It is easy to cover yourself in statistics when attempting to assess your department’s worth. It is not unusual to see a security director or CSO marching into the C-Suite with enough excel spreadsheets to fill an Iron Mountain shredder truck.
If that is S.O.P. at your quarterly management meetings, then it is more likely than not that the wrong message is being sent to your higher-ups. There is no doubt that management bases its critical decisions around the bundled data you provide in folders filled with trend lines, graphs and assumptions. But like unfiltered video streaming onto a server from a surveillance camera, it is crucial you have someone in your security department providing the analytical thinking to accompany the data.
Never has the practice of metrics been as important to the role of security in an organization as it is today. The evolution of enterprise risk management policy and procedure dictates that you and your boss understand the data that can help your organization identify risk, and thereby aid in mitigating it.
“It’s not about the spreadsheets, the numbers or the flow charts — it’s all about the analysis of that data and how you then implement the strategic thinking that goes into mitigating your risk,” said George Campbell, regular STE columnist and one of the industry’s most vocal champions of security and risk metrics, at the recent ASG Security Summit & Expo in Seattle.
“Measuring is what successful management really is,” he continued. “And at the end of the day, it is communication that is the core competency of every good manager. A large part of being a good communicator is how you manage data and how you present the results to your superiors to tell a compelling and honest story.”
Perhaps the most shocking aspect of this new age of security and risk accountability are the voids in the corporate landscape related to accurately assessing vulnerability. I’ve been shocked following discussions with veteran security gurus like Campbell and others who tell me horror stories of Fortune 500 companies that have no incident management protocols or assessment programs at all. “It is a characteristic of far too many of our major organizations,” Campbell said.
Three years ago, Boeing Corp. vice president and CSO Dave Komendat wasn’t completely satisfied with the impression his security department was making within the company. He thought they could be telling a better story. “We were doing all the right things and doing them well when it came to security [within Boeing],” he said. “But we felt we weren’t able to really paint the true picture and tell an effective story about security’s positive role here.”
Komendat admitted that it was partly his fault that upper management at Boeing didn’t realize what his department did to protect the bottom line assets and integrity of the company. He figured that it would benefit both his department and board to go on the offensive.
“I don’t care if your security budget is $500 or $250,000, you must always be able to tell a relevant story and leave the C-Suite realizing you run your department as a business,” he said. “But you should also reinforce the fact that you understand how your department is aligned to your company’s bottom-line objectives. You should always have those four, five or six things in your back pocket that can demonstrate an impact on the business. Show management you are a business enabler and you will be viewed as an influencer.”
Komendat summed up the metrics proposition very simply when he said that it doesn’t matter how good your people or your processes are if your department has zero visibility. “Being invisible is a recipe for disaster. Your board better know where your budget money is going.”