Created by George Campbell, Security Executive Council Emeritus Faculty member.
Let’s say you develop some must-have metrics in your organization. You have the data and the results; now how will you use them to influence your business?
Think about the results you are seeking. How are the measures and data you are communicating achieving some improved state of security or safety? Remember that one of the key requirements of an effective security metric is that it is actionable. It shouldn’t just count things; it needs to inform and create a storyline that leaves the audience with the need to address what you consider risky conditions or root causes. Let’s look at a sample metric and ask a few questions about how you would use it to influence.
In the example above, a new security director has determined that relationships between Corporate Security and several business units are either non-existent or seriously deficient. One obvious consequence is some fairly significant underreporting of incidents in the Sales & Marketing Division. A referral from the Purchasing Department indicated a consistently high run rate for laptop purchases within this division over the past 10 quarters, so an inquiry was initiated.
Nine laptops have been reported stolen from sales office spaces across the company since the beginning of 2010, and 10 were reported stolen from employee vehicles or on travel in the same period. However, when investigators tallied purchased laptops against those stolen, they found significant variances:
Fourteen laptops were somehow lost after assignment to the division but apparently replaced; 18, not 10 as reported, were lost in transit; and seven were stolen from employee residences.
Using available benchmark data against known on-board data content, investigation and replacement cost, this division alone accounts for a $900,000 loss to the company. Clearly, there is more than non-reporting going on here.
If you are this security director, you know there are notable risks that likely go beyond this specific case. Is this an opportunity to influence on a broader scale, or are you just an investigator closing out an investigation? How can you use this snapshot to influence behavior?
Think about the following questions:
• What conclusions would you draw from these findings?
• How would you relate these findings to the division SVP?
• Who are the supervisors who own these yahoos who are asking for new laptops?
What questions are being asked about the negligence that led to their loss?
• How would you propose to influence the SVP’s decision on addressing the implications of these findings?
• What sanctions should be applied to those who failed to report?
• If the SVP doesn’t see the problem (“I think most of these were encrypted...”) and thinks this is just part of the cost of doing business, how are you going to escalate to his manager?
Perhaps there are deeper opportunities to influence policy and behavior here as well, such as the status of IT policy around laptop security and accountability; and checks and balances on purchasing requests.
How could you use this example to influence the enterprise risk management agenda? Metrics provide both the vehicle to identify problems and the tools to address them through business influence.
