Solutions Snapshot - May 2010

Question: Which security metrics have provided you the greatest benefits?

Cory Michal, Information Security Group Architect for Kohler Co.: Management of risk to information assets remains one of the most challenging issues for enterprise information security groups.

Information security professionals are often left trying to calculate risk based on non-standard rating scales in continuously changing vulnerability and threat landscapes. Inevitably, this inability to measure vulnerabilities and threats across a common scale leads to inaccurate risk calculation and misalignment of risk mitigation resources.

Quantitative and accurate vulnerability assessment metrics are key to solving your risk assessment woes. To establish these metrics, start with a good vulnerability management foundation. Deploy an assessment system that uses a standard model to give vulnerabilities a numeric score based on severity, and conduct full assessments of IT assets on a regular basis.

Your assessment data will give you the ability to identify and track vulnerability levels of IT assets, application types and user populations across the entire enterprise, on a common playing field. From these metrics, you can create tactical vulnerability reduction goals and reduce risk to enterprise information assets by way of large-scale vulnerability removal.
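The procedure described above (a standard numeric severity score, regular full assessments, and comparison of vulnerability levels across asset types and user populations against reduction goals) can be illustrated with a small aggregation script. This is an added example, not code from the column or from Kohler; it assumes a 0-10 severity scale as CVSS uses, a "high" threshold of 7.0, and the field names shown, and every finding in it is constructed.

```python
"""Turn raw assessment findings into comparable vulnerability metrics.

Added example (not from the column). Assumes each assessment cycle yields
findings scored on a 0-10 scale and tagged with asset attributes; all
records below are constructed, and field names are assumptions.
"""
from collections import defaultdict
from statistics import mean

# Constructed findings from two assessment cycles of the same estate.
BASELINE = [
    {"asset": "web-01", "asset_type": "web", "population": "customers", "score": 9.8},
    {"asset": "web-01", "asset_type": "web", "population": "customers", "score": 6.5},
    {"asset": "web-02", "asset_type": "web", "population": "customers", "score": 7.5},
    {"asset": "db-01", "asset_type": "database", "population": "finance", "score": 8.1},
    {"asset": "db-01", "asset_type": "database", "population": "finance", "score": 4.3},
    {"asset": "ws-17", "asset_type": "workstation", "population": "finance", "score": 7.2},
    {"asset": "ws-18", "asset_type": "workstation", "population": "engineering", "score": 5.0},
]
CURRENT = [
    {"asset": "web-01", "asset_type": "web", "population": "customers", "score": 6.5},
    {"asset": "web-02", "asset_type": "web", "population": "customers", "score": 7.5},
    {"asset": "db-01", "asset_type": "database", "population": "finance", "score": 4.3},
    {"asset": "ws-17", "asset_type": "workstation", "population": "finance", "score": 7.2},
    {"asset": "ws-18", "asset_type": "workstation", "population": "engineering", "score": 5.0},
    {"asset": "ws-19", "asset_type": "workstation", "population": "engineering", "score": 9.1},
]

HIGH = 7.0  # assumed threshold: findings at or above this count as "high"


def summarize(findings, key):
    """Group findings by one asset attribute (e.g. asset_type, population)
    and compute the same metrics for every group so they can be compared."""
    groups = defaultdict(list)
    for finding in findings:
        groups[finding[key]].append(finding["score"])
    return {
        name: {
            "findings": len(scores),
            "high": sum(1 for s in scores if s >= HIGH),
            "max": max(scores),
            "mean": round(mean(scores), 2),
        }
        for name, scores in groups.items()
    }


def reduction_progress(baseline, current, key, goal_pct):
    """Per group, the percentage of high findings removed since the baseline,
    and whether that meets the tactical reduction goal. Groups with no high
    findings in the baseline get None (nothing to reduce) and meet the goal
    only if they are still clean."""
    before = summarize(baseline, key)
    after = summarize(current, key)
    progress = {}
    for name in sorted(set(before) | set(after)):
        b = before.get(name, {}).get("high", 0)
        a = after.get(name, {}).get("high", 0)
        if b == 0:
            pct = None
            met = a == 0
        else:
            pct = round(100.0 * (b - a) / b, 1)  # negative means it got worse
            met = pct >= goal_pct
        progress[name] = {"baseline_high": b, "current_high": a,
                          "reduction_pct": pct, "met": met}
    return progress


if __name__ == "__main__":
    for key in ("asset_type", "population"):
        print(f"--- by {key} ---")
        for name, row in reduction_progress(BASELINE, CURRENT, key, 50).items():
            print(f"{name:12} high {row['baseline_high']} -> {row['current_high']}  "
                  f"reduction {row['reduction_pct']}  goal met: {row['met']}")
```

Grouping by a second attribute is what exposes misallocated effort: in the constructed data the web tier meets a 50% reduction goal while the workstation group has doubled its high findings, a shift that a single enterprise-wide count would hide.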

Sean Dettloff, Senior Manager of Partner and Asset Protection for Starbucks Coffee: Several years ago, my organization assigned a business value to point-of-sale (POS) theft investigations.

We collaborated with Finance to study sales activity pre/post investigations. While a successful investigation led to an admission and recovery, the study illustrated financial performance improvement often far greater than the actual theft admission. This led to the development of a profit improvement metric that represented the business value of future POS investigations, articulated the security department's value proposition, and linked back to operations' profit and loss (P&L).

Another valuable metric is in the making within our physical security program. Alarm reports [enumerate] the frequency of alarms and police responses with the hope of curbing false alarm activity. We add to this data by developing root-cause analysis reporting for all alarms leading to a police dispatch. Further, we connect fines and patrol costs for these same events so as to map the alarm activity to the P&L.

This gives our operations team relevant metrics to manage their business with a clear connection to their bottom line.

Karl Perman, Manager of Corporate Security for a major energy company: Security metrics should be geared to the objectives of the organization.

Metrics can be customized according to the issues that are important to key stakeholders, including senior executives.

Some of the metrics I use are personnel costs for particular projects and vendor cost per project. The total cost of the security function compared to revenue is also reviewed.

Metrics are implemented or revised based on regular meetings with senior management to discuss performance and organizational objectives. Senior management expects the security function to meet financial goals and to be on budget.

Performance is compared to baseline metrics and there are questions when there are deviations from a financial or productivity standpoint.

I believe that, in general, metrics should measure specific issues or objectives that are important to meeting critical deliverables and/or assisting the organization in meeting objectives. Metrics that measure specific issues/items that are important to key stakeholders hopefully will assist the security department in being viewed by senior management as a value added function of the organization.

George Campbell, Emeritus Faculty of the Security Executive Council and former CSO of Fidelity Investments: Our Security Executive Council (SEC) Security Metrics Working Group is focused on exploring a common set of objectives for our metrics. They fall within three targets.

First is to measure change from a desirable to undesirable state of risk or vice versa. This provides information to impact exposure to specific risks, focusing on the core risk management mission of the security organization while acknowledging that information should be pushed to those at the appropriate level to positively impact exposure.

The second objective is to measure successes and failures of past and current security program investments, which underscores the need to embed measures and metrics in security program objectives.

Third is to demonstrate security's value through clear alignment with business strategy and objectives. We enable the business to do what would otherwise be too risky.

One member summarized the goal of a value-based metrics program as "the ability to demonstrate to senior management the current state of security across the business, to define measurable performance targets and to document verifiable improvements to security service delivery."

Next month's question: What threat protection and what value can interoperable physical and logical access control provide that strong but separate physical and logical access control cannot?

For more information about the Security Executive Council, please visit The information in this article is copyrighted by the SEC and reprinted with permission. All rights reserved.