The Security Executive Council (SEC) recently completed an online survey which queried respondents on how they used metrics (the survey also reviewed workplace violence). While the full research is not public (SEC members have access, as well as those who participated in the survey), the Council did note that they found that only 31 percent of the respondents "gather security program data in order to create statistical reports to present to senior management." Conversely, the council notes that all of its members report that they use such data in their reports.
Faced with such an alarming statistic (and the disparity between SEC members and the general security public), SecurityInfoWatch.com caught up with Security Executive Council's Bob Hayes and Kathleen Kotwica to shed some light on what it means to report security metrics.
SecurityInfoWatch: Should this 31 percent statistic be a wake-up call to security managers to start collecting data?
SEC: Yes, it should be more than a wake-up call that 67 percent said they don't collect information -- it should be an alarm. When you look beyond the statistics to see what people reported as the reasons for not collecting data, you see that a large percentage didn't collect data because management hadn't asked for it. That should be an alarm to security managers, because it may mean management isn't even aware that security has metrics that may impact the business, or it may mean that security is being left out of the mainstream of the organization. Respondent comments also indicated that some security managers don't know what metrics are or how they should gather or report metrics, and that will require some training and education. And some of the responses seemed to show that other security managers feel that collecting metrics is more work than they want to do, and that is definitely a wake-up call. If your management has an interest or develops an interest in this area, you'd better be ready to respond.
SecurityInfoWatch: Additionally, should businesses without a dedicated security department (or those that might simply hire out "security" to a guard services company) be collecting this data?
SEC: Absolutely. It's actually even more important if you're contracting, because you're placing really high risk in other people's hands. You have to evaluate how well they're doing and how effectively -- you have to have a way to quantify it.
If there's no dedicated security department because the company is small, keep in mind that it's the small companies which can't afford incidents. Large incidents are often the cause of companies going out of business, whether it's a large fire or a natural event or a business continuity problem. Small companies should be able to glean from the metrics the value or the risk to the corporation -- how much risk they have and how much they're accepting. Small businesses especially should be doing this.
Outsourcing is an issue for large corporations as well, and metrics are also necessary there. One SEC member for a very large corporation outsources his security 100 percent and he uses metrics extensively, because he has to know how security is doing, whether it's in house or not.
SecurityInfoWatch: Are there legal/liability issues that arise if a company collects (or doesn't collect/report) security data?
SEC: A lot of security regulations require some form of measurement showing how the regulation is being implemented and how effective it is, and that's an issue if they don't collect data.
From a liability standpoint, security data doesn't really change the equation if there's a wrongful death suit or something along that line. Whatever data you have can be subpoenaed if you have a legitimate suit. But a good metrics program presents that data in a way that's beneficial to the company and shows a level of professionalism that often defends the company. In fact, it should be your best defense if the metrics you've shown are well managed. If you have great metrics but negligent management of those metrics -- that is, if the metrics are showing that crime is skyrocketing and you're doing nothing about it -- metrics aren't going to save you.
SecurityInfoWatch: Is there fear among some corporate security managers that showing their numbers might not impress business management?
SEC: Absolutely. As soon as you show management numbers, their response is, "Are these numbers good or bad?" One common problem security managers have had is that they can't always answer that question with certainty. That's the whole purpose of our International Security Research Database -- it gives security a way to benchmark and compare their numbers to those of other companies.
What management really wants to know from metrics is if they're spending too much or too little. If your numbers are way too low, you might be spending too much for an acceptable level of risk. If your numbers are way worse than everybody else's, then maybe you need to spend more money. Management wants those metrics because they will help them manage resources, human and capital.
So yes, there is a natural fear on the part of practitioners to say, "What if my numbers are worse than everybody else's?" but that can be an opportunity. Maybe management hasn't given you enough money and resources to impact the numbers effectively. Good metrics will always be your friend.
George Campbell, an SEC emeritus faculty member who wrote the book Measures and Metrics in Corporate Security, points out in his book that management is going to measure you somehow, one way or another. If you don't have your own numbers based on the reality of the security department, you're going to have to face risk evaluated in a less informed way. That could get you in more hot water than showing your own numbers, whether they're high or low.
SecurityInfoWatch: In terms of taking statistics to senior management to prove the value of security, what are some common measures that SEC members often use?
SEC: Management generally asks for metrics in the format of dashboards and scorecards. The topics the metrics cover depend on what security is reporting on. Management is always interested in cost; they're interested in unmitigated risk and in anything that can impact the corporation in a significant way -- that might be regulatory noncompliance, for instance.
SecurityInfoWatch: In terms of providing data/statistics to senior management, should it be more than just security system data (number of alarms detected, number of doors held open, number of background checks completed)?
SEC: Those data points you mention are activities, and there's a difference between activities and metrics. Activities are things like number of alarms, number of doors held open -- metrics show what difference it makes that we've taken or not taken certain action to deal with that. Management may be interested in how busy you are or how many cases one investigator can manage, etc., but mostly they want to know what impact this is having on board-level risk and the things that are most critical to the company. And with metrics we can make that case. We can show what role security plays as it ties to board-level risk. The council has actually recently done a research project and developed a graphic model to show how security ties into board-level risk.
More information: The Security Executive Council (formerly the CSO Executive Council) is on the web at www.csoexecutivecouncil.com.