Step 1: Identify the business drivers and objectives for the security metrics program.
A security metrics program is as important for the business as for Security. As discussed, security metrics can provide all kinds of results that senior management would appreciate, such as evidence of regulatory compliance and assessment of security program investments. Before you set out building your program, consider your business’ goals, needs, values and policies. Think about the specific results metrics could provide and how they match your company’s objectives. Focus on creating a metrics program that responds to the primary concerns of your business.
Then, lay out the objectives of your metrics program. Do you wish to use metrics to make a positive impact on company policy and culture? To impact risk exposure? To demonstrate Security’s alignment with business goals? To demonstrate cost effectiveness and the value of Security? Be clear on your priorities and objectives as you begin to develop your program, and record them in writing as a resource for the future.
Do not take this step lightly. Create a formal process for identifying what management wants and needs, and communicate to them Security’s role in their vision. There is a clear correlation between how well you identify these needs and how successful your program will be.
Step 2: Determine who your metrics are intended to inform and influence.
Chances are, as you begin to create security metrics, you will find that different metrics address different business units and different levels of the management hierarchy. For example, a metric that demonstrates a business unit’s inaction to correct a known, reported vulnerability could be presented to the business unit manager (to encourage them to correct the issue) or to an internal audit committee (to preemptively show that Security reported the problem for correction). Each of these audiences has a unique agenda and set of needs, and the presentation of the metric should be tailored to speak to the needs of the given audience. It might be helpful to create a list of all potential audiences and their primary business goals, which you can use as both a reminder and a reference as you create individual metrics.
Regardless, metrics should be presented as enabling tools rather than criticisms whenever possible. They will more likely result in positive action if the audience feels he or she is being given an opportunity rather than a tongue-lashing.
Step 3: Identify the types and locations of data essential for actionable security metrics.
Actionable metrics require analysis, draw conclusions and tell a story. The results they demonstrate provide direction for decisions, affirm actions taken, or provide clarity for next steps. Non-actionable metrics simply count things and have little value for influencing or finding causes of risk.
Take a look at the business drivers and objectives you outlined in step one, and then consider the types of data you might need in order to create meaningful metrics that help meet those objectives. Have your programs resulted in an improved state of risk management? How, by how much and why? What was learned that should modify business process and thereby eliminate future risk? You have a staggering amount of data in the files associated with your service portfolio. You have invested financial, personnel and technology resources into understanding, preventing and responding to the risks on your watch. What have these investments accomplished?
Step 4: Establish relevant metrics.
Relevant metrics clearly link to something you want to accomplish that has a direct benefit to the business. We can approach this step in a couple of ways:
1. Establishing metrics that demonstrate our role in enterprise risk management; and
2. Establishing metrics that demonstrate our alignment with business strategy and objectives.
4A) Risk-related metrics. Risk-related metrics enable you to determine and to demonstrate to management how Security programs and services are impacting the risk to the business. To develop these:
1. Prioritize the risks confronting your enterprise. Which are most important to the business, and which have the greatest potential negative impact?
2. Determine which risks Security has full or partial responsibility for managing (remember that these may be assigned to any business unit).
3. Inventory the products and services you have in place to address these risks.
4. Identify the results management wants to see from its investment in these products or services; how these products and services are impacting risk management (positively or negatively); and whether they are doing the job reliably and cost-effectively.
These four steps will help you narrow your focus to develop metrics that matter to the business and that can demonstrate meaningful results you can use. In step 4, you will be pulling from the data you just identified to make your metrics.
The graphic on this page offers one example of how a risk that is identified as high priority can be combined with data to create an effective metric.
4B) Metrics that show Security’s business alignment and value. Can you envision a metric that demonstrates the results of the steps are you taking to reduce or manage program costs while maintaining or improving the state of security in your company? For example, do we not have a value story to tell if we have significantly reduced hours of costly guard post coverage by installing technology? If our safeguards measurably remove a vulnerability that could impact brand reputation and compromise customer confidence in our products or services, do we not provide a value to our shareholders while contributing to customer satisfaction? When our benchmarking demonstrates that a service we provide is delivered at lower cost than that of our competition, isn’t this a value metric understood by top management?
As you establish your metrics, focus on developing ones that could serve the dual purposes of assessing risk and demonstrating value. Highlight metrics that show such benefits as increased protection and decreased cost, enhanced customer satisfaction or confidence due to security measures, increased recovery of losses, reduced risk to revenue-generating activities, reduced insurance costs, reduced risk of attack, and reduced notable audit findings attributable to security defects.