A Guide for Building Your Corporate Security Metrics Program
A Short Primer for Security Managers
"Where to start" is the issue for all three of these managers. Regardless of the composition of their corporate security program, they all have been generating reams of data 24/7 but haven't organized or focused the data on the stories it can tell. They have been counting activities but haven't been measuring performance value. This short guide sets out the steps that security managers should use in building a basic metrics program.
Let's begin with a few assumptions that may serve as key success factors:
Why do you need a security metrics program? You may or may not be in the same place as those three managers mentioned above, but you do need to have a solid rationale for building security metrics. Oh, sure, I know you already have them in those spreadsheets ready for counting day-to-day activity, but that's only the fuel for the metrics engine. Where we’ve seen real success from Chief Security Officers in this space is where there were a few inter-related motives driving their journey:
Who are your customers and what information do they need from Security? You have a diverse array of internal stakeholders who need to hear and see the metrics that are meaningful to them. Ask them! Good, customer-focused metrics are central to our ability to influence and engage our customers in their role in corporate security and brand protection.
Metrics are a key part of your communication strategy. They contribute to a coherent set of messages focused on a targeted audience. You cannot over-emphasize the importance of understanding the diversity of perceptions about risk and how each of your constituents views your role in its management.
Objectives for Metrics
This discussion is about building a basic program, so we need to focus on the few measures that can establish the relevance and acceptance of security metrics for your program and stakeholders. The initial objective must be to find the ones that really resonate for your program. In our corporate security realm, I see risk, program performance, value and influence providing mutually supportive boxes in a metrics four-square.
Quality and Integrity
Consider these two key objectives for our security measures and metrics: 1) materially impact exposure to specific risks and 2) positively influence action, attitude and policy. The visibility of these objectives imposes the highest standards of program quality and data integrity. The ability to craft strategy and tactics that effectively target specific risks relies upon reliable data processed by competent and highly disciplined analysis. But imagine the potential consequences of drawing conclusions and formulating recommendations to management on inaccurate, unreliable data overseen by flawed, poorly supervised sources. At the end of the day, the data culled from those spreadsheets and put into fancy charts and graphs should be grounded in the best possible analysis and conclusions.
Most organizations have established requirements for the type, format and frequency of departmental reporting, including specified metrics updates that typically include one or more topical dashboards. As noted earlier, you will also need to determine the when and what of more customized metrics reports to your key customers and those you want to inform on specific findings or recommendations. It's critical that you establish a monthly routine for delivery of metric reports from your program managers and contracted service providers and that you include an assessment of the quality of their reporting in your measurement of their performance.
Corporate security owns a unique database of business performance measures and metrics. Collectively they enable and support a key value proposition: the ability to positively influence enterprise protection, corporate policy and behavior. Enterprise protection is measurable, as are the benefits that accrue to our diverse protection programs. A well-defined security metrics program demonstrates to management how we are probing the weak spots, informing, educating and influencing change. As a manager, you are expected to be a good communicator, and SMART metrics can provide the storyboard and the script you need for a quality connection with management and your customers.
Copyright Security Executive Council. Last updated October 31, 2016.