How to Determine and Implement the Right Security Metrics for Your Team
By Northland Controls, Nov 16, 2021
It’s amazing what a dashboard full of numbers can tell you.
For security teams, tracking, reporting, and reviewing these numbers in the form of key metrics, it can tell a story of safety, success, and opportunity. According to ASIS, 78% of security professionals would use metrics if they knew more about how to create and use them effectively. However, determining what the right metrics are and how to successfully turn them into actionable insight can be challenging.
Traditionally, metrics have been driven by securing places and buildings, but former Northland employee and security professional, James Kendall, says that he is seeing a shift to a more user-centric approach. “There is a big change happening in the industry that is now being driven by the ‘smart office’ revolution. It’s changing to become more user centric and looking at why are we doing this and what is the user experience that needs to go hand in hand with what we’re doing.”
He goes on to discuss that the push for smart office environments is being fueled by consumer’s current needs and desires. From unified business technology to sustainable buildings, security teams are uniquely positioned to touch multiple aspects of these developments. Just one example being the adoption of mobile credentials in the workplace. By using a single application, companies have the opportunity to use a credential for more than just access. Kendall says, “this same app will become a utility for event information, space management, accessing office resources such as printing, and even ordering food at the cafeteria” all with security and measurable insights in mind.
However, as we look to the future of the security industry, we first must understand where we stand today. Tracking and analyzing security metrics can help define a roadmap for tomorrow by giving teams a better understanding of their current operations and helping them make data-driven decisions. But where do you get started?
Based on the response of 3,000 security professionals, ASIS created five metric categories that are applicable to a variety of security teams. These categories included security incidents, criminal incidents and investigations, cost against budget, security training, and guarding performance. While these buckets may cover general metrics that should be tracked, it’s important to take a look at your unique challenges and opportunities.
Here are four ways to determine and implement the best metrics for your security team:
1. Define what success looks like and what problems you are trying to solve.
The first step in determining the most impactful metrics is to define the current problems and pain points that you are experiencing. Are you lacking resources to perform the given tasks in the given time? Would new technology help minimize false alarms? Do you need additional manpower to maintain your response time? Your problems are unique to your team and, once defined, will help pinpoint the type of data needed to manage them.
Now that you have your problems identified, take time to specify what success looks like in response to these problems. Kendall says that he and his team set bold goals but always keep in mind that the target is always moving. “We set bold goals, but to us, success means that you’re moving in the right direction and that you can reflect that what you’re working on is directly impacting what we are trying to achieve.”
2. Determine the story you are trying to tell.
Implementing security metrics can be a real game changer, regardless of size or objectives, but it’s important to track the right metrics. Before you get started, understand where it is you want to go. What story do you want to tell with your metrics and what numbers need to be included to tell the full story? Building a business case for growing your team, for example, will be much different than the type of metrics needed to justify purchasing new technology.
Brian Tuskan, Chief Security Officer of Microsoft, recommends teams understand what story they are trying to tell before choosing which metrics to track. He says,“Just because you have the data, doesn’t mean that it’s worth the use. When you start using meaningful data is when you can truly be successful.” Choosing the right metrics is crucial to narrate a story of triumph and success.
3. Set a baseline to provide context for your future findings.
Without understanding where you are starting, it is extremely difficult to track any future progress. Once you have determined the metrics that you want to measure, figure out where you currently stand with those numbers. If your goal is to reduce the number of false alarms, for example, determine how many of those false alarms you are currently experiencing. Once you understand that, you can begin to make an action plan to reach your goals.
When creating a baseline, there is great value in being able to compare all facilities across your corporate landscape, regardless of size or headcount. By normalizing this data, offices can be evenly compared in terms of metrics. For example, taking into account headcount and device count can give you an average alarm per asset, instead of looking at large incomparable data sets. “This baseline allows for a week-over-week trend that you can use to compare offices to each other in an equal fashion. Once you have this, you can empower the local offices to take responsibility and provide transparency to the offices on what you’re trying to achieve,” says Kendall.
4. Define a reporting structure that will turn data into action.
Now that you have the data, what are you going to do with it? Simply having the data will not drive results. According to Kendall, proper reporting can help look for operational risk, shed light on the health of the system, help advocate for additional resources, and sell the value of your team and systems. And while these numbers are dynamic, pulling reports and sharing them with C-Suite executives at least once a quarter can help make sure your objectives remain aligned with larger organizational goals. Use these reports to determine how you are tracking with the goals set for your team. Are you on track or do you need to re-evaluate the actions being taken to reach them?
Using reports on a more frequent cadence can also help teams become more proactive against potential threats. “By pulling data from multiple sources, teams are able to build better awareness and learn trends and habits from daily routines. By doing this, it is easier to spot a red flag such as an employee accessing an office at an unusual time or a laptop accessing the Wi-Fi in a different location than where the employees badge shows,” Kendall goes on to share. The data presented in these reports can be used to respond to an immediate threat or address larger trends that are creating vulnerabilities within the company.
Depending on your team’s responsibilities, the type of metrics that you will track can vary greatly. For example, Tuskan, whose efforts are focused on security operations, emphasized life safety, incident reports, types of services being provided, response times, and occupancy data as some of the key metrics he looks for. On the security technology side, Kendall spoke to the importance of system integrity, user experience, cyber posture, and non-compliance among offices within his metrics dashboard.
Whatever your goals are, determining and monitoring security metrics can elevate your security team’s ability to protect your employees, secure your buildings, safeguard your operations against impending threats. Now that you know the how, read more about why you should be tracking metrics, here.
If creating and implementing security metrics seems like an overwhelming task, reach out to our team of security consultants by emailing firstname.lastname@example.org.