Using KPIs to Redefine IAM Success, Part 1

“The global identity and access management market is expected to swell to $24.55 billion by 2022, according to a new report from Grand View Research, Inc.” – Grandview Research, “Identity And Access Management Market Analysis By Deployment, By End-Use and Segment Forecasts To 2022”

Organizations are prioritizing investments in identity and access management (IAM). In a recent survey of IT security professionals conducted by research firm Decision Analyst, 79 percent of respondents said that their organizations plan to implement IAM for externally focused applications, portals and mobile apps. Almost half (47 percent) said that their IAM projects are currently funded, while 32 percent plan to invest in IAM within the next year. Another 13 percent will invest in IAM at some point in the future, but do not have a specific timeframe. Only 8 percent said they have no plans to invest in IAM.

These organizations recognize that traditional network perimeter security is no longer sufficient protection against cyberattacks. Odds are high that a hacker will breach the perimeter. In most cases, however, the hacker still needs user credentials to complete his mission. That explains why more than 90 percent of successful cyberattacks are executed using compromised user credentials.

According to 78 percent of Decision Analyst survey respondents, data protection and security are the top priorities for IAM implementation, outweighing concerns about cost and the user experience. The importance of IAM is magnified by decentralized access patterns due to the cloud, mobile computing and the Internet of Things. The perceived perimeter has been redefined, which in turn increases the dependency on data protection and security.

The survey results suggest that IAM will be an easy sell across the organization. Once users and upper management understand the security benefits of IAM they will be fully on board for the project.

Why IAM Projects “Fail”

Experts say “identity management projects often fail,” but is that the truth? Not always. IAM projects are often labelled as unsuccessful because success criteria are ill-defined.

The changes brought about by IAM also play a role. Users may lose certain access privileges they feel they’re entitled to. Managers may be frustrated with the time required to provision credentials for employees. Executives may not be convinced that all the cost and complexity are worthwhile. Despite IT’s emphasis on the security aspects of IAM, a poor user experience and a lack of executive buy-in often result in IAM being deemed a failure.

Another common problem is a tactical, project-based approach to IAM. In this instance, IAM is viewed as a necessary component of a larger initiative — the implementation of an online portal, for example. IAM technology decisions are made without adequate consideration of people and processes. Success criteria are poorly defined. When the overarching initiative fails, IAM becomes an easy scapegoat.

Redefining IAM Success

But has IAM really failed? That all depends upon how you define success. Going back to the Decision Analyst survey results, IT teams are initiating IAM projects to boost security and data protection. However, the failure of IAM is often declared by individuals outside of IT who are looking at parameters other than security.

In many cases, a myopic approach to defining an indicator is itself a cause of perceived failure. Because an IAM project often spans many departments and business units, restricting the scope of the indicator to operational aspects limits visibility into how the initiative is actually performing.

In order for an organization to accurately determine the success or failure of an IAM initiative, key performance indicators (KPIs) must be properly defined and measured. KPIs help organizations determine what’s important, resolve any problems that arise and work toward continuous improvement. The question is not whether users are dissatisfied with IAM but why they might be dissatisfied. Where did “people” fail the “process” that is driven by “technology”? Has IAM achieved its primary goal of preventing, detecting and containing cyberattacks?

In our next post, we’ll take a closer look at KPIs that can help redefine IAM success.


Arun Kothanath, Chief Security Strategist for DIT, presented on “KPIs for Identity Governance: Achieving Performance Maturity in IGLM,” at RSA Charge in New Orleans, Oct. 27.