How to Measure Your Risk Monitoring Activities
Ideally, businesses should use data to inform and contextualize their most important decisions, both inside and outside the security function. But obtaining accurate data to measure the value and effectiveness of security services such as risk monitoring or threat mitigation—which can be inherently less tangible—is often much more complex than a simple profit or loss calculation.
Well-designed and implemented security programs typically aim to be seamless and invisible, preventing and mitigating threats so well that many in the organization don’t realize a risk was present. But when success means nothing happened, how can security teams better measure and articulate the effectiveness of their programs? Even though most security programs can’t easily tie their contributions to a dollar value, that doesn’t mean those programs aren’t making direct and significant contributions to the business, or that metrics don’t exist to show that impact.
Protect Your Intellectual Property by Connecting the Dots—Trillions of Them
Strider combines open-source data, proprietary risk methodology, and subject-matter expertise to provide organizations direct visibility into the tactics, techniques, and procedures that lead to state-sponsored IP theft.
There are several ways to measure the effectiveness of your security programs, helping to demonstrate your team’s successes while also highlighting gaps that need to be filled in resources and personnel to ensure the security program can continue to support the organization’s growth and contribute to its goals. Perhaps most importantly, defining and measuring these benchmarks can provide a foundation to prepare the security team and the larger organization for emerging risks and the future threat environment.
Understand the Most Important Metrics
There is no one-size-fits-all solution to choosing the correct metrics to monitor, especially within the security industry. When considering the most important security program metrics you should track, everything should be viewed through the lens of your specific organization’s goals, strategy, and priorities. The most important metrics to track are those that are clearly and directly relevant to your organization’s most critical activities. Usually, there is a direct connection to activities that bring revenue, but that isn’t true in every organization.
Start by thinking about the security programs that support your organization’s most critical business processes and operations and consider how you define the success of those programs. You will likely find many interesting and useful data points that can be analyzed and tracked—but just because a point of interest can be measured and tracked doesn’t mean it will be beneficial to your team. The most useful categories of metrics will be:
- Relevant. The easiest metrics to track often turn out to be the least relevant. Ideally, the metrics you track should not only be useful and relevant within the security organization, but also followed as critical parts of the success of the larger organization.
- Actionable. The metrics you choose to track should be tied to actions the security team or your organization can take. Don’t measure anything your team would not be expected to take action on or that your team’s actions would not impact. The more a metric can inform effective business decision making by the security team or the wider business, the more useful it is to monitor.
- Cost effective. While it might be useful to measure and track many things, make sure the metrics you choose to track are worth the cost. The final cost will include monetary cost of the data, collection time, and analytical effort to evaluate the data.
If you’re starting the metrics monitoring process from scratch, it may be useful to start with only one to three metrics and reevaluate their usefulness to your ultimate goals and the broader organization.
What is the power of unification?
Unifying video management and access control, along with other functions, reduces costs and improves efficiency. If your organization is thinking of moving towards unified security, you’re not alone. With Genetec Security Center 5.11, we make unification even easier.
Measure and Benchmark Program Effectiveness
Once you have a short list of the most critical items to monitor, think about the best ways to measure progress within each of those metrics. Then consider what decisions can be made based on the information you will collect—for example, whether specific metrics should trigger any actions within your programs. Where possible, financial measurements typically provide the most tangible demonstration of a program’s value, but in security programs, financial metrics may also be the least cost-effective and most time-intensive to obtain and monitor.
Similar to the work identifying the most appropriate metrics to track, don’t be afraid to get creative to ensure that your measurement of these metrics is relevant to the program’s actual performance. The quality and relevance of the metric is almost always more important than the quantity of data you can collect. For example, counting the number of violent threats to the organization may not be a particularly useful number if there is reason to believe the count is not accurate due lack of monitoring or lack of awareness of reporting mechanisms. While it may be helpful to create quantitative measures of program performance—such as surveys of employee understanding of key security programs and objectives—it’s critical to ensure only the most relevant data is captured.
Also keep in mind that burning goodwill with others within the organization is rarely worth the benefit of obtaining a metric.
In some cases, it may be useful to create categorizations within a metric to provide nuance and create more value in your evaluations. For example, for a program that conducts investigations, it may be useful to separate each investigation based on complexity to ensure the level of effort, speed, and performance can be reflected accurately. An honest cost–benefit analysis of the collection should drive your decision about whether further categorization of metrics is a useful and effective step.
Ultimately, the metrics you collect and measure should be able to help your team prove the effectiveness of its programs in two key areas. First, demonstrating changes in performance or changes in program effectiveness in key time periods allows your organization to understand changes over time. Second, analysis of trends can establish patterns of activity and performance, correlating specific events or program changes with corresponding levels of performance. For example, the loss of a key person on the team may cause performance to decrease in a specific program’s effectiveness, while the acquisition of a new tool may drive increased program use or employee engagement in other programs.
Where possible, it may also be useful to articulate the benefits and cost savings of acting proactively within specific programs, identifying the costs associated with failing to mitigate specific risks before they become direct threats that require most costly interventions.
Moving the Needle
Even though security professionals are challenged with knowing the best ways to document their program accomplishments, identifying and tracking key metrics is critical to ensuring your team’s continued contributions and relevance to the organization. As with any other business function, presenting data that demonstrates the ways your team is working to promote growth, revenue, or productivity is a key way to demonstrate the value of your programs and get larger organizational buy-in to accomplish key goals and share the responsibility for mitigating risks across the business.
Security teams make daily decisions that keep employees, physical assets, and operations safe from a wide spectrum of risks. Using the right data to demonstrate the effectiveness of those efforts can help the security team to earn the confidence, trust, and support your programs deserve.
Stay Alert, Stay Updated
Find out your top 7 security-news articles,
Thomas Kopecky is the chief strategy officer for Ontic, where he oversees corporate strategy while leading a team of security intelligence experts that develop protective intelligence programs and support clients in maximizing Ontic’s economic value. He also lends his many years of experience in protective intelligence and threat assessment to the Ontic Center for Protective Intelligence. Prior to joining Ontic, Kopecky founded two boutique service firms that focused on global threat assessment and security consulting, as well as intelligence collection for both litigation support matters and protective security applications.