This blog series will explore how CIAM and Fraud teams can co-exist to achieve mutual success and the fundamental organizational changes that need to happen to make this possible.
Customer Identity and Access Management (CIAM) is a platform, or digital ecosystem, that enables organizations to manage and secure customer identities and their access to various applications, services, and resources. Unlike IAM, which focuses on protecting and managing internal resources, CIAM is designed to optimize the security and digital experience of customer-facing applications. CIAM technologies typically include user registration, authentication, single sign-on (SSO), multi-factor authentication (MFA), and consent management.
As organizations continue to expand their digital footprint, CIAM has been forced to evolve to address fraud and cybercrime risks to customer applications. However, with the adoption of new technologies and controls to mitigate these risks, organizations often find themselves walking a fine line between security and user experience (UX). Any measure put in place that has the potential to add friction or cause a user to abandon an action will often be met with great resistance. While security is embedded in CIAM, the UX part of the equation is dominant in measuring the success of the CIAM strategy.
How CIAM Success is Typically Measured
The success of a CIAM team can be measured using various key performance indicators (KPIs) and metrics that align with the goals and objectives of the organization. Here are some common metrics used to provide a holistic view of the CIAM team's performance and the effectiveness of the implemented CIAM solution:
- User Adoption: Measuring the percentage of customers who successfully register and engage with the CIAM platform. Higher user adoption indicates a successful implementation and positive user experience.
- Conversion Rate: Evaluating the conversion rate of anonymous or guest users to registered users. A higher conversion rate indicates the effectiveness of the CIAM team's strategies in attracting and converting customers. This metric is dependent upon solid Identity Verification which, somewhat ironically, is often not considered in the CIAM scope of responsibility.
- Customer Satisfaction: Conducting customer satisfaction surveys or collecting feedback to gauge users' satisfaction with their digital experience. Positive feedback and high satisfaction scores indicate a successful CIAM implementation.
- Security Metrics: Monitoring security-related metrics such as the number of security incidents, account compromises, or unauthorized access attempts. A lower number of security incidents demonstrates the effectiveness of the CIAM team's security measures. (Notice the lack of “fraud” in this description.)
- Time to Market: Measuring the time taken to implement new CIAM features, onboard new applications, or integrate with external systems. Faster implementation and integration times indicate an agile and efficient CIAM team.
- Cost Efficiency: Evaluating the cost-effectiveness of the CIAM solution by analyzing the total cost of ownership (TCO) and return on investment (ROI). The CIAM team's ability to achieve desired outcomes within budgetary constraints is an important measure of success.
- Compliance and Data Protection: Assessing the CIAM team's adherence to regulatory requirements and data protection standards. Compliance audit results and the absence of data breaches indicate a successful implementation of privacy and security controls.
But, there is one metric that is conspicuously missing from the list…
The Missing Metric in CIAM
Notice the definition of success above conveniently leaves out one of the most important metrics: the occurrence of digital account takeover fraud on the customer platform as well as the related losses.
Digital transaction volumes continue to grow and hit over 1 trillion globally in 2020, accelerated in part by the pandemic. That volume is expected to triple by 2030 (see figure below). At the same time, fraud volumes are unwavering. Banks, merchants and other businesses are estimated to lose 5-6% of annual revenue as a result of payment fraud.
But wait…didn’t we already agree CIAM is doing a great job protecting accounts?
Let’s break that down a bit further.
Despite the success we see in our CIAM metrics from a customer experience and friction perspective, digital financial fraud continues to be a significant challenge globally, affecting individuals, businesses, and financial institutions. It encompasses various fraudulent activities conducted through digital channels including online scams, identity theft, phishing attacks, card fraud, new account fraud, and account takeover.
The prevalence and sophistication of digital financial fraud has increased in recent years due to several factors:
- Digital Transaction Growth: The increasing adoption of online banking, e-commerce, mobile payments, digital wallets, and faster payments has expanded the attack surface for fraudsters, providing more opportunities for fraudulent activities.
- Advancements in Customer Technology: Our ever-accelerating pace toward greater and greater processing power at increasingly lower cost is putting immense amounts of computing power in the hands of the average consumer, which includes children and the elderly. The more we can do with these devices, the more we can lose through them.
- Advancements in Criminal Technology: Fraudsters leverage advanced techniques such as social engineering, malware, artificial intelligence, and automation tools to carry out their attacks. These technological advancements make it challenging to detect and prevent fraud.
- Data Breaches: Large-scale data breaches expose sensitive information, such as usernames, passwords, and financial details. This compromised data often ends up on the dark web, fueling further fraudulent activities. There are tens of billions of stolen records for sale on the dark web right now.
- Cross-Border Nature: Digital financial fraud can be perpetrated from anywhere in the world, making it difficult to track and apprehend fraudsters. They exploit the anonymity and global reach of the internet to target victims across borders.
- Human Fallibility: Today’s most successful cybercriminals are leveraging good old-fashioned person-to-person trust (and then violating said trust) through impersonation scams, romance scams, charity scams, IRS threats, grandparent scams, investment scams, and the list goes on. These manipulation tactics can push customers into a state of temporary insanity where they willingly send their own money to criminals, albeit unknowingly.
Filling the Gap
One of the main reasons there is a disconnect between CIAM objectives and Fraud objectives is the pressure digitally enabled companies face from investors to deliver on revenue and/or user growth targets. This comes at the cost of weathering insanely high fraud losses as available resources are applied to maximizing revenue generation. However, in addition to financial risks, the myopic focus on growth and profits brings a whole new set of reputational risks.
So, how do we get fraud management to be prioritized?
In the second post of this blog series, I will delve into fundamental changes that need to take place in the executive ranks of organizations to get Fraud elevated to a strategic position within the digital risk ecosystem.