The New Performance-Based Security Program: Implementation
Posted on Tue, Aug 30, 2011
By The Sage Group
In our last post, we discussed several topics relating to metrics. The three questions we addressed were:
1. How do you determine what to formally measure?
2. What value does security get from investing in metrics?
3. What value does the organization get from investing in metrics?
Today, we would like to discuss implementing a performance-based security program. Now that you know what to apply metrics to and the benefit of that, let’s take a look at how to implement the practice.
How do you start? How do you collect, understand and report on metrics?
Performance Management begins with defining your objectives, the Critical Success Factors (CSFs), and the metrics by which you will measure performance.
The security organization may have inherited a company-wide framework in which objectives and performance are expressed. If so, the data you eventually collect will be reported in that framework's form.
Regardless, you must understand the objectives of your leadership team and how performance is best expressed, then arrive at your own objectives that align with those of leadership.
For each objective you arrive at, you must determine the actions that will lead to a successful outcome. These are your CSFs. Then you add a performance metric that defines the success of a CSF and a target for individual and organizational achievement.

Acquiring the baseline data for performance measurement is critical. In some cases the data exists but is difficult to access because it resides in another department, in a database that offers no clear or straightforward way to report on it, or with an external party. However, without data, future measurement cannot take place. A good security process consultant will walk through each step of a process, measuring its velocity and documenting the behavior of the people and their tools.
Sometimes you need to measure both subjective and objective data. For example, how would you measure ‘Customer Satisfaction’? You might use an objective survey form to acquire subjective data.
You must also consider the reliability of the data you are collecting. Consider future measurements you will be taking over time and ensure you are getting reliable, accessible, and accurate data.
Finally, each metric has a target. Setting the target is both a science and an art. Targets must be achievable but also inspire exceptional performance. In a period of initial change, consider setting targets that are readily achievable to help your people adjust to the new conditions. Over time, begin creating competitive benchmarks from industry data that allow you to claim a clear leadership position.
Security, as a process, generates data through its people and through the technology it uses. This data, if compiled, reported and analyzed, will create change within your security organization and increase its value to the organization as a whole.