The SEC is often asked to share its top five or top 10 security metrics. Over the years I myself have compiled more than 700 security-related metrics. So while I could give a short list of commonly applicable metrics that are capable of delivering actionable, measurable value, my honest answer to this request would have to be, "What should your top metrics be?"
You see, even metrics that are commonly useful are not universally useful, and even if they’re useful to you, they may not be the metrics your organization most needs. How do you determine, then, what your organization most needs to be measuring? Your top metrics can only be determined at the culmination of a process of organizational introspection.
You don’t have to have a compilation of 700 metrics to create a chart like this that is unique to your company’s needs. You can build your own by asking just three questions.
1: What is the structure or what are the key elements of an enterprise security program? In this case, I identified seven elements, including Investigations, Critical Incident Preparedness, and the element shown in the top row of this example chart, Safe and Secure Site Operations. You may identify different key elements depending on your security structure and your organizational culture.
2: What are the key policy statements around risk management for each of these elements? When I started at Fidelity, there was no existing defined framework for the security program. I went to the Chair and read him a series of policy statements that I had drafted, asking whether he could get behind each statement. Those statements became the core of our protection strategies. In the chart, the guiding policy statement for this security element is row two: We will proactively assess risk to ensure safe and secure workplaces for our employees and invitees.
3: What are the risks that could hinder our achievement of these goals, and how do we measure whether we are achieving these goals? The metrics you will identify here need to include both risk indicators and key performance indicators. We can talk about KPIs all day long, but we have to know how they fit into risk management. So we start by asking, "What is the risk?"
In the chart, I’ve marked the risk indicators in red and the performance indicators in green. In this example, the key risk indicator is the percent of risk events for the period that meet the proximity/impact/severity threshold – that is, those that are frequent or likely enough and severe enough to be ranked as high-priority events. Now we know more about our risk picture.
From our risk indicators, we can create performance indicators that answer whether we are achieving our stated policy goal – are we proactively assessing risk, and are we ensuring safe and secure workplaces? We can measure assessment with KPIs like the percentage of top 10 high-risk sites with completed risk assessments and approved mitigation plans. One measure of safe and secure workplaces is prompt response. Using workplace violence incidents as an example, we can set a standard response within five minutes as our acceptable threshold and track the percentage of incidents that meet it. Then we have another performance metric.
Remember that your most valuable metrics will be the ones that go beyond counting and drive the process and the executive to qualitative judgements.
There is no need to make your chart a certain length. You may end up with one risk and two KPIs per element. That’s manageable. There’s no need to feel like you’re boiling the ocean. But even a few targeted metrics that really get at the key risk and performance priorities of your organization can make an exponential difference in your program.
You can develop a metrics chart like this on a whiteboard with your team and talk it over with your senior management. Thoughtfully consider your taxonomy – the top two rows. Get their input on the program elements and policy statements. What risks most concern your business? Where is your data and how is it deliverable? This exercise is about much more than just metrics. It’s about ensuring your security program services line up with the missions and goals of your company.
Response provided by George Campbell, Security Executive Council Emeritus Faculty.
If you’d like to use the full chart from which this example was pulled as a starting point, email firstname.lastname@example.org.