Four Reasons Why Your Security Team Should be Tracking Metrics
By Northland Controls, Nov 02, 2021
What is a security metric? Also known as a key performance indicator (KPI), this numerical data provides quantifiable insight into the actions and outcomes of a security team.
Whether supporting operational or technological endeavors, this data can provide a quantifiable way to track how effectively a department is achieving its objectives and key results (OKRs). And, in an industry that relies heavily on qualitative (over quantitative) data, narrowing down specific, measurable, attainable, relevant, and time-bound (SMART) goals can be beneficial for teams struggling to acquire resources or drive larger business objectives. “It can be very difficult to track metrics because a lot of [our jobs] are very tactile, soft skills – things you can’t necessarily quantify,” says Jase Keen, Director of Global Security Operations at Citrix. But by integrating security metrics into your operations, teams can begin to add in more concrete, trackable results.
Let’s take a look at some of the reasons why teams should develop and use metrics in their own security operations.
1. Understand Your Security Operations and Identify Areas of Improvement
It’s no longer enough to simply maintain a company’s security initiatives until something goes wrong. With the increase in threats companies face, security teams are needed now more than ever. However, it can be difficult to prove their worth. “In security, everyone sees the failures, but no one sees when everything goes right,” says Keen.
Relying on metrics provides insight into your security operations and associates value to a team even before an event happens. For example, being able to show a reduction in break-ins due to pre-emptive measures taken by operators can take security from a cost-center to a value-added business unit. Having a better understanding of how your teams are operating, and how they are interacting with the larger business units, can help drive policies and implement improvements throughout all areas of your team. It’s important to not only understand what is going right, but also what is going wrong in order to build a robust and constantly evolving security team. Ultimately, this type of awareness can lead to increased customer satisfaction and higher retention rates for both internal and external stakeholders.
2. Justify Growth and Resource Asks
Many security teams are challenged with a lack of resources, not enough manpower, and outdated technology that can hinder their ability to do their job. “If you take on more work without the additional resources,” says Brian Tuskan, Chief Security Officer at Microsoft, “that’s called anonymous gifting.” He goes on to share one of the most important pieces of advice he received from his Microsoft mentor, Charlie McNerney. “Something has to give,” he says, “and it’s usually time. You can’t do more with less, you’re going to do less with less.”
When teams are left doing less with less, unintentional gaps and vulnerabilities often emerge. However, using metrics to advocate for your needs can turn a request from opinion-based into a data-backed business case. Tuskan goes on to say, “As CSO, whenever the team has a resource ask, whether it be employee, equipment, contractors, etc., we look at what data has changed that makes them think the additional resources are needed.” Approaching your request from a business and financial perspective can help you advocate for your team by connecting your needs to larger corporate goals.
3. Make Data-Driven Decisions
Security teams touch every major department within a company from human resources to IT to business continuity. With that reach, comes a certain level of responsibility. Using the data produced by key security systems such as access control, video management, or critical event management platforms can help drive business decisions. According to a study conducted by ASIS, 80% of security professionals said that their metrics are tied to, aligned with, or are part of larger organizational risk processes and organizational objectives tied to business continuity, compliance, risk management, or client satisfaction.
One shining example of using metrics to drive business decisions is derived from the current COVID-19 pandemic which has presented one-of-a-kind challenges for security professionals tasked with creating return to work strategies. Leveraging access control and video management data to monitor things like social distancing, occupancy levels, and mask-wearing has allowed companies to return to their physical space and take one step closer to getting back to “business as usual.” When preparing his return-to-work strategy, Keen said he was constantly evolving and changing his approach as the situation developed and evolved. “There’s no right answer and no one has a blueprint for how to re-occupy,” he says. But by using data produced by their access control system, he could analyze who was going in, who was not, and provide insight to drive the company’s larger return to work strategy.
4. Align and Motivate Staff Performance
Used in the right context, KPIs can be used as a rallying cry to align and motivate staff striving to meet internal goals. Whether you are striving for a better response time or vying for additional resources, tracking metrics, and sharing them with your team gives a sense of progress, direction, and accomplishment. To truly have an impact, be sure that your KPIs support larger business objectives and are clearly defined to avoid confusion and demoralization amongst staff.
Metrics can also be used to celebrate the wins, no matter how small they may be, within a security department. For teams focused on the absence of events, providing a clear path to success can help boost morale and give employees a sense of accomplishment in their work. Former Northland employee and security professional James Kendall says that “the beautiful thing about metrics is it keeps the team in line with what we want to deliver upon, even if we don’t deliver on everything.” Through KPIs, teams can have a clear path forward for personal and professional development leading to a happier, more fulfilled workforce.
Developing security metrics can level up your security team by providing a deeper understanding of what is happening and how it can drive results both at your company and within your team. Using these metrics to bolster your security posture can be the difference between a high-performing team and one unable to advocate for themselves. Once you decide to incorporate data-driven decisions, it can be difficult to know where to get started. Read more about how to determine and implement the right metrics for your team, here.
Read more about how to determine and implement the best security metrics for your team, here, and if creating and tracking security metrics seems overwhelming for your team, reach out to our team of experienced security consultants by emailing info@Northlandcontrols.com.
Source: ASIS