How do you know if you’re making progress in Identity management? Unlike other parts of cybersecurity, such as crisis management, there’s no definitive end point. If you’re the manager responsible for identity management, this lack of measurement is frustrating. How can you show that your department is successful?
The Traditional Identity Management Approach Is a Mess
The standard approach to identity management is decentralized, inconsistent, and manual. Some managers follow the process religiously with each employee: approving access, logging changes, and removing access as needed. Other department leaders are too preoccupied with their daily work of meeting customers, preparing slide decks, or managing the financials. They don’t see the point in making identity management a priority.
The result of this variable approach to identity management is that the entire company, especially the overworked IT security department, suffers from weaker security protection. Hacking attempts do much more damage. Even worse, the potential impact of employee fraud is much higher. You need to measure your identity management program to know where you stand.
Why Measure Identity Management Efficiency?
Without measurement, there’s no way to improve. Even worse, there’s no way to know whether you’re reaching your goals. In the short term, a lack of measurement is demoralizing. Why go into work every day when it’s impossible to measure progress? In the long term, lack of efficiency measures makes life harder for the IT security department when it comes to budgets and hiring.
Every other department in the company can show evidence of its efficiency. Finance can show monthly reports completed on time and with accurate data. The human resources department has measures relating to recruitment. IT security managers, especially if they want greater support for increased security, need to monitor and track their own efficiency. Tracking identity management efficiency is a great place to start.
Five Ways to Score Identity Management Administrative Efficiency
You can give yourself a score on identity management administrative efficiency by looking at a few factors each month. Consider the five variables noted below into a scoring system.
1. System Coverage Percentage
List all the apps and systems your company uses. Next, track which of those systems are covered by your identity management system. If you have 100 apps and have 80 of them in your system, this metric would be 80% coverage.
2. Employee Coverage Percentage
Similar to the measure above, you track your efficiency in covering employees. You have 1,000 employees and only cover 500 of them in your system. In that case, this score would be 50%. That would be understandable if you had just implemented your identity management system.
3. Time to Complete Identity and Access Change Requests
Speed matters! That’s why you need to track how long employees and managers have to wait to get their identity management requests approved. If you use an identity management software solution, you’ll always have a high score on this measure. On the other hand, if you rely upon a manual approval process, it’ll be tough to score well here.
Set a standard for change request responses of one business day. Then, you track the percentage of requests that are responded to in that time frame.
4. Time to Respond to Audits
Nobody looks forward to audits. The best outcome you can hope for when you face an IT audit is completing the entire process with no findings as quickly as possible. That’s why you need to track your response time to IT security audits. With Compliance Auditor, identity management requests and approvals are automatically logged. That means you’ll have all the records you need in one place.
5. Compliance to Company IT Security Standards
Review your IT security standards to identify specific, measurable requirements. For example, you might have a requirement that privileged users have to explain why they still need such access every quarter. In that case, you can build a score on tracking those attestations. If you don’t like what you see in privileged user access, check out our post: “Cut Your Cybersecurity Risk Exposure By Managing Privileged Users.”
Putting Your Score Together
Your identity management efficiency score will then summarize each component into a report card. For example, an average IT department might have the following scores:
- System coverage percentage: 95%
- Employee coverage percentage: 80%
- Time to complete identity and access change requests: 50% of requests take more than one day
- Time to respond to audits: 30% of audit information requests are responded to in one day
- Compliance to company IT security standards: 40% of company IT standards are fully implemented
