Security Technology Executive

APR 2013

Issue link: https://securitytechnologyexecutive.epubxp.com/i/118926

MY POINT OF VIEW
By Steve Lasky

Arm Yourself with Metrics

Coupling hard numbers with thoughtful analysis is essential to getting the buy-in you need from upper management

It is easy to cover yourself in statistics when attempting to assess your department's worth. It is not unusual to see a security director or CSO marching into the C-Suite with enough Excel spreadsheets to fill an Iron Mountain shredder truck. If that is S.O.P. at your quarterly management meetings, then it is more likely than not that the wrong message is being sent to your higher-ups.

There is no doubt that management bases its critical decisions around the bundled data you provide in folders filled with trend lines, graphs and assumptions. But like unfiltered video streaming onto a server from a surveillance camera, it is crucial you have someone in your security department providing the analytical thinking to accompany the data.

Never has the practice of metrics been as important to the role of security in an organization as it is today. The evolution of enterprise risk management policy and procedure dictates that you and your boss understand the data that can help your organization identify risk, and thereby aid in mitigating it.

"It's not about the spreadsheets, the numbers or the flow charts - it's all about the analysis of that data and how you then implement the strategic thinking that goes into mitigating your risk," said George Campbell, regular STE columnist and one of the industry's most vocal champions of security and risk metrics, at the recent ASG Security Summit & Expo in Seattle.

"Measuring is what successful management really is," he continued. "And at the end of the day, it is communication that is the core competency of every good manager. A large part of being a good communicator is how you manage data and how you present the results to your superiors to tell a compelling and honest story."

Perhaps the most shocking aspect of this new age of security and risk accountability is the voids in the corporate landscape related to accurately assessing vulnerability. I've been shocked following discussions with veteran security gurus like Campbell and others who tell me horror stories of Fortune 500 companies that have no incident management protocols or assessment programs at all.

"It is a characteristic of far too many of our major organizations," Campbell said.

Three years ago, Boeing Corp. vice president and CSO Dave Komendat wasn't completely satisfied with the impression his security department was making within the company. He thought they could be telling a better story.

"We were doing all the right things and doing them well when it came to security [within Boeing]," he said. "But we felt we weren't able to really paint the true picture and tell an effective story about security's positive role here."

Komendat admitted that it was partly his fault that upper management at Boeing didn't realize what his department did to protect the bottom-line assets and integrity of the company. He figured that it would benefit both his department and board to go on the offensive.

"I don't care if your security budget is $500 or $250,000, you must always be able to tell a relevant story and leave the C-Suite realizing you run your department as a business," he said. "But you should also reinforce the fact that you understand how your department is aligned to your company's bottom-line objectives. You should always have those four, five or six things in your back pocket that can demonstrate an impact on the business. Show management you are a business enabler and you will be viewed as an influencer."

Komendat summed up the metrics proposition very simply when he said that it doesn't matter how good your people or your processes are if your department has zero visibility.

"Being invisible is a recipe for disaster. Your board better know where your budget money is going."

If you have any comments for Steve Lasky regarding this or any other security industry-related issue, please e-mail him at steve.lasky@cygnus.com.

SECURITY TECHNOLOGY EXECUTIVE (USPS 009-826; ISSN 1946-8474 print; ISSN 2158-7078 on-line) is published nine times per year: January/February, March, April, May, June/July, August, September, October and November/December by Cygnus Business Media, 1233 Janesville Avenue, Fort Atkinson, WI 53538. Periodicals postage paid at Fort Atkinson, WI and additional entry offices. POSTMASTER: Please send all change of address to SECURITY TECHNOLOGY EXECUTIVE, PO Box 3257, Northbrook, IL 60065-3257. Subscription Policy: Individual subscriptions are available without charge in the U.S. to qualified readers. Publisher reserves the right to reject nonqualified subscribers. One year subscription to nonqualified individuals: U.S. $35 One Year; $70 Two Years; Canada and Mexico $55 One Year; $100 Two Years; all other countries, payable in U.S. funds, drawn on U.S. bank: $80 One Year; $150 Two Years. Single issues available (prepaid only), $10 each. Canadian GST #131910168. Canada Post PM40612608. Return Undeliverable Canadian Addresses to: SECURITY TECHNOLOGY EXECUTIVE, PO Box 25542, London, ON N6C 6B2. The opinions expressed by the authors and contributors to Security Technology Executive are not necessarily those of the editors or publisher. SECURITY TECHNOLOGY EXECUTIVE is published and copyrighted 2013 by Cygnus Business Media. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage or retrieval system, without written permission from the publisher. The publisher reserves the right to accept or reject all editorial or advertising material. Publisher assumes no responsibility for return of unsolicited manuscripts or artwork. Printed in the U.S.A.
