Going into our latest webinar alongside Security Magazine, 54% of attendees said the biggest challenge their security program faces is budget, followed by inefficiencies at 20%. That poll was a natural jumping-off point for the discussion that followed: how a security program is measured, analyzed, and assessed to determine whether it is effective.
(Sidenote: If you missed the event and want to watch the whole thing, click here. Otherwise, read some of the highlights below.)
A security program is the organization's security policies, procedures, tools, and controls that are in place to protect the organization. Oftentimes in physical security, security leaders are tasked with ensuring the security program is in place to protect the organization from risk; but it’s more complex than that when it comes to communicating security’s value.
HiveWatch Director of Account Management and Security Advisory Rebecca Sherouse was joined by Control Risks Associate Director Isabella Cuomo and The Chertoff Group Managing Director Ben Joelson to discuss the ins and outs of determining whether a security program is effective.
Here are four of the takeaways:
Create a baseline. Creating a baseline for reporting the effectiveness of a security program begins with the data and KPIs being established. When doing so, security leaders must understand how the performance of the security organization compares to the needs of the business. A lot of times, security operates in a vacuum. But security leaders need to understand the strategy of the business.
Joelson said, “Spend some time with senior leaders in the organization and ask them questions, such as, ‘Where do you see the company going? Are we scaling globally, or keeping domestic?’” The answers, backed by data, can better inform the actions of the security program as it relates to risk. For example, if security is focused domestically and the business is looking to expand globally, those goals are misaligned. Being able to match what the security team is trying to achieve with what the business needs is critical.
“It’s so important to look at what the risk is to the business if you go offline because of a security incident,” Joelson said. “Make sure you’re gathering data and information about the impact to the business, response time, and how that mitigates risk to the C-suite.”
Creating a baseline should start with the following:
- Gain a holistic view of what data points are collected today
- Align with the business strategy and prioritize based on what's known
- Develop goals that are measurable
- Be flexible
The bottom line is, “Put these steps into practice in a blame-free environment that focuses on continuous improvement,” Joelson said.
Benchmarking isn’t always the right approach. A lot of organizations seek understanding about their business by benchmarking themselves against their peers. This means looking at your competitors to figure out what they’re spending on security programs, how they’re performing, and how you measure up. But this might not be the best approach.
“Benchmarking can be a useful tool, but like any tool or process, it’s important to identify the desired outcome from the comparison at the beginning of the exercise,” Cuomo said.
As security consultants, professionals like Cuomo ask their clients, “Are you seeking to understand the program’s maturity? Do you want to understand if the coverage allocation for an executive is appropriate based on their unique profile? Do you want to leverage the comparison to craft an effective business case for more resources?” The answers help determine whether benchmarking is the best approach.
"Organizations are unique in terms of priorities, risk exposures, and risk appetites, so think about these things before you rely too heavily on peer benchmarking." - Isabella Cuomo
Measure return-on-investment (ROI). Starting with the data available, security leaders need to be able to measure ROI on the tools and resources they use in their programs. This is one of the most critical steps toward ensuring the C-suite understands the value that security brings to the organization.
“It’s so hard to conceptualize how a security program is performing without first knowing the metrics that you’re competing against,” said Sherouse. Measurement cannot happen without the data. In a Global Security Operations Center (GSOC), there is a rich set of data that can be used.
Using this data to approach other stakeholders, you can paint a picture for them. For example: we’ve found that operators spend XX minutes triaging a call in our GSOC, and we need to get that down to XX minutes. Framing the improvements in terms leaders understand makes it more likely that you can secure investment.
As another example, you use existing incident-frequency data to determine that static posts (where guards are in a fixed location) are inefficient at 50% of facilities. You deploy a new guard-tour technology and decrease ineffective guard spend by 30%. Backed by real-time analysis, this demonstrates ROI to leadership. Data remains a critical piece of the puzzle.
“The organizations that are able to have a security program with a strong internal brand and that are able to continuously communicate its value add into the C-suite are the ones with the effective ROI assessments,” said Joelson.
Consider technology that meets your program goals. When considering technology investments to reduce risk, it’s important for buyers to take a risk-based approach to acquisition. Before investing in a specific solution, do the following:
- Audit internally to avoid redundant tools
- Consider point versus complementary solutions
- Assess data ownership and access
- Ensure flexibility and future-proofing related to strategic roadmaps
The best technology investments highlight security program metrics that can be used to showcase the benefit of security to the broader business goals (see our first point above). Without these numbers, security can often get lost in the discussion as a “cost center” rather than a business enabler.
How HiveWatch Can Help
HiveWatch captures baseline systems data ahead of implementation, then we help customers design their ROI models to capture things like:
- Operator and guard response time
- Device health and impact to integrator contracts
- Guard compliance with SLAs
- Incident trends to drive resource allocation