A Short Primer for Security Managers
(Abbreviated version - full report is available for download at the bottom of the page.)
Over the past decade, my SEC colleagues and I have worked with hundreds of corporate security executives and managers who have either discovered or have been told they need to have a set of performance measures and metrics for their programs. These epiphanies or directives come in a variety of wrappers. Here are a few that tend to summarize the frame of reference for beginning the metrics journey:
- "My new boss is asking for our key performance indicators and I’m not sure where to start."
- "We're under pressure to show where Security contributes to the bottom line and adds value."
- "We have been delivering our numbers but they don't seem to have any impact with our stakeholders."
"Where to start" is the issue for all three of these managers. Regardless of the composition of their corporate security program, they all have been generating reams of data 24/7 but haven't organized or focused the data on the stories it can tell. They have been counting activities but haven't been measuring performance value. This short guide sets forth a series of steps that security managers should use in building a basic metrics program.
Let's begin with a few assumptions that may serve as key success factors:
- You have an incident reporting system or framework for collective capture of reported event data. "Collective capture" means that the full scope of your program's service offerings may be routinely tallied in a common database (like Excel) on demand.
- You have the scope of authority to set the rules for metrics maintenance and reporting.
- You can identify a member of the corporate senior management team to serve as a metrics mentor.
- You can identify an individual on your team with good analytical skills and hands-on knowledge of the tools the company utilizes for data management.
- You have engaged the Security team and they understand this is a part of the way we will manage and they have a key role in metrics success.
- Your Security programs can identify a body of accepted policies and performance standards to serve as guides for metrics development.
Why do you need a security metrics program? You may or may not be in the same place as those three managers mentioned above, but you do need to have a solid rationale for building security metrics. Oh, sure, I know you already have them in those spreadsheets ready for counting day-to-day activity, but that's only the fuel for the metrics engine. Where we’ve seen real success from Chief Security Officers in this space is where there were a few inter-related motives driving their journey:
- They believed in what metrics could do for the incremental improvement of their programs
- They wanted to be able to better tell (sell?) Security's value story
- They had a vision for how good metrics could better connect them to their stakeholders and the business.
You need to believe that some good metrics from your organization and for your employer will deliver similar benefits.
Who are your customers and what information do they need from Security? You have a diverse array of internal stakeholders who need to hear and see the metrics that are meaningful to them. Ask them! Good, customer-focused metrics are central to our ability to influence and engage our customers in their role in corporate security and brand protection.
Metrics are a key part of your communication strategy. They contribute to a coherent set of messages focused on a targeted audience. You cannot over-emphasize the importance of understanding the diversity of perceptions about risk and how each of your constituents views your role in its management.
Objectives for Metrics
This discussion is about building a basic program so we need to focus on the few measures that can establish the relevance and acceptance of security metrics for your program and stakeholders. The initial objective must be around finding the ones that really resonate for your program. In our corporate security realm, I see risk, program performance, value and influence providing mutually supportive boxes in a metrics four-square.
Quality and Integrity
Consider these two key objectives for our security measures and metrics: 1) materially impact exposure to specific risks and 2) positively influence action, attitude and policy. The visibility of these objectives imposes the highest standards of program quality and data integrity. The ability to craft strategy and tactics that effectively target specific risks relies upon reliable data processed by competent and highly disciplined analysis. But imagine the potential consequences of drawing conclusions and formulating recommendations to management on inaccurate, unreliable data overseen by flawed, poorly supervised sources. At the end of the day, the data culled from those spreadsheets and put into fancy charts and graphs should be grounded in the best possible analysis and conclusions.
Most organizations have established requirements for the type, format and frequency of departmental reporting to include specified metrics updates that typically include one or more topical dashboards. As noted earlier, you will also need to determine the when and what of more customized metrics reports to your key customers and those you want to inform on specific findings or recommendations. It's critical to establish a monthly routine for delivery of metric reports from your program managers and contracted service providers and that you include an assessment of the quality of their reporting in your measurement of their performance.
Corporate security owns a unique database of business performance measures and metrics. Collectively they enable and support a key value proposition: the ability to positively influence enterprise protection, corporate policy and behavior. Enterprise protection is measurable, as are the benefits that accrue to our diverse protection programs. A well-defined security metrics program demonstrates to management how we are probing the weak spots, informing, educating and influencing change. As a manager, you are expected to be a good communicator, and SMART metrics can provide the storyboard and the script you need for a quality connection with management and your customers.
Copyright Security Executive Council. Last updated October 31, 2016.