Security departments, like police departments, tend to be very good at data collection.
The number of incidents, where the incidents happened, time of day and the
types of crimes are all key pieces of information collected.
The real challenge is how to best handle and report the data. The easy solution is
to put together some graphs that show what happened, including trends such as whether
crime is increasing or decreasing. The problem is that data like that only
tells you what has already occurred. It is a lagging indicator. If you rely
only on historical data, your security metrics, or measures, will not always get
the right level of support from your organization’s senior leadership and
C-suite.
What security leaders worry about may be completely different from what CEOs worry
about. In many surveys, when asked about their top fears, security
professionals will answer with topics such as terrorism, active shooters,
workplace violence and so on. However, when CEOs are asked that question, the
answer may be very different. In fact, Lloyd’s Insurance Group just released
the 2013 results of top business concerns, and terrorism was near the bottom, 44
out of 50, although theft, fraud and corruption were in the top 20 risks. The top concerns instead were higher taxes, loss of customers and
cyber risk (the only security-related category in the top 10). The top concerns
are in the table below, with a green arrow showing an increase in the level of
concern since the last survey and a red arrow showing a decrease.
When the security leader presents his concerns to the C-suite, he may as well be
speaking a different language in many cases. When only historical data is
presented, the job of translating it to a business mindset is left to the senior
leaders, and that happens only if they choose to do so.
Instead, security leaders need to present both historical and proactive results in a
different context. Keeping in mind that the CEO may be most concerned about
higher taxes, which translates to less profit, maybe even losses, requests for
new or expensive security components may not be well received. Instead, focus
on how security improvements help customers feel safer and keep them coming
back instead of seeking alternatives. If a customer does not feel safe leaving
his car in your parking lot due to security concerns, that customer may take
his business elsewhere. Then the request to add lighting or security patrols or
whatever component may become much more likely to be approved if it helps the
business retain patrons. In that case, a key metric may become feedback from
clients on how safe they feel at your business.
In another study on business risks, healthcare leaders rated
worry over excessive regulation as the top concern; not surprising with the implementation of Obamacare. If
your organization is facing new compliance issues or regulation, how do you
address those concerns? One solution is to become familiar with the
requirements, especially those that have a direct or indirect impact on the
security operations. Within healthcare, failure to comply or follow regulations
can be directly tied to loss of reimbursement or fines.
To make your security metrics truly valuable, look at the list of top business
concerns below. Give some thought to how each of these relates to
security and what impact security can have on reducing those worries. Then your
metrics may be of real value to the organization.
Eric Smith, CPP is the leading authority on organizational self-defense. He has
extensive experience in law enforcement as well as security management. Eric is
available for staff education and security awareness training as well as business
coaching to help organizations provide safe workplaces. To learn more email Eric at businesskarate dot com.
If you would like
to reprint this post, please contact Eric at Eric at businesskarate dot com.