Demonstrating Security Program Value to the C-Suite
Created by Dean Correia, Security Executive Council Emeritus Faculty
Dean Correia's Advice Based on SEC Research
Dean Correia cautioned that when the C-suite asks security leaders for metrics, it often means management has already lost confidence in Security's ability or willingness to provide meaningful data. Security needs to build a metrics program before being asked for one, presenting results proactively and focusing on the meaningful, actionable information the program yields.
Metrics should address questions such as
Many security leaders start out by counting activities, events or tasks. The next critical step in the evolution of a metrics program is to demonstrate operational excellence.
If your metrics are "counts," Dean recommended thinking like senior management and asking yourself, "So what?" Do your counting metrics answer management's pressing questions, such as: What is the cost per case? What are retention rates? What is the impact on risk? What are the root causes? How well do you do your job? Is the risk picture improving? Simple counting seldom answers these questions. Security needs to present and articulate meaningful information to the owners of the risk.
Dean provided some security measures and metrics resources:
Rita Estwick's Case Study
Rita Estwick shared how Security at Canada Post used metrics to successfully transition to a new role in a changing industry while adding value to the organization.
Electronic mail and digital communication have been major business model disruptors for mail delivery organizations. Canada Post found opportunities to adapt to this new environment, shifting to primarily parcel post, which required new technology, equipment and training; developing new retail partnerships; fostering innovation such as drive-through parcel post; and focusing on the customer experience including flexible delivery and digital apps.
Rita quickly realized Security would also have to refocus to align with the organization's new goals, and they would need to be able to measure success in their new environment.
Combating fraud became a significant driver. "Card not present" fraud represented 76% of all fraud in Canada, and it had increased 205% between 2010 and 2015. She spoke to other businesses about how to help mitigate this as a way to improve the customer experience.
They approached one retail partner to pilot a fraud parcel intercept program. The partner would identify fraud after an order had been fulfilled, then would tell Canada Post. The postal service would track the shipment and return it to the merchant. The program was so successful it grew to other partners and then to other industries outside of retail.
From the outset, Rita asked partners for data so she could develop metrics that showed the program's impact. In one year, one customer logged $2.5 million in fraud cost avoidance. She shared these metrics with her own executives and with the partners' executives, and the response has been so positive that the program is now on track to become a marketable corporate solution.
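The two passages above make the same point from different angles: a count of cases fails the "So what?" test, while cost per case, root-cause breakdown, quarter-over-quarter trend and cost avoidance answer the questions management actually asks. The following Python script is an added illustration, not code from the Security Executive Council, Canada Post or any of the speakers; the case records, the $50 hourly investigator rate and the field names are constructed for the example.

```python
"""Turn raw case counts into the metrics management actually asks for."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Case:
    opened: date
    category: str     # e.g. "card_not_present"
    root_cause: str   # finding from the investigation
    loss: float       # realized loss in dollars
    avoided: float    # loss prevented, e.g. value of an intercepted parcel
    hours: float      # investigator hours spent on the case


# Constructed sample cases (hypothetical data, not from any real program).
CASES: List[Case] = [
    Case(date(2023, 1, 15), "card_not_present", "stolen_card_data", 1200.0, 0.0, 4.0),
    Case(date(2023, 2, 10), "card_not_present", "account_takeover", 0.0, 850.0, 2.0),
    Case(date(2023, 3, 5), "parcel_theft", "unattended_delivery", 300.0, 0.0, 1.0),
    Case(date(2023, 4, 12), "card_not_present", "stolen_card_data", 0.0, 2400.0, 3.0),
    Case(date(2023, 5, 20), "card_not_present", "stolen_card_data", 400.0, 1600.0, 2.0),
    Case(date(2023, 6, 30), "parcel_theft", "unattended_delivery", 0.0, 500.0, 1.0),
]


def quarter(d: date) -> str:
    """Label a date by calendar quarter, e.g. '2023-Q2'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def cost_per_case(cases: Iterable[Case], hourly_rate: float = 50.0) -> float:
    """Fully loaded cost per case: realized loss plus investigator time.

    hourly_rate is an assumed figure; substitute your own loaded labour cost.
    """
    cases = list(cases)
    if not cases:
        return 0.0
    total = sum(c.loss + c.hours * hourly_rate for c in cases)
    return total / len(cases)


def root_cause_share(cases: Iterable[Case]) -> Dict[str, float]:
    """Fraction of cases attributable to each root cause."""
    counts = Counter(c.root_cause for c in cases)
    n = sum(counts.values())
    return {cause: k / n for cause, k in counts.items()}


def quarterly(cases: Iterable[Case]) -> Dict[str, Dict[str, float]]:
    """Case count, realized loss and avoided loss per calendar quarter."""
    buckets = defaultdict(lambda: {"cases": 0, "loss": 0.0, "avoided": 0.0})
    for c in cases:
        b = buckets[quarter(c.opened)]
        b["cases"] += 1
        b["loss"] += c.loss
        b["avoided"] += c.avoided
    return dict(sorted(buckets.items()))  # labels sort chronologically


def risk_trend(cases: Iterable[Case]) -> Dict[str, object]:
    """Is the risk picture improving? Compare realized loss in the two latest quarters."""
    q = quarterly(cases)
    if len(q) < 2:
        return {"direction": "insufficient data", "delta": 0.0}
    (prev_label, prev), (last_label, last) = list(q.items())[-2:]
    delta = last["loss"] - prev["loss"]
    direction = "improving" if delta < 0 else "worsening" if delta > 0 else "flat"
    return {"from": prev_label, "to": last_label, "delta": delta, "direction": direction}


def cost_avoidance(cases: Iterable[Case]) -> float:
    """Total loss prevented, the figure a partner can put a dollar sign on."""
    return sum(c.avoided for c in cases)


if __name__ == "__main__":
    print(f"Cases opened: {len(CASES)}")  # the counting metric that fails "So what?"
    print(f"Cost per case: ${cost_per_case(CASES):,.2f}")
    for cause, share in root_cause_share(CASES).items():
        print(f"Root cause {cause}: {share:.0%}")
    for label, b in quarterly(CASES).items():
        print(f"{label}: {b['cases']} cases, loss ${b['loss']:,.0f}, avoided ${b['avoided']:,.0f}")
    print(f"Trend: {risk_trend(CASES)}")
    print(f"Cost avoidance: ${cost_avoidance(CASES):,.0f}")
```

The count (six cases) says nothing on its own; the same records yield a cost per case, a root-cause split that points at where controls should go, a quarter-over-quarter loss figure that answers "is the risk picture improving?", and a cost-avoidance total of the kind Rita's partner reported. Treat realized loss and avoided loss as separate fields from the outset, since conflating them is the most common way such figures lose credibility with finance.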
Silvia Fraser's Value-Based Framework
Silvia Fraser discussed her value-based security framework.
Silvia defined value as "the capacity of a service to satisfy a need or provide a benefit to a person or entity". Value is determined by:
Metrics related to actual services include internal key performance indicators (KPIs), drawing on data from incident reports, trend analyses and employee performance. Metrics for expectations are tied to organizational and business unit values: what have security services prevented, and what are the cost savings? Metrics for perception involve education and awareness, such as the number of training hours delivered.
Her framework includes a scale to quantify value. If a security organization focuses only on its actual services, it may score a three on the scale. Focus on services and expectation and it may provide value at a score of seven. Only by managing services, expectations and perceptions together can an organization provide value at the highest level.
She echoed Dean's earlier warning that counting metrics alone will fail the "So What?" test. Metrics must work together to address all three elements of value in a meaningful way.
Some lessons learned:
Next Steps
The Security Executive Council has assisted some of the world's most admired organizations in creating and optimizing their security measures and metrics programs. Counting activities may be a start, but we can show you how to demonstrate the value you are adding to the organization's bottom line.
For more information on this topic see Security Metrics: Business Alignment
Watch our 3-minute video to learn about how the SEC works with security leaders. Contact us at: contact @secleader.com.
Copyright Security Executive Council. Last Updated: November 25, 2018