Over time we have built up a knowledge base of a large number of methods and techniques that contribute to demonstrating value. We recently conducted a survey to get an idea of how widespread the usage of some of these indicators were amongst our community.
From our many years of research we have found that top scorers have…
A security metrics program that measures value.
When first initiating a security metrics program many rely on showing activity, e.g., how many badges issued or how many investigations have been completed; or a step-up, they show how their processes are becoming more efficient. This is a good start but the metrics that resonates with senior management are those that show a desired impact on business goals, some examples:
- Customers captured or retained, award fee contribution or client satisfaction acknowledged as attributable to proactive or reactive security measures.
- Reductions in employee interaction with time-consuming security measures.
- Reduction in cost of compliance with security-related regulations or cost to insure.
- Percent of reduction of security-related incidents attributable to improved security measures.
- Advertised and demonstrably effective security measures that enable customer satisfaction and are a potential draw for new customers and sales. Being "the secure choice" is a plus to the bottom line.
- Security department customer satisfaction survey that asks how well respondents understand security’s awareness messaging and how effective the communication medium is.
A framework for scoring risk, mitigation plans and calculating residual risk.
This provides a metric used by Security that measures the primary reason for having security in the organization.
A quantitative grasp on their resources and capacity and articulate this to senior management.
Security Leaders systematically collect, identify, analyze, and report security services and measure their business value. This process can include creating a master list of security services by program; FTE commitment by service by internal customer; criticality and/or satisfaction ranking of services by customer; cost of security calculation by service by customer; and results reporting. The SEC calls this process a critical part of "running security as a business."
A "brand" for security and tell the brand story to a diverse set of audiences throughout the enterprise.
This is more than the traditional mission, vision and strategy statements. In order to brand Security as a value service, security leaders:
- Make sure security programs and services are linked to significant corporate risks and the mitigation strategy demonstrates risk reduction value.
- Show specific examples where and how security programs are aligned with the business.
- Promote cross-function team roles that need to happen for the good of the enterprise.
- Define a way that risk owners and the mitigation team can work together by identifying roles and ownership.
- Build management confidence in capabilities and long term plan of the security function.
- Have a brand value story that defines Security’s philosophy and strategy in a way that builds executive confidence and support.
- Broadcast a brand value message in as many platforms as possible in the organization.
- Know the security leader is not the sole "story teller"; all of the security team can and should articulate the message
An alignment with their security services and Board-Level Risks™ and the organization's enterprise-level risk assessment.
Security leaders do this to create awareness of the Board-level risks and the role and boundaries of all staff groups (including Security) in mitigating risk. Security program services are defined and mapped against the corporation's most significant enterprise risks using the language of the Board (or senior management). This often results in eliminating duplication and confusion of services across staff departments, identifying gaps in risk mitigation and fosters effective working relationships between staff groups. They also use this alignment during Board-level presentations to show a direct connection between risks that the Board members concerned about and Security’s strategy in reducing those risks – that is, the value of Security.
Download a PDF of these recommendations here: Demonstrating_the_Value_Security_Brings_to_the_Business.pdf
Click here to take the self-assessment and score your ability to Demonstrate the Value Security Brings to the Business.
For More Information on the Topics Discussed Above:
Managing Enterprise-Wide Board Risk
Case Study: Risk Management and Security Metrics at Boeing
The Importance of Security's Brand Image
Turning Incident Based Data into Metrics
Discovering the Total Cost of Security to the Enterprise
The average score achieved by participants who took our survey was 6 out of a maximum of 17.
The intent for this survey was to provide some food-for-thought. Even some of the most talented demonstrators of value often find benefits in exploring novel methods of communicating and demonstrating the benefits of their programs.
Only 51% of respondents felt they have a security metrics that influenced management.
Of those that had metrics that influenced management only half had metrics that communicates the direct value added to the business. Some examples include demonstrating revenue enhancement, positive impact on brand reputation, and reduction of regulatory costs.
More than half of the respondents did not know their security organization’s cost per hour of service including overhead.
Even if not currently tasked to do so, it is wise to know how your costs are broken down by your internal customers. Do you know how much time of the typical day your security officers or analysts are spent simply watching, conducting surveillance of observing at a post versus activities resulting in a quantifiable impact? Many security departments get dismantled because they are unprepared to defend themselves against high-priced big name consulting organizations who are brought in by the executive team to come up with those numbers.
Half of the respondents were not confident of their capability to effectively communicate their value story to key stakeholders.
Effectively communicating what security does for the organization plays an important role in demonstrating the value of security. Disseminating information about what security does specific to the audience helps when it comes to gaining understanding and support for programs as well making it easier to implement new programs in the organization.