How to Leverage Metrics and Benchmarks to Generate Executive Buy-In

Most security practitioners recognize the struggle they face communicating the value of their programs to executive leadership teams. As security consultants advising these programs, one of the most frequent complaints we hear is that leadership “does not understand what we do and the value we bring.” While other departments may be considered existential to how the firm operates and generates revenue, security teams frequently face headwinds justifying existing budgets, much less major capital investments they deem critical to protecting the organization.

Of all the tools in the toolbox, data-driven metrics are one of the best ways to change this perception from leadership, but security programs often lag behind other functional areas in capturing and communicating this information to decisionmakers. How then can security teams better leverage metrics and benchmarks that will resonate with organizational leaders?

Benchmarks vs KPIs

First, it is important to delineate between benchmarks and key performance indicators (KPIs)—terms that often used interchangeably. Benchmarks are a standard point of reference against which things can be compared between companies. They often rely on data that is easy to cross-reference and readily available within various departments. But benchmarks, when used incorrectly, can end up focusing on the wrong data or making irrelevant comparisons that skew findings and recommendations for leadership.

KPIs are uniquely developed around an organization and customized to its mission and goals. These strategic data points help show value, track progress, illuminate indicators of risk, and advance various initiatives within a department. Well-designed KPIs are much more useful in demonstrating value and generating executive buy-in. KPIs can be used as data to then benchmark against other organizations, but standalone KPIs should serve as an essential baseline to any conversation with leadership.

Improving the Use of KPIs

The perception of security being cost-centric makes the executive buy-in process more difficult. The industry is generally governed by different KPIs than operations, supply chain, sales, and other P&L functions, which can be easily measured in quality, revenue, and cost. Articulating success requires a more determined effort coupled with a little bit of creativity, because you are capturing and presenting data that shows at its core the bad things you prevented from happening.

This process starts by developing KPIs collaboratively with leadership. Because security teams may not have historically provided metrics, it is entirely possible—and in many cases likely—that leaders aren’t asking for them. It is important to go into these conversations proactively with ideas and a roadmap, then validating these KPIs continuously with executives. This ultimately ensures KPIs are meaningful and aligned with organizational goals and objectives. Making KPIs simple and visual also helps executives internalize trendlines amidst their competing priorities. The development of dashboards is increasingly common for security teams and mimics the success of other functional areas in communicating their metrics to leaders with cross-functional portfolios.

Security organizations also need to assess their ability to capture the right data. Generally speaking, security teams are less mature in this regard and often end up falling back into whatever is available. KPIs focusing on loss prevention, business impact, and recovery time objectives are a great way to start, as these functions are easily quantifiable and show cost savings to the business. Trends around incidents, investigations, and quantified risk mitigation efforts that lower probability of loss further demonstrates the value security brings.

But these data points are only available if they are captured and doing so is not always easy to spin up. Efforts must be made to begin putting in place the infrastructure and processes that enable these collection efforts.

From collection and analysis, security leaders then move to the critical step of executive dissemination. One suitable roadmap might include incorporating metrics dashboards into the agenda at monthly or quarterly meetings with leadership. There, team members can explain any contextual elements and provide time for questions. Security can articulate efforts underway to improve upon these KPIs and, over time, show trendlines.

Consider one theoretical use case that brings this all together. Using metrics, a security leader illustrates a material uptick in workplace violence incidents at a set of factories year-over-year. This directs in-house investigative resources to conduct a root cause analysis, drives funding approval for increased investment in various countermeasures, and leverages the executive to streamline cross-functional, top-down collaboration between security and human resources. This is one simple example of converting available data into a tool for executive outreach to bring stakeholders into team outputs and make metrics more actionable.

The Role of Benchmarking

Once KPIs are established and captured, only then can a security organization really think about the value of benchmarking.

Because much of the data that is useful may be sensitive, benchmarking is often most effective when done informally between CSOs in similar industries, working together to understand the nuance of issues and what has worked well. Security is a public good, and most CSOs are inclined to share best practices and challenges transparently with their peers.

Large-scale, commissioned benchmarking exercises may help in understanding industry-wide perceptions, but they will struggle to provide real utility for individual security teams or significant takeaways for executives surrounding security programs in their remit.

Generating Support for Current and Future Efforts

As security leaders, we inherently know the value our teams bring to the business. By reducing risk to revenue generating activities, reducing the cost of security-related incidents, and increasing the actual recovery of losses, security programs directly and indirectly make product and services companies more profitable. The challenge remains developing an easily digestible narrative for leadership that articulates this value add over time. Identifying, capturing, and communicating KPIs is one of the most effective ways to accomplish this, ensuring executives are bought into the security team’s mission and are supportive of efforts to continuously improve and adapt to an evolving risk landscape.

Brogan Ingstad is a vice president at Teneo Risk Advisory, where he advises Fortune 500 clients on risk management, corporate security, and business resiliency.