Defining the Value of Security During the Current Economic Downturn

Q. My company has done fairly well through the growing pressures of the current economic downturn but it has been made clear that we need to be in for the long haul; management is asking us to identify prioritized targets for cost reductions.  Where should I focus my efforts?

A. Even when our mission is clearly understood and accepted, it is unrealistic to believe we will be exempted from the commitment to contribute to expense reductions.  In both good and hard times we need to have data to support what we believe is valued and essential work.  Good data will provide support to a business case that demonstrates which programs, if eliminated or gutted, would reduce protection below an acceptable threshold of risk.  Your metrics need to support the concept that cost reduction efforts that fail to discriminate between programs that provide clear risk reduction results versus less productive activities will add to cost rather than reduce cost of doing business.

Regardless of the state of the economy we demonstrate value when we enable the business to do what would otherwise be too risky.  Consider what programs you now have in place that clearly address the specific risks you have identified for your company while implementing a contraction strategy.  Then consider how you propose to address the currently unaddressed vulnerabilities that could be exploited, including the greatest threat during this stressful time -- the disgruntled and knowledgeable insider.  Working with your HR and other business unit colleagues develop a protection strategy to mitigate potential threats based on the data you have gathered on the ability of your safeguards to detect and respond to likely risk events.

Answer provided by George Campbell, Security Executive Council Emeritus Faculty.

For more information on metrics or measures that may be applied to reliably define and communicate the value security, visit our store at:
https://www.securityexecutivecouncil.com/secstore/index.php?main_page=product_info&cPath=77_65&products_id=180

What Security Program Data to Track

Q. I'm responsible for physical security and investigations and want to better understand how to monitor our performance in these responsibilities.  I believe metrics may be a solid way to do this.  Where do I find sources of data for this effort and how should I build the framework for the program?

A. Sample a few key senior executives on what metrics might be of interest to them; discuss this with your general auditor colleague and see what metrics the CFO or others are presenting on a routine basis.  Make sure you are gathering incident and case data accurately.  Some examples to track are: cost trends, comparing number of incidents this time period vs. several prior, losses vs. recoveries, polling your customers for satisfaction with your department, and last consider plotting incidents and more serious cases for common vulnerabilities.

Answer provided by George Campbell, Security Executive Council Emeritus Facuty.

Starting a Security Metrics Program

Q. I understand the value of measuring my security program and developing metrics to "tell our story," however, I don't know where to start. I have responsibility for physical security. Can you give me an example of a measure/metric I should be developing?

A. Often, the "story" is initially about cost until you have a more mature metrics program that can really dive into value.  If you have been transitioning from manned posts to electronic access control, show how this program has enabled reductions in headcount or contract services.  Identify several colleagues in other companies and do some benchmarking around cost per post to see how you stand and what steps you might take to better manage cost.  Measuring the quality of response to incidents is an early measure of value to consider.

Answer provided by George Campbell, Security Executive Council Emeritus Facuty.

Developing a Security Dashboard

Q. My boss doesn't use metrics but I'd like to develop a basic dashboard to demonstrate a few key measures to present to him.  I think this would help us improve the organization’s understanding of our value.  How would you approach this challenge?

A. You’re already in the right mindset and I’ll bet you have some good data that you could consider for early discussion.  Pick a couple of measures that you think will resonate with your boss (for example, cost containment, quality of response, customer satisfaction) and use the PowerPoint chart utility to build two or three charts.  Identify someone in the financial side of the business that does monthly reporting and get some tips on what works in your company.  Then go to the boss with your ideas and nail down the dashboard he/she’d like to see periodically.

Answer provided by George Campbell, Security Executive Council Emeritus Facuty.

Editor’s Note: See George Campbell’s book on the topic: Measures and Metrics in Corporate Security.