Those data points you mention are activities, and thereâ€™s a difference between activities and metrics. Activities are things like number of alarms, number of doors held open â€“ metrics show what difference it makes that weâ€™ve taken or not taken certain action to deal with that. Management may be interested in how busy you are or how many cases one investigator can manage, etc, but mostly they want to know what impact this is having on board-level risk and the things that are most critical to the company. And with metrics we can make that case. We can show what role security plays as it ties to board-level risk. The council has actually recently done a research project and developed a graphic model to show how security ties into board-level risk.
More information: The Security Executive Council (formerly the CSO Executive Council) is on the web at www.csoexecutivecouncil.com.