Why Your Security Metrics Stink

            Security departments, like police departments, tend to be very good at data collection. The number of incidents, where the incidents happened, time of day and the types of crimes are all key pieces of information collected.

            The real challenge is how to best handle and report the data. The easy solution is to put together some graphs that show what happened, including trends such as whether crime is increasing or decreasing. The problem is that data like that only tells you what already occurred in the past. It is a lagging indicator. If you are relying on only historical data, your security metrics, or measures, will not always get the right level of support from your organization’s senior leadership and c-suite.

            What security leaders worry about may be completely different from what CEOs worry about. In many surveys, when asked about their top fears, security professionals will answer with topics such as terrorism, active shooters, workplace violence and so on. However, when CEOs are asked that question the answer may be very different. In fact, Lloyd’s Insurance Group just released the 2013 results of top business concerns and terrorism was near the bottom, 44 out of 50, although theft, fraud and corruption were in the top 20 risks. The top concerns instead were higher taxes, loss of customers and cyber risk (the only security-related category in the top 10). The top concerns are in the table below, with a green arrow showing an increase in the level of concern since the last survey and a red arrow showing a decrease.


            When the security leader presents his concerns to the c-suite, he may as well be speaking a different language in many cases. By presenting historical data only, the job of translating that to a business mindset is left to the senior leaders and that is only if they chose to do so.

            Instead, security leaders need to present both historical and pro-active results in a different context. Keeping in mind that the CEO may be most concerned about higher taxes, which translates to less profit, maybe even losses, requests for new or expensive security components may not be well received. Instead, focus on how security improvements helps customers feel safer and keeps them coming back instead of seeking alternatives. If a customer does not feel safe leaving his car in your parking lot due to security concerns, that customer may take his business elsewhere. Then the request to add lighting or security patrols or whatever component may become much more likely to be approved if it helps the business retain patrons. In that case, a key metric may become feedback from clients on how safe they feel at your business.

            In another study on business risks, healthcare leaders rated worry over excessive regulation as the top concern; not surprising with the implementation of Obamacare. If your organization is facing new compliance issues or regulation, how do you address those concerns? One solution is to become familiar with the requirements, especially those that have a direct or indirect impact on the security operations. Within healthcare, failure to comply or follow regulations can be directly tied to loss of reimbursement or fines.   

            To make your security metrics truly valuable, look at the list of top business concerns on the list below. Give some thought to how each of these relate to security and what impact security can have on reducing those worries. Then your metrics may be of real value to the organization.

Eric Smith, CPP is the leading authority on organizational self-defense. He has extensive experience in law enforcement as well as security management. Eric is available for staff education and security awareness training as well as business coaching to help organizations provide safe workplaces. To learn more email Eric at businesskarate dot com.

If you would like to reprint this post, please contact Eric at Eric at businesskarate dot com.

No comments:

Post a Comment