Metrics For Success: Measuring Security’s Financial Performance

Every senior executive collecting a paycheck has a financial scorecard that shines a quarterly positive or negative light on their performance. When I reported to our company’s CFO for a period, we had interesting discussions on what performance measures made sense for our corporate security functions. At the end of the day, we settled on anchoring to our risk management mission but periodically tried out others more clearly tied to his numerological comfort zone. I’d urge the reader to have a similar discussion with their CFO as it will send a message that you are thinking about the metrics that matter to the business.

What follows are some basic criteria with which you can assess your security department’s cost-effectiveness. This can serve as a starting point for discussions with your organization’s C-level executives in evaluating the impact of security’s footprint.

Security cost as a percent of revenue -- This is a basic measure that works across all revenue-generating as well as more cost-centered functions.

Security cost per square foot of space under protection -- This is often popular with facility cost-sensitive operations. I’ve added the qualifier of “space under protection” to eliminate the inclusion of space outside of security’s coverage. Something like this is a basic, accepted metric for benchmarking and trending, and is a good measure of peer comparability where comparable data is available. Both this measure and security cost as a percent of revenue also work well for impact analysis related to proposed security enhancements.

Ratio of security officers (first responders) to employees served -- This is a measure of efficiency, since employees are a key focus of protection programs. Fewer officers delivering services to a larger population than in a comparable peer group is a measure of cost efficiency.

Hours of security personnel directly assignable to security incident management as a percent of total hours available -- You track incidents (hopefully) and may track time by various categories of labor. This metric enables assessment of the extent to which direct risk management activities compare to what may be less productive time from a mission perspective.

Cost of protection as a percent of property value or maximum foreseeable loss -- Your corporate risk management program will have this data for insurance purposes. Again, this is a useful metric for trending, and it provides an interesting perspective on comparative security costs for your facilities’ inventory. Outliers on cost, where the criticality of business operations is taken into account, are targets for examination.

Cost per day for security-related tasks -- Think about it. I can pretty much guarantee that you don’t know the total cost of security for your company. IT security processes alone consume lots of little bites of time, and a risk-responsive security program in today’s pervasive risk and regulatory environment racks up a lot more. Try a sample of logging time just within your own team. While you may not want to know and it’s costly to determine accurately, this metric can drive significant debate on the options for a more cost-efficient risk management agenda, such as savings attributable to reduced cycle times that eliminate business process delay.

Cost assignment to preventable security incidents -- A significant number of security events are clearly avoidable and preventable, and by sampling incident reports or engaging in after-action reviews, we gain actionable data on such events. While developing a reliable cost estimate may appear daunting, this metric has significant impact with management and enables security management to use lessons learned to modify behavior and reinforce critical policy and procedure. This analysis can also provide a valuable view of incident [type] cost as a percent of (a) revenue, (b) occupancy or (c) cost of operation.

Annual cost of loss to various categories of incidents compared to annual cost of protection measures -- If (maybe a big if) you have a handle on your incident, investigation and operational costs, you have focused your prevention tactics where the highest likelihood of loss is known. If you aren’t routinely reporting your key risk and performance indicators to management, good luck muttering your way through the CFO’s question on this one.


George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments.