My Point of View

Oct. 27, 2008
Looking to Create a Realistic Measuring Stick

To say that the security industry lacks standards and a rigid set of operating protocols would be an understatement. As our fragmented industry turns, the only true constant is that nothing is consistent.

This certainly comes as quite a shock to new professionals who enter the corporate security suite from other venues such as finance, human resources, legal, IT or business continuity — where measuring performance and auditing procedures is a regular occurrence. Although the trend is changing thanks to an influx of insightful security executives and emerging professional security organizations like the Security Executive Council (SEC), tracking security’s success or failure at the enterprise level with baseline metrics remains a mystery to some. For others, though, it is Standard Operating Procedure.

“Having come into security from another arena, I was a surprised how little metrics were being used at other places,” says Randy Harrison, director of corporate security at Delta Airlines in Atlanta. “Here at Delta we certainly incorporate metrics in the security process. We generate reports on a monthly and quarterly basis. There are several areas that are of prime concern for us, with compliance being one of them.

“We measure all our security mandates against the compliance issues we are expected to meet regarding federal regulations,” Harrison continues. “But we also measure our performances as an organization with issues that directly impact our passengers. These include wait time and flow at the security checkpoints, along with the more traditional areas like theft and pilferage.”

Realizing that security directors among the Fortune 50,000 companies lack a resource pool for collective knowledge has driven the SEC to create an International Security Research Database.

“We find there is no best practices model out there when it comes to metrics, security programs and procedures,” says Kathleen Kotwica, the SEC’s vice president of research and product development, whose group has recently released the results of survey developed to determine what measures and metrics are used to evaluate security programs. “Every process is being invented over and over again. Our goal is to catalog all areas of relevant information related to metrics, compliance and board-level risk assessment in one place.”

The SEC survey was posted on the Council’s own Web site between April and June of this year, along with other media outlet sites. Questions were broad enough to encourage a wide range of respondents.
Project status to plan was the most popular administrative function tracked among both the Fortune 500 and Fortune 50,000 companies responding. Fortune 500 companies tracked the following metrics more often than the mid-sized Fortune 50,000: budget burn to plan; the percentage of identified risks with approved mitigation plans; and contractor performance to contract terms.

“We have found that almost 67 percent of security executives do not create metrics,” Kotwica says. “The biggest problem is they don’t know how to start. They understand the need but not the how-to. These people want some rules and what they should benchmark against. [The SEC] explains the process and provides a recipe for creating sound metrics, but then we are assuming they already have the data — that is not always the case.”
At Delta Airlines, Harrison and his team understand that metrics help align his resources and security priorities with the parent company when it comes to allocating personnel and technology implementation. “You must have metrics to ensure that you are budgeting in the proper areas. Good metrics are also essential when it comes to planning for any emerging security threats — so you are always prepared.”

For more information on the International Security Research Database log onto the SEC Web site, at

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazine's Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website He is also the host of the SecurityDNA podcast series.Steve can be reached at [email protected]