Sage Conversations: Measuring the performance of security

Establishing benchmarks and setting goals are imperative for an organization’s security operations


In a previous column I made an audacious comment. It was tantamount to saying: "Thar is gold in them thar hills!" I suggested that 5 to 20 percent of security's yearly operations budget could be recovered by optimizing its people, processes and tools, thereby permitting a reinvestment in security program innovation that drives value to the organization.

From discussions with key risk and security consultants, I provided five key areas that I thought might lead to these savings:

1. A review of your security technology architecture. Under-performing and/or under-leveraged applications create a ripple effect of cost throughout your organization. Redundancies in your hardware such as servers and storage are hidden by internal department politics and practices.

2. Identity management is costing your company. Once again, redundancies in computing and resources are supported by silos: departmental policies and procedures anchor the approach. Vendors are unable to agree on standards, which adds to the problem.

3. The performance measurement dilemma. If you cannot measure, you cannot manage. If you cannot measure and manage, it is difficult to improve. W. Edwards Deming, one of the thought leaders in creating Total Quality Management (TQM) programs, emphasized this, and it is still an oft-quoted truism today. Security's technology architecture, its alignment with the core processes that deliver an outcome critical to the organization it supports, and the alignment of its resources, internal and external, around these tools and processes all depend on information. The means by which this information is collected, stored, categorized and communicated will determine its efficacy and its leverage in reducing costs and driving value.

4. The baseline metric. This is tied to #3 and emphasizes the need to collect this 'baseline' metric at the beginning, so that improvement programs or new technology acquisitions can be measured against it.

5. Technology acquisition process. This brings the four previous steps full circle. The means by which services and technology solutions are acquired, maintained and measured is costing security executives time and money. The well-intentioned discipline of the purchasing process, and/or the lack of discipline in benchmarking solutions against well-informed use cases, is in many cases resulting in the acquisition and deployment of under-performing systems. The lack of measurement systems that tie the outcomes promised to the delivery and performance of the purchases also leads to assumptions that can hurt the long-term value of the security operation.

Where to start? This is a challenging question. Let’s start with the end in mind by re-framing the strategic goal for security executives in business process optimization terms. Please consider the following:

Security desires a comprehensive and adaptable process for creating, sustaining and persistently improving its organization's (the customer's) purpose and goals through risk and security management. To do this requires a deep understanding of security's customer: the organization. It also requires a disciplined process of gathering critical information, analyzing that information, and diligently managing, improving and reinventing the way it serves the organization.

This paragraph could be extracted from any TQM textbook and applied to any department in an organization. To many risk consultants, Organizational Resilience Management (ORM) includes TQM. (See ASIS SPC.1-2009, approved by the American National Standards Institute, Inc.)

If this is done well, the benefits achieved could provide security and their organization (the customer) with cost reductions, productivity improvements, customer protection and retention, cycle time reduction, cultural change and alignment, and new value added services.

The highway to getting there has many on-ramps. Your situation may be different from that of your peers in other industries. But here are five on-ramps, extracted from discussions I have had recently with risk and security consultants, that you might consider in jump-starting your efforts:
