Building a Metrics Program that Matters

The first of a two-part series from the Security Executive Council

Step 5: Establish internal controls to ensure integrity of data and data assessments, and to protect confidentiality.
Without data integrity, your metrics will be useless. In this case, data integrity means more than basic information security: it also encompasses ensuring that data is reliable, accurate and appropriately managed. Several levels of internal control are necessary.
• Ensure accountability. Someone must be responsible and accountable for data integrity.
• Ensure integrity. Make sure the content of reports, logs, incident and investigation reports and other sources is accurate and verifiable. These sources must be competently prepared and reviewed.
• Manage data appropriately. Ideally, data should be stored in a way that enables searching, analysis and enterprise-wide data entry from approved sources.
• Keep it relevant. Maintain a process of data analysis and assessment that enables you to reach timely conclusions that matter to the core needs of the business.
• Ensure data security. Store data and metrics securely, in a manner appropriate to their sensitivity, and maintain a process for labeling and handling metrics.

If You Are Not Measuring, You Are Not Managing
Security metrics are not rocket science. Our IT security colleagues already do this, and so can we: business performance measures and metrics can guide our resource allocation plans and enable reliable assessment of their impact. When we apply intelligence and discipline to the analysis and reporting of those metrics, we positively influence enterprise protection and contribute directly to corporate health and profitability.

It is important for us as individual business leaders to develop metrics programs in our organizations, not just because it is good for business and security, but because outside forces may be stepping in to strongly recommend that we do. Next month we will take a look at public- and private-sector security metrics initiatives and what they may mean for you.

George Campbell is emeritus faculty of the Security Executive Council, former CSO of Fidelity Investments, and the preeminent expert in the field of security-related metrics. His book, Measures and Metrics in Corporate Security, includes 375 metrics examples in thirteen categories that Mr. Campbell has compiled from his 30 years of experience.

Marleah Blades is senior editor for the Security Executive Council (SEC). Prior to joining the SEC she served for six years as managing editor of Security Technology & Design magazine.

The Security Executive Council is a member organization for senior security and risk executives from corporations and government agencies responsible for corporate and/or IT security programs. In partnership with its research arm, the Security Leadership Research Institute, the Council is dedicated to developing tools that help lower the cost of members’ programs, making program development more efficient and establishing security as a recognized value center. For more information and inquiries on membership requirements, visit Measures and Metrics in Corporate Security may be purchased through the Security Executive Council Web site.