Measures and Metrics in Security

Q. What metrics system might an executive use to monitor the strategies of a business?

A. I will assume you are asking specifically about security executives given this Q&A's topic area. There are many metrics that can be used (in fact we have identified 375. See the description of our book we published, Measures and Metrics in Corporate Security. However, the issue many security practitioners incur is a) not measuring at all or b) measuring things by simply counting them (e.g., workplace violence incidents or lost laptops), rather than demonstrating the value Security brings to the business. By way of example, convey savings to the company by your program's reduction of workplace violence issues (the cost of managing an event and lost employee time; or cost savings by reducing any potential acts because of your background due diligence program).

Unfortunately, there are no measures and metrics standards in security because factors vary widely; for example, type of industry, size of company, corporate culture, level of regulatory pressure, etc. However, the Security Executive Council created a tool to help security executives understand and communicate what they are doing in terms of what risks are of concern to the Board. The Board Level Risk image and presentation shows the main categories of risk concerns based on our research of many companies’ enterprise risk assessment results to find "commonalities." These categories are matched to security program mitigation efforts. Using this tool security practitioners are now "talking in the terms of the business," which helps brief senior management on how security fits into the organization's overall risk management program. For more information see the article:  Managing Enterprise-Wide Board Risk; also view the Council's Solution Snapshot video: Board Level Risk Categories & Security Program Elements (v.3).

Answer provided by Kathleen Kotwica, PhD, Security Executive Council EVP and Chief Knowledge Strategist and Bob Hayes, Security Executive Council Managing Director

Communicating the Value of Security to Management

Q. I'm fairly comfortable that the security function is aligned with our business strategies.  However, I'm not convinced that many on the company's management team fully understand the value we deliver.  Any suggestions on how best to accomplish this?
 
A. You've done well to align the function with your company's strategic direction and business principles.  Nonetheless, it's not uncommon that security may not be fully understood both at the Board level and throughout the company.  You should develop a communication strategy that targets those you wish to educate - in this instance, your management team.  Focus on what security has done to "add value" such as loss mitigation, intellectual property protection initiatives, for example.  Also focus on initiatives that keep your function aligned with the business.  Board members may embrace the notion that nothing matters if it can't be measured.  The Security Executive Council has many resources devoted to security-specific measures and metrics that can help put numbers to some of your initiatives to help paint a clear picture of security's value.  Your metrics program should demonstrate how security favorably protects or contributes to profitability. 
 
Your communication strategy should include a regularly scheduled (quarterly or semi-annual) written report to the management team on the results you've achieved.  If you're not already doing so, you might wish to seek time to brief the full Board on key issues in which the security function is engaged.  The key in any written or verbal product is to be succinct and to the point.  If the written product is overly verbose, you risk the chance that they will take only a few moments to peruse it, if at all.
 
Should you have a large global function, a communication strategy may include a regularly published report intended to keep the security function connected and informed.  Copies to your management team can help keep them in the loop on what you're doing and how the security function adds value.
 
Let us know if we can help further.  Good luck. 

Answer provided by Nick Proctor, Security Executive Council Emeritus Faculty.

Editor's note:

Related Council resources
Measures and Metrics in Corporate Security - Special Package  
Knowledge Corner: Measures & Metrics

Defining the Value of Security During the Current Economic Downturn

Q. My company has done fairly well through the growing pressures of the current economic downturn but it has been made clear that we need to be in for the long haul; management is asking us to identify prioritized targets for cost reductions.  Where should I focus my efforts?

A. Even when our mission is clearly understood and accepted, it is unrealistic to believe we will be exempted from the commitment to contribute to expense reductions.  In both good and hard times we need to have data to support what we believe is valued and essential work.  Good data will provide support to a business case that demonstrates which programs, if eliminated or gutted, would reduce protection below an acceptable threshold of risk.  Your metrics need to support the concept that cost reduction efforts that fail to discriminate between programs that provide clear risk reduction results versus less productive activities will add to cost rather than reduce cost of doing business.

Regardless of the state of the economy we demonstrate value when we enable the business to do what would otherwise be too risky.  Consider what programs you now have in place that clearly address the specific risks you have identified for your company while implementing a contraction strategy.  Then consider how you propose to address the currently unaddressed vulnerabilities that could be exploited, including the greatest threat during this stressful time -- the disgruntled and knowledgeable insider.  Working with your HR and other business unit colleagues develop a protection strategy to mitigate potential threats based on the data you have gathered on the ability of your safeguards to detect and respond to likely risk events.

Answer provided by George Campbell, Security Executive Council Emeritus Faculty.

For more information on metrics or measures that may be applied to reliably define and communicate the value security, visit our store at:
https://www.securityexecutivecouncil.com/secstore/index.php?main_page=product_info&cPath=77_65&products_id=180

What Security Program Data to Track

Q. I'm responsible for physical security and investigations and want to better understand how to monitor our performance in these responsibilities.  I believe metrics may be a solid way to do this.  Where do I find sources of data for this effort and how should I build the framework for the program?

A. Sample a few key senior executives on what metrics might be of interest to them; discuss this with your general auditor colleague and see what metrics the CFO or others are presenting on a routine basis.  Make sure you are gathering incident and case data accurately.  Some examples to track are: cost trends, comparing number of incidents this time period vs. several prior, losses vs. recoveries, polling your customers for satisfaction with your department, and last consider plotting incidents and more serious cases for common vulnerabilities.

Answer provided by George Campbell, Security Executive Council Emeritus Facuty.

Starting a Security Metrics Program

Q. I understand the value of measuring my security program and developing metrics to "tell our story," however, I don't know where to start. I have responsibility for physical security. Can you give me an example of a measure/metric I should be developing?

A. Often, the "story" is initially about cost until you have a more mature metrics program that can really dive into value.  If you have been transitioning from manned posts to electronic access control, show how this program has enabled reductions in headcount or contract services.  Identify several colleagues in other companies and do some benchmarking around cost per post to see how you stand and what steps you might take to better manage cost.  Measuring the quality of response to incidents is an early measure of value to consider.

Answer provided by George Campbell, Security Executive Council Emeritus Facuty.

Developing a Security Dashboard

Q. My boss doesn't use metrics but I'd like to develop a basic dashboard to demonstrate a few key measures to present to him.  I think this would help us improve the organization’s understanding of our value.  How would you approach this challenge?

A. You’re already in the right mindset and I’ll bet you have some good data that you could consider for early discussion.  Pick a couple of measures that you think will resonate with your boss (for example, cost containment, quality of response, customer satisfaction) and use the PowerPoint chart utility to build two or three charts.  Identify someone in the financial side of the business that does monthly reporting and get some tips on what works in your company.  Then go to the boss with your ideas and nail down the dashboard he/she’d like to see periodically.

Answer provided by George Campbell, Security Executive Council Emeritus Facuty.

Editor’s Note: See George Campbell’s book on the topic: Measures and Metrics in Corporate Security.