Metrics for Success: Exploring the Value Story

Aug. 2, 2012
How metrics proved the importance of one security executive’s internal first responder program

Last month I proposed to lay out a few metrics I believe qualify as “must have.” I started with a bucket of key risk indicators, because risk, after all, is why we have jobs in this business. This month, my bucket contains a few of what I like to call value indicators.

Our value has to be connected to our success in measurably impacting risk. What are the measures, and how are you communicating the critical messages? Sure, every program is delivering some statistics — typically lists of incidents or activities that they sell as “metrics.” But real metrics inform by creating a storyline that implies the need for action. Lists are just the nails you use to build these stories.

I recently worked with a CSO of a global manufacturing company who launched an initiative to identify metrics across the security organization “to tell the value story to management” and to “demonstrate in measurable ways where and how we bring value to the bottom line of our company.” He found value delivered in guard force operations, investigations, background vetting, risk assessments, supply chain protection, workplace violence response and a variety of previously unprobed corners of security service delivery. Let’s explore their fire and life safety first responders.

This company’s industrial operations involve the potential for fire, the presence of hazardous materials, and accompanying employee safety risk. To help manage this risk, the security organization developed an internal first responder team. The assumption going in was that management would see Security’s maintenance of a first responder program as wasteful, because the company already supported qualified public fire departments with its taxes. Why pay twice?

We categorized several areas of preventive service and incident response, as seen in the above chart. The bottom line comparison was impressive: Company cost = $4.5M; Alternative = $16.45M.

But the real value story is about the quality of response:
• When employees return to work quickly, productivity increases.
• Faster, better-prepared and equipped response equals less production downtime.
• Faster, high-quality response contributes to employee safety and morale.
• Preventive operations result in lower construction and insurance costs.
• Proactive inspection programs mitigate fire, safety and business interruption risk.
• OSHA and other regulatory sanctions are avoided with aggressive inspection.
• Company and individual health insurance costs are reduced.

Several employee lives were saved by the Corporate Security first responders in the course of this year of analysis (2010).

Of course, the average security executive doesn’t have an internal first responder service in their organization. But think about what services you do deliver that can tell your unique value story.

Protective operations: Are your officers trained to respond to health and safety events and have they done so successfully in the past? Are their tours organized to identify and eliminate hazards or to identify exploitable vulnerabilities that could result in loss, such as business interruption or asset compromise?

Risk assessments: Do you have a program that proactively examines the range of security-related risks to critical assets? What would the cost of compromise have been for those vulnerabilities your team found and eliminated? What fines or litigation were avoided by eliminating a failed security measure or risky practice?

Timely response: When security programs deliver faster, quality response to risk events, you measurably reduce the cost of impact.

Awareness: When you deliver learning to the business, you impact intelligent accountability and contribute to prevention of loss.

The idea here is to think about how we prevent bad things from occurring and reduce the consequences when they do occur. We add value in many ways, but we often fail to document and tell our story. What is your story?

George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, “Measures and Metrics in Corporate Security,” may be purchased through the SEC website. The SEC ( is a problem-solving research and services organization focused on helping businesses effectively manage and mitigate risk; and helping security leaders initiate, enhance or innovate security programs, build their leadership skills, and bring quantifiable value to their organizations. For more information, email This article is copyrighted by the SEC and reprinted with permission. All rights reserved.

Sponsored Recommendations

NYPD launches Knightscope security robot service in Manhattan subway

The first two weeks will be spent on training, configuration and setup protocols for the autonomous robot to navigate followed by patrol activities between the hours of 12:00am...

Hornetsecurity releases "Microsoft 365: The Essential Companion Guide"

Microsoft 365: The Essential Companion Guide is a comprehensive resource that provides an in-depth analysis of Microsoft 365 to help users maximize their efforts when using this...

SecurityDNA podcast recap: discussing digital twins, venture capital and smart cities with security industry futurist Jon Polly

Jon Polly utilizes his knowledge of past security trends to analyze the impact that regulating artificial intelligence and the expansion of digital twins will have on the industry...

One in six attacks on U.S. government offices linked to LockBit

The report revealed that many ransomware threat actors are no longer going after "big game" targets, instead focusing on smaller organizations they presume to be less well-defended...