For over ten years the Security Executive Council (SEC) has been working with leaders of security programs worldwide. While doing so we have been collecting information about what separates world-class security leaders and programs from the rest. Our findings show that one of the greatest differentiators is the ability to demonstrate the value Security brings to the organization.
Over time we have built up a knowledge base of methods and techniques that contribute to demonstrating that value. We recently conducted a survey to get an idea of how widespread the use of some of these indicators is within our community.
From our many years of research we have found that top scorers have…
A security metrics program that measures value.
When first initiating a security metrics program, many leaders rely on showing activity, e.g., how many badges were issued or how many investigations were completed; or, a step up, they show how their processes are becoming more efficient. This is a good start, but the metrics that resonate with senior management are those that show a desired impact on business goals. Some examples:
A framework for scoring risk, planning mitigation, and calculating residual risk.
This gives Security a metric that measures the primary reason the organization has a security function at all: reducing risk.
A quantitative grasp of their resources and capacity, and the ability to articulate this to senior management.
Security leaders systematically identify, collect, analyze, and report on security services and measure their business value. This process can include creating a master list of security services by program; FTE commitment by service and by internal customer; criticality and/or satisfaction ranking of services by customer; a cost-of-security calculation by service and by customer; and results reporting. The SEC calls this process a critical part of "running security as a business."
A "brand" for Security, and the ability to tell the brand story to a diverse set of audiences throughout the enterprise.
This is more than the traditional mission, vision and strategy statements. In order to brand Security as a value service, security leaders:
An alignment between their security services and the organization's Board-Level Risks™ and enterprise-level risk assessment.
Security leaders do this to create awareness of the Board-level risks and of the role and boundaries of all staff groups (including Security) in mitigating them. Security program services are defined and mapped against the corporation's most significant enterprise risks using the language of the Board (or senior management). This often eliminates duplication and confusion of services across staff departments, identifies gaps in risk mitigation, and fosters effective working relationships between staff groups. Security leaders also use this alignment in Board-level presentations to show a direct connection between the risks the Board members are concerned about and Security's strategy for reducing those risks – that is, the value of Security.
For More Information on the Topics Discussed Above:
Managing Enterprise-Wide Board Risk
Case Study: Risk Management and Security Metrics at Boeing
The Importance of Security's Brand Image
Turning Incident Based Data into Metrics
Discovering the Total Cost of Security to the Enterprise