Security Technology Executive

FEB-MAR 2014

Issue link: https://securitytechnologyexecutive.epubxp.com/i/282968


METRICS FOR SUCCESS

Building a Corporate Security Dashboard

A detailed dashboard can help Security communicate and manage its mission

By George Campbell

I've covered this topic in the past, but dashboards are a compulsory part of the CSO's management toolkit, so repetition is likely worthwhile. If you go online and search for dashboards or even security dashboards, you will find several examples and off-the-shelf sources. But you can easily build your own with your standard desktop applications.

First and foremost, verify the accuracy of content and conclusions. Then target your audience with actionable information while providing yourself with a script that takes advantage of the opportunity for focused engagement with management. What action(s) are you seeking, by whom, and how prepared are you to assist in that engagement?

If you look at the dashboard here, what is displayed on the left is a combination of six simple boxes to highlight six areas of performance reporting, with enough words to summarize status. On the right, the presentation takes a deeper dive into supply chain security compliance and then closes with a highlight result on customer satisfaction.

In this example, there are four pieces of data that relate to the Security Department's management updates. The budget burn rate and customer satisfaction are good news, as is our internal service level agreement (SLA) with HR on the background investigation program sustaining its cycle time commitment. We are advising that our monitoring of our guard force vendor's SLA is generating concern as of Q2. The issues here appear to relate to the availability of acceptable personnel, so this may also be a leading indicator of downstream service quality issues. This represents the single biggest cost in the department's budget.

For this quarter, the CSO has also opted to provide several alerts for management's attention and engagement. The fact that Security is doing compliance reviews on information protection indicates that they have taken some ownership of this aspect of IT security. It's often very revealing to see the amount of IT resources that go to the technical side of information security while leaving the glaring defects in hard copy integrity to the whim of business unit owners. These compliance reviews are a very valid sharp stick in the eye, and the resolution plans in place indicate that Security's influence is in place and effective.

On the insider risk front, the CSO is continuing to monitor the critical business conduct barometer as an output of their investigation findings. He will note in his presentation that this 20 percent increase in policy non-compliance is just from investigations that have been referred from the business units. What do they indicate about patterns of behavior that have not yet risen to this level of intervention?

Another alert and leading indicator of risk is the lack of required contingency plan maintenance and testing going on within business units. Global businesses are confronted with an increasing array of consequential risks to critical process continuity. The lack of preparation significantly contributes to protracted recovery and increased financial and reputational impact. An example of this expanded scope of dependency risk is seen in the more detailed display of security compliance defects in several of the company's leading supply chain partners.

This is just one simple example of how you might assemble relevant data for a periodic dashboard scheme. The various choices selected for this presentation summarize actions being taken by the CSO to lead and engage on several key elements of Security's enterprise risk management agenda.

George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased at www.securityexecutivecouncil.com.
