The deeper I dig to find the reasons for the lack of workable, meaningful metrics within security organizations, the more I find myself tripping over both institutional and security-imposed roadblocks. Let’s remember that I am talking about security organizations within companies that live and die on performance indicators. What’s up with this?
It is not about the metrics — it is about the quality of the connection to the customer.
The most common complaint I have heard from line security managers about metrics initiatives is that this is simply busy make-work by management that detracts from the really important stuff. “Don’t get all worked up,” they say. “This is just the project of the moment.”
The hard-liners often see a metrics push from on high as a public relations campaign that will either bring too much exposure to the results of our work or be taken as bragging — a phony celebration of security performance, “both of which can get us in trouble.”
To these short-sighted colleagues, I would like to ask a couple of questions: “Do you think it is possible that somebody up there really does not know what this department is doing to earn its keep and, if so, whose problem do you think that is? If all your competitors for the precious few cost-center dollars are offering up some measurable, celebratory results, where do you think the targets for reallocation will be hanging?”
These past several years have been hard for many U.S. businesses, but they have been great for those who wield the scalpels. Many security departments have been gutted — a task often simplified by a virtual absence of any advertised measures of value contribution and indicators of mission accomplishment. It is very easy for service organizations like ours to be seen simply as unnecessary consumers of assets rather than partnered contributors to the bottom line.
We must acknowledge that all business activities have a variety of scorecards visibly and inextricably attached to their desire for financial support. Rather than moan and question the common sense of the need for a few key performance indicators, security managers should be working with their teams to build a body of activity and risk management metrics that support the value proposition of each program.
Security program scorecards possess the meters and dials that guide management and performance measurement. Where business managers are clueless about security programs, they will invariably see them as inhibitors to business process rather than enablers of secure and profitable business operations. Their lack of awareness means you have failed to educate them through the advertisement and delivery of performance metrics in business terms.
Highly effective businesses are measurably connected to their customers. They understand who their customers are and what those customers need, and they tailor the product or service to these constituents. Security’s self-inflicted wounds are too often compounded by a lack of real connection with business unit operations. When we are effectively joined with their needs, we are in a better position to educate and enable them to make more informed decisions about accepting or remediating security risks.
A performance-based partnership uses our metrics to assess and establish required business key risk indicators (KRI) and key performance indicators (KPI). Business-savvy security metrics provide the opportunity to demonstrate to senior management the current state of security within targeted business operations, establish mutual performance targets, and show improvements to our service delivery. The resulting script more clearly articulates the security risk to the business at a higher level.