Q: I would like to engage my security function in some sort of Operational Excellence framework so I can show my organization, in terms that already resonate with our executives, how we meet and exceed expectations. Do you have any recommendations for measurable targets we can set as we get started?
A: As professionals, we can all agree that achieving excellence in our work is our goal. And it goes without saying that excellence is an expectation of those we serve. It is important first to talk with executives and other internal partners about how they define excellence, to ensure that your targets are aligned with the objectives and ideals of the organization. Is excellence considered from a financial perspective, an internal business perspective, an innovation and learning perspective, a customer perspective, or a combination of all of these?
There are multiple OpEx frameworks that businesses can apply, including Kaizen, Six Sigma, and Total Quality Management. There are some common key elements of these, which run along consistent themes of continuous improvement, leadership and team involvement, and a total engagement with the customer.
Here are a few examples of security operational excellence process outcomes to aim for.
1. When incidents require thorough investigation, management is consistently supportive of independence and excellence in the process. Executive stakeholders take ownership of investigation results, including the root causes. Stakeholders take required steps for mitigation based on these results.
Think about what this says about corporate integrity and culture. This CSO has executive support to do the right things and knows that those things need to be done with integrity and finesse. Executives appear to have a growth mindset – meaning investigative findings are viewed as learning opportunities that should result in positive change. Taking the time to identify root causes says volumes about the quality and drive of the investigations team. This security function measurably minimizes business risk exposure.
2. The function consistently meets or exceeds established response time standards for critical and emergency calls. This service demonstrably saves lives and enables measurable reductions in victim impact.
This is the cornerstone of our duty of care mission. We know a faster response saves lives and measurably reduces incident impact. A lot of security managers talk about response time, but how many specify it in their policy framework, adequately staff for it, or make it an absolute requirement in their service vendor SLAs, and then measure and report every critical call response?
3. The security program demonstrates such effective alignment and contribution to the success of a business process that it measurably enables the business to do what would otherwise be too risky or non-competitive.
Good security is a productive business process. When we can quantify our effectiveness in understanding the security risk exposure our stakeholders have in their operations, we can anticipate, develop, and tailor preventive and mitigation solutions that enable rather than inhibit.
4. Qualitative performance measures – such as stakeholder confidence and perception of continuous improvement – are consistently applied, with positive results.
When I ask security practitioners for metrics, I typically get spreadsheets that count tasks or events. These counts tell nothing about what an operationally excellent process has provided to its valued stakeholders. A qualitative measure tells a story about how that excellence delivered results that made a difference for the customer. It sells us as an integral part of their business process. That story serves to instill confidence and support for our services and mission.
Answer by George Campbell, SEC Emeritus Faculty