George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased at www.securityexecutivecouncil.com. The SEC draws on the knowledge of security practitioners, experts and strategic partners to help other security leaders initiate, enhance or innovate security programs and build leadership skills.
I’ve covered this topic in the past but dashboards are a compulsory part of the CSO’s management toolkit so repetition likely is worthwhile. If you go on line and search for dashboards or even security dashboards, you will find several examples and off-the shelf sources. But you can easily build your own with your standard desktop applications. First and foremost, verify accuracy of content and conclusions. Then target your audience with actionable information while providing yourself with a script that takes advantage of the opportunity for focused engagement with management. What action(s) are you seeking, by whom and how prepared are you to assist in that engagement?
If you look at the dashboard here, what is displayed on the left is a combination of six simple boxes to highlight six areas of performance reporting with enough words to summarize status. On the right, the presentation takes a deeper dive into supply chain security compliance and then closes with a highlight result on customer satisfaction.
In this example, there are four pieces of data that relate to the Security Department’s management updates. The budget burn rate and customer satisfaction is good news as is our internal service level agreement (SLA) with HR on the background investigation program’s sustaining its cycle time commitment. We are advising that our monitoring of our guard force vendor’s SLA is generating concern as of Q2. The relationship of the issues here appears to go to the availability of acceptable personnel so this may also be a leading indicator of downstream service quality issues. This represents the single biggest cost in the department’s budget.
For this quarter, the CSO has also opted to provide several alerts for management’s attention and engagement. The fact that Security is doing compliance reviews on information protection indicates that they have taken some ownership of this aspect of IT security. It’s often very revealing to see the amount of IT resources that go to the technical side of information security while leaving the glaring defects in hard copy integrity to the whim of business unit owners. These compliance reviews are a very valid sharp stick in the eye and the resolution plans in place indicate that Security’s influence is in place and effective.
On the insider risk front, the CSO is continuing to monitor the critical business conduct barometer as an output of their investigation findings. He will note in his presentation that this 20 percent increase in policy non-compliance is just from investigations that have been referred from the business units. What do they indicate about patterns of behavior that have not yet rose to this level of intervention?
Another alert and leading indicator of risk is the lack of required contingency plan maintenance and testing going on within business units. Global businesses are confronted with an increasing array of consequential risks to critical process continuity. The lack of preparation significantly contributes to protracted recovery and increased financial and reputational impact. An example of this expanded scope of dependency risk is seen in the more detailed display of security compliance defects in several of the company’s leading supply chain partners.
This is just one simple example of how you might assemble relevant data for a periodic dashboard scheme. The various choices selected for this presentation summarize actions being taken by the CSO to lead and engage on several key elements of Security’s enterprise risk management agenda.
George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased at www.securityexecutivecouncil.com.