Using Metrics for Security Management

21:43 27 September in Business Continuity Planning, Corporate Security

The effective use of metrics to manage your security department and strategically report accomplishments is one of the fastest-growing areas of interest among Chief Security Officers. IT security practitioners are intimately familiar with the practice and have a broad array of statistical data from which to build powerful reporting dashboards that clearly demonstrate the performance and value of the program. Those of us who exist in the world of physical security struggle to find meaningful measurements that can be accurately and universally collected and then reported in a way that is valuable to executive leadership.

Much of the published material on the use of metrics in security speaks of sitting down with the CEO, identifying the top risks to the enterprise from the perspective of the board, and developing your metrics around those risks. In reality, though, the top risks associated with physical security normally do not intersect with the top enterprise risks as ranked by the board. For example, while the board is concerned with providing a workplace that is free of violence (always a top priority of Security), it almost never views that risk as being on par with risks that can shut down the enterprise – risks such as issues of regulatory compliance, or widespread liability created through poor quality of manufactured products or by producing a dangerous or defective product.

Tips for deciding on meaningful metrics

Following are 10 tips to remember while developing your metrics program:

    • Identify your internal customers (entities within the organization you serve) and the services you provide to them.
    • Identify threats to your constituents and prioritize the threats using the formula: risk = likelihood × vulnerability × impact.
    • Prioritize your resources on those areas of greatest risk and develop metrics in those key areas.
    • Understand internal customers’ expectations to ensure your services align with expectations and your metrics clearly report on critical expectations.
    • Develop different sets of dashboards for different internal clients.
    • Report in terms relevant to your customers – dollars saved, cost avoided, etc.
    • Collection and integrity of data are critical in reporting outcomes.
    • If necessary, create measurable data through audits and surveys.
    • Establish your total cost of security and report as a percentage of revenue.
    • Seek to engage in the areas of greatest enterprise risk, even if you don’t have responsibility and only contribute in those areas. Measure the outputs of those contributions. The greater the enterprise risk and the greater security’s contribution to the mitigation of those risks, the greater security’s value to the enterprise.

Metrics are about measuring performance. Heads of operational departments are expected to manage through metrics and routinely report departmental performance using key metrics dashboards. As we seek to have the security department’s role identified as a contributor to the enterprise goals and objectives, we should seek to document our outputs of mitigating risk and contributing to the bottom line and report those outputs through the effective use of metrics.

Warm regards,

Kathy Leodler
Chief Executive Officer
Email: kathy.l@rampartgroup.com
Phone: (360) 981-2703
PI License #3555

Paul Leodler
Executive Vice President
Email: paul.l@rampartgroup.com
Phone: (360) 981-3397
PI License #4180
