One of the ironies in the world of industry research and benchmarking is that everyone is looking for information, but few are willing to share it. In the realm of enterprise security, for example, there is often understandable hesitancy about revealing details of how a security department operates. Furthermore, busy professionals often don’t share knowledge because they don’t have the time, or they don’t have the budget to retain someone else to do the work.
However, often, security professionals find themselves in a position whereby they need answers quickly to a variety of difficult questions. Some have internal drivers:
  • What strategies can I use to implement a new program?
  • How can we save money for the services we provide?
  • Other companies must have dealt with something similar: How did they do it?
Often, the driver comes from senior management pushing on questions such as:
  • What are best practices for handling an information breach?
  • Are we on the right track related to compliance?
  • Consider almost any current news story: What if this happened to our company?
  • How does our security program compare to others (including cost)?
Looking for useable and reliable answers can be frustrating. A lot of security-related research is driven by a commercial agenda. Or it isn’t quite specific enough. Or it’s in pieces. Or it’s created by people who don’t really understand security. What security professionals need is a place to go for information that is specific to security and where a variety of security leadership and management issues have already been addressed. That is our goal for the recently launched Security Leadership Research Institute (SLRI), an offering of the Security Executive Council.
The fact is, the practice of security doesn’t really know itself, and most people involved are familiar with various pieces of the puzzle but haven’t looked at the big picture. If you talk to 10 different people, you get 10 different concepts of security, but there are common threads. We want to tie those threads together. We know that security is multi-faceted and varies from company to company, but how can we connect those facets? There are common issues among security practitioners everywhere, such as budgetary issues, ownership of programs, reporting structure and other concerns inside an organization. How do we bridge the gap between the IP side and the physical security side? What are the minimum baseline requirements one should expect in successful workplace violence, resiliency/crisis management, security awareness, or brand reputation programs, for example?
The mission of the SLRI is to provide independent and actionable research to the security community, thus answering the critical industry need for information on the entire spectrum of risk mitigation and security. The Institute is designed to facilitate sharing of practitioner-based research reports, benchmarks and a metrics database (under development). All content will be guided by the needs of participants and their security peers. As an inclusive organization, SLRI will work with academics, vendors and other strategic alliance partners to add the benefits of their expertise to the mix. Ultimately, the goal is to create a research repository geared to the needs of the practitioner and their unique situation. It will be a dynamic collection of research intelligence that will evolve along with ongoing changes to the security function, helping practitioners cope every step of the way. It will also leverage the high-level security management expertise of the Security Executive Council community.
This is clearly an ambitious project, which brings us full circle to that big irony in the world of security research: Practitioners want data when they need it but aren’t always inclined to contribute. The success of the SLRI depends on participants taking a little of their time to feed the well, so to speak. Only those that participate will receive the full research outcome of the SLRI.
The good news in this time of economic challenges for security departments everywhere is that the only cost of participating is a willingness to share information (and a small investment of precious time). If you often find yourself looking for solid research information on security, you can help us provide the source by joining the SLRI. There is no risk: Participants’ identities will be kept confidential, and research results will only be reported in aggregate. Take the first step by filling out a short member form and participating in our Roles and Responsibilities survey ( to help build the collection of research data and information the industry so urgently needs.