Q. We have a fairly new security metrics initiative. I am able to show how we are assisting the organization to be more secure but I don’t think we’re showing business-based value. How do I take incident-based data and make a more compelling “story” to senior management?
A. You ask a very critical question. Many security organizations today are confusing data collection with metrics, thereby missing opportunities to demonstrate security’s business contribution to senior management and business units. Let’s talk about the processes related to incident analysis; namely, assessment, measurement and consideration of related metrics. Looking at risk this way helps form a more reliable assessment of root causes and the potential for making successful recommendations for security measures.
As an example, let’s suppose that one area of concern is that you have noted a disturbing trend of more frequent workplace violence incidents at a particular location. In the incident reports there is embedded data you can pull out, e.g., frequency, location, time, contributing conditions or circumstances, impact to the business, whether the perpetrator was an insider or outsider, and so on.
Now let’s move from an incident trend to metrics. What gaps in the security may be contributing to this increase in frequency and severity of workplace violence incidents? Is there a pattern that suggests a broader set of risks? What business processes may have failed, e.g., which ones should have mitigated these risks but did not and who owns these processes? We need to drill down beyond symptoms and reveal root causes. For example, you may discover Security was not informed by HR of pending terminations. Or 34 percent of incidents on the night shift involved alcohol.
This is serious business about known risk. We need to get to the business value metrics to show results of our mitigation efforts. For example, the resulting percent reduction in on-the-job violence incidents, the percent of reductions in alcohol-related cases and the avoidance of cost from potential litigation; the percent increase in reporting of restraining orders, which enables our protection strategy; and the fact that incident post mortems demonstrate that training and intervention techniques have thoroughly engaged shift supervisors and provided measurably improved incident response. The bottom line result is that employee surveys show improved perception of safety.
Security needs to develop key business performance metrics. The next step is to effectively communicate these value “stories”. For graphical examples of presenting your findings, please see this page.
Answer provided by George Campbell, Security Executive Council Emeritus Faculty.
Editor’s Note: See George Campbell’s book on the topic: Measures and Metrics in Corporate Security.