Yet according to George Campbell, author of the book Measures and Metrics in Corporate Security and a faculty member of the Security Executive Council, “there’s a general void within security of leaders who fully appreciate the need for and the application of metrics. Too many see their incident counts as metrics, not what the analysis of those counts is telling them about risk and program performance. Security management talks about performance, but it’s almost as if they don’t think of metrics as having anything to do with performance.”
If performance metrics are critically important to business leaders, and security leaders fail to recognize their importance, why aren’t business leaders demanding performance metrics from security in the same way they do for so many other business functions? Often it’s because management doesn’t view security as a valuable element of the business, says Campbell. “It’s part of the cost equation that sits on the side, and it’s not seen as part of the business or governance infrastructure.” In these cases, the lack of demand for metrics is simply the symptom of a much greater problem.
This ought to be a sobering possibility for many security leaders. If management lacks respect for security as a business function, the security leader can earn only limited influence, and security as an organization can accomplish only limited success. Creating performance metrics isn’t a silver bullet solution, but security leaders who undertake the development of meaningful metrics can enhance management’s perception of the value of security, while adding to that value by building a greater understanding of the security function and the business.
Some forward-thinking security leaders who have risen to the challenge of metrics development are sharing their experiences to assist others in their endeavors. Dave Komendat, VP and Chief Security Officer of The Boeing Company, and Pam Dost, his Senior Manager of Strategy Development, viewed the creation of their metrics suite as an opportunity to show the value security brings to the company.
Komendat is the winner of a CSO Compass Award and one of Security magazine’s Most Influential People in Security for 2011; his security organization has been recognized internally and externally as a value enhancer and a business enabler. But metrics would provide another, more succinct way to show management how security contributes. “When you have limited time with the most senior leaders in the company, metrics provide a way to communicate value simply and efficiently. It’s very meaningful for them to see fact-based data that shows the value of the cost avoidance, quality improvement and risk mitigation that your organization is bringing to the company,” Komendat says.
Pam Dost, who heads up the metrics initiative at Boeing, remarks that the education that security managers are getting from the process has been an unexpected but notable side benefit. “We invested a significant amount of time up front to educate the (security) leaders on why we need to provide metrics and how they would increase the credibility of our organization,” she says. “When we started this journey, our (security) leaders were very aware of their functional responsibilities and collecting data. But they hadn’t had a lot of exposure to the corporate interest level or how to leverage the data to tell a higher value story about risk and overall benefit. Since we launched the metrics initiative, the passion and interest in understanding the bigger picture of business has inspired our leaders to look for additional high value metric examples we can share with our corporate leaders. I think one of the biggest advantages is how developing this broader view – exposing these risks in a different way – broadens their skills and helps them become better leaders.”
Nihaus, Komendat and Campbell are collaborating to develop a course on developing and communicating security performance metrics for the Security Executive Council’s Next Generation Security Leader curriculum, set to launch in January. To learn more or to register, visit www.securityexecutivecouncil.com/nextgen.