In Depth
Metrics for Corporate and Physical Security Programs
CSOs count on physical security metrics to evaluate their organizations' performance and to communicate security's value to other business executives
By Tom Wailgum
Hedley says he focuses much of his attention on Nestlé's brand and reputation among consumers. "We have a broad brand protection strategy, in which we work in close collaboration with the intellectual property department," he says. "There's a very strong argument that brand and reputation are worth more than physical assets." Hedley points to the difference in measuring hard physical assets versus intellectual property and brand assets. "You can measure the number of burglaries you suffer and the amount of shrinkage," he says. But in the order of priorities for his group, he looks to condensed milk as an example. "Stolen boxes of condensed milk can be replaced," he says. "But if someone keeps them past the 'sell by' date, and then someone consumes it and gets an upset stomach, it's not so much the actual value of condensed milk but the effect that the inappropriate distribution and handling of such products can cause to people." And consumers' upset stomachs tend to give him an uncomfortable feeling as well.
The bottom line is also important to Hedley and his bosses. "We [in security] are judged by our overall contribution to the profitability to the group," he says. As an example, Hedley tells of how he grapples with trying to plan for the unforeseen. "Having the ability to reduce the number of events that are unforeseen is a very valuable metric," he says. When he is able to do this, it grabs the attention of senior management. "If you can tell a story that says, We were able to preempt a problem that was going to affect us, and, Oh by the way, had we not done this, this would have been the cost
CSOs can estimate the damage that was not predicted or planned for by comparing to previous events or ones that hit other companies, Hedley says. You can say, If we hadn't taken the action we did, then the probability effect would have been X. "The downside, however, is that you can't say, This is the money we would have saved, and go put it back in the bank account," he says.Utility Uses Government Rules to Build Metrics Margaret Levine, corporate security manager at Georgia Power, has found ways to convert the necessary burden of regulation into a bounty of physical security data for the electric utility.
Levine must demonstrate that Georgia Power, the largest subsidiary of Southern, the $11.3 billion regional utility based in Atlanta, complies with federal regulations. Her security group does that by completing security audits to make sure that the protected areas at plants and substations are indeed protected.
physical security metrics
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Managing A Growing Threat: An Executive's Guide to Web Application Security
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
- The Forrester Wave™: Web Filtering, Q2 2009
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
