KPIs in Cybersecurity Roadmaps

March 29, 2021

What does good access security look like for your organisation? This is unique for every organisation depending on factors such as size, budget, regulatory requirements. IT security is critical to data handling, compliance, and company reputation, so certainly you want the best security possible. But what does that mean? The process of reaching that target state needs to be broken down into manageable and measurable chunks.

Before you can answer the question “what does good look like for my security?”, you need to understand your current state, then define your target state, then work out the steps in a roadmap to achieve this. Along this journey, you need to define Key Performance Indicators (KPIs) to ensure the roadmap is achieving the risk reduction and operational efficiencies you are trying to accomplish. This is important at both day-to-day operational level and to senior management to show the value of an Identity and Access Management (IAM) program.

Here’s an example

Let’s take the example of single sign-on (SSO) as an access management solution. Perhaps you want a single sign-on platform for your applications, so your employees aren’t spending half their day remembering passwords for each one. Ultimately you want all the applications used by your employees to be included in that platform.

But first: what does your current infrastructure look like?

Once you have established your current situation, you can start planning where you want to be and how you are going to get there. Here’s where KPIs come in to measure the progress and performance of an initiative. You can decide on a block of time, like 4 months, and how much you want to improve by in that time. 

KPI graphic

So, in the SSO example, you would set yourself a target KPI – for example, 80% of your applications are onboarded to a centralised SSO solution, which brings you within risk appetite. Now you would track progress in a roadmap against this KPI and once achieved, you would continue to use this as a metric to ensure you do not fall below this level.


As well as the value evidenced by a KPI (e.g. 80% of applications are onboarded), it is also important, if not more important, to indicate the outliers (the remaining 20% of applications that are not onboarded), as these outliers pose a risk. This is the metric your CISO needs to know, as that is the gap for attack.

Choosing your KPIs

With so many measurable data points, here are three pieces of advice for choosing the KPIs to measure for your security:

  • Align stakeholders – KPIs will only be useful if the metrics inform decision-making for business performance improvement. This remains the same for security KPIs.

  • Regularly review – priorities might change and the selection of KPIs should be flexible for this.

  • Actionability – what does “good” security look like for your business? How can KPIs inform the actionable steps to reach the desired outcome?

Some Useful KPIs in Security

Here are a few useful KPIs in access security to have a think about for your organisation:

  • The number of your applications under a centralised SSO
  • The percentage of employee access controlled by multi-factor authentication (MFA)
  • The number of employees with root/admin access
  • The percentage of privileged access only available through break-glass access
  • The percentage of automated leavers with access disabled within the day

Intragen Dashboards

Business leaders want productivity first and foremost, as this drives performance and progress. As we advance further into a world of 30-second attention spans and information overload, it only makes sense to keep pace with digital evolution and bring simple visualisation into the IT security space. Simplify your path to compliance and security through visibility with a dashboard.

Apps covered by SSO

And let our team of experts do the hard work for you. Our security assessments include dashboards with varying depths of detail to fulfil the needs of each level of seniority, delivering clear and accurate visibility of policy violations, licence count, joiners and leavers, ticket requests and more.

Download our security assessment guide for more information or talk to one of our team to start a security assessment.

Download your IAM assessment guide