Metrics that matter: How security professionals can show value
Think back to your early days in the security industry. Perhaps, like many others, you spent years in law enforcement or the military before transitioning to the private sector. The business jargon you encountered — ROI, KPI, risk mitigation — may have felt like another language. It’s not that you didn’t understand what your colleagues were talking about. But using these terms to tell the story of your department may have been challenging.
Metrics are the language of business and the foundation on which many of the most important organizational decisions are made. They can help you defend the department’s budget and support requests for resource increases. They can help document year-to-year progress and identify opportunities for improvement.
I was lucky when I entered the private sector. I had good mentors who showed me the ropes. But I frequently get questions from newly-minted security leaders on how they can improve their use of metrics to drive results. Which metrics matter? Which ones resonate with decision-makers?
Those are actually hard questions to answer, in part because every organization is different. The important data for retailers differs from those of a bank, and financial institutions have different metrics than the teams that protect pop stars or dignitaries. The metrics that matter are the ones that support the organization’s objectives.
Over the years, I’ve learned to think of metrics in four broad buckets. These categories answer several questions that tend to align with your organization’s goals.
A metrics framework
Efficiency
Efficiency metrics track the tactical efforts of the security team: the number of cases opened, the incident response time, and the median time to resolution of an incident. The efficiency aspect directly addresses the value of security as it relates to annual spending and answers the question, “What are you doing with the organization’s resources?”
Mitigation
These metrics seek to quantify avoided risks and should be measured against what an incident could have cost a company — an idea often referred to as “risk return on investment.” Was the team able to identify and intercept a person of interest or interrupt an attempt to steal intellectual property? How much did that incident cost to investigate? What is the expected cost of an intellectual property theft? Mitigation metrics directly address questions about the return on the organization’s investment to detect, deter, disrupt, deny and defend against threats.
Enablement
Security executives should align themselves with the broader strategic goals of the business. If a company is going through an expansion, security should be prepared to offer input on local safety issues and the impact that may have on the business. In healthcare, enablement metrics might focus on how many times guards need to escort nurses and doctors with high-risk patients. In a rapidly expanding organization, a security team might be evaluated on the number of site assessments it has performed or background checks. Enablement metrics directly address questions like “How does security facilitate the work of this organization?”
Training
Training metrics can help you answer a couple of different questions. Imagine, for example, that your internal data shows that your response time to incidents has slowed. Training data answers the question “what are you doing to get back on track?” But training also can be used to identify the capabilities of the security teams, like the percentage of security personnel trained in CPR, or in tactical driving. These types of metrics can answer questions like “what capabilities is the organization getting for its investment?”
Leveraging metrics to prove the value of security
If you are able to build a successful metrics program, your work will likely have an additional benefit: transforming the perception of security within the organization from a cost center to a strategic contributor.
At the core of this transformation is the presentation of your metrics. Choose metrics that build a narrative, one about the risk you’ve mitigated, the budget you’ve saved, and the initiatives your team has facilitated. All of these points should ladder up to the theme that your team is aligned with the organization’s business goals. To hammer home that narrative, discuss your team’s goals, the capabilities you will adopt, and metrics that you will improve in the future.
Resources to build a metrics program
While it is important you assess which specific metrics our organization needs, I want to leave you with a couple of thoughts about how to find resources.
First, to the extent that you can, look for ways to automate the reporting process. If you are using a platform for research, case management, or investigations, dig in to see if it has the reporting capabilities you need. Technology can go a long way toward streamlining this process.
Lastly, if you don’t have a mentor for your transition to the private sector or your transition to the executive ranks, try to find one. The security community is often very good about supporting its members.
Building a metrics program tailored to your organization’s strategic goals isn’t just a paperwork exercise. It will not only help secure investments that will strengthen the organization, it can resonate with decision-makers and help ensure your team is seen as a contributor to the organization’s success.