Metrics that Matter for Everyone

The second of a two-part series on how to make security metrics work for your organization


No private industry group has yet announced an effort to take the first step of developing security metrics that can be used across all sectors in the security industry. It is likely that such an effort could only succeed if industry groups worked together and encouraged all their members and constituencies to participate in a joint effort.

A Starting Point

In preparing this article, George Campbell, emeritus faculty member of the Security Executive Council, drafted a set of metrics he believes could be used to measure security in any business. He expected the task to be a difficult one, but, he says, “I was struck by how many common denominators there were. I was amazed to find a prevalence — not an absence — of commonalities.”

The metrics Campbell chose focus on two areas that security has to address in any type of organization: how security interacts with the business (meeting goals, contributing value) and how security deals with risk.

In the coming months, the Security Executive Council will focus on all the relevant areas of security where metrics can provide significant insight, sway management, or demonstrate value to the organization. Do you have ideas on metrics that would be useful to security in all companies? If so, we would like to consider them for inclusion in our list. Send your thoughts to mblades@secleader.com.

George Campbell is emeritus faculty of the Security Executive Council, former CSO of Fidelity Investments, and the preeminent expert in the field of security-related metrics. See page 20 for the rest of his bio.

Marleah Blades is senior editor for the Security Executive Council (SEC). Prior to joining the SEC she served for six years as managing editor of Security Technology & Design magazine.

The Security Executive Council is a member organization for senior security and risk executives from corporations and government agencies responsible for corporate and/or IT security programs. In partnership with its research arm, the Security Leadership Research Institute, the Council is dedicated to developing tools that help lower the cost of members’ programs, making program development more efficient and establishing security as a recognized value center. For more information and inquiries on membership requirements, visit www.securityexecutivecouncil.com/?sourceCode=std.