Metrics for Success

Oct. 27, 2008
Demonstrate security’s alignment with business objectives

The objective: To identify multiple products, services and positive results that the security organization brings to help meet the enterprise’s business goals.

Results Sought:
Increased understanding and appreciation by senior management and other key stakeholders of security’s value and contribution to the bottom line.

Risk Management Strategy & Where Is the Data?
How effectively are we aligned with the businesses we serve? Several months ago, The Conference Board published a survey of hundreds of business executives that revealed a perceived lack of value of the security functions within their organizations. Security leaders must use multiple data sources and metrics to identify security’s positive impact on the business and its bottom line and present that information to management.
Here are some examples you may be able to identify in your own organization:

• Penetration testing yields data on the effectiveness of safeguards and supports claims of reduced opportunity for attack.
• Pre-contract examination of the risk potential of third-party vendor relationships identifies vulnerabilities to enable favorable contract terms and post-contract inspections, thereby reducing risk and consequence of loss.
• Examination of incident trends and incident postmortems produces metrics that either affirm the effectiveness of internal controls or justify the redirection of resources, yielding improved risk management practices.
• When metrics are employed to measure and improve the effectiveness of safeguards, results may clearly support security’s contribution to customer and shareholder protection. An obvious example is in the resilience of protection measures around confidential customer information.
• Focused metrics also generate evidence of cost reduction through reduced consequences of risk and reduction in insurance premiums where effective safeguards are demonstrated.
• Metrics associated with fast recovery from business interruption incidents consistently show the advantages of a resilient business continuity program. Similarly, a more security-aware employee population enables faster notification and improved engagement in protection.
• Virtually all of the post-9/11 security-related regulations impose metrics to provide verifiable measures of compliance and thereby minimize the imposition of fines or other impact to shareholder value.
• Focused metrics enable tracking of incident costs and post-implementation value comparisons of new security measures.
• Advertised and demonstrably effective security measures not only enable customer satisfaction but may also be a draw for new customers and sales. Being “the secure choice” is a plus to the bottom line.
• Deployment of proven security technology consistently demonstrates the potential for reduced cost of security operations. The return on investment for an access control system that eliminates “x” manned security posts is a frequent example.

If you have the opportunity to present to management on the value of security, be sure to carefully identify only the results or functions that reliably offer support to your program. The key is to determine which metrics will best demonstrate your clear connection to the objectives of the enterprise you serve. This is the way to demonstrate security’s value.

George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, “Measures and Metrics in Corporate Security,” may be purchased through the SEC Web site, www.securityexecutivecouncil.com/?sourceCode=std. This article is copyrighted by the SEC and reprinted with permission. All rights reserved.