Wednesday, April 27, 2016

The Quest for Security Metrics!



Originally written for SourceSecurity.com by Eric Smith




Knights of medieval times are known for impossible quests and challenging missions seeking rare religious items. The quest for the Holy Grail is perhaps the most notable. Today’s security professionals are often on their own quest, seeking what sometimes feels like the impossible – the search for perfect security metrics!

What are metrics and are they really that hard to find? Metrics are simply a measure to show effectiveness or to track performance. We are surrounded by metrics every day. For someone who wants to lose weight, a daily stop on the scale to track progress is an example of a metric. For someone interested in building muscle, the metric used may be the amount lifted in a bench press or leg press. Companies use metrics to measure key progress in areas such as sales, repeat customers or net income.

Security Metrics Best Defined By Finance Team 
How do you measure the success of a security program? If your security program were primarily about preventing crime, you would need to track every time you deter a criminal – something that is very hard to know or track. Basically, it means tracking something that didn’t happen. There is good news though. There are other ways to measure success and to provide ways to showcase what the security program has accomplished. 

If there is one group that uses and understands metrics, it is the finance team of a business. The finance team deals with every part of an organization and understands the value of setting targets and measuring progress, in terms of budget, income and expenses. We are going to look at security metrics used in one case study that came about after the security department reported to the CFO. 

Understanding Security Metrics From The CFO 
The CFO had several support groups reporting to him and was interested in how to track progress of each of the groups. It was quickly determined that there were four core areas to track. Activity, Efficiency, Quality and Customer Satisfaction were the categories focused on.
Click to expand

Security Activity Measurement 
The first category was to measure overall activity. The specifics may change from one organization to another, but looks at the types of responses and incidents handled by the security team. This should include general crime rates on campus, or may be a focus on specific issues. For example, in healthcare, a top priority has become the issue of violence and assaults on clinical staff by patients. 

By nature, many of these metrics are lagging metrics. In other words, the metric is a measurement of something that already happened. However, it is possible to include leading metrics as well. Leading metrics are a measurement of an activity that is pro-active or preventative in nature. An example of a leading metric could be tracking the number of exterior patrols done by security officers. The theory being highly visible and pro-active patrols are a deterrent and reduce overall crime on campus. For a system integrator, regular maintenance of access control or video systems that prevent downtime could be a measure of a leading indicator instead. 

Financially Efficient Security Program
Efficiency was the next category. Of course, since this was coming from the CFO, financial efficiency was involved. One metric was budget compliance, a ratio of budgeted funds versus actual spend as a percentage. Another efficiency number tracked was the number of voluntary turnovers. This number tracked how many security employees left for other pursuits. It did not include involuntary turnover, as it was felt that this could potentially influence leaders to keep unsavory employees to limit the turnover data. Other examples of efficiency could include storage of valuables for guests or patients, or number of lost items returned to the owner.

Quality Of Security Program
The next category considered was quality. To track the quality of the security program, a variety of options were considered. In this case, the number of security employees who received certification in the industry was tracked. The CFO also wanted to see the security department provide, or at least facilitate, security training for staff. The metric used was the number of training sessions provided to staff, including brief internal education meetings with different departments or ‘brown bag’ lunch and learn sessions that could include outside speakers. Again, education sessions were a more pro-active measure and could be considered a leading indicator.

Customer Satisfaction
The last area considered in this example was customer satisfaction. Fortunately, there were several options from which to choose. One vital measure was an annual survey that asked about staff perception of safety and security at the organization. The scale was 1-5 and allowed to track the number in the top category, those who felt very safe at work. This was the measure used with the goal to move people from the next category, feeling somewhat safe, to the top or feeling very safe. Response time by the security team was another area that linked directly to customer satisfaction. There was also a secret shopper program in place where an individual would contact security about a routine matter and provide feedback, scoring the officer on customer service and friendliness to the appearance of the officer’s uniform. 

Importance Of Security Metrics
Of course, tracking all of the metrics mentioned is great, but what does it really mean? Once you begin tracking results, the past results can be used as a baseline that allows you to set goals, establish targets moving forward, and identify areas of improvement. Keep in mind that these baselines are different from industry benchmarks. Benchmarks are comparisons or numbers based on a mix of different organizations, often within the same industry, to gauge where one company is in relation to the industry. 

When selecting metrics there are a few things to keep in mind. Probably the most important is to make sure that the data you need for the metric is easily available. A metric is something that you are going to want to measure on a regular basis and if the work involved getting that number is too difficult, it will quickly be ignored or left undone and you end up having no measure at all. A good rule of thumb is that the data or measure should be able to be collected within 15 minutes.

Also, pick metrics that are something that the security team can act upon or have a direct impact on. If the measure reflects something that the security team has no control over, then it tells very little about the success or effectiveness of the security program. For example, neighborhood crime stats may be valuable to track for awareness sake, but do not reflect on the security team’s performance so should not be included as part of the performance metrics.  
Click to Expand

Evaluating Security Metrics
The last word about metrics: be sure to do something with the metrics collected. Use the data to tell a story about what the security department is doing. Visuals and charts can be very helpful in seeing exactly what areas may need attention and what is going well. Keep evaluating the value of the metrics used as well. An idea that originally seemed great, may turn out to not really reflect what you had hoped and should be changed and a new metric identified instead. This is an ongoing process.

Done right, a good metric program will help tell the story of the security department and highlight the successes as well as help identify potential areas for improvement.


Combining his law enforcement and corporate security experiences plus a love of martial arts, Eric Smith created Business Karate, LLC, a Colorado-based security consulting firm. His new book, Workplace Security Essentials, outlines how any business, school, hospital or organization can master the art of self-defense, reduce losses, avoid liability and build a safer workplace. Visit www.businesskarate.com for more. Follow on Twitter @businesskarate

Wednesday, January 20, 2016

Security Wishes for 2016



This time of year, we hear about all the New Year’s resolutions and our promises, or more often lies to ourselves, about all that we are going to do different, hopefully better.  Sadly, most of these well-meant ideas quickly fall by the wayside and only reflect our wishful thinking.

Maybe you’re still sticking to some of those goals. After all, it is still January.

With the new year and wishful thinking about all the areas we would like to improve on, it seemed like a good time to think about what could be better with the security industry. So I came up with my own list of wishes for 2016. See how they compare to your own and let me know in the comments.

  • Leadership support – if you don’t have this now, you certainly know it. Ongoing support by your organization’s top leaders is vital to success. Otherwise you’ll be spinning your wheels (and that won’t even burn calories if fitness was a resolution for you).
  • Budget appropriate – Budget is definitely tied to leadership support and the purse strings that make the business world spin. You may have certain capital or even operational needs that you’ve identified and certainly getting the right level of funding will impact how much you can do.
  • Administrative support – this is a personal frustration of mine. I’ve worked in security departments that strictly focus on the operational side and there is no administrative support. Paperwork, minutes, filing, ordering supplies etc. all still need to be done however. So where does that come from – the operational side.
  • Understanding that not all security is the same – IT security and physical security need to work together, but are often at odds within an organization. IT security professionals making physical assessments of non-IT sites instead of those who’ve worked in physical security or law enforcement. Do you really want your IT guy conducting robbery training and your physical security guy designing the company firewall? Keep to your area of expertise.
    WikiCommons Photo by Pierre-alain Dorange
  • Employee awareness and training – How much simpler would security be if employees all followed the rules and did the right thing? Unfortunately, too often training is not done as it is seen as down time and then when an issue comes up the expectation is for security to fix it while the employees sit back and watch. Definitely take advantage of any available training and put it into practice.
  • Right tools for the risks – I’m amazed at how often an organization expresses concerns over active shooters and then wants to add an unarmed security officer to watch the front door or to be the first responder (basically target) to an attack. Review the risks and then put the right tools, people or training into place to address those concerns.
 
Well there it is. My 2016 wish list, at least those just off the top of my head, although I’d throw in a big raise and better benefits while I am at it.

I’m sure that I did not cover everything. What are does your wish list include? Let me know and put them in the comments below.

Combining his law enforcement and corporate security experiences plus a love of martial arts, Eric Smith created Business Karate, LLC, a Colorado-based security consulting firm. His new book, Workplace Security Essentials, outlines how any business, school, hospital or organization can master the art of self-defense, reduce losses, avoid liability and build a safer workplace. Visit www.businesskarate.com for more. Follow on Twitter @businesskarate