One of the most difficult tasks a security professional will ever face is communicating to senior management why security expenditures should be made, policies enforced, new positions created, programs funded. In times of business cutbacks, it is even more important to convince management that security programs should not be downsized.
The only way this can be done effectively is by first identifying senior management's most important business goals and the security risks that can prevent them from achieving those goals. Then design a program to minimize those risks that will not cost so much that it eliminates the profitability of the venture. Once you've gotten that far, you must begin to measure the results of the security work and communicate the results to management.
Creating security metrics is a challenging task for the seasoned security executive. It can be overwhelming the first time you try. Yet it is so important that nearly all security leaders interviewed by the Security Executive Council (SEC) for a recent survey stated it was a top priority for them. In response to the survey, I worked with the SEC to develop the first book on metrics, titled Measures and Metrics in Corporate Security, that covers the 13 key areas of security in business and public organizations. In its pages, I've identified and explained more than 375 metrics that I've compiled over a course of many years.
ST&D and the SEC have teamed up to share with you the key metrics on physical and operational security as well as compliance with laws and regulations. Each month, this Metrics Pipeline column will highlight a crucial issue that must be communicated to management. I will outline the objective of the metric, the result that it hopes to gain from senior management, and a strategy you may use to reduce the risk and gain the intended result, and I'll also identify the source of the data you will need.
You'll be able to put this practical column to work immediately. It will improve your chances of success by helping you prove to management the value of your security organization. Check back next month for the first metric in this valuable new series.
George Campbell is emeritus faculty of the Security Executive Council and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased through the SEC Web site,
www.csoexecutivecouncil.com/?sourceCode=std.
