By the numbers
If you put up a new fence and cameras to improve perimeter security, how do you know if it’s accomplishing what you intended it to do? Most would say if you’re keeping the bad guys out, it’s working, right? But what if you were asked to demonstrate exactly how effective the system has been?
Or, to illustrate exactly how many incidents were occurring before the
fence went up? What was the impact after the fence went in? Have there
been any incidents since the fence and cameras were put in place?
As security is typically viewed as a cost centre, the pressure to prove
that the money allocated for security systems is being well spent is on
If you only have a gut feeling about the value of the people and
systems in your department you may be in trouble if senior management
starts asking questions about justifying expenditures.
Building a business case to invest in new systems or maintain spending
on existing security systems is not a new requirement, but few security
departments have the tools or know-how to execute on delivering a plan
to management on what they want to see.
If an executive came and asked for $500,000 out of your budget, would
you be able to demonstrate the implications to the overall organization
if that funding disappeared?
“Ad hoc answers aren’t going to fly anymore,” says Brian McIlravey of
PPM 2000, an Edmonton, Alta.-based firm that provides software-based
incident reporting and dashboard tools for tracking incidents. “The
days of, ‘Uh, I think I have a problem’ are gone. You need hardcore
stats to prove your need.”
And even when you collect data on your department, you had better know how best to organize and present it to decision makers.
“It’s one thing to collect information; you have to know what to do
with it,” says Kevin Murphy, director of security operations with
Woodbine Entertainment in Toronto.
Murphy started using incident reporting data in the late 1990s and has
continued to mine information to routinely identify problems day-to-day
and, perhaps more importantly, to help justify to the executive level
the expenditures he is making and has invested in his security
Where Murphy makes the most of data collected in his organization is
when he’s called upon by the finance department to defend a cost —
often a human resource, and typically when faced with a cost-cutting
“I can tell them why we shouldn’t do something, like when they ask me
‘Do we need this person guarding this point in the building?’ I can
pull incident stats to show that because we had, say, 5,000 incidents
last year and 2,000 happened in that spot, we need to keep the person
stationed there,” says Murphy.
Value also comes when another department comes looking for data to help
support their initiatives. For example, the health and safety
department at Woodbine Entertainment recently asked Murphy for data to
help support a workplace violence audit and he was able to supply
incident information to them to build their plan.
And with human resources, security and legal increasingly working more
closely together, the value proposition for having a metrics system
that can deliver data to all three becomes greater.
However, incident reporting and the gathering of metrics is still
viewed as a “nice to have” in most security organizations, says Phillip
Banks of Vancouver-based The Banks Group, which provides consulting
services on risk mitigation to companies globally in the areas of
supply chain and critical infrastructure protection projects. While, he
says, there are more security departments gathering metrics to support
their programs, most are not.
“Although I think it has moved forward, and we see more of it, I think
a significant number of security departments are still tasked for time
to get to this. Generally, we find there is still a real gap in
maintenance of performance measurements on the actual security
function,” says Banks. “Proactive security directors will really take
to that kind of on-going measurement to help sell their program. They
want those questions from the C-suite.”
Too often though, security managers and directors wait until it is too
late to find the right tools to give them the data they need. They may
have a paper-based spreadsheet system to collect stats, but if it takes
a week to produce a report from it, it’s probably not good enough.
“I can count on one hand how many large engagements we’ve done where there have been metrics in place,” says Banks.
But before you put any program or measurement system in place, you need
to have a sound threat, risk impact and security vulnerability process
in place to identify what it is, exactly, that you’re trying to solve.
Understanding the power of metrics and how to automate systems to deliver data that is useful should be the next step.
“I think the C-suite wants to see this kind of measurement, but I still
think as an industry we need to grow a little bit to make sure we can
get it to them in a way they can use it,” says Banks, who puts on
training programs for security organizations and always asks those who
take his classes how many have an automated data collection system that
allows them to collect and analyze information. Out of a group of 30
people, if five put up their hands, he says he’s impressed.
“How can you establish metrics and ROI unless you have a process that allows you to track and analyze data and make decisions?”
When tracking incidents, Murphy says the best way is to have a system
set up to send alerts and then you can start to see if a situation is
getting better or worse.
At some point, not tracking incidents could become a detriment to your organization and your career.
“You can be liable if something is happening in your organization, and
if there is a question that you could have known, you might be on the
hook,” says McIlravey.