Home » Security Leadership » Metrics/Budgets

In Depth

How to Use Metrics

CSOs generate security data every day. Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves.

By George K. Campbell

August 01, 2006 — CSO —

Why metrics?

The fact that established metrics and measures for the full range of security programs are few and far between tells a story about the historical disconnect between these functions and the core businesses they serve. The risk environment has changed significantly over the past 30 years, with shocking wake-up calls to CEOs, boards and shareholders. Attentive corporations have had to address the exposures uncovered in these times with more sophisticated and mainstream corporate security organizations. With this mainstreaming comes the obligation to measure performance and demonstrate bottom-line contributions. Metrics are a natural descendant of this process.

It is also essential that we recognize security's contribution to the corporate system of internal controls.

Internal controls, established to mitigate a variety of business risks, provide the dashboard to inform management on the status of core activities and to apply the brakes that keep the enterprise safely on course. The security organization plays a critical role in identifying, measuring, preventing and responding to a growing inventory of risks. We must be able to measure the probability and potential consequences of an identified risk, or management has no gauge to assess and prioritize what actions to take. Metrics are central to understanding the adequacy of security controls and where to focus our limited resources for the greatest contribution to the protection strategy.

This excerpt from the book Measures and Metrics in Corporate Security, Communicating Business Value gives a few examples of the ways CSOs can think about the data they collect as part of their security operations and identifies what is important to measure, and how to communicate with senior business executives about what the data indicates about their organization's risk environment and how it's being managed.

1. Aligning security metrics with business drivers

Security programs gather volumes of data every day. If we gather the right information, we generate unique and informative data that, for example:
Defines what, where and how risk is occurring
Emphasizes the accountability of business management for safeguarding the organization's assets
Directly aids in measuring service quality and customer satisfaction
Provides measurable support for new and existing programs
Contributes to a variety of value-based assessments

The successful security executive defines his business plan and the performance of resources and services around clearly articulated measures. Those measures should be aligned with core business strategy and priorities. Figure 1 (this page) illustrates how a CSO has evaluated the importance of various security metrics, based on their relevance to business drivers such as managing costs and risks, focusing on return on investment, complying with the law and company policies, and protecting the lives and safety of employees. Note the last column on the right, which is checked every time: internal influence. Effective use of metrics that matter to business leadership, demonstrating the value of security operations, wins a security executive important capital.