How to Use Metrics

Analyzing security data can spell success for a security operation and the organization it serves.

CIOs and CISOs generate security data every day. Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves

Why metrics? The fact that established metrics and measures for the full range of security programs are few and far between tells a story about the historical disconnect between these functions and the core businesses they serve. The risk environment has changed significantly over the past 30 years, with shocking wake-up calls to CEOs, boards and shareholders. Attentive corporations have had to address the exposures uncovered in these times with more sophisticated and mainstream corporate security organizations. With this mainstreaming comes the obligation to measure performance and demonstrate bottom-line contributions. Metrics are a natural descendant of this process.

It is also essential that we recognize security's contribution to the corporate system of internal controls.

Internal controls, established to mitigate a variety of business risks, provide the dashboard to inform management on the status of core activities and to apply the brakes that keep the enterprise safely on course. The security organization plays a critical role in identifying, measuring, preventing and responding to a growing inventory of risks. We must be able to measure the probability and potential consequences of an identified risk, or management has no gauge to assess and prioritize what actions to take. Metrics are central to understanding the adequacy of security controls and where to focus our limited resources for the greatest contribution to the protection strategy.

This excerpt from the book Measures and Metrics in Corporate Security, Communicating Business Value gives a few examples of the ways CIOs and CISOs can think about the data they collect as part of their security operations and identifies what is important to measure, and how to communicate with senior business executives about what the data indicates about their organization's risk environment and how it's being managed.

1.Aligning security metrics with business drivers

Security programs gather volumes of data every day. If we gather the right information, we generate unique and informative data that, for example:

• Defines what, where and how risk is occurring

• Emphasizes the accountability of business management for safeguarding the organization's assets

• Directly aids in measuring service quality and customer satisfaction

• Provides measurable support for new and existing programs

• Contributes to a variety of value-based assessments

The successful CIO or security executive defines his business plan and the performance of resources and services around clearly articulated measures. Those measures should be aligned with core business strategy and priorities. Figure 1 (this page) illustrates how a CIO has evaluated the importance of various security metrics, based on their relevance to business drivers such as managing costs and risks, focusing on return on investment, complying with the law and company policies, and protecting the lives and safety of employees. Note the last column on the right, which is checked every time: internal influence. Effective use of metrics that matter to business leadership, demonstrating the value of security operations, wins a security executive important capital.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about BossHISSpeed

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by George Campbell

Latest Videos

More videos

Blog Posts