Those of us who read this magazine regularly know about security metrics. We have read about their value and seen monthly examples of useful metrics and what to do with them. But, ladies and gentlemen, we are still missing the proverbial boat. Some of us are running alongside as it pulls from the dock, waving our arms and begging it to slow down so we can figure out where the ramp is. Others are across the street at the ticket booth wondering why there are so many people in line.
In a 2007 Security Executive Council survey, nearly 70 percent of respondents stated that they do not collect security program metrics for the purposes of presenting to senior management. There is little evidence to show that the statistic has changed much since then. Sadly, the metrics boat we are missing is not just a vehicle that might take us to a cozier career life. It’s where we are supposed to be, it’s where our job asks us to be, and it’s where our senior management should want us to be — whether they can verbalize it or not.
The survey referenced above asked respondents why they did not collect metrics, and three themes emerged among their answers:
1. Management has not shown interest or requested such information.
2. My program does not have the funding or budget to do that.
3. I would not know where to start.
This article will eliminate the third obstacle by laying out the basic steps for creating a security metrics program. But before we go there, let’s quickly address obstacles 1 and 2.
Problem: Management has not requested security metrics.
Solution: Surprise them.
In one way, you are lucky. You are flying so far below the radar that they do not even know you are there. Consider this: Does your management want to be able to clearly see whether you are conforming with corporate values and policies? Would they like to have a visual representation of the state of the company’s risk — desirable or undesirable? Would they like to have measurements and data at hand that show whether the company is in compliance with applicable laws and regulations? Do they want to know whether past and current security investments have resulted in decreased risk or fewer incidents, so they can more easily determine the direction of future investment?
You can provide all this with security metrics. If management is not asking for them, the best-case scenario is that they do not realize that metrics are the way to get these results.
The worst-case scenario is that either they do not consider Security an important part of the business, or they do not know what Security does. They are asking for metrics from nearly every other business unit. If they are not asking you, it might be because they are not thinking about you at all. If that is the case, you have big problems.
But when it all comes down, it does not matter why management is not asking us for metrics. We should be providing them. As the security experts, it is our job to manage risk and to inform management on our status. We should be taking metrics to them — we should not have to wait to be asked.
Problem: We do not have the money to create a security metrics program.
Solution: What money?
Measuring your various programs is not something extra to do. It is a key element of management and an expectation of your position. Metrics are the outputs of the measuring process. The tools and data you need to create security metrics already exist. If you conduct after-action reviews, if you speak to your peers about trends and best practices, if you assess your risk on a regular basis, if you track project status or log incidents, you already have the necessary data. If you have access to a computer with PowerPoint, you already have the necessary tools and technology. Do you need to do some analysis to turn this data into metrics? Of course. You might not have the budget to dedicate a staff member to metrics creation, but who better to develop the necessary metrics than you? You know the program, the business, the risk, the needs, and you have the authority to collect and access all the information you need.
And again, if we as security professionals are not doing what we can to ensure that management is informed of business risk and how we are addressing it, we are not meeting the obligations of our position. If building metrics means we have to put in more time, then as difficult as it may be, every security manager at every level should put in that time.
With those objections behind us, let’s consider five steps in building a responsive security metrics program.