Security Spotlight, a monthly feature highlighting ASIS resources on specific topics in security management. This includes information free to all practitioners, as well as select members-only content.
A business metric is a quantifiable measurement used to track and assess the performance of a business as a whole or a specific business process. Security metrics are no different. At one time, security metrics mainly tracked events, processes, and workload. Today, however, security metrics must be collected, analyzed, reviewed, and communicated in a way that fits into an organization’s overall business strategy.
The following resources will help security professionals understand what security metrics are being collected, how they are being used, and how to incorporate them into a business plan.
Metrics that Score with Your Boss
Seminar Session Recording
This video, The Security Metrics Challenge, available to both members and nonmembers, was recorded at a recent Annual Seminar and Exhibits. Five senior security professionals discuss how they use metrics in their organizations. The speakers represented the U.S. Air Force, the Defense Intelligence Agency, Northrop Grumman, BAE Systems, Boeing, and General Dynamics.
All five find that their approach to using metrics in the C-suite is driven by risk management: assessing the potential for risk, plotting likely stress points, and giving warning before the bad news hits. Examples of these risks include cyber threats, data breaches, and physical threats. The metrics included in this type of presentation must be targeted to provide a risk profile for decision making, including countermeasures and mitigation alternatives. The presentation should cover what the boss wants to know or is unaware of, including what needs to change.
Using Security Metrics to Persuade Management
Our second resource, also available to both members and nonmembers, is an ASIS Foundation report, Persuading Senior Management with Effective, Evaluated Security Metrics. The report, based on findings from the Security Metrics Survey listed below, includes:
- The Security Metrics Evaluation Tool (Security MET), which security professionals can self-administer to develop, evaluate, and improve security metrics
- A library of metric descriptions, each evaluated according to the Security MET criteria
- Guidelines for effective use of security metrics to inform and persuade senior management with an emphasis on organizational risk and return on investment