Corporate security metrics - curse or cure?

Corporate security practices have developed significantly over the last few years in response to a rapidly changing threat environment.

Organisations now require ever more sophisticated security controls to cover a broad range of domains, from manned guarding to business intelligence. Developing an active Key Performance Indicator (KPI) framework makes more sense now than ever before.

Despite this, most organisations struggle to embed an effective performance management approach for their security functions. This is primarily due to legacy structural issues, but also to ongoing challenges with the quality and quantity of data.

For many, corporate security continues to be seen as a basic operational compliance requirement instead of a strategic business enabler. Whilst most other business functions are required to report a variety of metrics to manage performance, security is often overlooked, which demonstrates a perceived lack of value. 

Part of the challenge is the lack of an established model for corporate security. Whilst other functions such as HR, Finance, HSE all have a clear set of standards and compliance mandates, there are no mandatory security standards which public or private companies must adhere to. Consequently, corporate security operating models vary dramatically between different businesses, sectors, and geographies. Whilst some organisations adopt a lean security model, outsourcing most of their security requirements, others use an internal team in a centre of excellence to drive service quality for business units. 

Corporates are increasingly awash with data. Security professionals need both the capability and the capacity to identify and source the right data to establish an effective metrics programme. Often, as a consequence of the security operating model, corporate security relies on data from other functions and business units. Identifying and collecting that data is challenging and should be the first step in establishing an effective metrics programme. Ideally, corporate security should develop and own its own data sources to ensure quality and ongoing assurance.

Across all sectors, KPIs are increasingly seen as an effective means of monitoring the value of security and demonstrating its contribution to the bottom line. 

Measuring a range of security metrics has the following benefits:

  1. Improved adequacy of security controls and clearer resource needs
  2. Assigned accountability for security delivery
  3. Demonstrated cost benefit for resource commitment
  4. Better alignment of security delivery with business objectives and priorities

Establishing a KPI framework can be done using a staged approach starting with defining business objectives, identifying who will use the metrics, locating sources of data, linking to threats and risk, and reporting. 

Figure 1: Establishing a KPI framework

To achieve these benefits, it is good practice to use a range of metrics across several different categories to demonstrate security’s multiple benefits to the business. 

Figure 2: Core KPI categories

Mature organisations capture KPIs at a local level using a balanced scorecard and report at least bi-annually, but ideally quarterly, to regional executives. Leadership can use the data to review the cost trends and benefits of security controls, to allocate budget, and as a benchmark when analysing the business case for investment into new regions or geographies.

Figure 3: Example KPI reporting framework

Checklist

So, what can corporate security professionals do now to start thinking about developing a KPI-based performance management system for their security scope?

  1. Review and assess your security maturity: KPIs work best in established security organisations which have a defined scope and a consistent framework. A maturity assessment will determine whether your organisation is ready to consider KPIs and will identify any other gaps which might need closing first.
  2. Benchmark: Review internally to see how other functions and departments are measuring themselves. Organisations will often have well-established KPIs already, and it is a matter of finding those parts of the business which are doing this well and learning from them. Consider benchmarking against peer organisations to see how others outside your organisation are managing and measuring security performance.
  3. Find the data: KPIs require good-quality data to work effectively. A quick scan across the organisation, in discussion with management and IT, will show whether data is already available or whether security needs to start collecting and structuring its own.
  4. Develop a narrative: KPIs are about performance and about telling a story to those who want to hear about the positive benefits that security can bring to the business. Different levels of the business will be interested in different data, and matching these requirements will be critical to the success of any KPI programme.