How to Measure Your Risk Monitoring Activities
Writing for ASIS International publication Security Management , Thomas Kopecky, chief strategy officer for Ontic, demonstrates the importance of a metrics-based approach to security management.
Ideally, businesses should use data to inform and contextualise their most important decisions, both inside and outside the security function. But obtaining accurate data to measure the value and effectiveness of security services such as risk monitoring or threat mitigation—which can be inherently less tangible—is often much more complex than a simple profit or loss calculation.
Well-designed and implemented security programs typically aim to be seamless and invisible, preventing and mitigating threats so well that many in the organisation don’t realise a risk was present. But when success means nothing happened, how can security teams better measure and articulate the effectiveness of their programs?
Even though most security programs can’t easily tie their contributions to a dollar value, that doesn’t mean those programs aren’t making direct and significant contributions to the business, or that metrics don’t exist to show that impact.
There are several ways to measure the effectiveness of your security programs, helping to demonstrate your team’s successes while also highlighting gaps that need to be filled in resources and personnel to ensure the security program can continue to support the organisation’s growth and contribute to its goals. Perhaps most importantly, defining and measuring these benchmarks can provide a foundation to prepare the security team and the larger organisation for emerging risks and the future threat environment.
Understand the Most Important Metrics
There is no one-size-fits-all solution to choosing the correct metrics to monitor, especially within the security industry. When considering the most important security program metrics you should track, everything should be viewed through the lens of your specific organisation’s goals, strategy, and priorities.
The most important metrics to track are those that are clearly and directly relevant to your organisation’s most critical activities. Usually, there is a direct connection to activities that bring revenue, but that isn’t true in every organisation.
Start by thinking about the security programs that support your organisation’s most critical business processes and operations and consider how you define the success of those programs. You will likely find many interesting and useful data points that can be analysed and tracked—but just because a point of interest can be measured and tracked doesn’t mean it will be beneficial to your team. The most useful categories of metrics will be:
Relevant. The easiest metrics to track often turn out to be the least relevant. Ideally, the metrics you track should not only be useful and relevant within the security organisation, but also followed as critical parts of the success of the larger organisation.
Actionable. The metrics you choose to track should be tied to actions the security team or your organisation can take. Don’t measure anything your team would not be expected to take action on or that your team’s actions would not impact. The more a metric can inform effective business decision making by the security team or the wider business, the more useful it is to monitor.
Cost effective. While it might be useful to measure and track many things, make sure the metrics you choose to track are worth the cost. The final cost will include monetary cost of the data, collection time, and analytical effort to evaluate the data.
If you’re starting the metrics monitoring process from scratch, it may be useful to start with only one to three metrics and re-evaluate their usefulness to your ultimate goals and the broader organisation.
Measure and Benchmark Program Effectiveness
Once you have a short list of the most critical items to monitor, think about the best ways to measure progress within each of those metrics. Then consider what decisions can be made based on the information you will collect—for example, whether specific metrics should trigger any actions within your programs. Where possible, financial measurements typically provide the most tangible demonstration of a program’s value, but in security programs, financial metrics may also be the least cost-effective and most time-intensive to obtain and monitor.
Similar to the work identifying the most appropriate metrics to track, don’t be afraid to get creative to ensure that your measurement of these metrics is relevant to the program’s actual performance. The quality and relevance of the metric is almost always more important than the quantity of data you can collect. For example, counting the number of violent threats to the organisation may not be a particularly useful number if there is reason to believe the count is not accurate due to a lack of monitoring or a lack of awareness of reporting mechanisms.
While it may be helpful to create quantitative measures of program performance—such as surveys of employee understanding of key security programs and objectives—it’s critical to ensure only the most relevant data is captured.
Also keep in mind that burning goodwill with others within the organisation is rarely worth the benefit of obtaining a metric.
In some cases, it may be useful to create categorisations within a metric to provide nuance and create more value in your evaluations. For example, for a program that conducts investigations, it may be useful to separate each investigation based on complexity to ensure the level of effort, speed, and performance can be reflected accurately. An honest cost–benefit analysis of the collection should drive your decision about whether further categorisation of metrics is a useful and effective step.
Ultimately, the metrics you collect and measure should be able to help your team prove the effectiveness of its programs in two key areas. First, demonstrating changes in performance or changes in program effectiveness in key time periods allows your organisation to understand changes over time.
Second, analysis of trends can establish patterns of activity and performance, correlating specific events or program changes with corresponding levels of performance. For example, the loss of a key person on the team may cause performance to decrease in a specific program’s effectiveness, while the acquisition of a new tool may drive increased program use or employee engagement in other programs.
Where possible, it may also be useful to articulate the benefits and cost savings of acting proactively within specific programs, identifying the costs associated with failing to mitigate specific risks before they become direct threats that require more costly interventions.
Moving the Needle
Even though security professionals are challenged with knowing the best ways to document their program accomplishments, identifying and tracking key metrics is critical to ensuring your team’s continued contributions and relevance to the organisation.
As with any other business function, presenting data that demonstrates the ways your team is working to promote growth, revenue, or productivity is a key way to demonstrate the value of your programs and get larger organisational buy-in to accomplish key goals and share the responsibility for mitigating risks across the business.
Security teams make daily decisions that keep employees, physical assets, and operations safe from a wide spectrum of risks. Using the right data to demonstrate the effectiveness of those efforts can help the security team to earn the confidence, trust, and support your programs deserve.
This article was originally published on 01 March 2023 in the ASIS International publication Security Management.