Knowledge Corner - Measures & Metrics :: SEC: Strategic Security Advisory Services for CSOs

Security Barometer

What are the top security concerns with BYOD?

Top Downloads

Security Operations Control Center Metrics

Dealing with Security Budget Challenges

Defining Best Practices in Global Security Operations Centers

Business Continuity Program (BCP) Checklist

Corporate Security Maturity Assessment Peer Comparison

Take a sneak peek at our new Knowledge Corner resource pages. We’re working on making SEC resources easier for you to find what you need including resources related to security strategic planning, influencing senior management, risk assessment, leadership strategies and security metrics.

Contact us if you want to know the ways we assist security practitioners.

Tools
	Performance Dashboard Tool Created By: The Security Executive Council This tool was developed to apprise the enterprise of Security's efforts and value in a way that resonates with the Board and/or senior management. It can also be used as a tool to gather feedback from management on how they perceive Security's performance. Program data is fed into "dashboard dial" indicators of success based on enterprise risk concerns that can be used in presentations. Click here to view a short video describing this resource in more detail.	Resource is for Tier One Leaders only

Research & Benchmarks
	14 Effective Solutions for Creating Successful Security Programs Created By: Security Executive Council This paper highlights brief case studies that depict solutions using Security Executive Council tools and processes. These are based on what the SEC has gleaned in the last 10 years working with security practitioners. At the end of the document don't miss 10 Tips You Can Learn from our Experience with Successful Programs.

	A Preview of Measuring & Communicating Security’s Value, A Compendium of Metrics for Enterprise Protection Created By: George Campbell, Security Executive Council Emeritus Faculty This preview of Measuring & Communicating Security’s Value, A Compendium of Metrics for Enterprise Protection covers such topics as risk reporting to influence corporate policy and behavior, using metrics in partnership with core business strategy and process, and building metrics for impact and results.

	Case Study: Risk Management and Security Metrics at Boeing Created By: Greg Niehaus, Security Executive Council Board of Visionary Leaders; Professor of Insurance and Finance, University of South Carolina Here is an opportunity to get the inside story on building a superior metrics program for a world class enterprise security program. This first ever business case study focusing on security risk is being used at South Carolina's Darla Moore School of Business to introduce students to the security metrics program that is used by Boeing to improve decision making. It also provides insight into their workplace violence program.

	Corporate Security Maturity Assessment Peer Comparison Created By: Security Executive Council The SEC has established, as an initial draft, a set of corporate security maturity assessments for five different security programs. The goal is to provide corporate security practitioners a tool that can be applied relatively quickly, but also to retain enough of the core of the maturity model process to provide actionable results.

	Corporate Security Organizational Structure, Cost of Services and Staffing Benchmark Created By: The Security Leadership Research Institute The Security Leadership Research Institute (SLRI) has published ground breaking results of their Corporate Security Organizational Structure, Cost of Services and Staffing survey. The full report covers such metrics as security budgets, staffing, program drivers, governance and oversight. This executive summary provides a glimpse into some of what is contained in the full report. If you participate in the SLRI surveys you can receive the next edition of the full report. For more information about SLRI click here TIER 1 LEADERS: Log-in to obtain your copy. OTHER VISITORS: Click the title to order this SEC resource.	Resource is for Tier One Leaders only

	Driving Excellence in Enterprise Security Created By: George Campbell, Security Executive Council Emeritus Faculty This paper provides a starting place for security leaders who are interested in operational excellence or are considering applying it within their programs. It includes: Range of approaches gathered from discussions with a number of Tier 1 Leaders™; insight into how to achieve a critical baseline assessment of security’s value; potential measures of excellence in security programs; and a template to help investigate and identify initial targets for application of operational excellence.

	Enterprise Security Metrics: A Snapshot Assessment of Practices Created By: George Campbell, Security Executive Council Emeritus Faculty This report provides a snapshot assessment on the current use of metrics in corporate security management. This report is limited to the state of security metrics exclusive of information security metrics. While our collective knowledge experiences do include InfoSec - that area of metrics development agenda is more than effectively documented in any number of excellent books and industry sources. This report specifically summarizes our earned experience from corporate security measures and metrics initiatives. Tier 1 Leaders™: Log-in to instantly receive your copy.

	Finding Value in Security Benchmarking - The Current State of Comparison Research in the Security Industry Created By: George Campbell, Security Executive Council Emeritus Faculty; and Kathleen Kotwica, EVP and Chief Knowledge Strategist, Security Executive Council This executive summary by metrics guru George Campbell and contributing editor Kathleen Kotwica, examines current security management benchmarking practices with the goal of identifying opportunities that maximize the value of collaborative initiatives for the sponsoring organization and its participating partners.

	Persuading Senior Management with Effective, Evaluated Security Metrics Created By: Security Executive Council ASIS just published their well funded survey of available literature on measures and metrics. The most often referenced original material in the report came from the Security Executive Council (SEC). The ASIS publication makes clear to those in the know that the SEC has been leading the industry in research on corporate security measures and metrics for the last ten years.

	Security Performance Measures and Metrics Created By: Security Executive Council A total of 156 survey participants, including Security Executive Council (SEC) Tier 1 Leaders, answered questions about performance measures security practitioners are using in this benchmark.	Resource is for Tier One Leaders only

	Security's Most Meaningful Metric Created By: Security Executive Council These are the results of a security barometer quick poll the Security Executive Council conducted asking what would be the single most meaningful metric for the security function.

	What Benchmark Data Do You Want? Created By: Security Executive Council A recent Security Barometer polled a large number of security practitioners to gather a list of benchmarking metrics they desired. It also investigated the top reasons why people want to benchmark their programs and services.

	Who's the Judge? Created By: Security Executive Council Are your security programs as far along as you think they are? How do you know for sure? What is the best way to assess progress?

Presentation Materials
	Building a Security Measures and Metrics Program, 1st Edition Created By: George Campbell, Security Executive Council Emeritus Faculty Building a Security Measures and Metrics Program discusses the need for and benefits of a corporate security measures and metrics program. This 40-minute video presentation of narrated slides makes the case for a security metrics program: metrics provide invaluable insight on program effectiveness, the means to influence business strategy and policy, and the ability to demonstrate the value of security services to business leaders. TIER 1 LEADERS: Proven Practice presentations were created to be guidelines or training tools. This version is an Adobe file but you may contact us at contact@secleader.com for an online version with audio included from the subject matter expert.	Resource is for Tier One Leaders only

	Companion to Measures and Metrics in Corporate Security, Series1 Created By: George Campbell, Security Executive Council Emeritus Faculty The companions to the book Measures and Metrics in Corporate Security are two series of presentation templates designed to save you time and provide you guidance as you prepare to present metrics information to senior management. The comments provided with every template are messages that the Security Executive Council’s emeritus faculty recommend communicating to executive management during the presentation. A Tier 1 Leader item available for purchase. Visit our store. Click here to view a short video describing this resource in more detail.	Resource is for Tier One Leaders only

	Companion to Measures and Metrics in Corporate Security, Series2 Created By: George Campbell, Security Executive Council Emeritus Faculty The companions to the book Measures and Metrics in Corporate Security are two series of presentation templates designed to save you time and provide you guidance as you prepare to present metrics information to senior management. The comments provided with every template are messages that the Security Executive Council’s emeritus faculty recommend communicating to executive management during the presentation. A Tier 1 Leader item available for purchase. Visit our store. Click here to view a short video describing this resource in more detail.	Resource is for Tier One Leaders only

	Security Metrics Presentations Created By: Security Executive Council Use these customizable presentation slides to communicate as managers and advisors on risk. All of our presentation materials have been field tested by experts and were found to resonate with senior management. A Tier 1 Leader item available for purchase. Visit our store.

	Using Benchmarking Information to Enhance and Improve Your Hotline Program (Presentation) Created By: Security Executive Council & The Network A webinar provided by The Network,Inc. and Kathleen Kotwica discussing how to use the information in the 2006 Corporate Governance and Compliance Hotline Benchmarking Report to enhance and improve your hotline program.	Resource is for Tier One Leaders only

Books/Guidelines/Manuals
	A Guide for Building Your Corporate Security Metrics Program Created By: George Campbell, Security Executive Council Emeritus Faculty George Campbell, former CSO of Fidelity Investments, shares some of his experience and expertise in this short primer for security managers. This short guide will set forth a set of steps that security managers should use in building a basic metric program.

	A Preview of Measuring & Communicating Security’s Value, A Compendium of Metrics for Enterprise Protection Created By: George Campbell, Emeritus Faculty This book picks up from where "Measures and Metrics in Corporate Security: Communicating Business Value" left off. It builds on what you learned with real world, practical examples that may be considered, applied and tested across the full scope of the enterprise security mission.

	Measures and Metrics in Corporate Security Created By: George Campbell, Security Executive Council Emeritus Faculty The revised second edition of Measures and Metrics in Corporate Security is an indispensable guide to creating and managing a security metrics program. This book shows how to improve security’s bottom line and add value to the business. It provides a variety of organizational measurements, concepts, metrics, indicators and other criteria that may be employed to structure measures and metrics program models appropriate to the reader’s specific operations and corporate sensitivities. TIER 1 LEADERS: Log-in to obtain your copy. OTHER VISITORS: Click the title to order this SEC resource.	Resource is for Tier One Leaders only

	Measuring and Communicating Security's Value Created By: George Campbell, Security Executive Council Emeritus Faculty A Compendium of Metrics for Enterprise Protection. This book picks up from where "Measures and Metrics in Corporate Security: Communicating Business Value" left off. It builds on what you learned with real world, practical examples that may be considered, applied and tested across the full scope of the enterprise security mission. TIER 1 LEADERS: Log-in to obtain your copy. OTHER VISITORS: Click the title to order this SEC resource.	Resource is for Tier One Leaders only

Articles
	Are Your Metrics Connected to Top Management’s Agenda? Created By: George Campbell, SEC Faculty The non-financial board metrics should really inform decisions on which security metrics we target for reporting up.

	Assess the Probability of Business Loss Created By: George Campbell, SEC Faculty Estimate the probability of loss in areas of concern, given known vulnerabilities.

	Be a Learning Organization Created By: By George Campbell, SEC Faculty Root cause analysis is an established process in quality management, engineering and risk management. The objectives are: to objectively, relentlessly identify the factors that created a failure of a control or set of controls so that those conditions may be prevented in the future.

	Benchmarks Aren’t Magic, They’re Tools Created By: Bob Hayes, Managing Director, Kathleen Kotwica, Security Executive Council Security executives frequently come to us to request assistance in benchmarking their processes or performance metrics with similar companies. Usually we find that their interest is at least partially driven by a strong push from management. Business leaders recognize benchmarking as a proven business practice that can identify competitive strengths and vulnerabilities as well as opportunities for improvement. Benchmarking can inform corporate goal-setting and can play a significant role in strategic planning.

	Build a Risk Indicator Dashboard Created By: George Campbell, SEC Faculty Provide a single display of the key information a manager needs to monitor a set of measures and effectively communicate the status of those measures.

	Building a Metrics Program that Matters Created By: Security Executive Council Staff Those of us who read this magazine regularly know about security metrics. We have read about their value and seen monthly examples of useful metrics and what to do with them. But, ladies and gentlemen, we are still missing the proverbial boat. Some of us are running alongside as it pulls from the dock, waving our arms and begging it to slow down so we can figure out where the ramp is. Others are across the street at the ticket booth wondering why there are so many people in line.

	Delivering Meaningful Metrics Created By: Marleah Blades, Security Executive Council If security continues to mature as a business function, senior management will likely ask for a set of metrics to measure performance. Security leaders should prepare meaningful metrics that inform management and improve security effectiveness. Marleah Blades reports on insight shared from the Next Generation Security Leader program's exploration of the development and communication of meaningful security metrics.

	Demonstrating Security Program Value to the C-Suite Created By: Dean Correia, SEC Faculty Dean Correia, Emeritus Faculty - Canada, participated in a panel with other security practitioners to discuss how to demonstrate security program value to the C-Suite.

	Exploring Our Value Story Created By: George Campbell, Security Executive Council Emeritus Faculty Our value has to be connected to our success in measurably impacting risk. What are the measures, and how are you communicating the critical messages? Sure, every program is delivering some statistics — typically lists of incidents or activities that they sell as “metrics.” But real metrics inform by creating a storyline that implies the need for action. Lists are just the nails you use to build these stories.

	Global Survey of Workplace Hotline Reports Shows Significant Improvements in Some Key Industries – Data Obtained from 650 Companies Created By: Security Executive Council The Security Executive Council's 2007 Corporate Governance and Compliance Hotline Benchmarking Report provides a key set of benchmark data for corporations in 10 industries.

	How to Influence with Metrics Created By: George Campbell, Security Executive Council Emeritus Faculty How will you use the "must have" metrics - both key risk indicators and value indicators - in your organization. You have the data and the results, now how will you use them to influence your business? Think about the results you are seeking, how the measures and data you are communicating are achieving some improved state of security or safety.

	How to Use Metrics Created By: George Campbell, Security Executive Council Emeritus Faculty CSOs generate security data every day. Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves.

	Is it Time for a Corporate Security Maturity Assessment? Created By: George Campbell, SEC Faculty Maturity is about reliability and indicates levels of acceptance and established practice. A mature process has proven practices that have consistently delivered valued results to the organization. Understanding the current levels of proficiency and acceptance of security processes within an organization should be essential steps in building and maintaining a Corporate Security business plan.

	Metrics For Success: Working with Customers for Better Access Control Created By: George Campbell, Security Executive Council Emeritus Faculty If you have been reading this column each month, you know of my passion for testing and reporting on the effectiveness of the safeguards we have installed to protect our people and assets. You will not influence anyone with metrics that just count things, but you will with ones that really measure how well you and your customers are meeting your responsibilities to protect the company.

	Metrics for Success Created By: George Campbell, Security Executive Council Emeritus Faculty Creating security metrics is so important that nearly all security leaders interviewed by the Security Executive Council (SEC) for a recent survey stated it was a top priority for them.

	Metrics for Success - Nuisance alarms are more than a nuisance Created By: George Campbell, Emeritus Faculty The reliability of our programs is an essential ingredient of executive confidence and support. If you are looking for a place to focus your quality assurance, shine it consistently on alarm system reliability and response. Whether they be experienced or uninitiated, customers find frequent invalid alarms unacceptable, and they make your responders distrust the validity of calls. When they occur at off-site facilities dependent on law enforcement response, false alarms often cost the company in fines.

	Metrics for Success - What is a reportable security violation in your organization? Created By: George Campbell, Emeritus Faculty How serious is the notion of compliance in your company? Is your reputation in the marketplace linked to conformance to an established set of laws, rules or standards? Are there protection mandates in the contracts you have with your customers and key suppliers? What are the implications of inadequate security with regard to your insurance? We are a key player in the governance of these internal controls.

	Metrics for Success - What's state-of-the-art in security metrics? Created By: George Campbell, Security Executive Council Emeritus Faculty File this in the opinion folder. I have always pinned my metrics hunt to that day very early in my CSO career when the boss asked what kind of metrics we had in the can. As I stumbled for a defensible answer, he said, "I want you to think about what metrics we should follow in our organization and why you think they are important for the senior management team." But the more I dig into this security space, the more I have found that measuring and plotting program performance has been an expectation of every boss I've worked for over these past (gulp!) 50-plus years.

	Metrics for Success: Accuracy & Integrity Created By: George Campbell, Emeritus Faculty There is an old saying that there are three types of lies: “lies, damn lies and statistics.” I won’t dwell on the obvious downside of lies or damn lies in our job, but I will underscore that statistics, when calculated hastily or from poorly managed data, are no better than lies. We must have accuracy and integrity in our use of data and statistics, or we will undermine our initiatives, our programs and our own standing with senior management.

	Metrics for Success: Business Alliances and Security's Due Diligence Created By: George Campbell, Security Executive Council Emeritus Faculty Mergers with or acquisitions of other companies, outsourcing of key business processes to vendors and other strategic alliances may align external organizations with the reputation and well being of your company.

	Metrics for Success: Demonstrate the Effectiveness of Emergency Response Created By: George Campbell, Security Executive Council Emeritus Faculty Employee and invitee safety is a core mission of corporate security. Unfortunately, both business and local government resources are under budget pressure that could potentially impact emergency response. We need to encourage continued support by keeping management apprised of our high performance and readiness to respond.

	Metrics for Success: Good metrics tell a story Created By: George Campbell, Emeritus Faculty I am constantly hunting for metrics examples, and I am intrigued by the variety of ways experienced organizations present data. One vital measure of good data is its ability to inform and drive action in a specified direction.

	Metrics for Success: It's Time to Get Security Metrics Savvy Created By: George Campbell, Security Executive Council Emeritus Faculty Security-related metrics are a must. Every business needs to develop and deliver measurable results, including security.

	Metrics for Success: Security Issues in Leased vs. Owned Property Created By: George Campbell, Security Executive Council Emeritus Faculty A company's leasing arrangements may lack the risk-based due diligence appropriate to a standard of protection enjoyed by owned space.

	Metrics for Success: Security Operations Controls Center Metrics Created By: George Campbell, Security Executive Council Emeritus Faculty There are few functions performed by a corporate security organization that are more critical than the operation of the security operations control center (SOCC). It is here that customer service, first response and risk management combine to provide the most visible and essential corporate security services.

	Metrics for Success: The Risks of Outsourcing Information Security Created By: George Campbell, Security Executive Council Emeritus Faculty Outsourcing has become a fundamental business strategy for most major corporations, but they often overlook the risks that accrue due to the loss of effective business controls over sensitive activities.

	Metrics for Success: Who's Accountable for Metrics? Created By: George Campbell, Security Executive Council Emeritus Faculty Where does accountability lie for the maintenance of a proactive measurements and metrics program?

	Metrics for success - What is the cost of a bad employee? Created By: George Campbell, Security Executive Council Emeritus Faculty The knowledgeable insider is at the top of the list of threats to any organization - public or private. Part of our job is to make business leaders aware of the seriousness of this threat by using metrics that catch their attention. This month's graph measures one small aspect of reputational risk: the time involved in resolving an insider misconduct case resulting in termination for cause.

	New report offers benchmarks for security budgets, staffing Created By: Whit Richardson, Security Executive Council Staff The average security budget as a percentage of an organization's total revenue is 0.07 percent, according to a new benchmark report released by the two-year-old Security Leadership Research Institute, the research arm of the Security Executive Council.

	Operational Excellence in Contract Security Performance Measurement Created By: George Campbell, SEC Faculty The focus of this thought leader paper is on measuring the performance of security service providers. The Security Executive Council believes that there needs to be a more in-depth consideration of what constitutes "excellence" in these operations given the consistent growth of outsourcing to guard service companies.

	Ranking Security Performance Created By: Security Executive Council If you assess and rank your performance proactively rather than waiting to be asked, you may be exempt from management requirements to perform ranking assessments their way later. A maturity assessment is one way to do this.

	Security Metrics in Context Created By: George Campbell, Security Executive Council Emeritus Faculty An excerpt from George Campbell's Measures and Metrics in Corporate Security.

	Security Metrics: Measuring Performance Created By: Security Executive Council Staff These articles cover the use of tools such as Key Performance Indicators (KPIs) and balanced scorecards to help you set long-term goals and to evaluate and monitor your progress toward achieving those goals, along with sample charts to generate ideas for KPIs.

Forums
	Faculty Advisor: A Missed Opportunity… Selling Your Program and Yourself at a Moment’s Notice Created By: Kenneth Kasten, Security Executive Council Emeritus Faculty I missed a perfect opportunity the other day to sell my department’s security program and myself. I was in line at the company cafeteria when the new Chief Operating Officer got in line behind me and asked who I was and what I did. Unfortunately, it didn’t go as well as I would have liked and now I’m determined to ensure it doesn’t happen again. Any advice? Read Security Executive Council Emeritus Faculty member, Ken Kasten's, answer.

	Faculty Advisor: Communicating Risk Avoidance to Management Created By: George Campbell, Security Executive Council Leadership Faculty How can I maintain management’s attention to the risk that hasn’t happened yet without becoming the "Chicken Little" of the corporate governance team? Read Security Executive Council Leadership Faculty member, George Campbell's, answer to this question.

	Faculty Advisor: Communicating the Value of Security to Management Created By: Nick Proctor, Security Executive Council Emeritus Faculty I'm fairly comfortable that the security function is aligned with our business strategies. However, I'm not convinced that many on the company's management team fully understand the value we deliver. Any suggestions on how best to accomplish this? Read SEC Emeritus Faculty member, Nick Proctor's, answer to this question.

	Faculty Advisor: Defining the Value of Security During the Current Economic Downturn Created By: George Campbell, Security Executive Council Emeritus Faculty My company has done fairly well through the growing pressures of the current economic downturn but it has been made clear that we need to be in for the long haul; management is asking us to identify prioritized targets for cost reductions. Where should I focus my efforts? Read SEC Emeritus Faculty George Campbell's answer to this question.

	Faculty Advisor: Measures and Metrics in Security Created By: Kathleen Kotwica, Security Executive Council EVP and Chief Knowledge Strategist and Bob Hayes, Security Executive Council Managing Director What metrics system might an executive use to monitor the strategies of a business? Read Security Executive Council's Kathleen Kotwica and Bob Hayes' answer to this question.

	Faculty Advisor: Running Security as a Business: Measuring Performance Created By: Herb Mattord, Ph.D., Security Executive Council Content Faculty Expert I recently read something from the Security Executive Council that used the term "running security as a business." Can you elaborate on what that means as it relates to security and what is an example of this approach? Read our SEC Content Faculty Expert, Herb Mattord's, response to this question.

	Faculty Advisor: Security’s Failure to Communicate Value Created By: J. David Quilter, Security Executive Council Emeritus Faculty Like many of my peers, I struggle with the issue of how to effectively demonstrate the bottom-line value that security’s efforts bring to the business. Thoughts? See Security Executive Council Emeritus Faculty member, J. David Quilter's, response to this question.

	Faculty Advisor: Time Utilization and Staffing Capacity Analysis Created By: Bob Hayes, Security Executive Council Managing Director My company is in the midst of a reduction in force (RIF) and security is one of many areas being required to provide senior management with an analysis of time, cost of services and programs and staff utilization. What is the most effective way to approach this exercise, keeping in mind that the goal is to maintain our current level of full-time equivalents (FTEs)? Read Bob Hayes' answer to this question.

	Faculty Advisor: Using Value Metrics to Make the Case for Security’s Return on Investment Created By: Francis D’Addario, Security Executive Council CSO Emeritus Faculty We always strive to show the business side that corporate security is more than just “security tactics.” That what we do is strategic and makes a business contribution. Any thoughts on this? ReadFrancis D'Addario's response to this question.

	Security State of the Industry May 2015 Briefing - Metrics Created By: Security Executive Council The Security Executive Council's Security State of the Industry briefings provides an opportunity for our Tier 1 Security Leaders™ to participate in an in-depth discussion about specific topics or issues affecting their security risk mitigation programs. This session concentrated on security metrics and the path from "counting activity" to demonstrating business value and ROI. These meetings are for SEC's Tier 1 Security Leaders(TM) only.

Multimedia
	Building A Security Measures & Metrics Program Created By: George Campbell, Security Executive Council Emeritus Faculty This presentation is focused on providing the audience with a basic grounding on why measures and metrics are important (and should be expected), what basic elements comprise a security metrics program and using examples to demonstrate potential value. Measurement is a core competency of management and security programs need to be held to the same standard of performance measurement as all other business functions. This presentation should be of value to a security management team or group of security (and related) professionals who understand the need to provide for a performance measurements and metrics and need a roadmap to tailor their own approach. TIER 1 LEADERS: Log-in to obtain your copy. OTHER VISITORS: Click the title to order this SEC resource

	Hallmarks of Security Leadership Created By: George Campbell, Security Executive Council Emeritus Faculty George Campbell, emeritus faculty member of the Security Executive Council, discusses the traits he looks for in a security leader, as well as how metrics can be used by security practitioners to get buy-in from the organization. (Recorded at The Great Conversation in Seattle, Wash., March 4 &5, 2013)