The New Performance-Based Security Program
Posted on Fri, Aug 26, 2011
By The Sage Group
The Professional Services Group (PSG) of Aronson Security Group asked us to comment on four questions related to metrics. Since creating, measuring and accelerating value is our focus, we were happy to oblige. Here are the four questions:
1. How do you determine what to formally measure?
2. How do you collect, understand and report on those metrics?
3. What value does security get from investing in metrics?
4. What value does the organization get from investing in metrics?
We’ll answer #1, 3 & 4 today and leave the implementation piece for Monday.
Introduction: What is Performance-Based Security?
Measuring security performance means assessing business and security results to: (1) determine how effective the strategies and operations are and (2) make changes to address shortfalls and other problems.
There are different methods and criteria for measuring performance. However, the common strand through each is the ability to measure the results generated by core business processes, using specific metrics. For each process, there are many possible metrics.
1. What Should Security Organizations Measure?
• Improvement: Understand your strengths and your weaknesses. Show continuous improvement over time.
• Planning and Forecasting: Performance metrics create a progress trend line allowing organizations to not only be clear on their current performance position but also forecast their future condition based on the data.
• Technology Lifecycle Management: Performance metrics for the uptime of the hardware and software that security uses are non-existent. But this ‘viability index’ can measure service costs, availability costs, levels of risk incurred with downtime, and the lifecycle of the total solution.
• Security as ‘Friction’ or ‘Lubricant’ to Company Value: When Security interacts with core business processes, is it an obstacle to company performance or a critical value driver? These intersections are more common than you think. Find them and measure them and reap the rewards.
• Competition: When organizations benchmark their performance against their competition or even similar companies in a different market space, they can identify practices that can improve their performance over time.
• Reward: By knowing which organizations, departments and individual employees have achieved their outcomes, leaders can align budget and compensation accordingly.
• Regulatory and Standards Compliance: A baseline metric and a benchmark assist in forecasting compliance capacity and performance.
3. What Value Does Security Get from Investing in Metrics?
Determining how to translate data into information and then elevate it to security business intelligence is critical to managing cost-effective security programs that allow for transformative innovation. Product manufacturers need to make it easier to exploit the data that is generated by their technology devices and software. Integrators need to know the business better to be able to assist in workflow and technology use patterns. And security professionals must become performance-driven for the sake of their profession, the companies they represent and their strategic place at the table in the C-Suite.
4. What Value Does the Organization Get from Investing in Metrics?
Key performance indicators come in three types:
• Process KPIs measure the efficiency or productivity of a business process. Examples include "Product-repair cycle time," "Days to deliver an order," and "Number of rings before a customer phone call is answered."
• Input KPIs measure assets and resources invested in or used to generate business results. Examples include "Dollars spent on research and development," "Funding for employee training," "New hires' knowledge and skills," and "Quality of raw materials."
• Output KPIs measure the financial and nonfinancial results of business activities. Examples include "Revenues," "Number of new customers acquired," and "Percentage increase in full-time employees." Three particularly common output KPIs that are used by managers include:
- Return on investment (ROI): Return on investment represents the benefits generated from the use of assets in a company, unit, or group—or on a project. ROI is helpful to top executives, finance managers, board members, and shareholders.
- Economic value added (EVA)™: EVA, popularized in the 1990s by U.S. management consultancy Stern Stewart & Co., is defined as the value of a business activity that is left over after you subtract from it the cost of executing that activity and the cost of the physical and financial capital deployed to generate the profits. In the field of corporate finance, EVA is a way to determine the value created, above the required return, for a company's shareholders. It's therefore useful to senior management, boards, and shareholders and other investors. EVA is calculated as follows:
- Market share: The percentage of sales in a given industry segment or sub-segment captured by your company.
All three types of KPIs—process, input, and output—generate valuable performance metrics. A mix of the three types ensures a comprehensive picture of your unit's or organization's performance.
Be sure to come back Monday to learn how to implement these important metrics.