Metrics to Make Security Shine Beyond the Numbers
The adage, “What gets measured gets done,” makes sense regarding accountability, deadlines, and goals. It is also the mindset of many busy C-suite executives. However, it does not always account for the proactive, preventative, and forward-looking mindset that today’s security leaders must have.
Security operations rarely make a profit for the organization. Security is seldom known for all that is done to prevent an incident but will be praised for responding to one—this is often a small, but critical, portion of our time.
The challenge is we often must try to measure the absence of an event. We should show day-to-day prevention activities that help reduce the frequency and severity of incidents. This demonstrates the value we bring to the business every day in addition to those high-profile response events. This is where you need to unquestionably understand and establish your organization’s mission, vision, and values. If this is unfamiliar, read up on the topic, brainstorm what it means for you and your team, and establish the mission. It is your North Star.
The role of metrics must meet the goals of the organization. Metrics are used to help build programs, measure output, improve efficiency, and make data-driven leadership decisions. Data or metrics can also justify the expense of an investment, especially in the early and late stages of the business growth model.
Security’s metrics have historically fallen flat in the modern business world. Incidence rates, response times, expenses, and headcount are all either lagging indicators or captured in other parts of the business. As leaders, we must ask two fundamental questions: Where do we want to take our program? What metrics will help us get there?
Start with Common Language
All levels in the organization must understand the metrics you use for your program. Your aim should not be trying to talk above or over others with your metrics. Instead, the goal must remain focused on support for your program.
People support what they understand and fear the unknown. This can be forgotten in C-suite discussions when we often want to showcase our contributions and forget our audience.
Look at other parts of the organization. What do other business units report, and how do they report that information? Many business leaders understand language and terminology relating to environmental, health, and safety (EHS) and U.S. Occupational Safety and Health Administration (OSHA) matters. On the other hand, security and law enforcement lingo is not relevant in most business settings and can be off-putting for those in leadership roles outside of security.
When setting the baseline and modeling your data for departments and leaders outside of security, using language or examples from EHS can be a good starting point because of the similarities in the protection of people, processes, and infrastructure. Human resources (HR) or facilities may also be options for a common language base. The key will be to align terminology—where possible—so communication isn’t delayed by defining different terms.
Blended metrics is an approach that includes lagging and leading indicators. Leading indicators predict future performance, while lagging indicators measure past performance. This approach helps balance where we have been with where we want to take our program, so be very deliberate with this communication. One of the easiest ways to help leaders engage is by using language or concepts they already understand. An example may be the Heinrich Safety Pyramid or Incident Pyramid, pictured below.
Figure 1 shows a hypothetical year-over-year performance and clear differences between leading and lagging indicators—simple yet effective. It shows if people are engaged, at what rate, and the benefits of that engagement.
EHS professionals often use this pyramid because the concept has been around since the 1930s and is sometimes included in annual reports. This example, which illustrates year-over-year performance, indicates whether things are improving or getting worse.
The example above also helps show that an engaged workforce in the leading indicator space should help reduce the number of lagging indicators. As you follow the pyramid, there are some key points to consider: the hours have increased, but so have the improvements (one of the leading indicators), which in turn should reduce the number of incidents (a lagging indicator). The metrics are normalized using the OSHA Total Recordable Incident Rate (TRIR) formula. The rate is calculated by dividing the number of recordable injuries per year by the total hours worked and multiplying that by 200,000.
Consistency in what you share helps get to the richer conversations on why things are improving or getting worse. Examples that might be used for the improvement areas are items found on tours to prevent security incidents from happening or an upset employee found in the grievance phase (leading) to prevent workplace violence (lagging). Those numbers replace the recordable part of the calculation above for the rate at each level of the pyramid.
The pyramid helps show those clear differences between leading and lagging indicators. Simple, yet effective. It shows if people are engaged, at what rate, and what the benefits are. This straightforward approach gets you to the table, able to explain security’s impact visually, which helps build support. A clear program ask of the business in leading indicators gives the company a purpose to support security. Examples include participation in voluntary training, such as security awareness or emergency preparation, and security improvements that employees submit. These must be easily obtainable and generate engagement and further interest.
Tracking such efforts can be done on existing business systems. Again, this should be easy for the end user and allow you to track, use, and share the data. The goal is to have actionable data.
In some cases, the volume itself is actionable if it shows employee participation in your program—a leading indicator. Over time, leading indicators should help reduce your lagging indicators’ frequency, impact, or severity. If not, then adjust your leading indicators.
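As an added illustration (not from the original article), the Python sketch below applies the 200,000-hour normalization to every pyramid level and compares two years, following the rule that rising leading indicators should come with falling lagging ones. The level names and all figures are constructed assumptions; note that the raw incident count rises from 27 to 28 while the normalized rate falls, because hours worked increased.

```python
HOURS_BASE = 200_000  # normalization constant from the OSHA TRIR formula

# Assumed pyramid levels for this example; use the ones your program reports.
LEADING = ("training_participation", "improvements")
LAGGING = ("incidents", "significant_incidents")

# Constructed sample data, not real figures.
YEARS = {
    2022: {"hours": 1_800_000, "training_participation": 450,
           "improvements": 90, "incidents": 27, "significant_incidents": 9},
    2023: {"hours": 2_000_000, "training_participation": 700,
           "improvements": 160, "incidents": 28, "significant_incidents": 6},
}


def rate(count, hours):
    """Events per 200,000 hours worked (count / hours * 200,000)."""
    if hours <= 0:
        raise ValueError("hours worked must be positive")
    return round(count * HOURS_BASE / hours, 2)


def level_rates(year):
    """Normalize every pyramid level of one year's record by its hours."""
    return {lvl: rate(year[lvl], year["hours"]) for lvl in LEADING + LAGGING}


def compare(prev, curr):
    """Year-over-year rate change per level, plus a short reading of it."""
    before, after = level_rates(prev), level_rates(curr)
    change = {lvl: round(after[lvl] - before[lvl], 2) for lvl in after}
    leading_up = all(change[lvl] > 0 for lvl in LEADING)
    lagging_down = all(change[lvl] < 0 for lvl in LAGGING)
    if leading_up and lagging_down:
        reading = "on-track"
    elif leading_up:
        # Engagement rose but incidents did not fall: revisit what is measured.
        reading = "adjust-leading-indicators"
    else:
        reading = "engagement-not-rising"
    return change, reading


if __name__ == "__main__":
    change, reading = compare(YEARS[2022], YEARS[2023])
    for lvl, delta in change.items():
        print(f"{lvl:24s} {delta:+.2f} per 200,000 hours")
    print(reading)
```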
Examples that can be easily understood should be spelled out. Employee participation and awareness, such as reporting piggybacking, will reduce significant security incidents. In turn, this reduces potential intrusion threats and shows employee awareness and engagement in your program. This should be tracked and celebrated to have maximum impact.
What gets measured gets done; we started this discussion acknowledging this. What we measure and how our mission, vision, and values impact an organization is up to us as security leaders.
We often get lost trying to show people how smart we are, but this is not necessary. Instead, we need to focus more on demonstrating our value through smart, innovative metrics that are easily communicated, understood, and actionable for everyone in our team and especially for all employees—from the production floor to the C-suite. This can all be done by understanding how metrics impact the organization, and how you can lead the team to better utilization of those metrics in the future.
Dan Rhatigan, CPP, CSP (Certified Safety Professional), is the executive director of EHS and security at Regeneron Pharmaceuticals. Rhatigan has worked in the EHS and security field in the pharmaceutical and chemical manufacturing industries for more than 27 years. He has extensive emergency response experience, having spent almost 20 years in the fire service, moving up to first assistant chief of training and operations. He holds a Bachelor of Science in Emergency Management, a master’s degree from Georgia Tech in Safety and Health, and is completing a doctorate in criminal justice/homeland security. Rhatigan spends as much of his free time as possible with his wife and two adult children doing anything outdoors, including skiing, golfing, kayaking, and fishing.