The ability to measure and analyse the effectiveness of security operations is extremely useful – not only for identifying and addressing an organisation’s vulnerabilities, but also for demonstrating security’s mitigating impact on overall risk levels along with the higher-level value security delivers to a business. Brian McIlravey, Co-CEO at PPM, explains how security metrics can provide a powerful toolset for accomplishing these objectives.
By quantifying information about conditions within and around facilities, along with situations and incidents which occur and the actions taken to reduce and manage risks, metrics provide insights which give the organisation a better understanding of risks and losses, helping it to identify trends and manage performance based on real and meaningful indices. Detailed and concise reporting gives security managers the means to present their findings clearly and accurately to executive management, often an essential step towards building a case for the additional budget allocations needed to improve the safety of a facility. Ultimately, security analytics are a vital resource to help an organisation minimise the risk, damage to reputation, theft, and business discontinuity that stem from breaches.
Among the many different kinds of measurements they offer, security metrics can help calculate how much of the budget should be allocated towards security, which aspects should be top priorities, the most effective system configuration, return on investment (ROI), how to measure those improvements, whether exposure and risk have been reduced, and by how much. By gathering data associated with a number of factors, metrics can identify indicators that may suggest problems with a security program – identifying the root causes of incidents, rather than the symptoms – in an effort to prevent incidents before they occur or issues before they arise.
Security metrics - benefits
For example, security metrics may show that there has been a rise in the frequency or severity of accidents, crimes or policy infractions, increased downtime of critical equipment, changes in security response times and much more. While this information is extremely helpful for security professionals to have, it is the associated analysis, a crucial component of metrics, which helps determine why these things are happening. This increased understanding of what is causing particular issues is the main goal of security metrics, as it enables security staff to implement new policies and programs to address those underlying issues.
Metrics can also be used to demonstrate the security program’s accomplishments, complete with figures that can be presented to management to gain support and resources for the program or to encourage recognition for security staff performance.
Choosing what to measure and analyse requires careful consideration; how can an organisation be sure to identify the right security metrics from the hundreds of potential candidates? What are the best tools and strategies for data collection, measurement and analysis? It’s important to note that because relevant metrics vary widely and are specific to an organisation and its vulnerabilities, there is no standard answer to this question. Therefore, when designing a program, the goal must be to identify those factors that directly apply to and will affect a specific organisation’s risk, ROI, costs, legal, policy and safety issues. Among the top metrics that could be considered are cost of downtime; incident response times; number of nuisance alarms; number of safety or security hazards identified and eliminated; security cost and/or losses per square foot; and security cost per employee and/or as a percentage of total revenue.
Getting relevant security metrics - key questions
While the answers will be different from organisation to organisation, there are proven processes that aid with identifying what needs to be measured. These three questions should form the basis for developing the most relevant metrics:
- What are the business goals, needs, values and policies?
- Who is the audience and what are their objectives?
- What types of data will be required for metrics and analysis?
Based on how these are answered, the next step is to develop those metrics that will measure and demonstrate security’s contribution to risk management, as well as overall organisational strategies and objectives. It is crucial to treat all collected data very carefully to ensure its integrity and preserve and protect its confidentiality.
The process of analysing security data can be made more convenient and more productive with analytical software and other tools, which allow a security manager or director to easily and constantly analyse the data on security activities, losses and investigations, and to view graphs and charts that are generated automatically. The faster information is available, the faster measures can be taken to address risks and minimise incidents.
With the right data and analysis, security metrics provide valuable insight into an organisation’s current security program and policies, and enable changes to be made to address any shortcomings. These changes can then be analysed to determine whether they’ve been effective in accomplishing particular goals. By demonstrating security’s value to an organisation as a whole, metrics will have a major impact on decisions regarding security and business operations, ultimately leading to greater security and safety for people and property.