A Guide for Building Your Corporate Security Metrics Program

Return to Security Metrics
Created by George Campbell, Security Executive Council Emeritus Faculty

A Short Primer for Security Managers
(Abbreviated version - full report is available for download bottom of page.)

Over the past decade, my SEC colleagues and I have worked with hundreds of corporate security executives and managers who have either discovered or have been told they need to have a set of performance measures and metrics for their programs. These epiphanies or directives come in a variety of wrappers. Here are a few that summarize the frame of reference for beginning the metrics journey:
  • "My new is boss asking for our key performance indicators and I’m not sure where to start."
  • "We're under pressure to show where Security contributes to the bottom line and add value."
  • "We have been delivering our numbers but they don't seem to have any impact with our stakeholders."

"Where to start" is the issue for all three of these managers. Regardless of the composition of their corporate security program, they all have been generating reams of data 24/7 but have neither organized nor focused the data on the stories it can tell. They have been counting activities but haven't been measuring performance value. This short guide will set forth a set of steps that security managers should use in building a basic metrics program.
Let's begin with a few assumptions that may serve as key success factors:
  • You have an incident reporting system or framework for collective capture of reported event data. "Collective capture" means that the full scope of your program's service offerings may be routinely tallied in a common database (like Excel) on demand. 

    Why? This is where the data, the fuel for the metrics, live. Multiple unconnected repositories or sources may present a variety of barriers to accessibility and reliability and can be very labor-intensive to collate. 

  • You have the scope of authority to set the rules for metrics maintenance and reporting.
    Why? Clarity in metrics administration and program integrity are critical from end to end. If you don't have the authority but are the designated metrics manager, get the accountability clearly assigned.
  • You can identify a member of the corporate senior management team to serve as a metrics mentor.
  • You can identify an individual on your team with good analytical skills and hands-on knowledge of the tools the company utilizes for data management.
    Why? You have a full-time day job, and a good metrics program takes time and consistent focus. You will have several staff with solid computer skills and the desire to grow, or there will be an Analyst somewhere in the company that can help you jump-start to tools and processes.
  • You have engaged the Security team and they understand this is a part of the way we will manage and they have a key role in metrics success.
    Why? Management is committed to metrics and expects results. It takes committed time and dedicated work to honestly measure how well your Security programs are delivering planned results. 

  • Your Security programs can identify a body of accepted policies and performance standard to serve as guides for metrics development.
    Why? Policies, standards and their related goals provide anchors and content for performance targeting. There are well-established best practices and benchmarks in your industry, in professional practice guidance, in applicable regulatory regimes or in industry literature.
We have seen the factors listed below add up to the difference between success and failure of a security metrics program. Everyone who has a role to play needs to believe this is a part of how Security will be managed going forward. Consider each one in the unique context of your organization and then go start your metrics initiative.

Why do you need security metrics program?

You need to have a solid rationale for building security metrics. Where we’ve seen real success from Chief Security Officers in this space, there were a few inter-related motives driving their journey:
  1. They believed in what metrics could do for the incremental improvement of their programs
  2. They wanted to be able to better tell (sell?) Security's value story
  3. They had a vision for how good metrics could better connect them to their stakeholders and the business. You need to believe that some good metrics from your organization and for your employer will deliver similar benefits.

If you don’t know why you need metrics, I'd advise putting this more serious journey aside until you reach this state.

Who are your customers for your metrics?
Who are your customers? What do your key stakeholders really need to know from your metrics? What metrics could engage their more informed participation in enterprise risk protection and enable their success? You have a diverse array of internal stakeholders who need to hear and see the metrics that are meaningful to them. Ask them! Good, customer-focused metrics are central to our ability to influence and engage our customers in their role in corporate security and brand protection.

Metrics are a key part of your communication strategy. They contribute to a coherent set of messages focused on a targeted audience. You cannot over-emphasize the importance of understanding the diversity of perceptions about risk and how each of your constituents view your role in its management.

Good metrics are SMART
Specific to what is required and understandable,
Measurable from available data,
Actionable/Achievable - driving change and positive results,
Relevant to what is important and
Timely because verifiably reliable data is there when you need it.

You can't manage well without measuring well. Be SMART. Don't waste time building a metric unless there is a solid reason for what you want it to achieve. Remember that what we want to measure is the focus of the process; the metrics are the outputs of the process.
Objectives for Metrics
Your initial objective in building a basic metrics program must be to find the metrics that really resonate for your program. In our corporate security realm, I see risk, program performance, value and influence providing mutually supportive boxes in a metrics four-square. Here is a brief discussion on each of these.
Quality and Integrity
Consider these two key objectives for our security measures and metrics: 1) materially impact exposure to specific risks and 2), positively influence action, attitude and policy. These objectives require an established and clearly communicated set of internal controls focused on the integrity of the data that is gathered, the quality of the analysis and assessment applied to that data and the assurance of data security and protection.

Imagine the potential consequences of drawing conclusions and formulating recommendations to management on inaccurate, unreliable data overseen by flawed, poorly supervised sources. Failing to embed data integrity within your metrics program will go directly to the credibility of the security program and its management.
Most organizations have established requirements for the type, format and frequency of departmental reporting to include specified metrics updates that typically include one or more topical dashboards. As noted earlier, you will also need to determine the when and what of more customized metrics reports to your key customers and those you want to inform on specific findings or recommendations. It's critical to establish a monthly routine for delivery of metric reports from your program managers and contracted service providers, and you must include an assessment of the quality of their reporting in your measurement of their performance.

Unless you are an “army of one,” you will rely on designees to deliver high-quality metric reporting based upon reliable data and conclusions. What measures of quality assurance are in place to give you confidence in the results that you must have?
In Conclusion
Corporate security owns a unique database of business performance measures and metrics. Collectively they enable and support a key value proposition: the ability to positively influence enterprise protection, corporate policy and behavior. Enterprise protection is measurable, as are the benefits that accrue to our diverse protection programs. A well-defined security metrics program demonstrates to management how we are probing the weak spots, informing, educating, and influencing change.

As a manager, you are expected to be a good communicator. S.M.A.R.T. metrics can provide the storyboard and the script you need to for a quality connection with management and your customers.

Return to Security Metrics