Sage Conversations: Measuring the performance of security

In a previous column I made an audacious comment. It was tantamount to saying: "Thar is gold in them thar hills!" I suggested that 5 to 20 percent of a security organization's yearly operations budget could be recovered by optimizing its people, processes and tools, thereby permitting a reinvestment in security program innovation that drives value for the organization.

Drawing on discussions with key risk and security consultants, I provided five key areas that I thought might lead to these savings:

1. A review of your security technology architecture. Under-performing and/or under-leveraged applications create a ripple effect of cost throughout your organization. Redundancies in your hardware, such as servers and storage, are hidden by internal departmental politics and practices.

2. Identity management is costing your company. Once again, redundancies in computing and resources are sustained by silos: departmental policies and procedures anchor the approach. Vendors are unable to agree on standards, which adds to the problem.

3. The performance measurement dilemma. If you cannot measure, you cannot manage. If you cannot measure and manage, it is difficult to improve. This maxim is commonly attributed to W. Edwards Deming, one of the thought leaders behind Total Quality Management (TQM), and it is still an oft-quoted truism today. Security's technology architecture, its alignment with the core processes that deliver an outcome critical to the organization it supports, and the alignment of its internal and external resources around those tools and processes all depend on information. The means by which this information is collected, stored, categorized and communicated will determine its efficacy and its leverage in reducing costs and driving value.

4. The baseline metric. This is tied to #3 and emphasizes the need to collect a 'baseline' metric at the outset so that improvement programs or new technology acquisitions can be measured against it.

5. Technology acquisition process. This brings the four previous steps full circle. The means by which services and technology solutions are acquired, maintained and measured is costing security executives time and money. The well-intentioned discipline of the purchasing process, and/or the lack of discipline in benchmarking solutions against well-informed use cases, results in many cases in the acquisition and deployment of under-performing systems. The lack of measurement systems that tie the outcomes promised to the delivery and performance of the purchases also leads to assumptions that can hurt the long-term value of the security operation.

Where to start? This is a challenging question. Let's start with the end in mind by re-framing the strategic goal for security executives in business process optimization terms. Consider the following:

Security needs a comprehensive and adaptable process for creating, sustaining and continually improving its support of the organization's (the customer's) purpose and goals through risk and security management. Doing this requires a deep understanding of security's customer: the organization. It also requires a disciplined process of gathering critical information, analyzing that information, and diligently managing, improving and reinventing the way security serves the organization.

This paragraph could be lifted from any TQM textbook and applied to any department in an organization. To many risk consultants, Organizational Resilience Management (ORM) includes TQM. (See ASIS SPC.1-2009, approved by the American National Standards Institute, Inc.)

If this is done well, the benefits could provide security and its organization (the customer) with cost reductions, productivity improvements, customer protection and retention, cycle time reduction, cultural change and alignment, and new value-added services.

The highway to getting there has many on-ramps. Your situation may differ from that of your peers in other industries. But here are five on-ramps, extracted from discussions I have had recently with risk and security consultants, that you might consider in jump-starting your efforts:

1. Get educated on ORM/TQM and on business process and performance models that can be adapted to security. These processes and models contain proven and widely recognized techniques and tools that support a security program's key performance objectives. This can be done through peer review with other executives who have successfully implemented such models, or through an experienced ORM/TQM consultant who can review the key pillars of a quality program with you and make those concepts relevant to your organization's leaders. Be sure to include success criteria and implementation strategies. There is also a certification for ORM through ASIS (a recognized standards body) that will help you assess a consultant's capabilities for auditing or implementation.

2. Hire a firm to survey the organization's leadership to understand how they operate. What are their value drivers? What do they currently think about security, and what are they expecting? In short, what is the company's temperament regarding security leadership and programs? Do this so that risk and security can build a bridge to the organization's leadership and mission that is in tune with the corporation's environment and culture.

3. Hire a consultant and/or integrator who has benchmarked (tested) and implemented security technology and can help you create a baseline and a performance measurement plan for your systems and programs.

4. Develop a strategic roadmap with the end in mind. Tie security technology evolution and program development to the company's business cycle and business plans. Creating a security/risk master plan that demonstrates value through the metrics and measurements it produces should be considered a first step.

5. Understand and align with the IT technology roadmap and architecture.

These are all good starting points that will help you jump-start your efforts toward the goals and new outcomes you desire for security.