Optimising the corporate security and resilience function
The global COVID-19 pandemic is the most intensive data-driven global crisis any of us has seen. Even the most forward-leaning and well-resourced companies have struggled with the sheer volume of data they must monitor and track daily, as well as the rapid rate at which they must make sense of that data to inform decision-making and planning. On top of that, we now have intensive financial pressure and scrutiny of corporate programmes to cut costs wherever possible, preferably without impacting core operations or functions.
This is familiar territory for security and resilience professionals. For almost as long as they have been in existence, security and resilience departments have been asked to do more with less and have struggled to find the best way to demonstrate their true value as a business-enabling function – rather than just a cost centre. Core to this perennial issue has been the lack of hard metrics to track, measure, and continuously report on programme effectiveness and return on investment (ROI) using data – and to ensure the security and resilience programme is optimised to address the risks to the organisation in the most efficient and effective manner.
COVID-19 has thrown into stark relief the criticality of good data and metrics to support effective decision-making – both for strategic crisis response and for more operational and tactical business continuity planning. The same thinking needs to be applied more broadly to optimise corporate security programmes.
Human resources and manual processes alone cannot meet this enormous task. It requires the integration of technology to leverage machine-learning and computing power along with the application of data analytics, intelligent interpretation, and visualisation tools. Only by clearly telling the story of what the data reveals can the organisation zero in on potential business impacts and measure the effectiveness of mitigation measures, and ultimately, show the value delivered back to the business.
Organisations that have done this best in their COVID monitoring and response thus far have been able to make faster, more informed decisions, and have also been able to pivot and adjust course to rapidly changing conditions across the globe. That same logic can be applied more broadly to build, drive and continuously improve corporate security and resilience functions.
Four steps to building a data-led security and resilience programme
To help distil some of the key lessons learned from COVID-19 and broaden the thinking around the use of data and data analytics to drive more effective security and resilience programmes, we’ve broken the initial priorities down into four steps:
Step 1: Understand the maturity of your programme
Determine if your security and resilience programme has the right elements at the right levels of maturity to address your organisation’s strategic needs. While it is certainly possible to measure the performance of programmes at earlier stages, metrics become more meaningful indicators of the effectiveness and value of a programme once a certain level of maturity is achieved. That said, some measurement of performance is better than none at all. The sooner a security function embraces a data-focused mindset, the sooner it will be able to accelerate its own evolution and allow for more balanced investment in capabilities – and in time, demonstrate the full return on investment.
Step 2: Define metrics and key performance indicators (KPIs)
Identify programme metrics and define key performance indicators (KPIs) used to gauge programme performance and progress towards carefully defined goals (i.e., “what good looks like”). Once the metrics and KPIs are set out clearly, design your data collection plan to determine which data sets to use, what sources to draw from, and what mechanisms and tools are needed to collect and aggregate it all. That roadmap should then be used to determine where to invest in security and resilience programmes to ensure they support the overall approach.
Certain metrics can be more easily quantified than others – from the very tactical number of confirmed COVID cases in a particular jurisdiction, known incidents resolved, threats detected, or reduced operational downtimes, to the more strategic loss of market share and shareholder value post-crisis. Where it becomes more challenging is proving to the wider business the value of prevention and return on investment. Once an organisation begins collecting and aggregating the right data sets, patterns and trends emerge over time to enable better informed decisions to recalibrate and improve overall programme performance and, better yet, demonstrate impact and opportunity growth using actual data.
Step 3: Map and index global data sets
Invest time into understanding which data exists and how it can be used to support the security and resilience mission, while also aligning more closely with the core business. This is a foundational step that only the most mature organisations have a solid grasp on. It’s important to think broadly here. Relevant data sets can include everything from corporate assets prioritised by criticality (physical and digital), audit reports, risk and business impact analyses, human resources, and general ledger transactions (given supply chain implications), through to the more operational threat intelligence feeds (internal and external), access controls, video and alert monitoring, incident reporting and even loss prevention statistics.
Step 4: Use data to tell your story
Apply data analytics tools and techniques to visualise and “tell the story.” By leveraging data aggregator and visualization tools, the corporate security function can simplify complex issues to communicate key findings quickly and make better informed prevention or response-related decisions. The flexible and interactive nature of these tools means that visualised reports can be designed in easily digestible, intuitive and interactive formats that allow the business to slice the data in different ways, and drill down from executive summary-level information to site or even process-level details.
What next?
While these concepts certainly aren’t new, it is still reasonably new for organisations to successfully implement and wield these tools across the entirety of their corporate security and resilience portfolios. The COVID-19 pandemic has accelerated the understanding not only of what data matters, but how it can be used to show what security and resilience teams can deliver to the wider business. Whether directly linked to COVID response or not, organisations continue to struggle with how to apply data analytics to measure, report and improve their performance and, crucially, find the “so what” in their reams of data. Instead, undue effort and value may have been placed on purchasing the latest shiny tool or application to address a specific need when, in fact, that same functionality resides in a previously acquired tool or platform (or in some cases within another silo of the security and resilience apparatus). Without cooperation between teams and their technologies, and without the application of data analytics to your data sets, the larger learnings and opportunities could be missed.
Few organisations routinely leverage technology as systematically and effectively as they might, and that has repercussions on the intelligence extracted. Aside from the obvious budget and resource implications, too many disparate technology tools that don’t speak to one another can result not only in operational inefficiency but, worse, in dragging down system bandwidth such that even the most basic tasks can no longer be accomplished, which is self-defeating. The good news is that while some of the requisite expertise and tools may require additional investment or training, many of the baseline capabilities likely already exist in another part of the organisation but just haven’t been introduced into or applied to the corporate security and resilience function.
Fundamentally what is required is a shift in mindset, to start thinking of both the quantitative and qualitative data that can be tracked and measured in association with all core security and resilience activities, whether they are prevention or response-oriented in nature. Data is the language of business, and corporate security and resilience professionals must gain greater fluency in it in order to translate security and resilience activities into the same value-based terms as the rest of the business to clearly articulate and prove the return on investment.
Unlock the power of data and analytics in your security programme
Control Risks is working across the globe to support our clients with the evolution of their security and resilience programmes. We work with organisations at varying levels of data maturity to improve systems and processes, to enable intelligence-led decisions and to support their response to critical events.