The first objective is to measure movement of risk from a desirable state to an undesirable one, or the reverse. Such measurement gives the organization information it can act on to change its exposure to specific risks, which keeps the focus on the security organization's core risk management mission while recognizing that the information must reach the people at the appropriate level if it is to reduce that exposure.
The second objective is to measure the successes and failures of past and current security program investments, which underscores the need to build measures and metrics into the security program's objectives from the outset.
Third is to demonstrate security's value through clear alignment with business strategy and objectives. We enable the business to do what would otherwise be too risky.
One member summarized the goal of a value-based metrics program as "the ability to demonstrate to senior management the current state of security across the business, to define measurable performance targets and to document verifiable improvements to security service delivery."
Next month's question: What threat protection and what value can interoperable physical and logical access control provide that strong but separate physical and logical access control cannot?
For more information about the Security Executive Council, please visit www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the SEC and reprinted with permission. All rights reserved.