"At one level, these results are perhaps surprising and a bit disappointing, since they suggest that security remains a function that is mired in operations in the eyes of senior executives," says Cavanagh. "But if security executives could successfully relate security initiatives to the competitive posture of the firm -- for example, enhancing the appeal of the brand -- they might be able to bolster the case for such initiatives as part of a long-range strategy, giving them more prominence in the thinking of the board and the firm's senior management."
In critical infrastructure industries, 87% of the executives surveyed see effective alignment of security with compliance needs, compared with 70% in the non-critical industries. Similar gaps are seen with regard to protecting confidential information (77% effective alignment in the critical industries vs. 69% in the non-critical industries), meeting certification standards (77% vs. 65%), maintaining business continuity (75% vs. 68%), and keeping pace with competitors (60% vs. 54%).
CAN SECURITY PROGRAMS BE MEASURED?
The search for effective metrics has become an essential part of the management process in security as in other aspects of corporate life. Increasingly, security directors are asked to present metrics to senior management to establish a business case for undertaking security expenditures.
"Unfortunately, the measures available for analyzing the effectiveness of corporate security tend to be much less sophisticated than those that have been developed for other corporate functions such as finance, human resources, and information technology," says Cavanagh.
Survey participants say the most useful metrics for determining the appropriate level of security spending in their companies are those that enable executives to determine how much a security problem would cost the firm in terms of liabilities or lost business.
The most helpful metrics were the cost of business interruption, cited by 64% of executives; vulnerability assessments (60%); and benchmarking against industry standards (49%). Another group of helpful metrics was explicitly related to insurance costs, such as the value of facilities (44%), the level of insurance premiums (39%), and the cost of previous security incidents (34%).