Metrics and Analysis in Security Management - Ohlhausen Research

Recommendations

Info

Even before major problems occur, MA can be used to watchindicators—signs of risk—that may suggest a need for differentsecurity measures. Campbell (2006b) notes that these indicatorsor metrics “become the earliest prompts for more in-depth analysisof trend dynamics,” allowing CSOs to “look at the root causes ofproblems, not just the symptoms.” He lists several trends thatmetrics may help identify:METRICSPROVIDEANSWERS• More frequent or more severe accidents, crimes or policyinfractions;• Increased downtime of critical equipment;• Rise in negative background investigations;• Changes in security response times;• Reduction in building evacuation exercises; and• Rise in misconduct cases within a business unit.With careful analysis of the right metrics, a security professionalcan devise appropriate strategies to reduce risks. Expanding onthe example of increased misconduct cases, Campbell (2006b)suggests that further investigation might show poor supervisionof employees in that unit, as well as little employee awareness ofcompany policies on business conduct. Solutions would requireefforts by the security, human resources and legal departments.MA can also be used for external comparisons—that is, comparingone organization’s security-relevant metrics to those of otherorganizations. This process of benchmarking depends on theavailability of metrics and, of course, the underlying data thatmust be collected to produce those metrics.Metrics as Marketing for theSecurity ProgramIn their definition of security metrics management, Kovacichand Halibozek (2005) emphasize both the operational aspects ofmetrics (discussed above) and the business aspects of metrics. Onthe business side, they note:Consider this: Does yourmanagement want to beable to clearly see whetheryou are conforming withcorporate values andpolicies? Would they like tohave a visual representationof the state of the company’srisk—desirable orundesirable? Would theylike to have measurementsand data at hand that showwhether the company is incompliance with applicablelaws and regulations? Dothey want to know whetherpast and current securityinvestments have resultedin decreased risk or fewerincidents, so they canmore easily determinethe direction of futureinvestment?Through the use of metrics, the security cost versus benefitanalysis becomes more quantitative and easier to understand andcommunicate in common business terms. Metrics help the securityprofessional and others better understand the efficiency andeffectiveness (value) of an assets protection program.(Campbell & Blades, 2009)14 Metrics and Analysis in Security Management
That definition hints at the power of metrics and analysis (MA)to demonstrate a security department’s contribution to overallcorporate success. The message continues to be emphasized inprominent security forums. For example, in a presentation titled“The Security Metrics Challenge” at the 2011 ASIS InternationalSeminar and Exhibits, speakers stressed the indispensability ofmetrics:• “It’s about the value proposition. If you can’t show valuein industry, then you are not going to go very far… Are youproducing something that’s going to increase or sustain thevalue of the company? This is very important in the boss’sview.”James Shamess, CPP, Senior Adviser for Security Policyand Oversight, Office of the Administrative Assistant to theSecretary of the Air Force• “When you talk to senior executives, you have to talk inlanguage they understand: money, what’s the return oninvestment, and what’s the benefit to me?... Securityprofessionals, to have a seat at the table, need to be seen asvalue-added and cost-effective. You need to be able to reportmeaningful, intelligent, risk-based performance metrics tobuild confidence in your executive teams… Use those metricsto create a business case and measure program success. Youhave to show success in measurement. You can’t just providemetrics for the sake of metrics.”Klaus Heerwig, Director of Security, SRA InternationalWhen Security Management magazine gathered five leadingsecurity professionals to discuss challenges and trends in thesecurity field, the topic of return on investment, or ROI, came upquickly. When asked how to make the business case for security,Chad Callaghan, CPP, Vice President, Enterprise Loss Prevention,Marriott International, Inc., replied (Harowitz, n.d.):When you talk to seniorexecutives, you have totalk in language theyunderstand: money,what’s the return oninvestment, and what’s thebenefit to me?... Securityprofessionals, to have aseat at the table, need tobe seen as value-addedand cost-effective. Youneed to be able to reportmeaningful, intelligent, riskbasedperformance metricsto build confidence in yourexecutive teams… Usethose metrics to create abusiness case and measureprogram success. Youhave to show success inmeasurement. You can’t justprovide metrics for the sakeof metrics.For us, it’s metrics. Having something you can measure, that youcan show improvement in year over year that attaches to somethingthat has intrinsic value to your company. Because we do safetyand security both and because we are part of risk management,we’re able to measure total losses to the company and that has ahuge impact. It is one of the key metrics used, and it gets a lot ofattention.Klaus Heerwig,Director of Security,SRA InternationalBrian Tuskan, Microsoft Corporation’s Senior Director of GlobalSecurity Technology & Investigations, notes that by using security-Metrics and Analysis in Security Management15
Page 1: WHITEPAPERMETRICS AND ANALYSISIN SE
Page 5: ContentsExecutive Summary 7The Powe
Page 8 and 9: The Power and Importance ofMetrics
Page 11 and 12: may mean that security is being lef
Page 13: actions, including maintenance and
Page 17 and 18: Developing Specific MetricsWhat, ex
Page 19 and 20: derogatory backgrounds.” The key
Page 21 and 22: Such software can also automate the
Page 23 and 24: Getting StartedThe case for using m
Page 25 and 26: ReferencesCampbell, George. (2006a)
Page 27 and 28: 27 Metrics and Analysis in Security

Metrics and Analysis in Security Management - Ohlhausen Research

Create successful ePaper yourself

Delete template?

Save as template?