Access management metrics matter because IT security is constantly changing. The outside security environment changes every year. Attackers increasingly impersonate popular brands, which makes their attacks harder to avoid. Inside your organization, employees come and go each month. According to U.S. government data, average employee tenure in America is about four years. So, the training and processes you built a few years ago may no longer be good enough.
One way to sustain IT security protection over time lies in using access management metrics.
Access Management Metrics: Why Does It Matter?
On their own, access management metrics do not create change or prevent attacks. So it is fair to ask why this article focuses on metrics rather than other types of action. Fundamentally, access management metrics are essential for a few reasons. First, they send a signal to employees and executives that access management issues are being monitored and that problems will be detected. Second, access management metrics help you measure progress against your goals and strategy. In IT security, success is sometimes difficult to identify. Consistently meeting or exceeding your access management metrics gives you a concrete way to demonstrate that success.
Access Management Metrics To Complete Each Month
As a starting point, we recommend running a monthly reporting process to evaluate access management metrics. Some of these metrics may be produced automatically by finance or by your IT security software. If the full set of metrics is too much to handle at once, start with one or two and add more over time.
1. Time To Provision New Users And Remove Access
This access management metric combines two business principles: risk and efficiency. Adding new user accounts on a timely basis is a critical way to ensure employees achieve productivity goals. After all, a newly hired employee without a user account will probably not achieve much of note! At the other end of the employee lifecycle, every employee ultimately leaves the organization. When those departures occur, it is essential to remove (or “deprovision”) user accounts.
Example access management metrics:
Time to Provision New Users: Complete all user changes within 24 hours of receiving a request from a manager.
Time to Deprovision Users: Remove all user access within 12 hours of receiving a request from a manager or human resources.
2. Number of Inactive User Accounts
Also known as ghost accounts, this metric tracks a persistent access management problem. If the number of inactive user accounts in your company grows every month, those abandoned accounts could be misused. If you have many user accounts, you might use a percentage metric rather than an absolute number.
Example access management metric:
The total number of inactive user accounts. Track this figure each month and take action if the number keeps climbing.
3. Password Quality Metrics
Did you know that one of the most common passwords in the world is “password”? Such a low-quality password represents a high level of risk! There are a few different ways to measure and improve password quality. To inspire your access management metrics reporting, take note of these ideas.
Example access management metrics:
Percentage of passwords updated in the past 12 months. Report on the number of password updates per year.
Percentage of passwords meeting complexity rules. If your password rules include optional elements, measuring compliance with password complexity can be helpful.
4. Login Attempts (Successful vs. Failed)
Login attempts are a helpful way to measure access behavior. Specifically, a large number of failed access attempts alerts you to a potential problem. A spike in failed attempts may indicate that your employees find your login system challenging to use. It may also signal that attackers are targeting your company. The metric alone will not tell you the underlying cause. Instead, it will alert you to a potential problem that needs further investigation.
Example access management metric:
The number of failed login attempts (or percentage) per month. Take note when this metric increases over time.
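The provisioning, inactive-account and failed-login metrics above can be computed from a directory export, a ticket queue and an authentication log. The following example is added here and is not code from the original article; it runs over constructed sample records and a constructed "timestamp user result" log format, and assumes a 90-day inactivity threshold alongside the 12-hour deprovisioning target given in metric 1.

```python
from datetime import datetime, timedelta

# Constructed sample data for illustration only (not real records).
REPORT_DATE = datetime(2024, 6, 30)
INACTIVE_DAYS = 90           # assumed threshold: no login for this long -> ghost account
DEPROVISION_SLA_HOURS = 12   # the article's example target for removing access

# Enabled user accounts from a directory export: (username, last_login)
ACCOUNTS = [
    ("alice", datetime(2024, 6, 28)),
    ("bob",   datetime(2024, 2, 1)),    # months without a login -> inactive
    ("carol", datetime(2024, 6, 15)),
    ("dave",  datetime(2023, 12, 20)),  # inactive
]

# Deprovisioning requests from the ticket queue: (username, requested_at, removed_at)
DEPROVISION_REQUESTS = [
    ("frank", datetime(2024, 6, 3, 9, 0),   datetime(2024, 6, 3, 15, 30)),  # 6.5 h
    ("grace", datetime(2024, 6, 10, 17, 0), datetime(2024, 6, 11, 10, 0)),  # 17 h, missed
    ("heidi", datetime(2024, 6, 20, 8, 0),  datetime(2024, 6, 20, 19, 0)),  # 11 h
]

# Constructed authentication log, one attempt per line: "timestamp user result"
AUTH_LOG = """\
2024-06-01T08:01:12 alice SUCCESS
2024-06-01T08:02:40 bob FAILURE
2024-06-01T08:02:51 bob FAILURE
2024-06-02T09:15:03 carol SUCCESS
2024-06-03T12:20:11 dave FAILURE
2024-06-05T11:45:09 bob SUCCESS
"""


def inactive_accounts(accounts, report_date, inactive_days):
    """Metric 2: names with no login within inactive_days, and their share of all accounts."""
    cutoff = report_date - timedelta(days=inactive_days)
    ghosts = [name for name, last_login in accounts if last_login < cutoff]
    return ghosts, (100.0 * len(ghosts) / len(accounts) if accounts else 0.0)


def deprovision_sla_rate(requests, sla_hours):
    """Metric 1: percentage of deprovisioning requests fulfilled within the SLA."""
    within = sum(1 for _, requested, removed in requests
                 if removed - requested <= timedelta(hours=sla_hours))
    return 100.0 * within / len(requests) if requests else 0.0


def failed_login_rate(log_text):
    """Metric 4: percentage of login attempts that failed, parsed from the log format above."""
    results = [line.split()[2] for line in log_text.splitlines() if line.strip()]
    return 100.0 * results.count("FAILURE") / len(results) if results else 0.0
```

Run the three functions each month and keep the results side by side so that a rising ghost-account share or failed-login rate stands out against earlier months.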
5. Password Reset Activity
This metric offers another way to measure password handling, complementing the password quality metrics outlined above. Tracking password reset activity and fulfillment tells you about both risk and efficiency.
Example access management metric:
Percentage of passwords reset within 60 minutes of a request being received. For instance, if password resets are frequently taking longer than an hour to fulfill, employee productivity may be declining.
6. Access Management Self-Service
Years ago, employees had to ask for access and then wait patiently for an answer. That approach is no longer good enough! Your employees are used to interacting with cloud services at home that provide password resets and account setup in seconds or minutes. Therefore, measuring self-service performance is helpful.
Example access management metric:
Percentage of access management requests completed through self-service. For example, you could track the number of requests completed through Apollo and the number completed through your help desk.
7. Cost Management Metrics
The IT function may make strategic contributions, but we have to keep cost considerations in mind. Creating a metric to measure your costs regularly means that you will be less likely to be surprised. The specific cost metrics you utilize will depend upon the sophistication of your organization’s finance team.
Example access management metrics:
Percentage of access management projects completed on budget. This metric will help you achieve short-term success when implementing new technology like single sign-on software. It will also boost your long-term credibility as a responsible manager.
Access management budget requests submitted on time. Delivering your budget requests on time, or early, makes a big difference in ensuring access management needs are adequately funded.
Where To Go From Here
Building a full suite of access management metrics will help you detect problems quickly. After that reporting process is in place, keep a proactive mindset. In reviewing the metrics, ask yourself and other IT security staff questions like, “What action can we take based on this metric?” If there is no way to take action on a metric, consider whether it is meaningful to your company’s needs.