Created by the Security Executive Council
There are many ways to assess how your program is doing. Surveys and benchmarks are common methods employed by organizations. You can use surveys and benchmarks to:
- Find gaps in current programs or services
- Influence management decisions, e.g., buy-in for a new program
- Determining the ability of the organization to respond to issues or situations
- Benchmark the current state against select peers
- Perform confidence surveys
The Security Executive Council (SEC) has guided organizations in the building or enhancing of hundreds of security and risk mitigation programs. During this time, we have conducted extensive research and analyzed what makes programs successful. Based on this work, the SEC has been recommending a particular kind of survey recently—what we call a confidence survey—which is used to assess the level of confidence the organization has in your programs and services. One of the things our research has shown is that leaders of successful security risk mitigation programs know how familiar internal customers are with their services and how they feel about them.
Don’t Be Afraid of Finding Out the Truth
Positive results are always good, but negative results can actually be more helpful. It may mean Security is not living up to its intended goals, or it could mean you need to do a better job of communicating what security is doing and the internal customer's role in securing the organization. Also, negative results based on what those in the organization feel is lacking can be used to influence management’s decisions regarding addressing gaps in risk mitigation. Think of confidence surveys as a customer risk assessment. What elements of security risk mitigation are not meeting expectations? What risks are your customers most concerned about?
How Best to Conduct a Confidence Survey
There are two absolutely critical elements in all surveys:
1) Create a survey that will return results that are meaningful and worth the effort.
To accomplish these goals you need to identify the right set of questions to ask. Select questions that will generate insightful responses. Phrase the questions in an unambiguous and non-leading way.
2) Get a sufficient number of people to respond to the survey with their honest opinions.
Do not select so many questions that it becomes a chore to the complete the survey. Choose questions that the respondents can answer given the information available to them. If the people you want to take your survey are outside your sphere of influence, try getting executive sponsorship; this can help influence your intended respondents to take the time to provide their feedback.
To some conducting a survey might seem like an easy thing to do, but there is a surprisingly huge gap between deciding on using SurveyMonkey and getting results that will help you accomplish your goals; especially when it comes to presenting the results to your sponsor or senior management to best affect change
. The SEC has the expertise in doing research as well as the experience and knowledge necessary to help you use the results effectively within your organization.