Metrics for Success

Security practitioners often equate security awareness programs with posters in break rooms, intranet alerts and informative brochures on the risk of the month. While these media serve a useful purpose, Security's risk awareness strategy must be significantly more disciplined and structured than a periodic communication exercise.

Strategy: The test of sufficient awareness is found in the midst of crisis. You may recall my frequent reminder that as security professionals, we are paid to anticipate. We must proactively identify what could go bump in the night and determine how to prevent, detect and respond to it. Risk awareness is the result of planful action involving multiple steps:

1. Planning: A risk-aware organization has an established, enterprise-wide risk assessment process that provides qualitative information on the vulnerabilities of enterprise assets and mission-critical business processes. It tests the resilience of safeguards and eliminates plausible denial through focused analysis with up, down and sideways reporting. It addresses the concept of likelihood by understanding the degree of exposure gleaned from testing, incident post mortems and intelligence. It understands how combinations and multiples of risks can interact and thereby increase exposure.

2. Preparedness: The risk-aware organization operates the radar on high strength but carefully avoids what we may call the "Chicken Little" syndrome. It looks for the cues but exercises caution by testing and qualifying the data being received. It uses metrics as detective indicators that serve to inform and alert on changed risk conditions. It has pushed accountability for risk awareness down and out within the enterprise and set clear expectations on timely escalation of concern. Business processes are prioritized, risk tolerances set and responsibilities assigned. Plans that address the range of consequential events are developed and tested.

3. Training of response resources: Awareness has to be ingrained at the beginning and tested over time. Both general and business-specific orientations of new employees and resident contractors incorporate a fundamental understanding of risk and obligations of response. Because this is a learning organization with educated, knowledgeable players in key positions, awareness is reinforced through training exercises that dissect incidents to identify root causes and test to affirm that the players know the plays.

4. Incident response: The risk-aware organization is proactive. This is about the interdiction of risk due to foreknowledge. If our awareness efforts enable someone to identify and report or respond to conditions that will likely lead to an incident, we have a powerful measure of security program effectiveness.

But we are here because the business recognizes that bad things will occur and the organization has to be prepared to take definitive steps to minimize the consequences. Risk awareness provides the foundation of our ability to react with timely competence. This is a key performance measure of our preparedness to minimize the consequences of the risky event.

5. Consequence analysis and follow-up: Measureable reductions in risk exposure may be found in a disciplined lessons-learned or after-action analysis. This is a key element of maintaining a responsive risk awareness program. It's about learning. Through this process, we identify the gaps in our protective measures and the competence of our response.

Awareness is synonymous with watchfulness, vigilance, responsiveness and alertness. These terms work well within our security mission. Where we enable our clients to be knowledgeable of risk and their responsibilities to prevent and respond to the indicators, we have an incredibly powerful multiplier effect in the ability to deliver measurable value to the enterprise we serve.

George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, "Measures and Metrics in Corporate Security," may be purchased through the SEC Web site. The SEC is a problem-solving research and services organization that works with Tier 1 Security Leaders(tm) to reduce risk and add to corporate profitability in the process. A faculty of more than 100 experienced security executives provides strategy, insight and proven practices. Through its Collective Knowledge(tm) approach, the Council serves all aspects of the security community. To learn more, e-mail or visit The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved.