Measuring the Business Value of Security

The Security Executive Council weighs in on why security metrics are important to your job

Outsourcing is an issue for large corporations as well, and metrics are also necessary there. One SEC member for a very large corporation outsources his security 100 percent, and he uses metrics extensively, because he has to know how security is doing, whether it’s in-house or not.

Are there legal/liability issues that arise if a company collects (or doesn't collect/report) security data?

A lot of security regulations require some form of measurement showing how the regulation is being implemented and how effective it is, and that’s an issue if they don’t collect data.

From a liability standpoint, security data doesn’t really change the equation if there’s a wrongful death suit or something along that line. Whatever data you have can be subpoenaed if you have a legitimate suit. But a good metrics program presents that data in a way that’s beneficial to the company and shows a level of professionalism that often defends the company. In fact, it should be your best defense if the metrics you’ve shown are well managed. If you have great metrics but negligent management of those metrics—that is, if the metrics are showing that crime is skyrocketing and you’re doing nothing about it—metrics aren’t going to save you.

Is there fear among some corporate security managers that showing their numbers might not impress business management?

Absolutely. As soon as you show management numbers, their response is, “Are these numbers good or bad?” One common problem security managers have had is that they can’t always answer that question with certainty. That’s the whole purpose of our International Security Research Database—it gives security a way to benchmark and compare their numbers to those of other companies.

What management really wants to know from metrics is if they’re spending too much or too little. If your numbers are way too low, you might be spending too much for an acceptable level of risk. If your numbers are way worse than everybody else’s, then maybe you need to spend more money. Management wants those metrics because they will help them manage resources, human and capital.

So yes, there is a natural fear on the part of practitioners to say, “What if my numbers are worse than everybody else’s?” but that can be an opportunity. Maybe management hasn’t given you enough money and resources to impact the numbers effectively. Good metrics will always be your friend.

George Campbell, an SEC emeritus faculty who wrote the book Measures and Metrics in Corporate Security, points out in his book that management is going to measure you somehow, one way or another. If you don’t have your own numbers based on the reality of the security department, you’re going to have to face risk evaluated in a less informed way. That could get you in more hot water than showing your own numbers, whether they’re high or low.

In terms of taking statistics to senior management to prove the value of security, what are some common measures that SEC members often use?

Management generally asks for metrics in the format of dashboards and scorecards. The topics the metrics cover depend on what security is reporting on. Management is always interested in cost; they’re interested in unmitigated risk and in anything that can impact the corporation in a significant way – that might be regulatory noncompliance, for instance.

In terms of providing data/statistics to senior management, should it be more than just security system data (number of alarms detected; number of doors held open, number of background checks completed)?