This month, ST&D launches several new monthly departments and columns in collaboration with the Security Executive Council. One of these is called Metrics Pipeline, found in this issue on page 64. Each month this new department will describe and explain one metric of value to any security department. Why go through the trouble of applying metrics to your program? George Campbell explores this question in his book, Measures and Metrics in Corporate Security. In this exclusive excerpt, Mr. Campbell describes how metrics improve security's chances for success in various contexts.
What Are Security Metrics?
At a high level, metrics are quantifiable measurements of some aspect of a system or enterprise. For an entity (system, product or other) for which security is a meaningful concept, there are some identifiable attributes that collectively characterize the security of that entity. Further, a security metric (or combination of security metrics) is a quantitative measure of how much of that attribute the entity possesses. A security metric can be built from lower-level physical measures.
Security metrics focus on the actions (and results from those actions) that organizations take to reduce and manage the risks of loss of reputation, theft of information or money, and business discontinuities that arise when security defenses or protocols are breached. They are useful to senior management, decision makers, users, administrators, or other stakeholders who face a difficult and complex set of questions regarding security, such as:
a) How much money/resources should be spent on security?
b) Which system components or other aspects should be targeted first?
c) How can the system be effectively configured?
d) How much improvement is gained by security expenditures, including improvements to security processes?
e) How do we measure the improvements?
f) Are we reducing our exposure?
The Business Context
There are a variety of metric and performance indicators that may be employed to assess security programs in a number of different ways. Before discussing these, it is important to note that it is the quality- and cost-performance-based models that drive many corporations. These models find traction with boardrooms under pressure and senior executives with an appetite for enhancing share price by reducing the cost of doing business.
Reengineering, cost reduction initiatives, efficiency studies and any number of highly organized, data-dependent (and costly!) management reviews should all be familiar to anyone working and awake in a major corporation in the past decade or two. The criteria for the Malcolm Baldrige Award presented by NIST's Baldrige National Quality Program underscore the wisdom of having an organized set of performance metrics embedded within the operations of each security function …
“A major consideration in performance improvement involves the creation and use of performance measures or indicators. Performance measures or indicators are measurable characteristics of products, services, processes, and operations the company uses to track and improve performance. The measures or indicators should be selected to best represent the factors that lead to improved customer, operational, and financial performance. A comprehensive set of measures or indicators tied to customer and/or company performance requirements represents a clear basis for aligning all activities with the company's goals. Through the analysis of data from the tracking processes, the measures or indicators themselves may be evaluated and changed to better support such goals.”