In recent columns, I proposed some “must have” metrics — both key risk indicators and value indicators. Let’s say you develop these metrics in your organization. You have the data and the results, now how will you use them to influence your business?
Think about the results you are seeking, how the measures and data you are communicating are achieving some improved state of security or safety. Remember that one of the key requirements of an effective security metric is that it is actionable. It shouldn’t just count things; it needs to inform and create a storyline that leaves the audience with the need to address what you consider risky conditions or root causes. Let’s look at a sample metric and ask a few questions about how you would use it to influence.
In the example above, a new security director has determined that relationships between Corporate Security and several business units are either non-existent or seriously deficient. One obvious consequence is some fairly significant non-reporting of incidents in the Sales & Marketing Division. A referral from the Purchasing Department indicated a consistently high run rate for laptop purchases within this division over the past 10 quarters, so an inquiry was initiated.
Nine laptops have been reported stolen from sales office spaces across the company since the beginning of 2010, and 10 were reported stolen from employee vehicles or on travel in the same period. However, when investigators tallied purchased laptops against those stolen, they found significant variances:
14 laptops were somehow lost after assignment to the division but apparently replaced; 18, not 10 as reported, were lost in transit; and seven were stolen from employee residences.
Applying available benchmark figures for the value of the data known to be on these machines, the cost of investigation and the cost of replacement, this division alone accounts for a $900,000 loss to the company. Clearly, there is more than non-reporting going on here.
If you are this security director, you have a pretty good picture of a set of notable risks that likely go beyond this specific case. Is this an opportunity to influence on a broader scale, or are you just an investigator closing out an investigation? How can you use this snapshot to influence behavior?
Think about the following questions:
• What conclusions would you draw from these findings?
• How would you relate these findings to the division SVP?
• Who are the supervisors who own these yahoos who are asking for new laptops? What questions are being asked about the negligence that led to their loss?
• How would you propose to influence the SVP’s decision on addressing the implications of these findings?
• What sanctions should be applied to those who failed to report?
• If the SVP doesn’t see the problem (“I think most of these were encrypted…”) and thinks this is just part of the cost of doing business, how are you going to escalate to his manager?
Perhaps there are deeper opportunities to influence policy and behavior here as well, such as the state of IT policy on laptop security and accountability, and the checks and balances applied to purchasing requests.
How could you use this example to influence the enterprise risk management agenda? Metrics provide both the vehicle to identify problems and the tools to address them through business influence.
George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased through the SEC website. The SEC (www.securityexecutivecouncil.com) is a problem-solving research and services organization focused on helping businesses effectively manage and mitigate risk, and helping security leaders initiate, enhance or innovate security programs, build their leadership skills, and bring quantifiable value to their organizations. For more information, email firstname.lastname@example.org. This article is copyrighted by the SEC and reprinted with permission. All rights reserved.