Security Metrics in Context

Excerpted from Measures and Metrics in Corporate Security, by George Campbell, published by the Security Executive Council

While the Baldrige award may be a quest for few, it should be noted that similar criteria are found within a majority of internal audit departments or external auditor organizations that may stand in annual judgment of our operations or, at a minimum, our abilities to contribute to the management of risk within the corporation. In 1992 the Committee of Sponsoring Organizations (COSO) published what is now an accepted model of an internal control framework that emphasizes risk and internal control assessment with formal reporting to the Audit Committee. In a similar timeframe, we find the U.S. Sentencing Commission Guidelines for Corporations influencing risk reporting and corporate crime prevention. These admonitions apparently went unnoticed by multiple corporate executives, boards and internal control infrastructures in the '90s and into the new millennium thereby setting the stage for Sarbanes-Oxley, a reinvigorated edition of Sentencing Guidelines and a new round of risk management standards. A variety of regulatory initiatives also spun off post-9/11 Homeland Security legislation, much of which incorporates elements of metric-oriented analysis and reporting.

We live in times where anticipation of risk is a basic expectation of shareholders and management. The means we select to mitigate risk must be measurable. The advantage of a system of measures embedded within the control infrastructure is in the setting of expectations that eliminates plausible denial and incorporates many of the metrics available to the security of the business or organization.


The Risk Management Context

Consider this: It is only because there are unacceptable risks that the cost of a security program is tolerated. Risk management is the process of identifying and understanding applicable risks and taking informed actions to reduce potential failure, achieve business objectives and decrease business performance uncertainty. There are four categories of risk confronting businesses:

• Strategic Risk - risk that is an inherent part of the business environment and has a significant effect on revenues, earnings, market share and product offerings.

• Organizational Risk - risk that is part of a unit's environment relating to people, politics, and values that can impact organizational effectiveness.

• Financial Risk - market, credit and liquidity risk that creates uncertainty, exposure to loss and the potential that the business will not be able to meet its future obligations.

• Operational Risk - the risk of loss from inadequate system controls, human error or other management failure. These areas have increasingly become a part of Security's realm, encompassing fraud, data integrity, risky operating environments, information security, business continuity, inadequate policies and controls and the rich variety of good old problems with people.

Metrics abound in these arenas because we need to know where to devote scarce resources to their management. Corporations spend millions in measuring, anticipating, preparing and responding to their implications. Where we manage them well we reduce the likelihood of occurrence or minimize the impact of reality.


The Regulatory Context

Security no longer enjoys the cover of executive ignorance and inattention. Look at any number of corporate and natural disasters and see how politicians protect their seats and insurance companies protect their pocketbooks. Why did the majority of our fire laws follow the Coconut Grove fire in 1942; Executive Order 13224, C-TPAT, Hazmat, Maritime Transportation Act, as examples, after 9/11; Sarbanes Oxley after Enron (and others); and privacy and information security regulations after the flood of identity thefts? Regulators and insurance carriers love measures and metrics; for example, “As you can see from the attached schedule, we are 63% in compliance and will complete the balance of our security enhancements within the next 240 days.” Typically security-related regulations require risk assessments that are measurable, security enhancements or indications of the degree of current compliance that are measurable, time and cost to comply that is measurable, and schedules and other indicators of conformance with the letter and spirit of the legislation.


The CSO's Context

It pays to advertise. As CSOs, we may get caught up in the response and forget that we're in the education business. Put more bluntly, we need to empower those who get it and eliminate plausible denial from those who don't. We have to continually drive home the notion of business unit responsibility, meaning security happens when employees exercise knowledgeable oversight. Where correctly focused, measures and metrics are pointedly informative and enable our constituents to see the results of measurably effective and ineffective security measures. In the wake of corporate meltdowns to the ethically deficient, this focus needs to reach to the Board of Directors and across the ranks of senior corporate management.

Security executives must know how to influence the corporate population and business focus. There are five key pillars in a measurably influential security program: