Insight on Security Metrics

The SEC’s perspectives on KPIs and business alignment.

Filter by

Insight on Security Metrics

Building Valued, Relevant Metrics Programs

In the SEC's October 2023 Security State of the Industry briefing, Tier 1 Security Leaders heard from two successful security executives discuss their metrics journey.
Click for more details
Insight on Security Metrics

Key Performance Indicators in Security

Incorporating key performance indicators (KPI) into a robust security metrics program can keep your program moving toward meaningful, business-aligned goals, and improve your confidence and influence with senior management.
Click for more details
Insight on Security Metrics

Assess the Probability of Business Loss

Objective: To estimate the probability of loss in areas of concern, given known vulnerabilities.
Click for more details
Insight on Security Metrics

Measures and Metrics in Corporate Security

How good is your security program? By what ruler do you measure security’s effectiveness, efficiency, or success? How do you explain and prove this success to the rest of the organization? Strong metrics can communicate security’s value, results, and return on investment in a language all other functions can embrace...
Click for more details
Insight on Security Metrics

Faculty Advisor: Operational Excellence Metrics for Security

I would like to engage my security function in some sort of Operational Excellence framework so I can show my organization, in terms that already resonate with our executives, how we meet and exceed expectations. Do you have any recommendations for measurable targets we can set as we get started?
Click for more details
Insight on Security Metrics

Operational Excellence in Contract Security Performance Measurement

The focus in this paper is on measuring the performance of security service providers. The Security Executive Council believes that there needs to be a more in-depth consideration of what constitutes "excellence" in these operations given the consistent growth of outsourcing to guard service companies.
Click for more details
Insight on Security Metrics

Building a Security Measures and Metrics Program, Parts 1-7

Metrics provide invaluable insight on program effectiveness, the means to influence business strategy and policy, and the ability to demonstrate the value of security services to business leaders.
Click for more details
Insight on Security Metrics

Demonstrating Safety and Security Program Value to Executive Management with Metrics

One of the biggest challenges facing many safety and security practitioners today is effectively and consistently communicating the value of their security program.
Click for more details
Insight on Security Metrics

Faculty Advisor: Defining Your Top Security Metrics

What should your top security metrics be?
Click for more details
Insight on Security Metrics

Good Metrics Tell a Story

Good metrics demand a story. The story reveals the lesson, the learning from the conclusions drawn by analysis of the data. Like any good story, you have to know your audience and select your theme to connect with their frame of reference.
Click for more details
Insight on Security Metrics

What is the Cost of a Bad Employee

Even a single insider incident can rise to the level of a serious crisis. the time involved in resolving an insider misconduct case resulting in termination for cause is one small aspect of reputational risk.
Click for more details
Insight on Security Metrics

Security Issues in Leased vs. Owned Property

Whether a company owns or leases properties for its various operations often depends on cost and logistics, but risk should also be considered.
Click for more details
Insight on Security Metrics

What Is a Reportable Security Violation in Your Organization?

Security is a key player in the governance of internal controls. How serious is the notion of compliance in your company?
Click for more details
Insight on Security Metrics

Working with Customers for Better Access Control

Access management is a core safeguard. Understand the range of risks driving this set of safeguards and work with your customers to tailor the protection strategy for results.
Click for more details
Insight on Security Metrics

Nuisance Alarms Are More than a Nuisance

Frequent false alarms are not only a nuisance but could result in a lack of confidence by first responders who may start to distrust the validity of a call to that location, as well as cause additional costs to the company.
Click for more details
Insight on Security Metrics

Security Operations Control Center Metrics

The security operations control center (SOCC) is one of the most critical functions of the security organization, where customer service, first response and risk management combine to provide the most visible and essential corporate security services.
Click for more details
Insight on Security Metrics

Demonstrate a Need for Stronger Background Vetting

A comprehensive background investigation program is critical to the health and integrity of any enterprise and the quality of internal and external background vetting is critical.
Click for more details
Insight on Security Metrics

Demonstrate the Effectiveness of Emergency Response

The safety of employees and visitors is a core mission of corporate security. In light of budgetary restrictions, it is important to communicate these two key measures of readiness to management.
Click for more details
Insight on Security Metrics

Business Alliances and Security's Due Diligence


These are eight factors that the security organization should consider in its evaluation of a prospective business alliance.
Click for more details
Insight on Security Metrics

The Risks of Outsourcing Information Security

Don't overlook the risks that accrue due to the loss of effective business controls over sensitive activities, particularly those associated with information infrastructure and vital information assets.
Click for more details
Insight on Security Metrics

How to Reduce the Cost of False Alarms

Time is money. Look at how your team is spending its time.
Click for more details
Insight on Security Metrics

Ranking Security Performance

Here are four of the most often-used methodologies we've seen for demonstrating how your security program ranks to corporate leadership team.
Click for more details
Insight on Security Metrics

Demonstrating Security Program Value to the C-Suite

These are highlights from a panel discussion with security practitioners on Demonstrating Security Program Value to the C-Suite.
Click for more details
Insight on Security Metrics

Case Study: Risk Management and Security Metrics at Boeing

This case provides background information on Boeing and why its security group undertook an evaluation of the metrics that they use. The results of that evaluation are presented, along with a general discussion of how metrics are used to improve decision making and assessment.
Click for more details
Insight on Security Metrics

Security Contract Compliance Auditing

Contracts with product and service suppliers are an integral part of many corporate security service delivery programs; in fact, many companies spend millions of dollars annually for thousands of hours of service from contract guard vendors.
Click for more details
Insight on Security Metrics

Security Metrics in Context

Why go through the trouble of applying metrics to your program? George Campbell explores this question in his book, Measures and Metrics in Corporate Security. In this exclusive excerpt, Mr. Campbell describes how metrics improve security's chances for success in various contexts.
Click for more details
Insight on Security Metrics

Building a Metrics Program that Matters

In a 2007 Security Executive Council survey, nearly 70 percent of respondents stated that they do not collect security program metrics for the purposes of presenting to senior management.
Click for more details
Insight on Security Metrics

Delivering Meaningful Metrics

If security continues to mature as a business function, senior management will likely ask for a set of metrics to measure performance. Security leaders should prepare meaningful metrics that inform management and improve security effectiveness.
Click for more details
Insight on Security Metrics

What Is the Return on Your Company’s Security Investment?

Objective: To select a small set of security-related services and assess the potential for a return on expenses.
Click for more details
Insight on Security Metrics

Investing in Security’s ROI

We hear a lot about the difficulty of documenting Security’s return on investment. Consider this example.
Click for more details
Insight on Security Metrics

How Good Is Your Customer Connection?

The deeper I dig to find the reasons for the lack of workable, meaningful metrics within security organizations, the more I find myself tripping over both institutional and security-imposed roadblocks.
Click for more details
Insight on Security Metrics

Demonstrate Security’s Alignment with Business Objectives

Results Sought: Increased understanding and appreciation by senior management and other key stakeholders of security’s value and contribution to the bottom line.
Click for more details
Insight on Security Metrics

Measure Influence by Tracking Recommendations

All non-revenue-producing organizations like Corporate Security are in the influence business. Influence is a measure of effectiveness, and we need to apply various processes to evaluate security’s effectiveness.
Click for more details
Insight on Security Metrics

Are Your Metrics Connected to Top Management’s Agenda?

The January/February 2011 issue of Financial Executive magazine included an article titled “Corporate Performance Metrics to Top Board Agendas,” ...
Click for more details
Insight on Security Metrics

Do Business Units Value Security Recommendations?

Our ability to influence internal customers starts and ends with their perception of the effectiveness and value of security programs.
Click for more details
Insight on Security Metrics

Measuring Alignment Using Key Risk Indicators

I get a lot of questions about how Security can demonstrate with metrics that we have a positive connection to the core business strategy and objectives. Here’s one example.
Click for more details
Insight on Security Metrics

Neglect and Apathy – Your Worst Enemies

Risks become avoidable when we put effective safeguards in place to counter them. They become inevitable when we fail to do our jobs — that is, when we disable or fail to enable essential security measures. Let’s look at a large retail chain as one example.
Click for more details
Insight on Security Metrics

Threat Assessment: Measuring Likelihood

When you think about security threats to your business, which do you think are likely to manifest? What are the probabilities of a specific type of event occurring at a particular location? How do you convey your concerns to management without sounding like Chicken Little yelling that the sky is falling?
Click for more details
Insight on Security Metrics

Increase Influence and Protection through Proactive Risk Assessments

We security professionals cannot sit back and wait for an incident to happen. We are paid to anticipate risk and engage in preventative activities that will eliminate hazards or minimize the impact on business operations and employee safety.
Click for more details
Insight on Security Metrics

Incident Analysis Identifies Business Practice Risk

Knowledgeable insiders are a serious threat to an organization, since they live inside protective measures. They have a unique understanding of the company's vulnerabilities and know how to use them to their own advantage.
Click for more details
Insight on Security Metrics

Gain Support by Illustrating Security's Response Time

We hear a lot about first responders. In the proactive security organization, our security operations teams are the ones that get the initial emergency call and move to assess it and respond from within. Is your organization up to the test of that call?
Click for more details
Insight on Security Metrics

Create a Measures Map

Objective: To visually convey our understanding of and response to a risk event, to show how that risk links to applicable metrics, and to demonstrate that measures are being taken to mitigate future risk.
Click for more details
Insight on Security Metrics

Tracking Leading and Lagging Indicators

Senior management and analysts in the businesses we serve are constantly tracking and evaluating a host of economic and programmatic indicators to provide alerts on changes in market conditions that need to be addressed.
Click for more details
Insight on Security Metrics

Leading Indicators

A leading indicator signals a future event — it measures the current state of the market or the business, as well as the future state, in the form of already planned or projected changes. In our world, leading indicators signal future risk of security-related events.
Click for more details
Insight on Security Metrics

Be a Learning Organization

Do you routinely dig into your incidents to identify the root causes and pass on the learning to those who need to know? If not, plan on logging more of the same and documenting allegedly smart people repeating their mistakes — or worse.
Click for more details
Insight on Security Metrics

Create a Business Unit Scorecard

Objective: To assess the security of various business units and effectively communicate our findings and recommendations to business leaders.
Click for more details
Insight on Security Metrics

Build a Risk Indicator Dashboard

Objective: Provide a single display of the key information a manager needs to monitor a set of measures and effectively communicate the status of those measures.
Click for more details
Insight on Security Metrics

Determine the Exploitability of Selected Security Defects

Objective: To estimate the probability of loss in areas of concern, given known vulnerabilities.
Click for more details
Insight on Security Metrics

Security Awareness: A Few Key Indicators

If your company thinks
Security is the owner of security-related business risk, get your résumé up to date! Business process owners’ awareness is a fundamental element in a security risk mitigation strategy. We are paid to understand the range and depth of risks confronting the business in its various environments, to build strategies to mitigate them, and to educate our constituents on their responsibilities.
Click for more details
Insight on Security Metrics

The Risk-Aware Organization

Security practitioners often equate security awareness programs with posters in break rooms, intranet alerts and informative brochures on the risk of the month. While these media serve a useful purpose, Security’s risk awareness strategy must be significantly more disciplined and structured than a periodic communication exercise.
Click for more details
Insight on Security Metrics

Measuring Awareness of Access Control Responsibilities

Two key measures of the effectiveness of a security program are (1) how well security communicates the security responsibilities it expects employees to meet; and (2) the affirmation that those expectations are being met.
Click for more details
Insight on Security Metrics

Create A Security Awareness Dashboard

One of the fundamental obligations we have in corporate security is to understand the potential for “what if” and communicate our knowledge and concerns both to those who could be affected and to those who have accountability for protecting the assets of the enterprise.
Click for more details
Insight on Security Metrics

Empower Critical Business Process Owners Through Awareness

Security has a unique perspective on risk that comes from gathering, analyzing and understanding threat and risk data. This insight obligates us to make our customers aware of the risks that could affect them, especially when those customers control the most sensitive and essential business processes in our companies.
Click for more details
Insight on Security Metrics

Meeting Contract Standards

Is there a visible commitment to operational excellence within your security vendor’s on-site team? Contract guards represent the security organization to the average visitor and employee at U.S. businesses today, and their competence is both critical and evident in their interactions.
Click for more details
Insight on Security Metrics

Showing the ROI of Contract Security Forces

A thoughtful security manager in Arizona once e-mailed me the following in response to one of my regular columns on security metrics: “I can’t think of a more relevant issue for physical security than a series of metrics regarding contract security costs...
Click for more details
Insight on Security Metrics

Measuring Guard Force Operations

One of the largest line items in most corporate security budgets is security operations, or guard force costs. I am often amazed at the answers I get when I ask, “What metrics do you have for these activities?”
Click for more details
Insight on Security Metrics

Faculty Advisor: Does Benchmarking Really Show How Well Your Security Program Measures Up to Best Practices?

Our new senior management team is requesting a report on how we measure up against security best practices, but we’re struggling to find formal or accurate benchmarks, and the data we do find isn’t often comparable with our organization. I think best practices are important, but they have to be fair and accurate to be useful, and we’re coming up short. What can we do?
Click for more details
Insight on Security Metrics

How to Use Metrics

CSOs generate security data every day. Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves.
Click for more details
Insight on Security Metrics

Measure Your Metrics

Why measure, why metrics? The fact that established metrics for the full range of security programs are few and far between tells a story about the historical disconnection of these functions from the core businesses they serve. We all know how the risk environment has changed over the past few decades with wake-up calls to Boards and senior management.
Click for more details
Insight on Security Metrics

What's State-of-the-Art in Security Metrics?

Think about what metrics you should follow in your organization and why you think they are important for the senior management team and have an answer ready when the boss asks what kind of metrics you have in the can.
Click for more details
Insight on Security Metrics

Who's Accountable for Metrics?

Where does accountability lie for the maintenance of a proactive measurements and metrics program? The answer is that it is shared up and down the organization, but the CSO is the initiator who must design and sell the program up and down the chain of accountability.
Click for more details
Insight on Security Metrics

It’s Time to Get Security Metrics Savvy

Every business manager needs to develop and deliver programs and services that demonstrate measurable results, whether good or bad, positive or negative — and that includes security.
Click for more details
Insight on Security Metrics

Accuracy & Integrity: Essential Metrics Characteristics

We must have accuracy and integrity in our use of data and statistics, or we will undermine our initiatives, our programs and our own standing with senior management. Here are five components of a reliable system for managing metrics-relevant data.
Click for more details
Insight on Security Metrics

A Risk Quantification Process

Having a list of security-related business risks and their associated countermeasures is an essential part of the risk management process.
Click for more details
Insight on Security Metrics

Don’t Neglect Key Performance Indicators

We have mentioned balanced scorecards and KPIs, but it is useful to occasionally revisit these concepts because they can be so much a part of a corporate management business strategy. In our corner of the business, we may employ KPIs in any of several security program areas.
Click for more details
Insight on Security Metrics

Corporate Security Metrics - Key Performance Indicators: Examples

Following are some KPI samples by way of charts that might be used in executive communications. Use them to generate ideas for performance indicators your security organization should deploy.
Click for more details
Insight on Security Metrics

Measuring Key Performance Indicators

Most of us have heard of Key Performance Indicators (KPI): they are measures of progress toward some goal that often reflect how well a business process is being performed. If you have not considered developing KPIs for your security program, I would encourage you to look at them as a component of your measures and metrics program.
Click for more details
Insight on Security Metrics

Faculty Advisor: Demonstrating Security’s Contribution to Organizational Goals

How can we identify and highlight the programs, services and positive outcomes that Security brings to help meet the organization’s business goal? In particular, we are seeking an increased understanding and appreciation by senior management and other key stakeholders of security’s value and contribution to the bottom line.
Click for more details
Insight on Security Metrics

Faculty Advisor: Contract Security Challenges and Strategies: Part II

The KPIs currently used by my company to assess security services have been in place for years and the value of the information is questionable. What are the best quantifiable KPI measurements to demonstrate the value of our security contract as well as evaluate the performance of the security officers? How can I use the information to improve my overall contract security program?
Click for more details
Insight on Security Metrics

A Guide for Building Your Corporate Security Metrics Program

Consider this: You can't manage well without measuring well. This short guide will set forth a set of steps that security managersshould use in building a basic metrics program.
Click for more details
Insight on Security Metrics

Faculty Advisor: Turning Incident Based Data Into Metrics

We have a fairly new security metrics initiative. I am able to show how we are assisting the organization to be more secure but I don’t think we’re showing business-based value. How do I take incident-based data and make a more compelling “story” to senior management?
Click for more details
Insight on Security Metrics

Enterprise Security Metrics: A Snapshot Assessment of Practices

This SEC report provides an assessment of the current use of metrics in corporate security management.
Click for more details
Insight on Security Metrics

Measuring and Communicating Security's Value

This book builds on George Campbell’s Measures and Metrics in Corporate Security. While Measures and Metrics guides you through creating a meaningful security metrics program, Measuring and Communicating Security’s Value takes you to the next step: using the metrics you deliver to communicate quantifiable value to the organization. The book...
Click for more details