When business is about the bottom line, ROI often has to be justified for infrastructure or products that aren’t perceived as revenue generators, and organizations can be reluctant to approve budget for improvements and additional security measures beyond minimum requirements. In many organizations, security is viewed as a cost center rather than a value-add. Especially in the case of averted crises, it’s very difficult to measure the number of things that didn’t happen and justify why it was important to continue to spend on those defenses.
That’s why proving the business case for Identity and Access Management (IAM) calls for a different approach. If businesses seem reluctant to release precious budget in the name of security alone, it can leave IT pros open to questions such as, “If it hasn’t happened, why are we paying for it?” or “If we did pay for additional measures and we still experienced issues, why should we continue spending?”
Though these questions are common, shifting the discussion beyond these types of concerns and pairing security with measurable business outcomes can help show the value of IAM.
Metrics that matter: Benefits of pairing IAM and business outcomes
One of the best ways to prove the value of IAM is by pairing security with strategic metrics that boost the entire business. That means looking at IAM benefits that support and optimize operations and limit risks rather than just enhance security posture alone. By carefully selecting these metrics, IT and security teams can:
- Match investments in security to business outcomes
- Measure the impact of security investments that aren’t security alone
- Offer visibility into the ways that IAM supports the broader business
- Collaborate with the business to agree and align on protection and risk tolerance levels
Quick wins: Access management use cases
Employees need access to applications, data and systems to complete their tasks. Between onboarding, provisioning, accessing third-party tools and requiring service desk support, there are multiple ways to mitigate risk while bolstering business outcomes. Let’s explore some use cases along with some suggested metrics from across the employee lifecycle.
Use case 1: Streamline onboarding and offboarding of users
Modern infrastructure is distributed, users are dispersed, and SaaS applications and their supporting systems are decentralized. The threats are just as distributed, spread across cloud configurations where monitoring is less unified and gaps can appear.
Add enterprise-scale staff movement and turnover and things get more complex still. An organization with a workforce of 10,000 or more will have a large number of high-value identities and accounts, often with varying levels of permissions, that need to be secured from hire to exit.
That is when it is time to look at solutions that sync roles and identities to access and permissions in near real time. It usually starts with classifying attributes, such as group membership in an integrated Active Directory or LDAP directory, so that when a user changes role their attributes, and the entitlements derived from them, change with them. The mover case deserves particular attention: access from the old role must be removed, not only new access added, or routine role changes become a steady source of privilege creep.
Authorization and entitlement assignment also need enough granularity that licensing and provisioning levels can be viewed and reviewed easily.
Suggested value-led metric
Employees should have access to all key applications from day one. Issuing those permissions manually, or through an inconsistent provisioning process, delays that access. A key metric that pairs security operations with business outcomes is how quickly new employees get the right applications with the correct level of permissions, measured from their start date.
The same metric adapts to offboarding: the time taken to disable a leaver's account, plus a check that no orphaned accounts or resources remain. Depending on the length of an employee's service, an assessment can also show whether privilege creep built up during their employment.
A remote workforce tends to accumulate accounts in cloud applications, which makes it important to centralize access and monitor identity from a single portal. Combined with Single Sign-On, users no longer have to log in to each individual application.
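To make the metrics in use case 1 concrete, here is an added example (not code from the article or from any vendor it describes) that computes time-to-full-access for joiners, time-to-disable for leavers, orphaned active accounts and privilege creep against a role baseline, all from constructed HR and IdP audit data. The HR rows, the event format, the app names and the role baseline are assumptions made for illustration; in practice they would come from the HR system and the IdP's audit log export.

```python
"""Joiner/mover/leaver metrics over constructed HR and IdP data.

Added example, not the article's code. Data formats, app names and the
role baseline are assumptions made for illustration.
"""
from datetime import datetime, timedelta

# Constructed HR roster: one row per worker. term=None means still employed.
HR = [
    {"user": "alice", "role": "engineer", "start": "2024-03-04T09:00", "term": None},
    {"user": "bob",   "role": "sales",    "start": "2024-03-04T09:00", "term": "2024-05-31T17:00"},
    {"user": "carol", "role": "engineer", "start": "2024-03-11T09:00", "term": None},
]

# Assumed role baseline: the apps each role should have on day one.
ROLE_BASELINE = {
    "engineer": {"email", "source-control", "ci"},
    "sales": {"email", "crm"},
}

# Constructed IdP audit events: (timestamp, user, action, app).
EVENTS = [
    ("2024-03-04T09:05", "alice", "grant", "email"),
    ("2024-03-04T09:05", "alice", "grant", "source-control"),
    ("2024-03-06T14:00", "alice", "grant", "ci"),              # manual ticket, two days late
    ("2024-03-04T09:10", "bob",   "grant", "email"),
    ("2024-03-04T09:10", "bob",   "grant", "crm"),
    ("2024-03-20T11:00", "bob",   "grant", "source-control"),  # outside the sales baseline
    ("2024-06-03T10:00", "bob",   "disable", None),            # leaver disabled next business day
    ("2024-03-11T09:02", "carol", "grant", "email"),
    ("2024-03-11T09:02", "carol", "grant", "source-control"),
    ("2024-03-11T09:02", "carol", "grant", "ci"),
]

# Constructed snapshot of accounts the IdP currently reports as active.
ACTIVE_ACCOUNTS = {"alice", "carol", "svc-legacy-export", "dave"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def _events_in_order():
    # ISO timestamps sort correctly as strings; key on them only, because
    # the app field is None for disable events and would not compare.
    return sorted(EVENTS, key=lambda e: e[0])


def hours_to_full_access():
    """Hours from start date until every baseline app for the role is granted.
    None means the baseline was never fully met."""
    out = {}
    for person in HR:
        need = set(ROLE_BASELINE[person["role"]])
        done_at = None
        for ts, user, action, app in _events_in_order():
            if user == person["user"] and action == "grant" and app in need:
                need.discard(app)
                if not need:
                    done_at = _ts(ts)
                    break
        start = _ts(person["start"])
        out[person["user"]] = (None if done_at is None
                               else round((done_at - start) / timedelta(hours=1), 2))
    return out


def hours_to_disable():
    """Hours between a leaver's termination time and the first IdP disable event."""
    out = {}
    for person in HR:
        if person["term"] is None:
            continue
        disabled = [_ts(ts) for ts, user, action, _ in EVENTS
                    if user == person["user"] and action == "disable"]
        out[person["user"]] = (None if not disabled else
                               round((min(disabled) - _ts(person["term"])) / timedelta(hours=1), 2))
    return out


def orphaned_accounts():
    """Active IdP accounts with no current (non-terminated) HR record."""
    employed = {p["user"] for p in HR if p["term"] is None}
    return sorted(ACTIVE_ACCOUNTS - employed)


def privilege_creep():
    """Per user: apps granted (and not since revoked) beyond the role baseline."""
    granted = {}
    for _, user, action, app in _events_in_order():
        if action == "grant":
            granted.setdefault(user, set()).add(app)
        elif action == "revoke":
            granted.get(user, set()).discard(app)
    creep = {}
    for person in HR:
        extra = granted.get(person["user"], set()) - ROLE_BASELINE[person["role"]]
        if extra:
            creep[person["user"]] = sorted(extra)
    return creep


if __name__ == "__main__":
    print("hours to full access:", hours_to_full_access())
    print("hours to disable:", hours_to_disable())
    print("orphaned active accounts:", orphaned_accounts())
    print("privilege creep:", privilege_creep())
```

On the constructed data, alice's day-one access is 53 hours late because one app was granted by a manual ticket, bob was disabled 65 hours after termination, two active accounts (a service account and a user with no HR record) are orphaned, and bob accumulated an entitlement outside his role baseline. Tracked over time, the first two numbers are the before-and-after measure for automated provisioning; the last two are the review items that automation should drive to zero.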
Use case 2: Reduce tickets submitted to the IT service desk
Alongside troubleshooting, IT support teams field tickets ranging from password resets to access requests, and the costs add up. A single password reset has been estimated to cost around $70, and resets have been reported to make up as much as 50% of helpdesk inquiries, costing companies an average of $480 in lost productivity per employee each year. Growth is good, but it also brings more reset requests. They pile up into an endless stream of helpdesk tickets, introducing additional security risks (a rushed reset over the phone is a classic social-engineering target) and hurting staff, and the IT team's reputation, if they cannot be resolved quickly.
Suggested value-led metric
Reduced ticket volumes and resolution times are metrics that can help show the impact of investing in improved security measures. An analysis of the current state of password reset tickets can further allow a business to understand the value in eliminating the time an IT team spends resolving these types of tickets.
Self-service password reset can eliminate a significant share of helpdesk requests, freeing the team for higher-value work. Single Sign-On (SSO) means users enter one set of credentials to reach their apps in the cloud and behind the firewall from laptops, smartphones and tablets. Adding MFA to SSO asks users to verify their identity with an additional factor, so a phished, reused or guessed password alone is not enough to sign in. Not every factor resists phishing equally, though: one-time codes and push approvals can be relayed by an attacker in real time, whereas FIDO2/WebAuthn authenticators bind the login to the site's origin and cannot be.
Use case 3: Reduce resources required for provisioning and access requests
In theory, the business case for the principle of least privilege is a no-brainer: granting employees access only to the resources they need, and no more, means that only those who need a seat or license for a software product get one. In practice, the business case must factor in the steps and labor involved in granting, removing, enforcing and changing privileges, without creating bottlenecks and while keeping the business productive.
Suggested value-led metric
Choose metrics for access requests while they are still handled manually: for example, the time taken to approve or deny access to an application and how many escalations were needed, weighed against the urgency of the request, gives a sense of the time spent and the cost involved. Compare these with the same metrics after implementing an admin delegation model. Before delegating, though, resolve vendor and application sprawl; delegating administration over applications nobody has inventoried only spreads the problem.
Allowing department heads to own delegated administration over selected applications can also help prove value. IT keeps oversight of every application in the business's ecosystem, while individual departments assign privileges to their own users as they need them.
This frees IT from handling standard requests for each department or application, and lets higher-tier teams focus on edge cases, provide more specialized support, and grant privileges with the right scope, actions and effect.
Use case 4: Consolidate vendors and streamline third-party application usage
The modern enterprise may use anywhere from 40 to more than 200 applications, and every vendor comes with costs for procurement, setup, implementation and support. Adoption should be balanced with strict governance, to avoid joining the 'one-third of platform ecosystems' that reportedly 'fail due to poor management.'
Getting a handle on application sprawl means assessing the value available in operational efficiency and overhead costs. Measuring the time it takes to onboard and offboard users across those applications, the advantages of a smaller pool of third-party applications, and the time and effort needed for compliance and risk assessments gives organizations a clearer picture of which applications are actually used and which are merely taking up time and budget.
Suggested value-led metric
By identifying SaaS app usage alongside metrics on payments and subscriptions, organizations can get a better sense of what is being used and whether users hold excessive permissions. Helpful metrics include license and user details, frequency of use and a description of why each app is needed. Use that visibility into application usage to identify savings and places where overlapping apps offer potential for consolidation.
Organizations can identify non-critical apps that are not being used and stop or limit subscriptions and payments where appropriate, then decide which of the remaining apps to consolidate and measure the cost saved over a typical billing cycle.
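As an added example for use case 4 (not code from the article or any vendor it describes), the following computes license utilization from a constructed subscription list, seat assignments and SSO sign-in log: seats paid for versus assigned versus active in the last 90 days, the annual cost of reclaimable seats, apps with no active users at all, and overlapping apps in the same category together with the users they share. The app names, seat counts, prices, categories and the 90-day definition of "active" are all assumptions for illustration.

```python
"""SaaS usage and license metrics over constructed SSO sign-in data.

Added example, not the article's code. App names, seat counts, prices,
categories and the 90-day "active" window are assumptions for illustration.
"""
from datetime import date, timedelta

AS_OF = date(2024, 6, 30)
ACTIVE_WINDOW = timedelta(days=90)   # assumed definition of an active user

# Constructed subscription records from procurement.
LICENSES = {
    "crm":        {"seats": 5, "cost_per_seat_month": 60, "category": "sales"},
    "docs-a":     {"seats": 8, "cost_per_seat_month": 8,  "category": "file-sharing"},
    "docs-b":     {"seats": 4, "cost_per_seat_month": 10, "category": "file-sharing"},
    "whiteboard": {"seats": 3, "cost_per_seat_month": 12, "category": "collab"},
}

# Constructed seat assignments, as exported from each app or the IdP.
ASSIGNED = {
    "crm":        {"u1", "u2", "u3", "u4"},
    "docs-a":     {"u1", "u2", "u3", "u4", "u5", "u6"},
    "docs-b":     {"u2", "u3", "u7"},
    "whiteboard": {"u8", "u9"},
}

# Constructed SSO sign-in log: (date, user, app). u3's CRM use is stale,
# u4 never signed in to CRM, and nobody has used the whiteboard app.
SIGNINS = [
    (date(2024, 6, 28), "u1", "crm"),
    (date(2024, 6, 1),  "u2", "crm"),
    (date(2024, 2, 1),  "u3", "crm"),
    (date(2024, 6, 29), "u1", "docs-a"),
    (date(2024, 6, 29), "u2", "docs-a"),
    (date(2024, 6, 10), "u3", "docs-a"),
    (date(2024, 5, 15), "u5", "docs-a"),
    (date(2024, 6, 20), "u2", "docs-b"),
    (date(2024, 6, 21), "u3", "docs-b"),
]


def active_users(app):
    """Users who signed in to the app within the active window."""
    cutoff = AS_OF - ACTIVE_WINDOW
    return {u for d, u, a in SIGNINS if a == app and d >= cutoff}


def utilization():
    """Per app: paid seats, assigned seats, active users, and what could be reclaimed."""
    rows = {}
    for app, lic in LICENSES.items():
        assigned = ASSIGNED.get(app, set())
        active = active_users(app) & assigned
        reclaimable = lic["seats"] - len(active)   # seats nobody actively uses
        rows[app] = {
            "seats": lic["seats"],
            "assigned": len(assigned),
            "active_90d": len(active),
            "idle_assigned": len(assigned - active),
            "reclaimable_seats": reclaimable,
            "annual_savings": reclaimable * lic["cost_per_seat_month"] * 12,
        }
    return rows


def cancel_candidates():
    """Apps with no active users in the window: candidates to stop paying for."""
    return sorted(app for app, row in utilization().items() if row["active_90d"] == 0)


def overlaps():
    """Categories served by more than one app, with the users assigned to all of them."""
    by_category = {}
    for app, lic in LICENSES.items():
        by_category.setdefault(lic["category"], []).append(app)
    out = {}
    for category, apps in by_category.items():
        if len(apps) < 2:
            continue
        shared = set.intersection(*(ASSIGNED.get(a, set()) for a in apps))
        out[category] = {"apps": sorted(apps), "shared_users": sorted(shared)}
    return out


if __name__ == "__main__":
    for app, row in utilization().items():
        print(app, row)
    print("cancel candidates:", cancel_candidates())
    print("overlapping apps:", overlaps())
```

On the constructed data the CRM has five paid seats, four assigned and two used in the last 90 days; the two file-sharing apps overlap for two users, which is the consolidation conversation the text describes; and the whiteboard subscription has no active users at all. Seat assignments in real exports often outlive the people they were assigned to, so it is worth joining these results with the orphaned-account check from use case 1 before acting on them.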
The benefits of IAM: Optimizing across the business
While it is reported that only 53% of application leaders’ business cases get approval, these metrics offer a way to prove the business value of IAM. The focus on aligning with business use cases offers additional benefits beyond enhancing overall security.
By measuring the impact and communicating IAM benefits in this way, recognition for the time and money saved flows beyond the IT team's need to secure the business into the rest of business operations, strengthening those relationships and further communicating the value of IAM. Security becomes an integrated part of the business rather than something applied only at the perimeter or bolted on afterwards to maintain compliance. This helps mitigate the risks that come with expansion, such as a lack of standardization that leaves gaps in processes.
Managed correctly, IAM can achieve improved productivity and usability alongside improved security. By taking a few first steps with these metrics, IT teams can start proving the business case and value of identity and access management.