Incidents, though often unfortunate, deliver an incredible opportunity to not just respond to and correct the situation, but to compile and analyze data that can greatly contribute to security strategy. This effort has evolved over time with the adoption of security technology. 

Organizations commonly implement incident management systems to address challenges with lost, illegible or incomplete incident reports. The drive for sustainability also plays a part. Beyond the ease of use, efficiencies and mobility gained, forward-looking organizations also understand the automation possibilities of utilizing such a system.

Arguably the most important feature of an incident management system is the reporting engine, which is the primary tool for data analysis. Reporting is what prevents a system from becoming a black hole for data. The more flexible a system’s reporting functionality is, the more powerful its data can become. Incident data can help to guide the evolution of an entire security program. It can enable an organization to deploy countermeasures against the specific threats and adjust its deployments as threats evolve.

An incident management system’s reporting interface should allow users to easily identify sites, areas within sites, time ranges, days, months and seasons of high or low incident volume based on the historical data in the system. This is most useful in setting staffing levels for security officers. Many organizations are surprised by the degree of opportunity they have to move staff from low-volume to high-volume shifts, areas or sites in order to increase efficiency. This results in safer properties and improved risk mitigation, which in turn reduces costs to the organization.

An incident management system should also enable the rank-ordering of incident types on number of occurrences, costs to the organization, or resource utilization. This is most helpful in prioritizing risks for future mitigation, and using the severity and total cost of an incident type to determine the importance of mitigating it. Also, knowing the potential cost of a type of incident allows the security professional to understand the value of mitigating it, which is a key determinant of the elusive return on security investment (ROSI).

The incident management system’s data can then be used to compare total incident cost before and after the implementation of a countermeasure, which is the primary component of ROI for that countermeasure. When done on a repeated basis, the average ROI can serve as a predictor for future implementations. This becomes even more powerful if sites are grouped based on similar risk profiles or assessment results. An organization can then conclude that sites with similar risk profiles will experience similar results from implementation of a given countermeasure, and repeat the cycle by measuring afterwards to determine success.

The results of an incident management system are simple – better information. How each organization utilizes that information is up to them but the knowledge it affords is undeniable.

There are many technology solutions that generate data to support security strategy. The next segment of this series will examine the security data to be gained from tour management systems. Look for the final installment in the Security eNewsletter on September 10.