Demonstrating Security’s Contribution to Organizational Goals

Q. How can we identify and highlight the programs, services and positive outcomes that Security brings to help meet the organization’s business goal? In particular, we are seeking an increased understanding and appreciation by senior management and other key stakeholders of security’s value and contribution to the bottom line.

A. When we build our security programs for a clear connection to performance excellence in mitigating risk and serving the goals of the enterprise, our value is far more visible and measurable.

First, ask yourself/your team a few questions:

What is the business case for your security organization and how do you want it measured?

What are the quantifiable measurements that ought to apply to management’s assessment

of value?

How would you grade your current measurements and metrics?

Security leaders need to identify data sources and metrics to demonstrate Security’s positive impact on the business. Here are some ideas you may be able to use in your own organization:

  • A pre-contract examination of third-party vendor relationships identifies vulnerabilities to enable favorable contract terms and post-contract inspections, thereby reducing risk and consequence of loss.
  • An examination of incident trends and post incident analyses can produce metrics that either affirm the effectiveness of internal controls or justify the redirection of resources, yielding improved risk management practices.
  • When metrics are employed to measure and improve the effectiveness of safeguards, results may support security’s contribution to customer and shareholder protection. An obvious example is the protection measures around confidential customer information.
  • Metrics can generate evidence of cost reduction through reduced consequences of risk and reduction in insurance premiums where effective safeguards are demonstrated.
  • Operational excellence metrics, e.g., related to faster recovery from business interruption incidents, can show the advantages of a resilient business continuity program.
  • Advertised and demonstrably effective security measures not only enable customer satisfaction but may also be a draw for new customers and sales. Being “the secure choice” can be an effective marketing position.
  • Deployment of proven security technology consistently demonstrates the potential for reduced cost of security operations. The return on investment for an access control system that eliminates “x” manned security posts is a frequent example.

If you have the opportunity to present Security’s value to management, be sure to identify the results or functions that reliably offer support to your program. The key is to determine what data or metrics best demonstrate your clear connection to the objectives of the organization you serve.

Answer provided by George Campbell, SEC Emeritus Faculty member and industry expert in security metrics.

This is a Security Bloggers Network syndicated blog post authored by Kathleen Kotwica. Read the original post at: Security Executive Council Faculty Advisor