Metrics that Matter for Everyone

The second of a two-part series on how to make security metrics work for your organization

In last month’s issue of Security Technology Executive, we discussed the importance of internal security metrics programs and laid out a six-step plan for creating one (“Building a Metrics Program That Matters,” Feb 2008, p.22). If you have not started working toward a metrics program yet, now is the time.

Budgets are tightening — a metrics program will help you identify and present tangible savings and return on security investment. Layoffs are skyrocketing — a metrics program will enable you to better secure your organization in the face of an increased threat of workplace violence and insider theft. Management is looking for internal partners who are motivated to help the business succeed in a tough market — a metrics program will elevate your stature in the company by showing how you align your programs with the goals of the business. (Check out last month’s article for more specifics on what metrics can accomplish and how.)

While it is clear that stand-alone metrics lead to significant internal benefits, their value grows considerably when they are compared against the metrics of others. Comparing your metrics results with the results of other businesses in your sector and across sectors enables you to rate your security program’s performance, which could help you identify security gaps as well as gain funding and executive-level support. Unfortunately, the security industry has often shown itself unprepared and unwilling to develop a framework to accommodate benchmarking on a significant scale.

How Is Benchmarking Useful?

Comparing your security metrics results with others’ can give you insights beyond those you receive from studying your own metrics without context. Say, for instance, that you have established a metric to show security’s cost as a percentage of the company’s revenue. You have collected all the data and done your calculations; however, as you prepare to present the results to management, you realize that you have no way of proving to your CFO that the numbers you have arrived at are evidence of cost efficiency.

The percentage may look great to you, because you may have talked with peers about their overhead and heard some statistics at seminars that convince you that you are way ahead of the curve. But your CFO is a tough sell these days, and he or she is going to think your cost percentage looks awfully big sitting out there all by itself. Without solid data showing that you eat up a smaller percentage of revenue than your competitors’ security programs, your numbers may be more of a hindrance to you than a help.

Without metrics results from other companies, you have no way of identifying what is missing from your own security measures and programs. Your internal metrics may show that you are meeting your own and your management’s standards in all your existing initiatives, but they cannot tip you off that your standards are lower than the standards of 80 percent of the other companies in your sector.

Reliable benchmarking data also enables you to label your program “good,” “better,” or “best” — or “bad,” “worse,” or “worst” — and you cannot honestly do that with only your internal metrics. If you could prove your program was good, better or best, you may have an easier time securing support and funding for security initiatives, and you would be able to easily show due diligence in case of a breach or lawsuit. If you could prove your program was bad, worse or worst, you would be able to see exactly where you needed improvement, and you would again have an easier time showing senior management the need for funding and support.

Sector-Specific vs. Cross-Sector Benchmarking

Benchmarking with “like” organizations within your sector is an extremely valuable endeavor. Since each sector has unique risks, requirements and controls, benchmarking within your sector enables you to make specific comparisons without having to account for the differences between industries. Yet, with security becoming increasingly sophisticated and branching out in new directions yearly, should sector-specific benchmarking be the highest level of commonality we seek to achieve?