5 Ways Banks Can Measure the Success of Their IAM Program
Written November 3, 2022
Cyberattacks frequently target financial institutions for extortion, theft, and fraud; the Center for Strategic and International Studies describes financial institutions as the primary target of cyberattacks. Studies show that banks have faced a 238% surge in attacks since the pandemic, and the Boston Consulting Group estimates that financial institutions are 300 times more likely than other firms to be targeted. Because of the sensitivity of its data, the frequency of its audits, and the severe fines and economic consequences of misconduct, the banking and financial services sector is also subject to some of the strictest rules and scrutiny of any industry. Technology platforms, methods, and policies that enable an organization's compliance and security are essential to staying ahead in the digital era, and identity and access management (IAM) solutions are the backbone of that framework. Having the right IAM solution is important, but it is just as critical to have the right KPIs in place to assess how well that solution is actually working. Without objective standards for monitoring the efficacy of an IAM system, all the time and effort invested in it may be for naught.
The Value of KPIs
IAM KPIs are important to every organization: they are the measurements used to monitor the organization's security health. To keep track of the metrics that matter most to the business when evaluating its IAM strategy, an organization needs to identify the core KPIs for its institution, so that it can distinguish a successful IAM deployment from an unsuccessful one.
KPIs also help organizations monitor their progress over time. As it relates to IAM, KPIs track benchmarks such as employee retention, the geographic locations and hours from which users log in, and login frequency. The usual practice is to set goals at the beginning of each year and each quarter, then use KPIs to monitor progress toward those objectives on a weekly basis.
KPIs help organizations make adjustments and stay on track. Beyond measuring the outcomes an organization has already achieved, financial institutions also need leading indicators that warn them when they are close to falling short of a goal, while there is still time to do something about it. Leading indicators and KPIs together help a company anticipate future events and their outcomes, and tell the organization whether it is on the right path to reach the goals it has set. A suitable KPI for an IAM deployment, for example, is the number of systems it integrates with: the more systems for which it provides authentication, the easier it is for users to fulfill their job tasks without juggling separate credentials.
KPIs are also invaluable in helping organizations solve challenging problems, because a dashboard of KPIs shows where to address issues or seize opportunities. Say it has been identified that users take too long to log into multiple systems. Tracking how much a new IAM system (for example, one that adds single sign-on) reduces the time it takes employees to access systems throughout the organization would be a valuable metric to monitor.
Lastly, KPIs reveal trends and patterns. In finance, the ability to identify trends and patterns that others cannot is what separates a thriving organization from a floundering one.
What IAM KPIs Should a Bank Have?
Finding the appropriate metrics and KPIs is a prerequisite for building a project KPI dashboard that is both comprehensive and actionable. Compiling a thorough list of actionable project KPIs is not a simple task, but done correctly it helps an organization maximize the return on its IAM investment and improve the maturity of its technology environment.
Consider the larger picture before digging into KPIs. Access management matters because access opens doors. Someone holding the right keys can bypass most, if not all, of the organization's other security controls, and attackers with valid credentials can reach client data and the institution's financial and confidential information. With the rise of cyber threats in the financial industry, it is crucial that financial institutions have the right KPIs in place to monitor and measure the effectiveness of their IAM framework.
To help get started, below are five areas in which banks can measure the success of their IAM projects, each with the KPIs to track and the consequences of neglecting them:
Improvement of Processes
Account Management Time: Time taken to complete each lifecycle management task, including account creation, modification (e.g., a new role), update (e.g., personal data), deactivation, and deletion.
Number of Privileged Accounts: The number of new privileged accounts, how often they are used, how long it takes to request new privileges, and how long it takes to secure those new accounts (for example, by enrolling them in a vault or enforcing MFA) are all relevant metrics.
Consequences: The longer it takes to provision accounts and the more privileged accounts exist in the environment, the higher the probability of security breaches, exposure of private information, and misuse of company assets. More privileged accounts mean a larger attack surface for malicious actors, and a lengthy, manual account creation process means a greater risk of mistakes and inaccuracies.
Data Quality
How complete, how clean, and how accurate is the identity data stored in the system? It is a simple question, but one that organizations often overlook. Below are some KPIs that can help you start assessing your organization's data quality as it relates to IAM.
Number of Stale or Orphaned Accounts: Accounts that have not authenticated within a defined window (for example, 90 days), and accounts that have no identifiable owner.
Number of Unused Security Groups: Groups, roles, and entitlements that have no owner, no members, or no access configured against any resource.
Former Employees / Vendors: Former employees and vendors whose accounts are still present and enabled in the system.
Consequences: Poor data quality makes issues harder to identify. The difficulty of determining which users and groups should have access to particular resources raises the risk of noncompliance, and inactive users still count toward licence totals, which raises licensing costs.
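As an added illustration (not part of the original article and not KeyData tooling), the Python script below computes the three data-quality KPIs above from a constructed directory-plus-HR extract. The account and group records, the 90-day staleness window, the field names and the HR status values are all assumptions made for the example; a real export from Active Directory, Azure AD, or an IGA platform would need a small adapter to map its fields onto these records.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed staleness policy: an enabled account that has not authenticated
# in this many days counts as stale. Adjust to your own standard.
STALE_AFTER_DAYS = 90


@dataclass
class Account:
    user_id: str
    owner: Optional[str]        # accountable owner/manager; None means unknown
    enabled: bool
    last_login: Optional[date]  # None means the account has never signed in
    hr_status: str              # assumed values: "active", "terminated", "vendor-ended"


@dataclass
class Group:
    name: str
    owner: Optional[str]
    members: List[str] = field(default_factory=list)
    grants_access: bool = True  # False if the group is mapped to no resource


def data_quality_kpis(accounts: List[Account], groups: List[Group],
                      today: date) -> Dict[str, List[str]]:
    """Return stale accounts, orphaned accounts, still-enabled leavers and unused groups."""
    cutoff = today - timedelta(days=STALE_AFTER_DAYS)
    known_users = {a.user_id for a in accounts}

    # Stale: enabled but not seen inside the window (never-used accounts count too).
    stale = [a.user_id for a in accounts
             if a.enabled and (a.last_login is None or a.last_login < cutoff)]
    # Orphaned: nobody is accountable for the account.
    orphaned = [a.user_id for a in accounts if a.owner is None]
    # Leavers and ended vendors whose access was never revoked.
    former_enabled = [a.user_id for a in accounts
                      if a.enabled and a.hr_status != "active"]
    # A group is unused if nobody owns it, it grants nothing, or none of its
    # members resolve to a current account.
    unused_groups = [g.name for g in groups
                     if g.owner is None or not g.grants_access
                     or not any(m in known_users for m in g.members)]
    return {
        "stale_accounts": stale,
        "orphaned_accounts": orphaned,
        "former_still_enabled": former_enabled,
        "unused_groups": unused_groups,
    }


def sample_data():
    """Constructed sample extract (not real data), dated to the article."""
    today = date(2022, 11, 3)

    def days_ago(n: int) -> date:
        return today - timedelta(days=n)

    accounts = [
        Account("alice",   "mgr1", True,  days_ago(3),   "active"),
        Account("bob",     None,   True,  days_ago(120), "active"),        # orphaned and stale
        Account("carol",   "mgr2", True,  days_ago(10),  "terminated"),    # leaver still enabled
        Account("dave",    "mgr1", False, days_ago(400), "terminated"),    # correctly disabled
        Account("vendor1", "mgr2", True,  None,          "vendor-ended"),  # never used, contract over
    ]
    groups = [
        Group("finance-readers",   "mgr1", ["alice", "carol"]),
        Group("legacy-app-admins", None,   ["bob"]),   # no owner
        Group("empty-group",       "mgr2", []),        # no members
        Group("old-project",       "mgr1", ["zed"]),   # member no longer exists
    ]
    return accounts, groups, today


if __name__ == "__main__":
    for kpi, items in data_quality_kpis(*sample_data()).items():
        print(f"{kpi}: {len(items)} -> {items}")
```

Run it against the sample and the counts are the KPI values; the lists behind them are what a governance team would hand to account owners for remediation. Note that "dave" is excluded from every list because the leaver process worked, which is exactly the outcome the KPI is meant to reward.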
Role Management
Segregation of Duties: The number of SoD violations, i.e., users who hold combinations of entitlements that policy says should never sit with one person (for example, creating and approving the same payment). Track them over time to find patterns of usage and gaps in the SoD rule set.
Escalation of Privileges: Any combinations of access rights (roles, entitlements) that together give an individual more access than should have been granted.
Role Permissions: Users who have more access than they need when compared with their team members.
Access to Privileged Information: The number of users with access to sensitive or confidential information.
Consequences: The more users who hold excessive access, access to sensitive information, or escalated rights, the greater the risk of fraudulent access, noncompliance, insider trading, and similar offenses. Users should have only the access required to do their jobs and nothing more.
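The following Python check is an added example, not code from the article, that evaluates the role-management KPIs above against a constructed entitlement inventory: it flags SoD violations (toxic combinations), finds users whose entitlements are unusual for their team, and counts who can reach sensitive data. The SoD rule pairs, team roster, entitlement names, the 50% peer threshold and the set of sensitive entitlements are all made-up inputs chosen for the example.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed inputs for the example; none of this is real bank data.
# SoD rules: pairs of entitlements that must never be held by one person.
SOD_RULES: List[Tuple[str, str]] = [
    ("payments.create", "payments.approve"),
    ("vendor.onboard", "vendor.pay"),
]

# Entitlements treated as sensitive for the "access to privileged information" KPI.
SENSITIVE: Set[str] = {"hr.ssn.read", "payments.approve"}

TEAM: Dict[str, str] = {
    "alice": "ap-clerks", "bob": "ap-clerks", "carol": "ap-clerks", "dan": "ap-clerks",
    "erin": "treasury",
}

ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"payments.create", "gl.read"},
    "bob":   {"payments.create", "gl.read"},
    "carol": {"payments.create", "payments.approve", "gl.read"},   # create + approve
    "dan":   {"payments.create", "gl.read", "vendor.onboard", "vendor.pay", "hr.ssn.read"},
    "erin":  {"payments.approve", "gl.read"},
}


def sod_violations(entitlements: Dict[str, Set[str]],
                   rules: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Users holding both halves of a conflicting pair (a toxic combination)."""
    found = []
    for user, ents in entitlements.items():
        for a, b in rules:
            if a in ents and b in ents:
                found.append((user, a, b))
    return found


def peer_outliers(entitlements: Dict[str, Set[str]], team: Dict[str, str],
                  threshold: float = 0.5) -> Dict[str, List[str]]:
    """Entitlements a user holds that fewer than `threshold` of their team hold.

    Teams with a single member have no peer baseline and are skipped rather
    than reported, so a one-person team does not show up as all outliers.
    """
    by_team: Dict[str, List[str]] = {}
    for user, t in team.items():
        by_team.setdefault(t, []).append(user)

    outliers: Dict[str, List[str]] = {}
    for members in by_team.values():
        if len(members) < 2:
            continue
        counts = Counter(e for m in members for e in entitlements.get(m, set()))
        for m in members:
            rare = sorted(e for e in entitlements.get(m, set())
                          if counts[e] / len(members) < threshold)
            if rare:
                outliers[m] = rare
    return outliers


def sensitive_access(entitlements: Dict[str, Set[str]], sensitive: Set[str]) -> List[str]:
    """Users with at least one entitlement from the sensitive set."""
    return sorted(u for u, ents in entitlements.items() if ents & sensitive)


if __name__ == "__main__":
    print("SoD violations:", sod_violations(ENTITLEMENTS, SOD_RULES))
    print("Peer outliers:", peer_outliers(ENTITLEMENTS, TEAM))
    print("Sensitive access:", sensitive_access(ENTITLEMENTS, SENSITIVE))
```

The peer comparison is deliberately separate from the SoD rules: an SoD rule catches a combination someone already wrote down as forbidden, while the peer check surfaces access that nobody wrote a rule for but that no one else on the team needs, which is how most accumulated over-privilege looks in practice.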
Application Access Control
Number of custom application integrations: Identifies the different authentication and authorization patterns that exist within the organization.
Number of applications using cloud vs. on-premises IAM: Identifies which applications use modern, federated authentication protocols (such as SAML or OpenID Connect) and therefore how ready the application estate is for SaaS.
Critical systems using strong authentication (%): The percentage of critical applications that are protected by MFA or another strong authentication method.
Consequences: The more applications that require modern and/or custom authentication patterns, the greater the complexity of meeting those requirements with the current IAM platform; a more flexible and scalable platform may be required.
Cost Savings
Identify the actual cost of the IAM solution.
Some firms look only at the annual subscription cost of the technical solution. For example, an organization using Azure Active Directory as its identity provider may count just the annual subscription fee, but that figure is incomplete because the IAM solution carries numerous hidden costs. Engineers need to monitor and maintain the system. Logging needs to be configured, enabled, monitored, and maintained. Other systems need to be configured to work with it, which takes more engineer time. In short, there are many hidden costs, both financial and in staff time, that must be identified to understand the true cost of the solution. The more time and money it costs to maintain a system, the greater the chance of an implementation error that introduces unnecessary risk. Below are some additional IAM KPIs to reference:
Helpdesk Troubleshooting Time: Time the helpdesk spends assisting users (e.g., password resets, role changes, application access issues).
Resource Allocation: How many full-time equivalents (FTEs) are needed to maintain the system.
Technical Solutions: The total number of additional products needed to support the IAM use cases (e.g., MFA, identity bridges, role-based access tools, provisioning, privileged access management).
Overall Cost: The total of the related expenses for each individual IAM solution (e.g., licensing, maintenance, hardware, support).
Consequences: The total cost of ownership (TCO) may be too high if the current IAM solution requires a large team to maintain it along with a plethora of supplementary systems.
Challenges with Measuring Technology ROI
IAM can be a technology project that does not deliver what it promised or, in the worst case, is only partially implemented. A primary factor in such unsatisfactory results is the absence of performance metrics.
For example, purchasing IAM tools and then implementing them are two steps a business takes to ensure users have the right access to information and resources. The project may be deemed a success if the deployment was carried out as planned and within budget. Time and budget matter, but they do not tell leadership how the solution is benefiting the organization.
Stakeholders are unlikely to appreciate the deployment's potential or advantages until they firmly understand the reasoning behind it, and without KPIs to track they will not know how the system is functioning or how to improve it for more value.
Without metrics to oversee the expected business outcomes, IAM investments may stagnate or fail. Businesses that focus on identifying and measuring critical objectives for their operations get a better return on their investment.
KeyData can help you get started on your IAM journey
If you're interested in learning more about how your financial institution can better measure the effectiveness of its IAM solution, KeyData can help. KeyData's flagship service is Identity and Access Management (IAM), and we concentrate all our efforts on IAM. The KeyData advantage is based on our people and our knowledge. Our team is made up of highly skilled engineers and consultants who specialize in Identity Governance and Administration, Privileged Access Management, Customer Identity and Access Management, and Cloud Security Posture Management. Our team has a strong track record of providing end-to-end IAM services, from requirements gathering and roadmap development to full implementation, training, and managed support. Get in touch with us for a free initial consultation.
References
16 Essential Project KPIs That Benefit Every Team. (2015, November 26). Scoro. https://www.scoro.com/blog/16-essential-project-kpis/
IAM in Banking: Keeping Pace with Digital Transformation. (2019, December 11). Techfunnel. https://www.techfunnel.com/fintech/iam-banking/
Cicchitto, N. (2018, December 5). The Identity and Access Management Blog (Avatier). https://www.avatier.com/blog/find-out-if-your-access-management-program-is-successful-with-kpis/
Financial Sector Cybersecurity. (2018). Center for Strategic and International Studies. https://www.csis.org/programs/strategic-technologies-program/archives/cybersecurity-and-governance/financial-sector
pradnya. (2022, July 22). Multi-factor Authentication (MFA) for Banks and Financial Institutions. miniOrange Blog. https://blog.miniorange.com/why-mfa-for-banks-and-financial-institutions/
How to Measure the Success of IAM Deployment. (2020, December 22). Spiceworks. https://www.spiceworks.com/it-security/identity-access-management/guest-article/how-to-measure-the-success-of-iam-deployment/