A Guide for Building Your Corporate Security Metrics Program
Created by George Campbell, Security Executive Council Emeritus Faculty
A Short Primer for Security Managers
(Abbreviated version; the full report is available for download at the bottom of the page.)
Over the past decade, my SEC colleagues and I have worked with hundreds of corporate security executives and managers who have either discovered or have been told they need to have a set of performance measures and metrics for their programs. These epiphanies or directives come in a variety of wrappers. Here are a few that summarize the frame of reference for beginning the metrics journey:
"Where to start" is the issue for all three of these managers. Regardless of the composition of their corporate security program, they all have been generating reams of data 24/7 but have neither organized nor focused the data on the stories it can tell. They have been counting activities but haven't been measuring performance value. This short guide will set forth a set of steps that security managers should use in building a basic metrics program.
Assumptions
Let's begin with a few assumptions that may serve as key success factors:
Considerations
We have seen the factors listed below add up to the difference between success and failure of a security metrics program. Everyone who has a role to play needs to believe this is a part of how Security will be managed going forward. Consider each one in the unique context of your organization and then go start your metrics initiative.
Why do you need a security metrics program?
You need to have a solid rationale for building security metrics. Where we’ve seen real success from Chief Security Officers in this space, there were a few inter-related motives driving their journey:
If you don’t know why you need metrics, I'd advise putting this more serious journey aside until you reach this state.
Who are your customers for your metrics?
Who are your customers? What do your key stakeholders really need to know from your metrics? What metrics could engage their more informed participation in enterprise risk protection and enable their success? You have a diverse array of internal stakeholders who need to hear and see the metrics that are meaningful to them. Ask them! Good, customer-focused metrics are central to our ability to influence and engage our customers in their role in corporate security and brand protection.
Metrics are a key part of your communication strategy. They contribute to a coherent set of messages focused on a targeted audience. You cannot over-emphasize the importance of understanding the diversity of perceptions about risk and how each of your constituents views your role in its management.
Good metrics are SMART
Specific to what is required and understandable,
Measurable from available data,
Actionable/Achievable - driving change and positive results,
Relevant to what is important and
Timely because verifiably reliable data is there when you need it.
You can't manage well without measuring well. Be SMART. Don't waste time building a metric unless there is a solid reason for what you want it to achieve. Remember that what we want to measure is the focus of the process; the metrics are the outputs of the process.
Objectives for Metrics
Your initial objective in building a basic metrics program must be to find the metrics that really resonate for your program. In our corporate security realm, I see risk, program performance, value and influence providing mutually supportive boxes in a metrics four-square. Here is a brief discussion on each of these.
Quality and Integrity
Consider these two key objectives for our security measures and metrics: 1) materially impact exposure to specific risks and 2) positively influence action, attitude and policy. These objectives require an established and clearly communicated set of internal controls focused on the integrity of the data that is gathered, the quality of the analysis and assessment applied to that data and the assurance of data security and protection.
Imagine the potential consequences of drawing conclusions and formulating recommendations to management on inaccurate, unreliable data overseen by flawed, poorly supervised sources. Failing to embed data integrity within your metrics program will go directly to the credibility of the security program and its management.
Reporting
Most organizations have established requirements for the type, format and frequency of departmental reporting to include specified metrics updates that typically include one or more topical dashboards. As noted earlier, you will also need to determine the when and what of more customized metrics reports to your key customers and those you want to inform on specific findings or recommendations. It's critical to establish a monthly routine for delivery of metric reports from your program managers and contracted service providers, and you must include an assessment of the quality of their reporting in your measurement of their performance.
Unless you are an “army of one,” you will rely on designees to deliver high-quality metric reporting based upon reliable data and conclusions. What measures of quality assurance are in place to give you confidence in the results that you must have?
In Conclusion
Corporate security owns a unique database of business performance measures and metrics. Collectively they enable and support a key value proposition: the ability to positively influence enterprise protection, corporate policy and behavior. Enterprise protection is measurable, as are the benefits that accrue to our diverse protection programs. A well-defined security metrics program demonstrates to management how we are probing the weak spots, informing, educating, and influencing change.
As a manager, you are expected to be a good communicator. S.M.A.R.T. metrics can provide the storyboard and the script you need for a quality connection with management and your customers.
For more information on this topic see Security Metrics: How to Get Started with Security Metrics
Copyright Security Executive Council. Last Updated: October 15, 2018