One of the most common challenges security departments face when justifying their budgets (and their need to invest in tools like incident management software) is demonstrating value over cost. Security is historically viewed as a cost center, so how does a security team turn this perception around by showing return on investment and justifying the budget required to gain efficiencies, protect assets, and prevent incidents? In other words, what metrics matter most in measuring and demonstrating the value of the security function?
A few weeks ago, the ASIS Foundation published an in-depth research report on this very topic, Persuading Senior Management with Effective, Evaluated Security Metrics. This detailed (and free!) report covers survey results from 297 security professionals and focuses on the metrics used in 16 different businesses and corporations. These security professionals shared their metrics, processes, graphs, and reports together with how these statistics guide their decision-making. Based on this data, the writers of the report were even able to create a Security Metrics Evaluation Tool (Security MET) which you can use to develop, evaluate, and improve your security metrics.
In reading the introduction, it seems most security teams are facing the same opposition:
Corporate management tends to view security as overhead (i.e., a cost center rather than a production center) and security metrics as merely measuring activity, not value. Security professionals note that security benefits are difficult to measure compared to the benefits of profit centers, and such professionals often lack the skills or time to create and administer effective metrics. Thus, current security metrics, in practice, are generally not compelling and are often not taken seriously. (Rothke, 2009) (ASIS Foundation report page 15)
We know that having the right type of reporting is important. Not only do you need to keep track of the numbers for trending and analysis, you need to put them into context so that your executive team can understand impact and how your security initiatives save them money through incident reduction and prevention.
Incident management software (IMS) can help make organizing and discerning meaning from data (i.e., trends analysis) faster and less burdensome on personnel, and thus could serve as a crucial aid in efficient and effective communication. (From the white paper: Strengthening Intelligence and Investigations with Incident Management Software, McIlravey & Ohlhausen, 2013, included in Persuading Senior Management with Effective, Evaluated Security Metrics, page 16)
PPM’s Perspective software has three robust levels of reporting and all of the data in our incident management system can be used for forecasting and analysis. Out-of-the-box, Perspective also has multiple levels of loss tracking including direct, averted, and indirect. Within the ASIS Foundation report is a real example of a Perspective client using our reporting and loss tracking to calculate ROI. Here are some of the key pieces from their survey submission:
We count and analyze the number and type of security incidents. Using incident management software from PPM 2000 and our own customized Web form, we have been gathering incident data to monitor losses, study the effect of security interventions, and initiate investigations. (Persuading Senior Management with Effective, Evaluated Security Metrics, page 97)
So we expend considerable effort in dealing with other parts of the business, looking at their security risks and helping them find solutions to their risk exposures. We make extensive use of our data in targeting key areas of the business in order to provide support. (Persuading Senior Management with Effective, Evaluated Security Metrics, page 99)
Regarding costs, it can be expensive to buy software and train staff to use it, yet manual tracking could be slow and difficult. The metric shows promise for reducing pilferage, thereby enhancing the security ROI. Different companies would need to tailor this metric to their specific needs. Regular tracking, training, and reporting can be an effective means to reduce loss. (Persuading Senior Management with Effective, Evaluated Security Metrics, page 101)
Using their incident tracking data and trending analysis, this security team was able to identify high-risk areas and install hardware (cameras, alarm systems, and lighting) in those areas to realize an immediate reduction in theft. The intelligence also allowed them to implement countermeasures to decrease cable cutting linked to EFTPOS (electronic funds transfer at point of sale) transactions.
A final method is to measure and communicate metric results over time. Ultimately, metrics are the marketing tool for the security program. (From the white paper: Metrics and Analysis in Security Management, McIlravey & Ohlhausen, 2012, included in Persuading Senior Management with Effective, Evaluated Security Metrics, page 16)
Meaningful metrics are the key to buy-in from the C-level, whether you are seeking a larger workforce, more hardware, or even specialized software to capture incidents and manage investigations.
The security industry is one where information is typically held close to the vest, so it’s refreshing to read a report full of information on metrics and ROI. The more we share best practices, the more we can communicate value, assist other departments in reducing risk, and prevent incidents. Security teams are much more than cost centers, and with the right data, it’s possible to showcase security as a profit center that contributes to the bottom line.
A big thank you to the ASIS Foundation for putting this research report together. Make sure you take the time to read through the case studies and see how the data provided can be applied to your organization. Download the free document (and its Security Metrics Evaluation Tool) here.
For further security ROI information, you can also download our white papers referenced within the ASIS Foundation document here.