Data-driven programs and decision making
Optimising the corporate security and resilience function
The global COVID-19 pandemic is the most intensive data-driven global crisis any of us has seen. Even the most forward-leaning companies have struggled with the sheer volume of data they must monitor and track on a daily basis. They must also quickly make sense of that data to inform decision-making and forward planning.
This is not a new problem. For as long as they have been in existence, security and resilience departments have struggled to find the best way to demonstrate their true value as a business-enabling function. Core to this perennial issue has been the lack of hard metrics to track, measure and continuously report on program effectiveness and ROI using data – and to ensure the security and resilience program is optimized to address the risks to the organization in the most efficient and effective manner.
COVID-19 has thrown into stark relief the criticality of good data and metrics to support effective decision-making – both for strategic crisis response and for more operational and tactical business continuity planning.
Human resources and manual processes alone cannot meet this enormous task. It requires the integration of technology to leverage machine-learning and computing power along with the application of data analytics, intelligent interpretation, and visualization tools. Only by clearly telling the story of what the data reveals can the organization zero in on potential business impacts and measure the effectiveness of mitigation measures. Organisations that have done this best in their COVID monitoring and response thus far have been able to make faster, more informed decisions, and have also been able to pivot and adjust course to rapidly changing conditions across the globe. That same logic can be applied more broadly to build, drive and continuously improve corporate security and resilience functions.
Four steps to building a data-led security and resilience program
So where do you start? To help distill some of the key lessons learned from COVID-19 and broaden the thinking around the use of data and data analytics to drive more effective security and resilience programmes, we’ve broken the initial priorities down into four steps:
Step 1: Understand the maturity of your programme
The first step is an objective assessment to determine if your security and resilience program has the right elements at the right levels of maturity to address the strategic needs of the organisation. While it is certainly possible to measure the performance of programmes at earlier stages of maturity, metrics become more meaningful indicators of the effectiveness and value of a program once a certain level of maturity is achieved. That said, some measurement of performance is better than none at all. The sooner a security function embraces a data-focused mindset the sooner it will be able to accelerate its own evolution and allow for more balanced investment in capabilities – and in time, demonstrate the full return on investment.
Step 2: Define metrics and key performance indicators (KPIs)
Next up is the identification of program metrics and the definition of key performance indicators (KPIs) used to gauge program performance and progress towards carefully defined goals (i.e., “what good looks like”). Once the metrics and KPIs are set out clearly, the organization will need to design its data collection plan to determine which data sets to use, what sources to draw from, and what mechanisms and tools it needs to collect and aggregate it all. That roadmap should then be used to determine where to invest in security and resiliency programs to ensure they support the overall approach – whether they are in crisis mode or back to a new form of “normal”.
Certain metrics can be more easily quantified than others – from the very tactical number of confirmed COVID cases in a particular jurisdiction, known incidents resolved, threats detected, or reduced operational downtimes, to the more strategic loss of market share and shareholder value post-crisis. Where it becomes more challenging is proving to the wider business the value of prevention and return on investment and, beyond that, demonstrating how security and resilience programs can enable the business by providing the confidence that risks will be well managed when they manifest. Once an organization begins collecting and aggregating the right data sets, over time patterns and trends emerge to enable better informed decisions to improve overall program performance and, better yet, demonstrate impact and opportunity growth using actual data.
Step 3: Map and index global data sets
Now that we’ve established what we want to measure and how, it’s vital to invest a significant amount of time understanding what data exists and how it can be used to support the security and resilience mission while also aligning more closely with the core business. This is a foundational step that only the most mature organizations have a solid grasp on. It’s important to think broadly here. Relevant data sets can include everything from corporate assets prioritized by criticality (physical and digital), audit reports, risk and business impact analyses, human resources, and general ledger transactions (given supply chain implications), through to the more operational threat intelligence feeds (internal and external), access controls, video and alert monitoring, incident reporting and even loss prevention statistics.
Step 4: “A picture is worth a thousand words…”
If Steps 2 and 3 are all about defining what to measure, identifying gaps, and designing programs, processes and tools to collect and aggregate data the right way, Step 4 is all about applying data analytics tools and techniques to visualize and “tell the story.” By leveraging data aggregator and visualization tools, the corporate security function can simplify complex issues to communicate key findings quickly and make better informed prevention or response-related decisions. The flexible and interactive nature of these tools means that visualized reports can be designed in easily digestible, intuitive and interactive formats that allow the business to slice the data in different ways, and drill down from executive summary-level information to site or even process-level details.
While these concepts certainly aren’t new, it is still reasonably new for organisations to successfully implement and wield these new tools across the entirety of their corporate security and resilience portfolios. The COVID-19 pandemic has accelerated the understanding not only of what data matters, but how it can be used to show what security and resilience teams can deliver to the wider business. Whether directly linked to COVID response or not, organizations continue to struggle with how to apply data analytics to measure, report and improve their performance and, crucially, find the “so what” in their reams of data. Instead, undue effort and value may have been placed on purchasing the latest shiny tool or application to address a specific need when, in fact, that same functionality resides in a previously acquired tool or platform (or in some cases within another silo of the security and resilience apparatus). Without cooperation between teams and their technologies, and without the application of data analytics to your data sets, the larger learnings and opportunities could be missed.
Few organizations routinely leverage technology as systematically and effectively as they might, and that has repercussions on the intelligence extracted. Aside from the obvious budget and resource implications, too many disparate technology tools that don’t speak to one another can result not only in operational inefficiency but, worse, in dragging down system bandwidth such that even the most basic tasks can no longer be accomplished and the tools become self-defeating. The good news is that while some of the requisite expertise and tools may require additional investment or training, many of the baseline capabilities likely already exist in another part of the organization but just haven’t been introduced into or applied to the corporate security and resilience function.
Fundamentally what is required is a shift in mindset, to start thinking of both the quantitative and qualitative data that can be tracked and measured in association with all core security and resilience activities, whether they are prevention or response-oriented in nature. Data is the language of business, and corporate security and resilience professionals must gain greater fluency in it in order to translate security and resilience activities into the same value-based terms as the rest of the business to clearly articulate and prove the return on investment.