Security KPIs, Measures and Metrics

In many organizations, the physical security function’s reporting is not done to the same level or standard as most other functional areas of the business. Getting there is not instant, but starting to progress in the right direction should be an immediate priority.

Q:    When I explained our security operations reporting to the new VP I now report to, she asked about security KPIs and metrics, which we don’t have. What should my next step be?

A:    For decades it has been common for security functions to track security operations costs and also report on major security incidents. Nowadays, much more is needed.

Business physical security functions, especially for large and medium-large businesses, are now expected to do the kinds of business planning and reporting that other functional areas of the business perform. Physical security is not a static picture, and that is more obvious now than in earlier decades – and especially after the arrival of COVID-19.

The use of security KPIs (Key Performance Indicators), measures and metrics has been common in cybersecurity, and a web search on “security metrics” will mostly return cybersecurity-related results. The physical security metrics suggestions that do turn up tend to describe what to do, with little about how to get there or where to start.

Fortunately, a rock-solid approach has been documented by George Campbell, the former chief security officer at Fidelity Investments, the largest mutual fund company in the United States, which now manages over $4.2 trillion in assets and has over 40,000 employees.

Campbell advises security practitioners desiring to establish or improve their security metrics to first do a metrics self-assessment to get a good understanding of their starting point. If you are the sole security practitioner in your organization, you can perform the assessment yourself. If you have a team of managers leading various programs and functions, Campbell suggests the assessment be a team exercise.

The details are laid out in his book, Measures and Metrics in Corporate Security 2nd Edition, which is available on Amazon.com in paperback and Kindle editions. You can use the “Look inside” feature on the book’s web page to preview the self-assessment questionnaire and see why you should get and use this book as your starting point, whether starting or improving on a metrics program.

Many of today’s security practitioners have inherited security programs and their reporting (or lack thereof) from their predecessors. Given the rate of change across the business landscape today and the related risks that businesses face, it’s common for the risk picture to evolve beyond what inherited security programs address. Security measures and metrics are a critical element in making sure that the right matters get the right attention, from management as well as from the security leader.

Figure 1 in the book’s “Look inside” preview presents a six-step construction process for implementing a security measures and metrics program. Measures and Metrics in Corporate Security provides a variety of organizational measurements, concepts, metrics, indicators and other criteria that can be employed to structure measures and metrics program models that are appropriate for specific operations and corporate sensitivities. The book includes several hundred examples of security metrics, which are organized into categories of security services to facilitate practitioners in identifying and customizing metrics to fit their operational needs.

How can you align your metrics with management’s assessment of value? What quantifiable measurements ought to apply? Questions like these, their related advice, and the answers you discover will point you in the right direction.

It’s likely that IT has quite an array of metrics in use, and it would be smart to get a good overview of them and understand which ones are of operational value to information security (infosec) on a day-to-day basis, which are useful for evaluating progress toward infosec objectives, and which are meaningful to management. IT (as well as other functional areas reporting KPIs) can often offer some do’s and don’ts derived from their organizational experience in developing and reporting metrics.

Establishing a truly meaningful metrics program can be a multi-year undertaking for several reasons. First, it usually requires changes to data tracking and reporting roles and responsibilities, which are best introduced incrementally rather than all at once. Which things do you want status indicators for now, and what will it take to make collecting them a small additional part of routine processes rather than a burdensome periodic task for you or one of your staff? Second, new insights you gain along the way often prompt changes to correct or optimize the way security work is done and reported on. Third, reporting measures and metrics to management involves providing the context and perspective they need to evaluate what’s being reported, so that it is meaningful to management as well as to yourself. All these things take time when done right.

Campbell’s book may be the most valuable Christmas present you can get for yourself and should be extremely helpful in getting your new year’s security program improvements off to a great start.

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty member of the Security Executive Council (SEC) and is a member of the ASIS communities for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.

© 2021 RBCS