Security Leadership and Management

Performance Metrics: Why Businesses Want Them and Security Needs Them

Performance metrics are “critically important” to business leaders, says Greg Niehaus, Professor of Finance and Insurance for the Moore School of Business, University of South Carolina. “In my view it’s very important for business functions to have metrics that tie back to the objectives of the organization – that measure the impact on value and value creation.” If a function fails to develop and effectively communicate performance metrics, says Niehaus, “their contributions to the organization will likely be not appreciated, which, in down times, could lead to cutting of responsibilities or jobs and hurting the value of the organization.”

Yet according to George Campbell, author of the book Measures and Metrics in Corporate Security and a faculty member of the Security Executive Council, “there’s a general void within security of leaders who fully appreciate the need for and the application of metrics. Too many see their incident counts as metrics, not what the analysis of those counts is telling them about risk and program performance. Security management talks about performance, but it’s almost as if they don’t think of metrics as having anything to do with performance.”

If performance metrics are critically important to business leaders, and security leaders fail to recognize their importance, why aren’t business leaders demanding performance metrics from security in the same way they do for so many other business functions? Often it’s because management doesn’t view security as a valuable element of the business, says Campbell. “It’s part of the cost equation that sits on the side, and it’s not seen as part of the business or governance infrastructure.” In these cases, the lack of demand for metrics is simply the symptom of a much greater problem.

This ought to be a sobering possibility for many security leaders. If management lacks respect for security as a business function, the security leader can earn only limited influence, and security as an organization can accomplish only limited success. Creating performance metrics isn’t a silver bullet solution, but security leaders who undertake the development of meaningful metrics can enhance management’s perception of the value of security, while adding to that value by building a greater understanding of the security function and the business.

Some forward-thinking security leaders who have risen to the challenge of metrics development are sharing their experiences to assist others in their endeavors. Dave Komendat, VP and Chief Security Officer of The Boeing Company, and Pam Dost, his Senior Manager of Strategy Development, viewed the creation of their metrics suite as an opportunity to show the value security brings to the company.

Komendat is the winner of a CSO Compass Award and one of Security magazine’s Most Influential People in Security for 2011; his security organization has been recognized internally and externally as a value enhancer and a business enabler. But metrics would provide another, more succinct way to show management how security contributes. “When you have limited time with the most senior leaders in the company, metrics provide a way to communicate value simply and efficiently. It’s very meaningful for them to see fact-based data that shows the value of the cost avoidance, quality improvement and risk mitigation that your organization is bringing to the company,” Komendat says.

Pam Dost, who heads up the metrics initiative at Boeing, remarks that the education that security managers are getting from the process has been an unexpected but notable side benefit. “We invested a significant amount of time up front to educate the (security) leaders on why we need to provide metrics and how they would increase the credibility of our organization,” she says. “When we started this journey, our (security) leaders were very aware of their functional responsibilities and collecting data. But they hadn’t had a lot of exposure to the corporate interest level or how to leverage the data to tell a higher value story about risk and overall benefit. Since we launched the metrics initiative, the passion and interest in understanding the bigger picture of business has inspired our leaders to look for additional high value metric examples we can share with our corporate leaders. I think one of the biggest advantages is how developing this broader view – exposing these risks in a different way – broadens their skills and helps them become better leaders.”

Niehaus, Komendat and Campbell are collaborating to develop a course on developing and communicating security performance metrics for the Security Executive Council’s Next Generation Security Leader curriculum, set to launch in January. To learn more or to register, visit www.securityexecutivecouncil.com/nextgen.
