Metrics for success

April 28, 2010
Leading indicators

A leading indicator signals a future event — it measures the current state of the market or the business, as well as the future state, in the form of already planned or projected changes. In our world, leading indicators signal future risk of security-related events. They are measurable factors that change before the risk starts to follow a particular pattern or trend.

Objective: In the November issue of STE, I wrote about the importance of understanding the leading and lagging indicators security managers need to track. Since we are paid to anticipate risk, we should put a high priority on cataloging the leading indicators appropriate to the threat profile of our companies and the effectiveness of our security operations.

Strategy: Senior management and analysts in the businesses we serve are constantly tracking and evaluating a host of economic and programmatic indicators to provide alerts on changes in market conditions that need to be addressed. They are looking for clues from what they know now to strategize more reliably in the future. We can and should engage in the same analysis to drive our metrics program and contribute in meaningful ways to our planning. In the simple figure above, I have identified six examples appropriate to related management objectives.

- Addressing the obvious. You have classified a host of risks as preventable, and (hopefully) you have established a set of approaches to mitigate them. When you see a trend in both frequency and severity of preventable infractions, it indicates a pattern of a) clear intent, b) ignorance of policy or c) failure to communicate. You need to understand where the breakdowns are occurring across this spectrum and reset some switches quickly and competently.
- Managing competency. Speaking of competence, all corporate security programs rely on a host of inter-related competencies: first responders, business contingency planners, information security administrators, investigators and business unit personnel who are custodians of internal controls. Where we fail to assure competence in key positions, we should anticipate something going bump in the night.
- Protecting the supply chain. Virtually every business today relies on a supply chain, a significant portion of which is operated under the umbrella of regulatory standards. Convince me that the failure to impose contractual security requirements appropriate to the risk profile of the product or service is not a potential leading indicator of downstream risk.
- Managing “what if?” The “what if?” is why we have crisis, business continuity and contingency plans associated with our critical business processes. Do we develop detailed plans, pre-position backup resources, and wait to see how well we perform as a crisis unfolds? Untrained planners and responders coupled with untested plans are highly reliable leading indicators of future risk.
- Managing accountability. Increases in unresolved risk assessment or internal audit findings related to security vulnerabilities are about as good a set of leading indicators as you will find. The facts are on the table, the owners of the risky processes are identified, and the schedule for response is set. Or is it? Your ability to deliver a quality risk assessment that drives responsive corrective action is a test of your influence and your competence.
- Managing system reliability. Even the most casual skimming of this magazine underscores the incredible array of technology we may employ in our efforts to secure our sensitive business assets and operations. However, our investment in technology can become a liability when routine maintenance and testing procedures go wanting for lack of priority. How do you affirm the reliability of your protection strategy in the face of untested security measures? What happens to owner and responder confidence when poor maintenance results in a pattern of nuisance alarms?

Look at your metrics for some key leading indicators that you can track and use to influence corporate policy, business awareness and knowledge. You have a unique set of meters and dials that can offer alerts to the business and that speak volumes of the value of the security program.

George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, “Measures and Metrics in Corporate Security,” may be purchased through the SEC Web site. The SEC is a problem-solving research and services organization that involves a wide range of risk mitigation leaders. Its community includes forward-thinking practitioners, agencies, universities, NGOs, innovative solution providers, media companies and industry groups. Backed by a Faculty of more than 100 successful current and former security executives, the Council creates groundbreaking Collective Knowledge™ research, which is used as an essential foundation for its deliverables. For more information about the Council, visit www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the SEC and reprinted with permission. All rights reserved.