Government agencies are implementing Zero Trust plans mandated by President Biden’s Executive Order on Improving the Nation’s Cybersecurity and the Office of Management and Budget (OMB) memorandum M-22-09. Zero Trust programs require effective measurement of identity and access management (IAM). To build or enhance an IAM metrics program, we recommend the following steps:
An effective IAM metrics program needs to link specific IAM key performance indicators (KPIs) to broader IAM and organizational goals. In the examples below, we reference the Zero Trust M-22-09 Identity strategic goal: “Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.”
Start by identifying the strategic goals of the IAM program. IAM strategic goals should align with the broader objectives of the organization, such as enhancing security, improving user experience and achieving regulatory compliance. Examples of strategic goals for IAM could include reducing the risk of unauthorized access, streamlining user provisioning processes or enhancing identity governance.
Once strategic goals are identified, define supporting goals. These supporting goals represent specific areas or aspects that contribute to achieving the strategic objectives. For instance, if the strategic goal is to reduce the risk of unauthorized access, supporting goals could include strengthening authentication mechanisms, implementing role-based access controls or enhancing privileged access management.
Using the M-22-09 Identity strategic goal above, supporting goals could be “Agency staff use enterprise-managed identities to govern authorization to applications they use in their work” and “Agency staff use phishing-resistant MFA to access Agency resources.” There can be multiple layers of supporting goals, if needed.
After supporting goals have been defined, establish specific IAM KPIs that measure the progress and effectiveness of the IAM program. KPIs should be specific and measurable, and expressed as a proportion (percentage) so that various dimensions (departments, branches, regions, time periods, etc.) can be compared against each other. KPIs indicate the success of, or areas of improvement for, each supporting goal. Examples of IAM KPIs could include the average time taken to provision user accounts, access policy violation rate, percentage of failed authentication attempts or MFA adoption rate.
In the example above, KPIs include “Percentage of employees with a centralized digital identity” and “Percentage of cloud resources that require phishing-resistant MFA to authenticate.”
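The three steps above (strategic goal, supporting goals, KPIs) form a metrics tree that can be evaluated directly against an identity inventory. The following Python script is an added example, not code from the article or from EY: it encodes the M-22-09 goal and the two supporting goals quoted above, computes each KPI as a percentage overall and per department so the dimensions can be compared, and flags departments that fall below a target. The identity and cloud-resource inventories, the target thresholds and the set of authenticator types counted as phishing-resistant are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical, not from the article):
# one tuple per workforce identity: (user_id, department, enterprise_managed, mfa_method)
IDENTITIES = [
    ("u1", "Finance", True, "fido2"),
    ("u2", "Finance", True, "piv"),
    ("u3", "Finance", False, "sms_otp"),
    ("u4", "Engineering", True, "fido2"),
    ("u5", "Engineering", True, "totp"),
    ("u6", "Engineering", True, "fido2"),
    ("u7", "Engineering", False, "password_only"),
    ("u8", "Operations", True, "piv"),
]

# Constructed sample inventory: (resource_id, owning_department, strongest_mfa_required)
CLOUD_RESOURCES = [
    ("vpc-prod", "Engineering", "fido2"),
    ("s3-finance-reports", "Finance", "totp"),
    ("rds-hr", "Operations", "piv"),
    ("lambda-etl", "Engineering", "none"),
]

# Authenticator types treated as phishing-resistant in this example (FIDO2/WebAuthn, PIV cards).
PHISHING_RESISTANT = {"fido2", "piv"}


def percentage(numerator, denominator):
    """KPIs are proportions; an empty dimension reports 0.0 rather than dividing by zero."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def kpi_by_dimension(rows, dimension_index, predicate):
    """Return {dimension_value: percent_meeting_predicate}, plus an 'ALL' roll-up."""
    counts = defaultdict(lambda: [0, 0])  # key -> [met, total]
    for row in rows:
        for key in (row[dimension_index], "ALL"):
            counts[key][1] += 1
            if predicate(row):
                counts[key][0] += 1
    return {key: percentage(met, total) for key, (met, total) in counts.items()}


# Metrics tree mirroring the article: strategic goal -> supporting goals -> KPIs.
# Targets are hypothetical thresholds chosen for the example.
METRICS_TREE = {
    "strategic_goal": "Agency staff use enterprise-managed identities to access the applications "
                      "they use in their work. Phishing-resistant MFA protects those personnel "
                      "from sophisticated online attacks.",
    "supporting_goals": [
        {
            "goal": "Agency staff use enterprise-managed identities to govern authorization "
                    "to applications they use in their work",
            "kpis": [
                {"name": "Percentage of employees with a centralized digital identity",
                 "target": 90.0,
                 "compute": lambda: kpi_by_dimension(IDENTITIES, 1, lambda r: r[2])},
            ],
        },
        {
            "goal": "Agency staff use phishing-resistant MFA to access Agency resources",
            "kpis": [
                {"name": "Percentage of employees enrolled in phishing-resistant MFA",
                 "target": 90.0,
                 "compute": lambda: kpi_by_dimension(
                     IDENTITIES, 1, lambda r: r[3] in PHISHING_RESISTANT)},
                {"name": "Percentage of cloud resources that require phishing-resistant MFA "
                         "to authenticate",
                 "target": 100.0,
                 "compute": lambda: kpi_by_dimension(
                     CLOUD_RESOURCES, 1, lambda r: r[2] in PHISHING_RESISTANT)},
            ],
        },
    ],
}


def build_report(tree=METRICS_TREE):
    """Evaluate every KPI in the tree and list the departments below its target."""
    report = []
    for sg in tree["supporting_goals"]:
        for kpi in sg["kpis"]:
            values = kpi["compute"]()
            by_dept = {k: v for k, v in values.items() if k != "ALL"}
            report.append({
                "supporting_goal": sg["goal"],
                "kpi": kpi["name"],
                "overall": values["ALL"],
                "by_department": by_dept,
                "below_target": sorted(k for k, v in by_dept.items() if v < kpi["target"]),
            })
    return report


if __name__ == "__main__":
    print("Strategic goal:", METRICS_TREE["strategic_goal"])
    for entry in build_report():
        print(f"\n  Supporting goal: {entry['supporting_goal']}")
        print(f"    KPI: {entry['kpi']}")
        print(f"    Overall: {entry['overall']}%  By department: {entry['by_department']}")
        print(f"    Below target: {entry['below_target'] or 'none'}")
```

Because every KPI is a proportion, the same `kpi_by_dimension` call can be re-run with a different `dimension_index` (region, branch, reporting period) without changing the metric definition, which is what makes the dimensions comparable as the article recommends.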
Summary
By aligning strategic goals with supporting goals and KPIs, organizations can establish IAM metrics programs that focus on measuring outcomes and tracking progress toward desired objectives. This structured approach facilitates effective monitoring, evaluation and continuous improvement of the IAM program. In the ongoing effort to mature IAM within the Zero Trust framework, establishing and integrating IAM reporting and metrics is critical to success.