Metrics and Analysis in Security Management - Ohlhausen Research
Metrics and Analysis in Security Management - Ohlhausen Research
Metrics and Analysis in Security Management - Ohlhausen Research
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
That def<strong>in</strong>ition h<strong>in</strong>ts at the power of metrics <strong>and</strong> analysis (MA)to demonstrate a security department’s contribution to overallcorporate success. The message cont<strong>in</strong>ues to be emphasized <strong>in</strong>prom<strong>in</strong>ent security forums. For example, <strong>in</strong> a presentation titled“The <strong>Security</strong> <strong>Metrics</strong> Challenge” at the 2011 ASIS InternationalSem<strong>in</strong>ar <strong>and</strong> Exhibits, speakers stressed the <strong>in</strong>dispensability ofmetrics:• “It’s about the value proposition. If you can’t show value<strong>in</strong> <strong>in</strong>dustry, then you are not go<strong>in</strong>g to go very far… Are youproduc<strong>in</strong>g someth<strong>in</strong>g that’s go<strong>in</strong>g to <strong>in</strong>crease or susta<strong>in</strong> thevalue of the company? This is very important <strong>in</strong> the boss’sview.”James Shamess, CPP, Senior Adviser for <strong>Security</strong> Policy<strong>and</strong> Oversight, Office of the Adm<strong>in</strong>istrative Assistant to theSecretary of the Air Force• “When you talk to senior executives, you have to talk <strong>in</strong>language they underst<strong>and</strong>: money, what’s the return on<strong>in</strong>vestment, <strong>and</strong> what’s the benefit to me?... <strong>Security</strong>professionals, to have a seat at the table, need to be seen asvalue-added <strong>and</strong> cost-effective. You need to be able to reportmean<strong>in</strong>gful, <strong>in</strong>telligent, risk-based performance metrics tobuild confidence <strong>in</strong> your executive teams… Use those metricsto create a bus<strong>in</strong>ess case <strong>and</strong> measure program success. Youhave to show success <strong>in</strong> measurement. You can’t just providemetrics for the sake of metrics.”Klaus Heerwig, Director of <strong>Security</strong>, SRA InternationalWhen <strong>Security</strong> <strong>Management</strong> magaz<strong>in</strong>e gathered five lead<strong>in</strong>gsecurity professionals to discuss challenges <strong>and</strong> trends <strong>in</strong> thesecurity field, the topic of return on <strong>in</strong>vestment, or ROI, came upquickly. When asked how to make the bus<strong>in</strong>ess case for security,Chad Callaghan, CPP, Vice President, Enterprise Loss Prevention,Marriott International, Inc., replied (Harowitz, n.d.):When you talk to seniorexecutives, you have totalk <strong>in</strong> language theyunderst<strong>and</strong>: money,what’s the return on<strong>in</strong>vestment, <strong>and</strong> what’s thebenefit to me?... <strong>Security</strong>professionals, to have aseat at the table, need tobe seen as value-added<strong>and</strong> cost-effective. Youneed to be able to reportmean<strong>in</strong>gful, <strong>in</strong>telligent, riskbasedperformance metricsto build confidence <strong>in</strong> yourexecutive teams… Usethose metrics to create abus<strong>in</strong>ess case <strong>and</strong> measureprogram success. Youhave to show success <strong>in</strong>measurement. You can’t justprovide metrics for the sakeof metrics.For us, it’s metrics. Hav<strong>in</strong>g someth<strong>in</strong>g you can measure, that youcan show improvement <strong>in</strong> year over year that attaches to someth<strong>in</strong>gthat has <strong>in</strong>tr<strong>in</strong>sic value to your company. Because we do safety<strong>and</strong> security both <strong>and</strong> because we are part of risk management,we’re able to measure total losses to the company <strong>and</strong> that has ahuge impact. It is one of the key metrics used, <strong>and</strong> it gets a lot ofattention.Klaus Heerwig,Director of <strong>Security</strong>,SRA InternationalBrian Tuskan, Microsoft Corporation’s Senior Director of Global<strong>Security</strong> Technology & Investigations, notes that by us<strong>in</strong>g security-<strong>Metrics</strong> <strong>and</strong> <strong>Analysis</strong> <strong>in</strong> <strong>Security</strong> <strong>Management</strong>15