Developing and maintaining a high-quality security risk management or enterprise resilience program takes dedication from those of us tasked with these responsibilities. It takes planning, revision and continual improvement. It takes executive support and, of course, it takes money to implement our mitigation plans.
The stakeholders in your program need to know that their investment in time, support and money is paying off. So how do you prove that? If you are anything like the thousands of program directors in the security industry, you will try to communicate that you are doing a good job via a metrics report. But if you are like thousands of executive sponsors across all enterprises, your response to these traditional reports might be, “So what?”
The Purpose of Metrics
Why do so many in program management spend so much time collecting, organizing and presenting data, only to have reports tossed aside with little to no attention paid?
The purpose of a metrics report is to educate the reader, tell them something that they need to know and to inform them of something that will impact their lives (business or otherwise). Do your reports do that? Do you have any reports or daily/weekly communications that you truly enjoy reading? What do they have in common? What makes them worth your time?
A financial report outlines trends and directions in the markets from the day before. It will provide some quick, digestible bites of news about what caused those trends and what they might mean in the future. The reader may pick up one or two points of interesting data that they were not expecting.
That’s it. Very simple. It provides information about a topic that impacts your life and your assets. You can do the same thing with your report to your stakeholders. Simply tell them a quick story about how you are impacting their assets. Don’t feel tied to the traditional report formats you have seen in your organization. If you find the right way to connect with your audience, they’ll be more inclined to read your report.
When developing a metrics report, ask these questions:
- Who is the audience for the report?
- What do they care about?
- What aspects of the program impact things they care about?
- What data will show that impact and demonstrate the value to them?
Tailoring Your Report To Your Audience
Generally, when you are designing a report for an executive audience, you should write it at the strategic rather than the tactical level. A good rule is that the “higher” your audience is in the organization, the “bigger” the picture needs to be.
Details of individual events and happenings will make way for graphs and pictures that show trends over time or benchmarks against similar organizations.
If your executive audience is in R&D or marketing and is interested in the risk of internal theft of intellectual property, what can you provide that shows the value of what’s going on in your program?
Perhaps you had previously had significant exposure in that area due to a high number of lost or stolen digital devices and you have implemented a device security program to limit those losses. The metric of the number of lost or stolen devices and the trend of those losses over time is a good way to show the efficacy of your program. If you trend that data and correlate it to the times/dates/locations of any training sessions you do, even better.
The same type of story can be told with data relating to any mitigation activity and the risk it is mitigating. Have you installed a new access control system to respond to a risk of external intrusion? Your system can provide metrics on access granted vs. denied and, combined with effective visitor management data, can show why the denials took place as well as the follow-up outcome.
All of these stories, if supported by data, show more to your asset stakeholders than simply reporting on the number of hours worked by the security team, or a count of the number of times an activity, such as a patrol, was completed.
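As an added illustration of the lost/stolen-device story above (example code written for this article, not a tool the author describes), the snippet below turns a constructed incident list into two of the metrics discussed: a repeatable per-month trend, and a before/after comparison around each training session at the same site. The incident dates, sites and training dates are invented sample data.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample data (not real incidents): lost/stolen-device incidents as
# (incident_date, site) and security-awareness training sessions as (date, site).
INCIDENTS = [
    (date(2023, 1, 12), "HQ"), (date(2023, 2, 3), "HQ"), (date(2023, 2, 20), "HQ"),
    (date(2023, 3, 8), "HQ"), (date(2023, 5, 2), "HQ"), (date(2023, 7, 15), "HQ"),
    (date(2023, 1, 25), "Lab"), (date(2023, 3, 30), "Lab"), (date(2023, 4, 11), "Lab"),
    (date(2023, 6, 6), "Lab"), (date(2023, 6, 21), "Lab"),
]
TRAININGS = [(date(2023, 3, 15), "HQ"), (date(2023, 5, 1), "Lab")]


def monthly_counts(incidents):
    """Repeatable, consistently measured trend metric: incidents per 'YYYY-MM'."""
    return dict(Counter(d.strftime("%Y-%m") for d, _ in incidents))


def training_effect(incidents, trainings, window_days=90):
    """For each training session, count incidents at that site in the window
    before and after the session date, and the percent change between them.
    Keys are 'SITE@YYYY-MM-DD'; change_pct is None when 'before' is zero.
    Note: this is a correlation on small counts, not proof the training caused
    the change; report it as supporting evidence alongside the trend."""
    window = timedelta(days=window_days)
    out = {}
    for t_date, site in trainings:
        before = sum(1 for d, s in incidents if s == site and t_date - window <= d < t_date)
        after = sum(1 for d, s in incidents if s == site and t_date < d <= t_date + window)
        change = None if before == 0 else round((after - before) / before * 100, 1)
        out[f"{site}@{t_date.isoformat()}"] = {"before": before, "after": after, "change_pct": change}
    return out


if __name__ == "__main__":
    # One-line, jargon-free summaries suitable for an executive report.
    for month, n in sorted(monthly_counts(INCIDENTS).items()):
        print(f"{month}: {n} device loss incident(s)")
    for key, r in training_effect(INCIDENTS, TRAININGS).items():
        print(f"{key}: {r['before']} before, {r['after']} after ({r['change_pct']}% change)")
```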
Sources of Data
This leads to the question of where you might find that data. If you do not track incidents, their types, times and outcomes, you are at a disadvantage. If you are not also closely tracking the activities your team is doing to mitigate risks to the enterprise, you will also have difficulty telling the “value story.”
Data that can help tell your story is everywhere and in every system. You simply need to know where and how to find it, then put it together to speak directly to what your audience cares about.
Data sources include:
- Electronic security system logs
- Business plans and objectives
- Business owners of key/critical assets
- Asset inventory lists
- Risk assessments
- BCP/DRP exercise results
- Incident reports
- Post-mortem reviews
- Ongoing operation reports
- Open-source intelligence
Collecting this data is most easily accomplished in one of the many software platforms on the market designed for tracking and collating this information. Manual reporting and tracking with spreadsheets and handwritten incident reports makes collecting and tailoring reports to your audience much more difficult. A good incident management and tracking system is definitely worth the investment because it helps you collect “good” metrics. What exactly is a “good” metric? Ideal data to include in a report should be:
- Repeatable (can be collected more than once)
- Jargon-free (your audience should not need a security background to read it)
- Consistently measured (you have a method for collecting it that is followed regularly)
All of these are facilitated by good management and reporting software tools.
Designing the Report
When building reports for an executive-level audience, keep in mind that they have received many other metrics reports that same day, and they have only a few minutes to give to each of them. If you make it easy to read and understand and clearly tell your story using data points and brief summaries, they will be able to digest your information faster, retain more and maybe even begin to look forward to receiving your report on a regular basis.
Here are a few tips for designing the reports and how to decide exactly what to put in them:
- Make sure your data has a reason for being in the report — it is communicating the intended point to the reader.
- Ensure it is clear, concise and relevant.
- Use graphics to present numeric information as much as possible, rather than tables and grids.
- Keep narratives short and to the point.
- Present similar data on a regular schedule to show trends over time.
- Use only up-to-date information in reports, and avoid estimates as much as possible.
Here’s a quick example of a potential report from the security team to the chief technology officer. The trends are focused on IT and technology issues, and stick to what our imaginary CTO has expressed an interest in. It’s one page, but gives them data they need to know to understand that the security department is doing what it is charged with.