Undercover

The Metrics Quest

Under pressure from the CFO to quantify security benefits, a CSO finds measures that matter

By Anonymous

November 01, 2004

CSO — We have a chief financial officer who's always been a nut on quantitative measures. But he's recently decided to make a metrics march on all his direct reports—and that includes me. So every department in the company has engaged in a great exercise identifying the metrics appropriate to their business processes. And since all the service functions (including corporate security) report to him, I determined that compliance is the better part of valor.

I first found this metrics mania somewhat vexing. Historically speaking, I am the kind of person who has proudly sported that bumper sticker proclaiming, "What do you mean I'm overdrawn, I've still got checks left!"

I decided early on to go to the source, the CFO and chief metrics officer himself. What might he be looking for in this program? I was aware that there was a risk involved here; I didn't want to appear like I was carrying a dunce hat in hand. But caution has never been my strong suit, so I got right to the point in our one-on-one meeting in his office.

Fateful Meeting

Me: "I know you have an endgame in mind with your measures request from the services group. In corporate security, we generate volumes of data on a daily basis. It would be helpful if we could kick some ideas around on how to meet your goal."

CFO (smiling): "Sure. The heart of it is that if a business process cannot be measured in one way or another, we likely ought to cast it off as wasted effort. As a business, we live or die every day on a host of measures, all of which indicate our health to shareholders, the capital markets and any manager worth his or her paycheck. I know you're thinking about replacing our global access control system. It's a significant investment. You know I need to see the return on it. What's the benefit? When is the payback? What's it going to give us that the one we've got doesn't? This is the simple stuff. Digging into the essence of what we get for our global spend on security programs is far more difficult."

(He pauses, looks at me. I know this is a test. But I'm not done asking questions.)

Me: "You've highlighted the fact that we've always been seen as a cost center. But how do you see security as being a fundamental part of our financial success?"

CFO (excited, stands up): "That is absolutely the right question! But think about it for a moment. You are in the best position to answer it. And, you need to know that I don't see security as a cost center. You are a performance center. You are focused on helping our company succeed in an increasingly risky world.
