Security Leadership and Management

Performance Metrics: Why Businesses Want Them and Security Needs Them

Performance metrics are “critically important” to business leaders, says Greg Niehaus, Professor of Finance and Insurance for the Moore School of Business, University of South Carolina. “In my view it’s very important for business functions to have metrics that tie back to the objectives of the organization – that measure the impact on value and value creation.” If a function fails to develop and effectively communicate performance metrics, says Niehaus, “their contributions to the organization will likely be not appreciated, which, in down times, could lead to cutting of responsibilities or jobs and hurting the value of the organization.”

Yet according to George Campbell, author of the book Measures and Metrics in Corporate Security and a faculty member of the Security Executive Council, “there’s a general void within security of leaders who fully appreciate the need for and the application of metrics. Too many see their incident counts as metrics, not what the analysis of those counts is telling them about risk and program performance. Security management talks about performance, but it’s almost as if they don’t think of metrics as having anything to do with performance.”

If performance metrics are critically important to business leaders, and security leaders fail to recognize their importance, why aren’t business leaders demanding performance metrics from security in the same way they do for so many other business functions? Often it’s because management doesn’t view security as a valuable element of the business, says Campbell. “It’s part of the cost equation that sits on the side, and it’s not seen as part of the business or governance infrastructure.” In these cases, the lack of demand for metrics is simply the symptom of a much greater problem.

This ought to be a sobering possibility for many security leaders. If management lacks respect for security as a business function, the security leader can earn only limited influence, and security as an organization can accomplish only limited success. Creating performance metrics isn’t a silver bullet solution, but security leaders who undertake the development of meaningful metrics can enhance management’s perception of the value of security, while adding to that value by building a greater understanding of the security function and the business.

Some forward-thinking security leaders who have risen to the challenge of metrics development are sharing their experiences to assist others in their endeavors. Dave Komendat, VP and Chief Security Officer of The Boeing Company, and Pam Dost, his Senior Manager of Strategy Development, viewed the creation of their metrics suite as an opportunity to show the value security brings to the company.

Komendat is the winner of a CSO Compass Award and one of Securitymagazine’s Most Influential People in Security for 2011; his security organization has been recognized internally and externally as a value enhancer and a business enabler. But metrics would provide another, more succinct way to show management how security contributes. “When you have limited time with the most senior leaders in the company, metrics provide a way to communicate value simply and efficiently. It’s very meaningful for them to see fact-based data that shows the value of the cost avoidance, quality improvement and risk mitigation that your organization is bringing to the company,” Komendat says.

Pam Dost, who heads up the metrics initiative at Boeing, remarks that the education that security managers are getting from the process has been an unexpected but notable side benefit. “We invested a significant amount of time up front to educate the (security) leaders on why we need to provide metrics and how they would increase the credibility of our organization,” she says. “When we started this journey, our (security) leaders were very aware of their functional responsibilities and collecting data. But they hadn’t had a lot of exposure to the corporate interest level or how to leverage the data to tell a higher value story about risk and overall benefit. Since we launched the metrics initiative, the passion and interest in understanding the bigger picture of business has inspired our leaders to look for additional high value metric examples we can share with our corporate leaders. I think one of the biggest advantages is how developing this broader view – exposing these risks in a different way – broadens their skills and helps them become better leaders.”

Nihaus, Komendat and Campbell are collaborating to develop a course on developing and communicating security performance metrics for the Security Executive Council’s Next Generation Security Leader curriculum, set to launch in January. To learn more or to register, visit   

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Marleah Blades

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

April 2015 security magazine cover

2015 April

In this April 2015 issue of Security, find out how to keep your enterprise resilient after a disaster in 2015. Also discover how to strike a balance between design basis threats and active shooter threats and see what's in store for the 2015 RSA Conference.

Table Of Contents Subscribe

Body Cameras on Security Officers

Body cameras are being used increasingly by police in cities across the U.S. Will you arm your security officers with a body camera?
View Results Poll Archive


Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.