Over the years, identity management has escalated from a mere productivity nuisance to now representing a significant security risk. In fact, the Verizon 2024 Data Breach Investigations Report reveals stolen credentials have played a role in almost one-third of all breaches in the last decade.

Because identity management was historically viewed as an IT issue, most programs focused on the ease and speed of granting access. This strategy led to a huge wave of unnecessary permissions, birthright access, misconfigured (or nonexistent) authentication measures and overprivileged users. 

Cybercriminals took advantage of this largely unsupervised attack surface, contributing to a new epidemic of identity-based attacks. This is demonstrated by IBM’s 2024 X-Force Threat Intelligence Index, which found a 71% spike in cyberattacks caused by exploiting identities. Similarly, the 2024 Identity Security Outlook Report showed that 77% of businesses experienced security incidents in the past year due to improper access. 

Thankfully, modern organizations recognize the potential dangers of poor identity practices and are now embracing a security-first approach. As enterprise security leaders work to improve their identity security postures, they are turning to new metrics to benchmark their efforts and measure success. 

Targeting the right identity security metrics

According to the Identity Security Outlook Report, 75% of security leaders today are currently using some kind of benchmark to measure the success of their identity security initiatives. That percentage is sure to increase as more identity-based attacks make headlines, such as the recent breaches involving Snowflake customers that did not have multifactor authentication (MFA) enabled.

To effectively demonstrate the success of their identity security programs, security leaders must first identify the best metrics for their organizations. A good starting point is to select an appropriate metric across three critical aspects of identity security: authentication (verifying who someone is), authorization (determining what that person is allowed to access or do), and access lifecycle (managing access rights from the initial provisioning to ongoing management and eventual deprovisioning). 

Here are three metrics that can be used to measure the success of identity security initiatives:

1. Percentage of user access covered by MFA

Accounts with two-factor authentication (2FA) are inherently more protected than those without, and MFA takes it a step further by combining multiple authentication methods. When it comes to MFA, however, the problem is less about knowing how effectively it can reduce attacks, and more about how to implement it effectively. 

Especially in large organizations that have a complex mix of cloud, on-prem and homegrown systems, it can be technically challenging to ensure MFA coverage across all apps and resources. That complexity is compounded by organizational resistance, especially from employees who need access (right now!) to these resources to do their jobs.

Measuring the percentage of user access covered by MFA provides a clear picture of how well the organization’s authentication efforts are working. While 100% coverage may not be achievable right away, this metric can serve as a valuable benchmark for success, as well as shed light on any technological or organizational friction that may be slowing down efforts. 

2. Percentage of time-constrained privileged access

Privileged accounts are prime targets for attackers, since they have access to some of the most sensitive data and critical infrastructure within the company. One surefire way to drastically reduce the level of risk associated with these accounts is to introduce time constraints. 

Time-constrained or just-in-time (JIT) access involves only granting privileged access when absolutely necessary, and limiting that access to the bare minimum required for a person to perform their job function. After a set period of time (or when the task is completed), that access is then revoked.

By measuring the percentage of privileged access that is time-constrained, businesses can significantly minimize the potential security risks associated with standing access privileges, birthright access and overprivileged accounts. This metric can also provide security leaders with a useful benchmark to demonstrate progress towards 100% time-constrained privileged access.  

3. Average time to deprovision sensitive access

In a perfect world, an employee’s access would be immediately revoked at the exact moment they leave the company or no longer need access to a certain resource. As any enterprise security leader knows, this process is much easier said than done, requiring significant cross-departmental coordination, a lot of automation and a little bit of luck. 

As part of a security leader’s efforts to streamline the user access lifecycle, the efficiency of deprovisioning should be a top priority. By quickly deprovisioning sensitive access, businesses can close any potential security gaps before they can be exploited. 

Measuring the average time to deprovision sensitive access provides a solid indicator of how efficiently the organization can address these security gaps. A good goal to shoot for would be to deprovision sensitive access within 24 hours, and less if possible.

Setting up a modern identity security program

A security-first approach to identity is now essential. While standing up a modern identity security program may seem daunting, the good news is that 95% of identity security is just about nailing the basics — things like conducting regular access reviews, avoiding birthright access and offboarding employees promptly when they leave the company. Once these essentials are in place, it becomes a matter of measuring the success of the program and making continual, incremental improvements to strengthen the organization’s security posture.