A few years ago an informal survey discovered that many security practitioners report mostly “bad news” information to management.
The statistics included items like security operations costs, overtime costs, cost of investigations, number of security incidents, serious incident descriptions, and so on. Often this is information that management has asked for. But it in no way does it provide enough insight to evaluate the security-effectiveness or cost-effectiveness of the security program.
A Good Day is Not “When Nothing Bad Happens”
A good day is when security measures are effective, whether people, process or technology. A good day is when the impact of a risk incident is minimized or avoided altogether, due to the effectiveness of your security program. Risk conditions are unavoidable. The true test of a security program is whether its measures are intact and functioning, and whether or not it is reducing security risks to acceptable levels, at an acceptable cost.
What Should You Measure?
For one thing, your security cost-effectiveness metrics could tell you how security costs relate:
- per dollar of revenue
- per dollar of profit
- per dollar of company valuation
- per square foot of property or building space
- per employee
- per contractor
If you don’t like the look of one or more metrics, that can give you a focus for improvement. It can also provide the “big picture” whereas a single metric alone is subject to a lack of evaluation perspective.
Case in Point
One cost-conscious security manager had been reducing security costs about 10% per year for the past five years, when management called for a company-wide 10% reduction in workforce. The manager put together yearly metrics data, which showed that the cost of security per employee, per square foot of building space, and per dollar of profit. The graph showed a downward reduction in costs from all three perspectives.
Anticipating that the personnel reduction would require a short-term increase in security costs and level of effort required due to the terminations, the security department applied to be exempted from the workforce reduction because it had already been improving cost-effectiveness year over year, even in spite of two small increases in the number of security personnel. Management was impressed with the sound business sense the metrics demonstrated, and approved the exemption.
If you don’t already have metrics in place, it can be important to document the current state through metrics before making a planned change or improvement. Sometimes it takes more than one statistic to show the true picture.
For instance, one security director saw a need to implement a workplace violence program, due to the general increasing workplace risk picture across the community, and an internal uptick in reported company policy violations relating to employee behavior. The idea was to address the policy violations before any behavior could escalate into an actual act of violence. and to “nip the problem in the bud” before it blossomed into a serious incident.
However, after the program was implemented, the policy violations increased. Human Resources was concerned that the program had flopped, and that the money was wasted. Using only one statistic gave a completely false picture.
The true picture was established by correlating policy violations with another statistic: facility occupancy. For over a year BEFORE implementing the workplace violence program, the level of workplace violence correlated directly with the level of facility occupancy. When occupancy went up, so did the policy violations. The two graph lines had identical trends.
AFTER implementing the workplace violence program, the correlation broke, and the level of workplace violence was independently trending down. They discovered that when the workforce doubled, there was a spike in policy violations—due to the fact that the new employees were not given the same workplace violence video training. Personnel had only been given the company policies to read, which didn’t have the same effect.
The statistics showed not a failure of the program, but a failure to keep applying the program as needed, according to increases in facility occupancy.
The insightful report gained immediate approval for additional funding to put the workplace violence video online, and require its viewing followed by quiz, which was made part of the employee on-boarding process.