Security Barometer
Are Security Policies more prevalent than Security Guidelines? 
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Articles | ||
2011 Annual Report for the Security Executive Council  Created By: Security Executive Council This year's report covers activities, initiatives and resources in a three page condensed document. The information may be used to learn the kinds of support the SEC can offer you as well as a glimpse into what its members are tackling. |  745KB | |
 | ||
A Security Metrics Story: Turning Data into Metrics Created By: George Campbell, Security Executive Council Emeritus Faculty |  Resource is for Tier One Leaders only | |
| ||
| Benchmarks Aren’t Magic, They’re Tools
Created By: Bob Hayes, Managing Director, Kathleen Kotwica, Security Executive Council Security executives frequently come to us to request assistance in benchmarking their processes or performance metrics with similar companies. Usually we find that their interest is at least partially driven by a strong push from management. Business leaders recognize benchmarking as a proven business practice that can identify competitive strengths and vulnerabilities as well as opportunities for improvement. Benchmarking can inform corporate goal-setting and can play a significant role in strategic planning. | 236KB | |
| ||
| Building a Metrics Program that Matters
Created By: Security Executive Council Staff Those of us who read this magazine regularly know about security metrics. We have read about their value and seen monthly examples of useful metrics and what to do with them. But, ladies and gentlemen, we are still missing the proverbial boat. Some of us are running alongside as it pulls from the dock, waving our arms and begging it to slow down so we can figure out where the ramp is. Others are across the street at the ticket booth wondering why there are so many people in line. | 449KB | |
| ||
| Defining the Cost of Security
Created By: Security Executive Council Staff Security professionals discuss techniques for determining security budgets in a world without benchmarks. | 213KB | |
| ||
| Delivering Meaningful Metrics Created By: Marleah Blades, Security Executive Council If security continues to mature as a business function, senior management will likely ask for a set of metrics to measure performance. Security leaders should prepare meaningful metrics that inform management and improve security effectiveness. Marleah Blades reports on insight shared from the Next Generation Security Leader program's exploration of the development and communication of meaningful security metrics. | 630KB | |
| ||
| Exploring Our Value Story Created By: George Campbell, Security Executive Council Emeritus Faculty Our value has to be connected to our success in measurably impacting risk. What are the measures, and how are you communicating the critical messages? Sure, every program is delivering some statistics — typically lists of incidents or activities that they sell as “metrics.” But real metrics inform by creating a storyline that implies the need for action. Lists are just the nails you use to build these stories. | 359KB | |
| ||
| Global Survey of Workplace Hotline Reports Shows Significant Improvements in Some Key Industries – Data Obtained from 650 Companies Created By: Security Executive Council The Security Executive Council's 2007 Corporate Governance and Compliance Hotline Benchmarking Report provides a key set of benchmark data for corporations in 10 industries. | ||
| ||
| How to Influence with Metrics Created By: George Campbell, Security Executive Council Emeritus Faculty How will you use the "must have" metrics - both key risk indicators and value indicators - in your organization. You have the data and the results, now how will you use them to influence your business? Think about the results you are seeking, how the measures and data you are communicating are achieving some improved state of security or safety. | 337KB | |
| ||
| How to Use Metrics Created By: George Campbell, Security Executive Council Emeritus Faculty CSOs generate security data every day. Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves. | 81KB | |
| ||
| Measuring the Business Value of Security Created By: Geoff Kohl The Security Executive Council weighs in on why security metrics are important to your job. | 328KB | |
| ||
| Metrics For Success: Empower Customers Through Awareness
Created By: George Campbell, Emeritus Faculty Security has a unique perspective on risk that comes from gathering, analyzing and understanding threat and risk data. This insight obligates us to make our customers aware of the risks that could affect them, especially when those customers control the most sensitive and essential business processes in our companies. | 147KB | |
| ||
| Metrics For Success: Working with Customers for Better Access Control Created By: George Campbell, Security Executive Council Emeritus Faculty If you have been reading this column each month, you know of my passion for testing and reporting on the effectiveness of the safeguards we have installed to protect our people and assets. You will not influence anyone with metrics that just count things, but you will with ones that really measure how well you and your customers are meeting your responsibilities to protect the company. | 143KB | |
| ||
| Metrics for Success Created By: George Campbell, Security Executive Council Emeritus Faculty Creating security metrics is so important that nearly all security leaders interviewed by the Security Executive Council (SEC) for a recent survey stated it was a top priority for them. | ||
| ||
| Metrics for Success - Are your metrics connected to top management’s agenda?
Created By: George Campbell, Emeritus Faculty An interesting article from the January/February issue of Financial Executive magazine was sent to me recently. It was written by Ken Daly, the President and CEO of the National Association of Corporate Directors (NACD), the nation’s largest member-based organization for corporate board directors. Those are the guys who sit in judgment of your CEO’s performance, so what they are thinking should be on our radar. | 164KB | |
| ||
| Metrics for Success - Measuring guard force operations
Created By: George Campbell, Emeritus Faculty One of the largest line items in most corporate security budgets is expense for what I call ""Security Operations"" and what others may refer to as ""guard force"" costs. I am often amazed at the answers I get when I ask, ""What metrics do you have for these activities?"" Typical answers include hours of training, turnover rates, compliance with state certification, rates of conformance to pre-assignment standards and guard tour checks. A deeper dive may reveal hours on patrol or hours of various post assignments. | 159KB | |
| ||
| Metrics for Success - Nuisance alarms are more than a nuisance Created By: George Campbell, Emeritus Faculty The reliability of our programs is an essential ingredient of executive confidence and support. If you are looking for a place to focus your quality assurance, shine it consistently on alarm system reliability and response. Whether they be experienced or uninitiated, customers find frequent invalid alarms unacceptable, and they make your responders distrust the validity of calls. When they occur at off-site facilities dependent on law enforcement response, false alarms often cost the company in fines. | 206KB | |
| ||
| Metrics for Success - What is a reportable security violation in your organization?
Created By: George Campbell, Emeritus Faculty How serious is the notion of compliance in your company? Is your reputation in the marketplace linked to conformance to an established set of laws, rules or standards? Are there protection mandates in the contracts you have with your customers and key suppliers? What are the implications of inadequate security with regard to your insurance? We are a key player in the governance of these internal controls. | 193KB | |
| ||
| Metrics for Success - What's state-of-the-art in security metrics? Created By: George Campbell, Security Executive Council Emeritus Faculty File this in the opinion folder. I have always pinned my metrics hunt to that day very early in my CSO career when the boss asked what kind of metrics we had in the can. As I stumbled for a defensible answer, he said, "I want you to think about what metrics we should follow in our organization and why you think they are important for the senior management team." But the more I dig into this security space, the more I have found that measuring and plotting program performance has been an expectation of every boss I've worked for over these past (gulp!) 50-plus years. | 183KB | |
| ||
| Metrics for Success-Create a Measures Map Created By: George Campbell, Security Executive Council Emeritus Faculty We have limited time with senior management, so we need creative ways to influence change, to inform and demonstrate our competence. The “measures map” is a visually engaging method of presenting findings from an incident postmortem. | 364KB | |
| ||
| Metrics for Success: Accuracy & Integrity
Created By: George Campbell, Emeritus Faculty There is an old saying that there are three types of lies: “lies, damn lies and statistics.” I won’t dwell on the obvious downside of lies or damn lies in our job, but I will underscore that statistics, when calculated hastily or from poorly managed data, are no better than lies. We must have accuracy and integrity in our use of data and statistics, or we will undermine our initiatives, our programs and our own standing with senior management. | 181KB | |
| ||
| Metrics for Success: Assess the Probability of Business Loss Created By: George Campbell, Security Executive Council Emeritus Faculty Help management to recognize that the business contains vulnerabilities that may affect customers. | 362KB | |
| ||
| Metrics for Success: Be a Learning Organization Created By: George Campbell, Security Executive Council Emeritus Faculty Scrutinizing failures using Root Cause Analysis will likely prevent them from happening again. Root cause analysis (RCA) is an established process in quality management, engineering and risk management. | 333KB | |
| ||
| Metrics for Success: Build A Risk Indicator Dashboard Created By: George Campbell, Security Executive Council Emeritus Faculty How to provide a single display of the key information a manager needs to monitor a set of security measures. | 322KB | |
| ||
| Metrics for Success: Business Alliances and Security's Due Diligence Created By: George Campbell, Security Executive Council Emeritus Faculty Mergers with or acquisitions of other companies, outsourcing of key business processes to vendors and other strategic alliances may align external organizations with the reputation and well being of your company. | 148KB | |
| ||
| Metrics for Success: Create a Business Unit Scorecard Created By: George Campbell, Security Executive Council Emeritus Faculty A scorecard can help assess the security of various business units and effectively communicate our findings and recommendations to business leaders. | 333KB | |
| ||
| Metrics for Success: Create a security awareness dashboard
Created By: George Campbell, Security Executive Council Emeritus Faculty One of the fundamental obligations we have in corporate security is to understand the potential for “what if” and communicate our knowledge and concerns to 1. those who could be affected; and 2. those who have accountability for protecting the assets of the enterprise. | 217KB | |
| ||
| Metrics for Success: Demonstrate Security's Alignment with Business Objectives Created By: George Campbell, Security Executive Council Emeritus Faculty It's important to identify products, services and positive results that the security organization brings to help meet the enterprise’s business goals. | 155KB | |
| ||
| Metrics for Success: Demonstrate the Effectiveness of Emergency Response Created By: George Campbell, Security Executive Council Emeritus Faculty Employee and invitee safety is a core mission of corporate security. Unfortunately, both business and local government resources are under budget pressure that could potentially impact emergency response. We need to encourage continued support by keeping management apprised of our high performance and readiness to respond. | 352KB | |
| ||
| Metrics for Success: Determine the Exploitability of Selected Security Defects Created By: George Campbell, Security Executive Council Emeritus Faculty You can establish standards for protection at key locations and within routine business operations by measuring and tracking weaknesses in those areas. | 169KB | |
| ||
| Metrics for Success: Do Business Units Value Security Recommendations?
Created By: Marleah Blades, Security Executive Council Staff Our ability to influence internal customers starts and ends with their perception of the effectiveness and value of security programs. We have to test this perception on a periodic basis, because the results provide opportunities to consider the effectiveness of our programs and alternative approaches to both risk and relationship management. | 145KB | |
| ||
| Metrics for Success: Don’t Neglect Key Performance Indicators
Created By: George Campbell, Emeritus Faculty Key performance indicators (KPI)can be so much a part of a corporate management business strategy. In corporate security, we may employ KPIs in any of several security program areas. | ||
| ||
| Metrics for Success: Gain Support by Illustrating Security's Response Time Created By: George Campbell, Security Executive Council Emeritus Faculty You can present security value by showing that security is able to respond most quickly to emergency calls from within the company, thereby saving lives. | 358KB | |
| ||
| Metrics for Success: Good metrics tell a story Created By: George Campbell, Emeritus Faculty I am constantly hunting for metrics examples, and I am intrigued by the variety of ways experienced organizations present data. One vital measure of good data is its ability to inform and drive action in a specified direction. | 197KB | |
| ||
| Metrics for Success: How good is your customer connection? Created By: George Campbell, Emeritus Faculty The deeper I dig to find the reasons for the lack of workable, meaningful metrics within security organizations, the more I find myself tripping over both institutional and security-imposed roadblocks. Let’s remember that I am talking about security organizations within companies that live and die on performance indicators. What’s up with this? | 199KB | |
| ||
| Metrics for Success: Incident Analysis Identifies Business Practice Risk Created By: George Campbell, Security Executive Council Emeritus Faculty Through incident post mortems, we can identify categories of perpetrators and trends in incident type. | 321KB | |
| ||
| Metrics for Success: Increase Influence and Protection through Proactive Risk Assessments Created By: George Campbell, Security Executive Council Emeritus Faculty We security professionals cannot sit back and wait for an incident to happen. We are paid to anticipate risk and engage in preventative activities that will eliminate hazards at best, or at least minimize the impact on business operations and employee safety. | 325KB | |
| ||
| Metrics for Success: Investing in Security’s ROI Created By: George Campbell, Security Executive Council Emeritus Faculty We hear a lot about the difficulty of documenting Security’s return on investment. Well, take a look at this example. | 316KB | |
| ||
| Metrics for Success: Is Your Security Program Viewed as Effective? Warning Signs of Security's Decreasing Influence Created By: George Campbell, Security Executive Council Faculty This article examines signs that security is losing influence with management decision-makers. | ||
| ||
| Metrics for Success: It's Time to Get Security Metrics Savvy Created By: George Campbell, Security Executive Council Emeritus Faculty Security-related metrics are a must. Every business needs to develop and deliver measurable results, including security. | 174KB | |
| ||
| Metrics for Success: Leading Indicators
Created By: George Campbell, Security Executive Council Emeritus Faculty A leading indicator signals a future event — it measures the current state of the market or the business, as well as the future state, in the form of already planned or projected changes. In our world, leading indicators signal future risk of security-related events. They are measurable factors that change before the risk starts to follow a particular pattern or trend. | 373KB | |
| ||
| Metrics for Success: Measure Influence by Tracking Recommendations Created By: George Campbell, Security Executive Council Emeritus Faculty Measure security's influence by tracking the recommendations security makes to other business units and determining what percentage are accepted. | 151KB | |
| ||
| Metrics for Success: Measuring Security Awareness Created By: George Campbell, Security Executive Council Emeritus Faculty By testing and affirming employee awareness of security responsibilities, we can make sure no one is uncertain of his or her role in enterprise protection. | 146KB | |
| ||
| Metrics for Success: Measuring Security Management Performance Created By: George Campbell, Security Executive Council Emeritus Faculty How satisfied are you that your guard services contract has really effective and measurable quality and performance management requirements around prevention and response to incidents? George Campbell gives insight into operational excellence within your security vendor's on-site team. | 328KB | |
| ||
| Metrics for Success: Meeting Contract Standards Created By: George Campbell, Security Executive Council Emeritus Faculty Contracted guard force teams are the Security organization to the average customer today and their competence and quality is both highly critical and evident in their interactions. | 319KB | |
| ||
| Metrics for Success: Neglect and Apathy - Your Worst Enemy
Created By: George Campbell, Security Executive Council Emeritus Faculty Risks become avoidable when we put effective safeguards in place to counter them. They become inevitable when we fail to do our jobs — that is, when we disable or fail to enable essential security measures. This article takes a look at a large retail chain as one example. | 321KB | |
| ||
| Metrics for Success: Security Issues in Leased vs. Owned Property Created By: George Campbell, Security Executive Council Emeritus Faculty A company's leasing arrangements may lack the risk-based due diligence appropriate to a standard of protection enjoyed by owned space. | 388KB | |
| ||
| Metrics for Success: Security Operations Controls Center Metrics Created By: George Campbell, Security Executive Council Emeritus Faculty There are few functions performed by a corporate security organization that are more critical than the operation of the security operations control center (SOCC). It is here that customer service, first response and risk management combine to provide the most visible and essential corporate security services. | 616KB | |
| ||
| Metrics for Success: Showing the ROI of Contract Security Forces
Created By: George Campbell, Emeritus Faculty It is great to get feedback on my metrics columns. Let me share some thoughts on a recent e-mail I received from a thoughtful security manager in Arizona: "I can’t think of a more relevant issue for physical security than a series of metrics regarding contract security costs. The one item we’ve never been able to tie down during benchmarking was the ROI related to contract security. Obviously there are many moving parts to the issue, but when my director asks about value vs. cost regarding contract security, we get back to proving the negative (minimal losses to theft, no intrusions, etc.).” | 115KB | |
| ||
| Metrics for Success: The Risks of Outsourcing Information Security Created By: George Campbell, Security Executive Council Emeritus Faculty Outsourcing has become a fundamental business strategy for most major corporations, but they often overlook the risks that accrue due to the loss of effective business controls over sensitive activities. | 149KB | |
| ||
| Metrics for Success: The risk-aware organization Created By: George Campbell, Security Executive Council Emeritus Faculty Security practitioners often equate security awareness programs with posters in break rooms, intranet alerts and informative brochures on the risk of the month. While these media serve a useful purpose, Security's risk awareness strategy must be significantly more disciplined and structured than a periodic communication exercise. | 185KB | |
| ||
| Metrics for Success: Tracking Leading and Lagging Indicators
Created By: George Campbell, Emeritus Faculty Senior management and analysts in the businesses we serve are constantly tracking and evaluating a host of economic and programmatic indicators to provide alerts on changes in market conditions that need to be addressed. A leading indicator signals a future event — it measures the current state of the market or the business, as well as the future state, in the form of already planned or projected changes. A popular analogy is the traffic light: A yellow light is a leading indicator of a red light, because yellow always precedes red. | 152KB | |
| ||
| Metrics for Success: What is the Return on Your Company’s
Security Investment? Created By: George Campbell, Security Executive Council Faculty Having a solid grasp on the likelihood and financial implications of risk directly feeds your ability to gauge the level of protection you should provide. What’s the tradeoff between the cost of protection and the likely consequence of a variety of security incidents? | 152KB | |
| ||
| Metrics for Success: What’s the Endgame? Created By: George Campbell, Security Executive Council Emeritus Faculty In a recent security barometer quick poll conducted by the Security Executive Council (SEC), respondents were asked what they thought would be the single most meaningful metric to have for their security function. The overwhelming selection – almost four to one -- was to achieve a “measurable reduction of targeted risk attributable to security initiatives.” | 324KB | |
| ||
| Metrics for Success: Who's Accountable for Metrics? Created By: George Campbell, Security Executive Council Emeritus Faculty Where does accountability lie for the maintenance of a proactive measurements and metrics program? | 267KB | |
| ||
| Metrics for success - What is the cost of a bad employee?
Created By: George Campbell, Security Executive Council Emeritus Faculty The knowledgeable insider is at the top of the list of threats to any organization - public or private. Part of our job is to make business leaders aware of the seriousness of this threat by using metrics that catch their attention. This month's graph measures one small aspect of reputational risk: the time involved in resolving an insider misconduct case resulting in termination for cause. | 194KB | |
| ||
| Metrics for success: Measuring alignment using key risk indicators
Created By: George Campbell, Security Executive Council Emeritus Faculty Security's "alignment" with the business objectives we serve seems to have some traction in our communications and literature these days. In my various venues of engagement with colleagues, I get a lot of questions about how we can demonstrate with our metrics that we have a positive connection to the core business strategy and objectives. | 236KB | |
| ||
| Metrics for success: Security awareness - A few key indicators
Created By: George Campbell, Security Executive Council Emeritus Faculty Security's ability to educate and empower their customers in their risk management responsibilities is a fundamental element of any business protection strategy. | 207KB | |
| ||
| Metrics for success:Threat assessment: Measuring likelihood
Created By: George Campbell, Emeritus Faculty When you think about security threats to your business, which do you think are likely to manifest? What are the probabilities of a specific type of event occurring at a particular location? How do you convey your concerns to management without sounding like Chicken Little yelling that the sky is falling? It is essential that we keep our eye on “what if.” | 231KB | |
| ||
| New report offers benchmarks for security budgets, staffing
Created By: Whit Richardson, Security Executive Council Staff The average security budget as a percentage of an organization's total revenue is 0.07 percent, according to a new benchmark report released by the two-year-old Security Leadership Research Institute, the research arm of the Security Executive Council. | ||
| ||
| No Size Fits All
Created By: Marleah Blades, Security Executive Council Staff Corporate campus security is often considered a no-brainer. Some access control, some cameras, maybe some CPTED and a guard force. Some CSOs delegate it entirely to their directors and managers and focus instead on more complicated business issues. But corporate campus security is not one-size-fits-all. Campus size, location and demographics, as well as business sector, facility type and risk factors of nearby businesses and landmarks, are all integral parts of an effective and appropriate corporate campus security plan. Microsoft, for example, makes its home base on one of the world’s largest corporate campuses. With more than 130 buildings spread over more than 15 million square feet centered around Highway 520 in Redmond, Wash., Microsoft’s headquarters campus looks imposing on paper. In all this openness, Mike Howard, General Manager of Global Security, has carved out a role for security that honors the company’s creative, casual culture while protecting the people and assets that make up one of the most recognized brands in the world. “You may spend a day at Microsoft and not be aware of security guards,” Howard says, “but that doesn’t mean Security hasn’t noticed you." | 1MB | |
| ||
| Performance Metrics: Why Businesses Want Them and Security Needs Them
Created By: Security Executive Council Staff Performance metrics are “critically important” to business leaders, says Greg Niehaus, Professor of Finance and Insurance for the Moore School of Business, University of South Carolina. “In my view it’s very important for business functions to have metrics that tie back to the objectives of the organization – that measure the impact on value and value creation.” If a function fails to develop and effectively communicate performance metrics, says Niehaus, “their contributions to the organization will likely be not appreciated, which, in down times, could lead to cutting of responsibilities or jobs and hurting the value of the organization.” | 213KB | |
| ||
| Security Contract Compliance Auditing Created By: George Campbell, Security Executive Council Emeritus Faculty Contracts with product and service suppliers are an integral part of many corporate security service delivery programs; in fact, many companies spend millions of dollars annually for thousands of hours of service from contract guard vendors. Ensuring the effectiveness of performance terms and related compliance monitoring is a critical management objective that requires knowledgeable and engaged resources, along with the right data for performance measurement. | 340KB | |
| ||
| Security Executive Insight: Marking the Yardstick Created By: Kathleen Kotwica and Marleah Blades, Security Executive Council Staff The benefits of benchmarking for security are many, but the process has limitations. The council’s International Security Research Database hopes to address benchmarking weaknesses to make it a more valuable and reliable tool for security professionals. | 677KB | |
| ||
| Security Metrics in Context Created By: George Campbell, Security Executive Council Emeritus Faculty An excerpt from George Campbell's Measures and Metrics in Corporate Security. | 356KB | |
| ||
| Security Metrics: Measuring Performance Created By: Security Executive Council Staff These articles cover the use of tools such as Key Performance Indicators (KPIs) and balanced scorecards to help you set long-term goals and to evaluate and monitor your progress toward achieving those goals, along with sample charts to generate ideas for KPIs. | ||
| ||
| The Total Cost Of Security - Accounting For All Security Expenses Created By: Security Executive Council In 2011, a survey by the Security Executive Council’s Security Leadership Research Institute (SEC-SLRI) found that security costs are often vastly underestimated. | ||
| ||
| The Value of Metrics Created By: Security Management George Campbell, Emeritus Faculty Member at the Security Executive Council - a consulting firm specializing in security-risk mitigation - discusses his new book, Measuring and Communicating Security's Value, published by Elsevier. | 837KB | |
| ||
Login
Find It For Me!
Can't find what you're looking for? Likely we have what you need. Click the Find It For Me! button and we'll help you out.
