The value-add of security metrics
Enterprise security functions that collect and analyze data can identify trends to improve their teams and prove the value of security within the organization. From tracking workplace violence incidents to facility access patterns, enterprise security teams use data to forge relationships across the business and evaluate their own successes and improvements.
Below, we explore how four enterprise security functions have embraced data to improve operational efficiency, enterprise-wide communication and security buy-in from organizational leadership.
YAZAKI NORTH AMERICA
At Yazaki North America, Bert Morales, Vice President, Corporate Security and Crisis Management, leverages his mature security metrics program to improve security operations, make judicious security budget decisions, and improve cross-functional collaboration across the company. At Yazaki North America, an automotive electrical system provider that supplies materials to automobile manufacturers worldwide, Morales is responsible for more than five countries, including Mexico, Central America, the U.S. and Canada, with over 50 plants and facilities and 60,000 employees.
“Tracking security metrics is really about showing your impact and value to the company,” says Morales. “That’s demonstrating what capabilities you bring, and how they add value to the business. It’s about helping the company meet its business objectives.”
Yazaki North America’s security team has built a metrics program that provides valuable insights into security challenges and successes, allowing the team to respond quickly to any growing threats. Across the company’s North American facilities, Morales and his team can focus on security threats that are prominent in a specific region. Morales says that tracking data related to theft, substance abuse and logistics security incidents has helped the security team take a preventative approach to these issues.
Yazaki North America has five manufacturing plants across the border from El Paso with a worker population in the thousands. According to Morales, tracking substance abuse data in these facilities has helped the security team reduce incidents and notice negative trends quickly. “We track the number of instances of substance abuse and see if we are having a problem. If so, we take additional preventive measures where we bring in a drug canine, we step up our screening of employees entering and exiting the facility, etc.,” Morales says.
Another regional threat Morales’ team tracks is cargo theft. “Over the last few years, cargo theft on the highways has increased significantly in Mexico,” Morales notes. “We were seeing a spike in cargo theft in our shipments, which were headed toward either a distribution center or leaving the distribution center and would get stopped and stolen.”
He says that tracking the increases in cargo theft led to a stronger organizational partnership between logistics and security. “In response, we embedded a security investigator inside the logistics and transportation team, and it gave us much more insight to the carriers. That choice created a partnership between us and the logistics and transportation team on supply chain management.”
NRG ENERGY
When Joe Walters joined NRG Energy (NRG), a leading energy and home services company headquartered in Houston, Texas, in 2016, he was tasked with building out a centralized security program across all of NRG, including its affiliate brands and subsidiaries. Walters, Vice President, Enterprise Security and Real Estate at NRG, says metrics have played a role in the successful implementation of the centralized program since the project started.
“One of the first things we did was conduct a benchmarking study where we looked at other Fortune 150 companies and built a roadmap for our security program with senior leadership,” says Walters. The study analyzed data on security budget, technology, standards and processes to give Walters and his team insight into the state of their program.
“We have a history of starting with good data — that’s how we built our function. And over the years, we’ve worked on maturing that process,” Walters says.
The NRG security team recognizes the importance of data in fostering leadership buy-in to enterprise security. Walters’ program reports out metrics tailored to the many business units across NRG, including power generation, smart home technology, wholesale and retail electricity services across the country.
“We have an overall metrics deck that goes to our corporate leadership, but then we pare down metrics specific to our business unit leaders. In their metrics reports, they’re not seeing data that’s irrelevant to their business unit — they’re seeing what specific enterprise security solutions are doing for their business,” Walters says.
By customizing security metric reporting to each NRG business unit, Walters fosters buy-in and trust among business unit leaders, who know that the security data they review will be as specific and actionable as possible.
“Our reports foster that relationship with those business unit leaders, which then helps us to evolve some non-traditional value add by them having a solution — they can see the capabilities that are directly in line with their business,” says Walters.
NRG security metrics can show business unit leaders how security systems add operational value. “One of the things we report on specifically to power generation is how often a specific plant is contacting the security operations center, processing after-hours deliveries, or authenticating visitors or contractors. Additionally, our team breaks down security system performance, physical and virtual patrols, as well as any costs associated with the location. This not only keeps the business up to speed on the level of security services provided, it also allows us to identify trends, and forecast future needs. We can show them exactly how many times per month and at what level security is touching their business.”
In addition, NRG uses metrics to prove non-traditional security value. “Data provides another layer of depth in our conversations with leaders,” Walters says. “If I’m going to a senior executive, and we’re talking about their space needs in a new location, we can show them good datasets which highlight existing usage and heatmaps that help determine the number of conference rooms and shared spaces their employees will utilize. Additionally, we can show what teams are collaborating with other parts of the business most frequently to leverage and maximize those opportunities. This data helps us to build an environment where we foster collaboration and efficiencies with how our business functions.”
According to Walters, metrics play a critical part in demonstrating security value. “At least in my eyes, the objective of a security leader is to always foster relationships, and showcase your collaborative abilities where the security function can add real business value.”
BRIDGESTONE
Marie Schmidt, Director of Security Programs at Bridgestone, a global leader in tires and rubber building on its expertise to provide solutions for safe and sustainable mobility, ensures that the security team has the proper foundational governance built and maintained to maximize the impact of metrics in the organization. Schmidt spearheaded the security metrics initiative at Bridgestone when she joined the company in 2022.
“Our security function is on a multi-year journey to mature into a programs, risk and intelligence-led team,” Schmidt explains. “As we progress on this journey, we have to be efficient with the resources we have dedicated to it. We use data often to make sure that we’re using those resources — time, talent, budget — in the most impactful and responsible ways, so that we can maximize the ability to fulfill our duty of care to our company and teammates.”
Bridgestone uses metrics to enhance the security function’s ability to be proactive. By analyzing data, the security team can identify problematic trends in any key performance indicator (KPI) and take action quickly to correct issues before they amplify.
“We have to be proactive,” says Josh Walker, Vice President, Security and Enterprise Risk at Bridgestone. “By doing things such as leading trainings and conducting threat, risk and physical security assessments, we hope we can prevent incidents from occurring in the first place and reduce how often we have to be reactive.”
Bridgestone’s security metrics track KPIs on a monthly, quarterly, and annual basis to measure how the security function is performing against its strategic goals and how often they perform key responsibilities. Schmidt says Bridgestone uses metrics to demonstrate successes and identify areas of opportunity for continued growth to the security team and organizational leadership. She says metrics at Bridgestone have played a role in improving communications between Security and the enterprise.
“When we’re talking with our business partners, we use data to help us show the value of security. By referencing our metrics, we can use language that our business partners understand and speak as well,” says Schmidt.
Schmidt and Walker credit the success of their growing security metrics program to its alignment with Bridgestone’s strategic business goals. By taking the time to understand enterprise priorities, security can better demonstrate how the function supports aspects of the business, like revenue generation and enterprise operational efficiency.
“Each part of your business views different metrics in a different way — whether they are your functional counterparts, retail or manufacturing. There are certain metrics that are more important than others to each different audience,” says Walker. “We try to make sure that the metrics we’re using are the most helpful for our business leaders.”
BAKER HUGHES
Since Andy Tosh, Executive, Enterprise Security, Western Hemisphere, joined Baker Hughes 16 years ago, the energy company’s security function has undergone a significant transformation in how it tracks incidents and accomplishments and reports that information to leadership. Tosh says that while it has been a gradual process, the largest shift in the metrics program has happened in the last three years.
“The concept of using tangible, consistent and accurate data as a value-add to our security function and business leadership has been evolving over the last three years. Only in the last two years have we been able to start gauging the effectiveness of what that data is telling us, how we can use it to assess or manage risk and subsequently adapt our security programs as appropriate,” explains Tosh. “Today, our metrics — through regular analysis of the trends and the actual data we’re reporting — help our security team better understand what types of threats we’re facing and how that impacts or has the potential to impact our business and operations.”
Around three years ago, the Baker Hughes security team conducted an in-depth evaluation of their governance framework, processes and systems, as well as how they were measuring the effectiveness of their security programs on a national, regional and enterprise level.
“At that stage, we had availability to a lot of open-source information on threats and risks, but we identified a need for an internal, formal system to measure how we were either proactively or reactively managing these threats and risks,” Tosh says.
In response to this need, the Baker Hughes security function shifted its approach to collecting data in an incident management platform, enabling employees to report data directly into the software.
“Year on year, our employees have been inputting observations and concerns into this platform, and it’s grown significantly. Across the organization, we set about socializing the benefit of this tool to our workforce. Internally within the security function, we set some measurable targets of how many incidents we expect to be reported in the platform each year,” says Tosh. “In the first year, we only achieved about 66% of our goal. Now in our third year, we’ve exceeded our monthly, quarterly and annual goals and it now allows us to set baselines for the future. What’s important is that this initiative has been absolutely critical in defining what data we need to track and what we need to do to mitigate risk.”
The Baker Hughes security team tracks and reports on data related to emergency communications — for example, the number of messages sent to the workforce from the Baker Hughes Global Intelligence & Travel Security Operations Center (GITSOC), and security training — including the types of training, frequency and attendance. The Baker Hughes security team also tracks metrics related to workplace violence, investigations, security costs, crisis management training exercises, real-time events, and more.
“With all of this information available, month on month, quarter on quarter and year on year, we analyze the data. That helps us have a clearer understanding of where we’ve placed resources, where we’ve invested time, and what we’ve done to better safeguard and improve our security measures for our business, as well as where we ultimately have opportunities for improvement,” says Tosh.
Tosh says the security metrics initiative at Baker Hughes has helped the security team support its decision-making and, if necessary, needed investment. “It gave us credible information and data to understand where we were as a function and also how effective our business is at responding to events. The success and value that this was bringing to us as a security function became very evident in a short period of time. It helped us articulate our performance and risk management strategies to our leadership across the Enterprise.”