In Depth

Metrics for Corporate and Physical Security Programs

CSOs count on physical security metrics to evaluate their organizations' performance and to communicate security's value to other business executives

By Tom Wailgum


Second are the lists for "did well" and "areas for improvement": these are reported against behaviorally based criteria (for example, clarity of communications with the "outsider" or whether incident notification procedures were followed) as well as results-based criteria (penetration foiled or the speed with which penetration was detected).

After collecting results, Levine's group tracks the physical and technical security measures at each location to ensure that they are functioning properly. Physical security measures include perimeter barriers, lighting, locking devices and key controls, and signage. Technical security measures include intrusion alarms, closed circuit television and other monitoring devices, access control and visitor management systems.

"We would want to make sure that the security folks onsite knew what to do in the event of raising the threat level or a breach of security," Levine says, "and also have a good awareness of security protocol and who they could go to if a breach did occur."

Tracking Trends

Incident trends and loss trends are next on Georgia Power's metrics list. Levine says that it's critical to be able to demonstrate that a CSO's security program is a significant mitigating factor in preventing increased incidents and losses. Levine can compare incidents by quarter, year-to-year and across multiple years. She can note the changes in the number and frequency of incidents by type of incident (for example, thefts, threats against employees or sabotage), by line of business (generation, transmission, distribution, staff services) or by location. She follows the same process for tracking losses; she says she tracks property and monetary losses. The key, she says, is if you're not able to prevent losses, then "you can demonstrate an ability to quickly pinpoint where the weakness was and put in place the appropriate stopgap measures."

Levine adds that metrics must be more than in-house security tools; they have to be relevant to the people she supports: business executives, plant operators, substation engineers, customer service managers. She says her reports must contain information that is important to them, not just to security managers. Doing this, Levine says, "also enables us to educate them about things that are important from our perspective, and in that give-and-take process we're able to validate the measures that we're using." Depending on the type of data and compliance requirements, Levine reports her metrics monthly, quarterly or yearly.

Levine considers two other factors when collecting data for metrics. The first is how Georgia Power compares to other utilities. And the second is data quality.
