Demonstrating Security Program Value to the C-Suite

Return to Security Metrics
Created by Dean Correia, Security Executive Council Emeritus Faculty

In a recent online presentation, Dean Correia, Emeritus Faculty - Canada, Security Executive Council (SEC), participated in a panel with other security practitioners to discuss Demonstrating Security Program Value to the C-Suite. His fellow panelists were Rita Estwick, Director of Security Strategy for Canada Post, and Silvia Fraser, Head of Security for the city of Mississauga, Ontario. The online seminar was hosted by Canadian Security magazine and moderated by Neil Sutton.

Here are some of the highlights of the session.

Dean Correia's Advice Based on SEC Research
Dean Correia cautioned that when security leaders are asked for metrics by the C-suite, it often means management has already lost confidence in Security's ability or willingness to provide meaningful data. Security needs to develop metrics programs before they are asked for them -- presenting them proactively and focusing on communicating meaningful and actionable information gleaned from these programs.

Metrics should address questions such as
  • What does security do for the business?
  • Are you managing the function well?
  • What would the business impact be if your function didn't exist?
  • What if your function did half as much as it does?
  • Who uses your services?
  • What is your impact on risk?
  • Could the business get better results by allocating a portion of Security's budget elsewhere?

Many security leaders start out by counting activities, events or tasks. The next critical step in the evolution of your Metrics Program is to demonstrate operational excellence.

chart comparing counting activity to questions showing operational excellence

If you are conducting "counts" for your metrics, Dean recommended you think like senior management: Ask yourself, "So what?" Do your counting metrics answer management's pressing questions, such as What is the cost per case? What are retention rates? What is the impact on risk? What are the root causes? How well do you do your job? Is the risk picture improving? Simple counting seldom answers these questions. Security needs to demonstrate and articulate meaningful information to the owners of the risk.

chart showing example metrics

Dean provided some security measures and metrics resources:

Rita Estwick's Case Study
Rita Estwick shared how Security at Canada Post used metrics to successfully transition to a new role in a changing industry while adding value to the organization.

Electronic mail and digital communication have been major business model disruptors for mail delivery organizations. Canada Post found opportunities to adapt to this new environment, shifting to primarily parcel post, which required new technology, equipment and training; developing new retail partnerships; fostering innovation such as drive-through parcel post; and focusing on the customer experience including flexible delivery and digital apps.

Rita quickly realized Security would also have to refocus to align with the organization's new goals, and they would need to be able to measure success in their new environment.

Combating fraud became a significant driver. "Card not present" fraud represented 76% of all fraud in Canada, and it had increased 205% between 2010 and 2015. She spoke to other businesses about how to help mitigate this as a way to improve the customer experience.

They approached one retail partner to pilot a fraud parcel intercept program. The partner would identify fraud after an order had been fulfilled, then would tell Canada Post. The postal service would track the shipment and return it to the merchant. The program was so successful it grew to other partners and then to other industries outside of retail.

From the outset, Rita asked partners for data to develop metrics that showed the program's impact. In one year, one customer logged $2.5 million fraud cost avoidance. She shared such meaningful metrics with executives and partners' executives, and the response has been so positive that now the program is on track to become a marketable corporate solution.

Silvia Fraser's Value-Based Framework
Silvia Fraser discussed her value-based security framework.

Silvia defined value as "the capacity of a service to satisfy a need or provide a benefit to a person or entity". Value is determined by:
  • What you do – your actual services
  • What you should be doing – expectations
  • How well stakeholders know you're doing it – their perception

Metrics related to actual services include internal key performance indicators (KPIs), with data from incident reports, trend analyses and employee performance. Metrics for expectations are tied to organizational and business unit values – what have security services prevented and what is the cost savings? Metrics for perception involve education and awareness, such as number of training hours.

Her framework includes a scale to quantify value. If a security organization focuses only on its actual services, it may score a three on the scale. Focus on services and expectation and it may provide value at a score of seven. Only by managing services, expectations and perceptions together can an organization provide value at the highest level.

She echoed Dean's earlier warning that counting metrics alone will fail the "So What?" test. Metrics must work together to address all three elements of value in a meaningful way.

Some lessons learned:
  • Don't hesitate to look at other industries for ideas and advice.
  • Don't be afraid to step out of your comfort zone. Others may have data you can use.
  • Don't neglect investing in your metrics development. The city of Mississauga employs an analyst whose sole job is to analyze and disseminate metrics.

Next Steps
The Security Executive Council has assisted some of the worlds most admired organizations to create and optimize their security measures and metrics programs. Counting activities may be a start, but we can show you how to demonstrate the value you are adding to the organization's bottom line.

Return to Security Metrics