
A Security Metrics Story: Turning Data into Metrics


A step-by-step guide on how to build your security metrics program. Demonstrate security’s value through clear alignment with business strategy and objectives.

Published in: Business, Technology

  1. A Security Metrics Story: Turning Data into Metrics. George Campbell, Emeritus Faculty, Security Executive Council. Copyright 2008 Security Executive Council
  2. Key Objectives for Security Metrics
     • Positively influence action, attitude and policy
     • Materially impact exposure to specific risks
     • Demonstrate security’s value through clear alignment with business strategy and objectives
     • Measure the success of our diverse programs
  3. Some Basic Definitions (from A Guide to Security Metrics, Shirley Payne, SANS Institute, 2002)
     • Measurements: single point-in-time views of specific factors, generated by counting. Example: number of life safety vulnerabilities detected by Security Officers on tours.
     • Metrics: comparison, against a pre-determined baseline, of two or more measurements taken over time, generated from analysis. Example: change in the number of life safety vulnerabilities detected by Security Officers on tours since the last reporting period.
  4. What do You Want to do With Your Metrics?
     • Report on Risk
     • Risk Awareness in Business Units
     • Reveal Lessons-Learned from Incidents
     • Track Trends
     • Track Program Performance
     • Measure Security’s Influence
     • Measure Security’s Value
     • Security Overview: A Report to Management
     • Other message or report?
  5. Fundamental Requirement: Good Data! “Good” =
     – Timely incident & investigation reports competently prepared and reviewed by security management
     – Content of reports, logs and other data sources is valid, accurate and reliable
     – A platform that enables enterprise-wide data entry from all sources of incident and event data, querying for trends, analytical searching and interfacing with tools such as Microsoft Excel and PowerPoint
     – A data analysis process that enables and provides assurance of verifiable conclusions
     – Clear ownership and accountability for data reliability
     – Regardless of source, the data must be quantifiable, repeatable (for trending), obtainable and feasible to measure
  6. What Types of Actionable Metrics? “There are three kinds of lies: Lies, damn lies and statistics.”
     • Trends: external and internal risk factors targeted by security programs
     • Lessons-learned: case results, defect reduction, crisis after-action reviews
     • Your Business Plan: program performance against quantifiable objectives
     • Accountability: the diligence of line business unit managers to protect against known risks
     • Change: the relationship of security programs to an improved state of risk management
     • The “hygiene” of the firm: business conduct, continuity, integrity, incident rates, etc.
     • Performance measurement of Security’s effectiveness, rated by customers, staff, vendors, etc.
     • Value: contributions to execution of the business mission and strategy
     • Project status: schedules, budget burn rates, results
     • Standards & Benchmarks: us vs. best practices & peers
     • Risk management cycle times, cost to plan, mgt. ROI, etc.
  7. Moving From an Incident Trend to Metrics
     • Look at the next several slides. You will see four distinct processes related to incident analysis. Each step involves some form of assessment, measurement and consideration of related metrics.
     • More importantly, looking at risk this way helps form a more reliable assessment of root causes and of the success of the revised security measures we propose to take.
  8. Moving From an Incident Trend to Metrics
     Area of Risk: Increases in frequency and severity of workplace violence incidents
     We begin with the area of risk we are concerned about. In this example, we have noted a disturbing trend of more frequent workplace violence incidents at a particular location. Metrics are embedded in the incident reports. For example:
     • Frequency?
     • Location?
     • Time?
     • Contributing conditions or circumstances?
     • Apparent cause?
     • Failed business process?
     • What was the business impact?
     • What are the characteristics of persons involved? Is the likely perpetrator an insider or outsider?
  9. Moving from an Incident Trend to Metrics
     Area of Risk: Increases in frequency and severity of workplace violence incidents
     Contributing Vulnerabilities: 34% on night shift involved alcohol | For past year 42% involved spousal conflicts with restraining orders | Post mortems indicate poor coordination & training of HR & Security personnel | Security not informed by HR of pending terminations
     What gaps in our security program may be contributing to this increase in frequency and severity of workplace violence incidents? When we have competent investigations with good incident reports we should drill down with a lessons-learned process that will reveal real causes rather than symptoms. Metrics are embedded in our findings regarding apparent vulnerabilities or failed security measures that contributed to the incident:
     • Is there a pattern in your findings that suggests a broader set of risks?
     • What business processes failed? Which ones should have mitigated risks like these? Who owns them?
     • What have we learned about the victims and perpetrators?
  10. Moving from an Incident Trend to Metrics
     Area of Risk: Increases in frequency and severity of workplace violence incidents
     Contributing Vulnerabilities: 34% on night shift involved alcohol | For past year 42% involved spousal conflicts with restraining orders | Post mortems indicate poor coordination & training of HR & Security personnel | Security not informed by HR of pending terminations
     Mitigating Actions: New policies on restraining orders & no alcohol on site | 1st line supervisors receive managing aggressive behavior training | HR/Security Intervention Team formed & trained | Workplace violence protocols & training implemented
     We now have a handle on broken processes and what it will likely take to fix them. Metrics are embedded in the post-incident steps taken to mitigate future incidents of this type:
     • What specific results are expected of the steps that have been taken?
     • What will the steps cost?
     • Who are the stakeholders?
     • How do we sell the proposed steps?
  11. Moving from an Incident Trend to Metrics
     Area of Risk: Increases in frequency and severity of workplace violence incidents
     Contributing Vulnerabilities: 34% on night shift involved alcohol | For past year 42% involved spousal conflicts with restraining orders | Post mortems indicate poor coordination & training of HR & Security personnel | Security not informed by HR of pending terminations
     Mitigating Actions: New policies on restraining orders & no alcohol on site | 1st line supervisors receive managing aggressive behavior training | HR/Security Intervention Team formed & trained | Workplace violence protocols & training implemented
     Measures & Metrics: % reductions in alcohol-related cases | Increases in reporting of restraining orders | % reductions in workplace violence & confrontations | Post mortems show training & intervention techniques | Employee surveys show improved work safety
     Metrics are embedded in the results of the risk mitigation activities:
     • What were the positive or negative results vs. those planned?
     • What savings or expenses will accrue?
  12. Communicating Your Findings
     Using the data gathered from incident reports and case post-mortems during the past year on workplace violence incidents, we can build a couple of PowerPoint graphics to demonstrate the impact of our risk mitigation activities. I use Microsoft PowerPoint for presentation purposes. The chart utility is fairly easy to use and offers a lot of chart types and the ability to play with content, appearance and analytical options such as trend analysis. Each of the following two slides may be used in a variety of opportunities:
     - Advise top management on risk mitigation activities
     - Demonstrate the effectiveness of a new or revised security measure
     - Demonstrate value by reducing potentially costly litigation and reputational risk
     - Engage and raise targeted business unit awareness of potential risk
     - Modify a business process for increased safety and productivity
     - Meet legal obligations for safe & secure workplaces
     - Contribute to improved employee morale
     - Celebrate an important collaboration
     Investigative post mortems are especially effective in developing the data for a briefing on this topic. What was learned, what have we done to prevent similar occurrences in the future, what were the outcomes for victims, employees and perpetrators?
  13. Example: From our incident data base, we can construct an overall view of workplace violence for the current year.
     [Bar chart, incidents per category, 0 to 100. Internal Threat: Termination Assistance, Employee Conduct, Ex-employee Conduct. External Threat: Domestic Violence (64% with restraining orders), Hostile Visitor, Disgruntled Customer On site, Telephone Threats (not bomb), Mail Threats to Co., Bomb Threats.]
  14. Cumulative Impact of Steps Taken to Mitigate Workplace Violence at Assembly Plant # 4
     [Line chart, % increase/decrease from -100 to +100 by quarter (1st Qtr to 4th Qtr), four series: % Increase/Decrease in alcohol-related workplace violence incidents; % Increase/Decrease in successful intervention since manager training; % Increase/Decrease in voluntary reporting of restraining orders; % Increase/Decrease in coordinated Security/HR interaction.]
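The measurement-versus-metric distinction from slide 3 and the quarter-over-quarter series behind slide 14 can be computed directly from incident records. The example below is added here and is not code from the deck or the Security Executive Council; the incident records, field names and the 1st Qtr baseline are constructed assumptions, and a quarter with a zero baseline count yields no percentage rather than a division error.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

QUARTERS = ["1st Qtr", "2nd Qtr", "3rd Qtr", "4th Qtr"]


@dataclass
class Incident:
    """One workplace violence incident report (constructed schema, fields from slide 8's questions)."""
    quarter: str
    alcohol_involved: bool            # contributing condition
    restraining_order_reported: bool  # subject had voluntarily reported a restraining order
    hr_coordinated: bool              # HR informed Security before the incident (e.g. pending termination)


def constructed_incidents(quarter: str, total: int, alcohol: int, ro: int, hr: int) -> List[Incident]:
    """Build `total` sample reports for a quarter; the first `alcohol`/`ro`/`hr` of them carry each flag."""
    return [Incident(quarter, k < alcohol, k < ro, k < hr) for k in range(total)]


# Constructed sample data, not figures from the presentation.
INCIDENTS: List[Incident] = (
    constructed_incidents("1st Qtr", total=10, alcohol=5, ro=2, hr=3)
    + constructed_incidents("2nd Qtr", total=8, alcohol=3, ro=4, hr=5)
    + constructed_incidents("3rd Qtr", total=6, alcohol=2, ro=5, hr=5)
    + constructed_incidents("4th Qtr", total=5, alcohol=1, ro=5, hr=5)
)


def measurements(incidents: List[Incident]) -> Dict[str, Dict[str, int]]:
    """Measurements: point-in-time counts per quarter, generated by counting (slide 3)."""
    counts = {q: {"total": 0, "alcohol": 0, "ro_reported": 0, "hr_coordinated": 0} for q in QUARTERS}
    for inc in incidents:
        row = counts[inc.quarter]
        row["total"] += 1
        row["alcohol"] += inc.alcohol_involved
        row["ro_reported"] += inc.restraining_order_reported
        row["hr_coordinated"] += inc.hr_coordinated
    return counts


def pct_change(baseline: int, current: int) -> Optional[float]:
    """% increase/decrease vs. the baseline; None when there is no baseline to compare against."""
    if baseline == 0:
        return None
    return round((current - baseline) / baseline * 100.0, 1)


def metrics(incidents: List[Incident], baseline: str = "1st Qtr") -> Dict[str, Dict[str, Optional[float]]]:
    """Metrics: each later quarter's measurements compared with the baseline quarter (slide 14's series)."""
    m = measurements(incidents)
    return {q: {k: pct_change(m[baseline][k], m[q][k]) for k in m[q]} for q in QUARTERS if q != baseline}
```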
  15. Summary
     • We own a unique database of business performance measures and metrics
     • Our metrics enable and support a key value proposition: our ability to positively influence enterprise protection, corporate policy and behavior
     • Our programs can materially contribute to corporate health and profitability
     • We have an obligation to inform, educate and eliminate plausible denial
     • We need to graphically demonstrate to management how we are probing the weak spots and influencing change
  16. Where to Find More on Security Metrics. To learn more about the Security Executive Council and security metrics, go to www.securityexecutivecouncil.com. Portions of this presentation are from: Measures and Metrics in Corporate Security.
  17. George K. Campbell. George is currently a member of the Emeritus Faculty of the Security Executive Council and a Managing Partner in the Business Security Advisory Group, a professional security consultancy, and is a
     He retired in 2002 as Chief Security Officer at Fidelity Investments, the world’s largest privately owned financial services firm. Under George’s leadership, the global corporate security organization delivered a wide range of proprietary services including information security, disaster recovery planning, background, due diligence and criminal investigations, fraud prevention, property protection and security system engineering. During the period 1989-92 George owned his own security consulting firm, and from 1978-89 he was Group Vice President at a system engineering firm supporting worldwide U.S. Government security programs. His criminal justice career from 1965 to 1978 was spent in various line and senior management functions within federal, state and local government agencies. He is a frequent contributor to professional security journals and seminars and is the author of Measures and Metrics in Corporate Security, published in 2005 by the Security Executive Council. George received his baccalaureate degree (Police Administration) from American University, Washington, D.C. in 1965. He is a Life Member of the International Security Management Association, served on its Board of Directors from 1998-2003 and as ISMA’s President in 2002-03. George has been a member of the American Society for Industrial Security since 1978. He is an alumnus of the U.S. Department of State Overseas Security Advisory Council, a former member of the High Technology Crime Investigation Association and the Association of Certified Fraud Examiners.