In Brief
Five Metrics That Matter
George Campbell, former CSO of Fidelity Investments and now a security consultant, says there are hundreds of security metrics available for CSOs, who need to identify those relevant to their organization.
By Tom Wailgum
February 01, 2005 — CSO —
1. Risk analyses. The risk analysis process, a constant activity for security executives, incorporates several metrics: assets, loss events, vulnerability assessments (how easy would it be to do X, Y or Z?), likelihood of an event, probabilities, and options to mitigate vulnerabilities and their cost and benefits.
2. Value indicators. Cost-benefit analyses yield relevant metrics. "If you've got an investigation function that costs X amount of dollars, and it recovers twice that in losses, that's a positive return on investment," he says. But the value indicators will be unique to each business segment within a corporation.
In the financial world, much is based on reputation. In businesses where there's a lot of intellectual property, the value will be based on stopping someone from counterfeiting or stealing any proprietary processes.
3. Process performance. Response times and recovery procedures produce metrics. How long does it take to recover a critical business process lost to a natural disaster or cyberattack? What is the average time for a security officer to respond to a critical alarm or injured person? What is the time needed and cost of a background or business conduct investigation? "Every CSO develops annual objectives that must be measurable if they are to devote resources to their accomplishment
4. Integrity scorecard. Campbell says this is where the CSO tracks what keeps business executives awake at night. These include risk awareness; security breaches resulting in losses; hiring people with bad backgrounds; higher than normal accident rates; and failure to address known vulnerabilities. "You maintain a scorecard on what makes that business unit tick from an integrity standpoint," Campbell notes. "You understand where to allocate your resources, and you can show the CEO where the problems could be in the business."
5. Confidence measures. These allow the CSO to see how well the security function is delivering services. Through internal customer satisfaction surveys and postmortems on investigations, CSOs can measure the confidence the business has in the security department. "You can look at how well you did and what the problems are," Campbell says.
Campbell adds that communicating the goal of metrics is a key activity. "If you're going to track metrics on integrity or by a scorecard, you'd better presell the process at various levels and be very careful to ensure accuracy of information and who you share it with," he says.
The message, Campbell says, has to be that "CSOs are paid to report on risk as we know it and will work with other executives on resolving deficiencies."