Faculty Advisor: Running Security as a Business: Measuring Performance

Q. I recently read something from the Security Executive Council that used the term "running security as a business." Can you elaborate on what that means as it relates to security and what is an example of this approach?

A. Great question. The way I look at running the security department as a business means you approach every problem with the interest of the owners and other stakeholders of the business at the front of your thoughts (your internal customers). As you formulate solutions, operate projects, or make decisions, you should be looking for solutions that empower the business to achieve the best possible outcome. Security is a function of the business - so why would you try to run it as an ad hoc service function within the organization?

Running security as a business gives executive leadership an assurance that the day-to-day decisions are going to be in the best interest of the organization. Once executive leadership gains a level of comfort and confidence in what security can do they will be much more willing to allow more decision making latitude. That latitude gives flexibility and an ability to influence outcomes in ways that give rise to the best outcomes no matter what circumstances arise. When you have a very rigid management structure, which sometimes comes into play when people don’t treat their work as a business, management will often intervene and implement very stringent controls upon decision makers. This can also lead to less flexibility to react in an emergency.

Knowing what your internal customer would want or values and measuring progress are two important elements of running security as a business. My experience both as an employee of various organizations and as a professor in the classroom has shown that performance measurement is the one skillset that any manager can bring to any job they’re assigned. Of course, that implies that the measures that we’re going to use and the targets that we set for our performance against those measurements are going to be closely aligned with business objectives.

Having set that as a requirement, once we implement a complete, comprehensive and well thought out performance measurement system - often we call this metrics – we naturally align every decision so everything we do will be focused on getting better numbers for our metrics. If the metrics we are measuring and the outcomes we’re seeking with our target values for those measurements are intelligently aligned with the business objectives, we are naturally going to make decisions that are better aligned with the business.

If I had to say there is any one skill that a practitioner needs it is to learn how to define measurements and how to engage in a feedback loop using periodic measurements to attain performance that’s perfectly aligned with the business objectives of the organization that you serve.

In my opinion, what you gain first and foremost out of a comprehensive performance measurement program is the ability to win the argument when it comes to defining the value of your processes.  If you measure what you do and can track what you accomplish against meaningful business outcomes, you have the ability to marshal real data to show what is important. It puts bullets in your gun to argue about the value proposition.

Secondarily, I think it allows you to be more cohesive and responsive because the measurement criteria (metrics) you’ve chosen were carefully selected, thoughtfully prepared and your goals and targets for attainment are realistic and specific. The natural response of everybody aligned with these metrics is going to be to make the right choices, to make decisions that are aligned with business objectives.  You won’t have to worry about convincing people to do the right thing. They’re going to know what’s right based on the set performance benchmarks.

Response provided by Herb Mattord, Ph.D., Security Executive Council Content Expert Faculty.