 80 percent of participants said that they discussed cybersecurity at most or all boardroom meetings.

All of this would seem to make the need for a strong Identity and Access Management (IAM) solution obvious, but as any C-level executive can tell you, selling IT programs to leadership is never easy. You can only win with quantifiable benefits.

Attacking The Bottom Line

One of the best ways to get through to your board members is to appeal to their sense of fiduciary duty. Make them ask themselves: are we acting appropriately about cybersecurity for our customers and shareholders?

You need to make it clear that while your company may be saving money in the short term by avoiding investment in IAM technology,  in the long run, you’ll continue to overspend on costs caused by manual processes. According to Forrester Research’s cost-model for IAM, a company with 3,300 employees will spend more than twice as much on manual processes over three years than they would on automated ones.

There are a number of metrics that can demonstrate what your company is spending on manual IAM processes in real terms:

Failed Login Count

This is a simple metric to collect and track, and an easy indicator of the success or failure of your IAM processes.

In rare cases, an enormous uptick in the volume of invalid login attempts can be an indicator of a brute force attack. Most often, though, a large number of invalid login attempts indicates a failure of policy–either your users need more training, or they’ve got more accounts than they can handle, which relates to our next metric.

Unique Accounts Per User

An easy key performance indicator (KPI) for your IAM processes, the closer this number is to zero, the better. The more unique login and password credentials your users have to juggle, the more likely they are to forget those credentials, causing costly help desk calls and time wasted supporting, resetting, and managing these accounts.

What’s worse, the more credentials a user has to manage, the more likely they are to fall back on bad habits such as reusing passwords or using weak passwords. And when 97 percent of the top 1,000 global companies have leaked credentials available on the web, bad password hygiene is a serious problem.

This metric alone is a substantial justification for Single Sign-On (SSO) platforms, which let users present just one set of credentials, rather than learning or remembering separate credentials for each application.

Password Resets Per Month

Examining monthly password reset numbers is a reliable way to gauge the effectiveness of your IAM program and password policy.

77% of firms require quarterly passwords changes for employees, according to Forrester, and while that’s certainly a recommended best practice, it can mean lots of help desk calls. An average 15-minute help desk call resolving an identity administration case costs $31, according to Forrester. Those costs add up quickly for businesses with large user bases.

Additionally, every minute an employee has to wait for a password reset before they can do their job is a minute of productivity lost.

Self-service password resets can alleviate those concerns and reduce the amount of time that your help desk staff spends manually resetting passwords.

Time Spent Provisioning and De-Provisioning Users

As noted above, help desks spend a lot of time dealing with IAM issues, and a good chunk of that time is spent at the ends of the identity life-cycle: provisioning new accounts for joiners, and disabling or deleting accounts for leavers.

Just like password resets, account provisioning affects two people: the person that has to create and provision new accounts and the person who has to sit idly and wait to have key accounts provisioned. So it’s crucial to keep the process as efficient as possible.

Forrester estimates that the average user spends 300 minutes per year waiting for the help desk to manually provision or change their access; this is reduced by 200 minutes per year when using an IAM system for automated provisioning and de-provisioning.

This is especially important for retail organizations, who often experience large holiday hiring rushes that can leave contingent workers waiting days to access necessary systems, resulting in a tremendous productivity loss.

Demonstrating Security Risks

Metrics proving the cost-benefits of IAM solutions are valuable, but in some cases ROI alone may not be enough to convince hesitant board members to take on the upfront costs of a new IAM solution.

However, as noted in the NYSE survey, many board members are now in charge of managing cybersecurity as a risk area. In fact, nearly two-thirds of survey respondents indicated a strong preference for either risk metrics or high-level strategy descriptions, as opposed to descriptions of security technologies.

In our next post, we’ll take on the metrics and techniques that will help you effectively communicate security risks and priorities to the board.