Metrics for Success: What’s the Endgame?

March 23, 2015
Finding measurable reduction of targeted risk attributable to security initiatives

In a recent security barometer quick poll conducted by the Security Executive Council (SEC), respondents were asked what they thought would be the single most meaningful metric to have for their security function. The overwhelming selection – almost four to one -- was to achieve a “measurable reduction of targeted risk attributable to security initiatives”. It seems to me that the appeal of this metric reflects our struggle with the proof of value challenge and how to demonstrate a clear connection between our expenditures and an equal or better return on security investments.

 This metric reflects this struggle. The manager confronted with the security events we see in this chart knew that making real reductions in these trends required discipline in uncovering the root causes of each incident, then developing specific plans to attack the vulnerabilities uncovered, and finally tracking results to ensure real elimination of the risks rather than a temporary lull in the exposure. He believed that the value story would follow this disciplined approach.

 Note that there is a 24-month duration covered in this chart.  The story here is about connecting the dots, not about isolated one-offs.  If you really look at the five measures this security manager selected for his pitch, which one stands out as the most indicative of the problem at this company? 

 The correct one is, the “documented and unaddressed high risk vulnerabilities!”  This manager hasn’t been asleep at the wheel; he has been out there investigating and learning with an aggressive risk assessment program.  His organization learns by thoroughly investigating what has happened after an event and using this data to direct proactive probing and assessing the effectiveness of the company’s safeguards and internal controls to identify exploitable gaps in protection. 

 The learning here is that these multi-site security events reflect a systemic lack of engagement by business unit management.  This is a clear common denominator and a root cause linking these costly enterprise security risks.  To be sure, there is a lack of local security awareness here as well, but it’s much more about the failure of business units to take real ownership of people and asset protection.   Consider the summary facts:

 The South Production plant has a variety of labor issues boiling that have fed those engaged in vandalism and theft.  Security had repeatedly recommended a mitigation strategy and management finally agreed to increase hours for directed patrols and surveillance of security coverage in mid and late shifts.

  •  Both of these tactics combined to successfully close a series of incidents here and gain recoveries.
  • The laptop thefts and thefts of personal and company property at multiple leased locations also reflect absence of local management’s discipline for security policy regarding access control and information protection standards; never mind the risk to employees from uncontrolled access.
  • Workplace violence at Plant 3 is about the total lack of established connection between first line supervisors, human resources and local management to address a set of protocols proposed by Corporate Security and Legal Counsel to investigate and mitigate these events.  

 The most telling fact in this story is that Security had alerted management in multiple risk assessments that had gone unaddressed in spite of quarterly reporting on lack of remedy. Security Director’s objective with this presentation was threefold:

 To use this chart to demonstrate the power of a collaborative, engaged and accountable process of enterprise risk management.

  •  To  provide evidence of a persistent effort to proactively address known risks and show the value of these efforts.
  • To seek approval for moving the matter of quarterly unaddressed risk assessment findings to the Audit Committee for compliance review. 

 All three were accepted by the CEO.  And that is the real story.

About the Author

George Campbell

George Campbell is emeritus faculty of the Security Executive Council and former CSO of Fidelity Investments. His book, “Measures and Metrics in Corporate Security,” may be purchased through the Security Executive Council Web site. The Security Executive Council is an innovative problem-solving research and services organization that works with Tier 1 Security Leaders™ to reduce risk and add to corporate profitability in the process. A faculty of more than 100 experienced security executives provides strategy, insight and proven practices that cannot be found anywhere else. Through its pioneering approach of Collective Knowledge™, the Council serves all aspects of the security community. To learn about becoming involved, e-mail [email protected] or visit The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved.