What does security do for the business? What is your impact on risk? Are you improving your service to the business, and how? If management approached you with questions like these today, would you be able to quickly point to targeted data to back up your response? Having key performance indicators in place as part of a security measures and metrics program can give you the information you need to defend and justify your program and to improve over time.

On an organizational level, key performance indicators, or KPIs, are measurable targets that show how well a company is meeting its overall business objectives. KPIs are also valuable at the business unit level to measure progress toward each function's own key long-term goals, goals that hopefully are aligned with the objectives of the company.

Metrics come in many flavors, and not every metric is a KPI. Simple counting metrics generally don't act as key strategic measures. KPIs are more likely to deal with optimization and value, because those most frequently reflect business objectives. For security, KPIs also incorporate targets that the function intends to meet in order to show progress toward long-term goals.

An example: if your department has set a one-year goal to provide excellent internal customer service (a goal aligned, perhaps, with the company's mission of being an open and responsive employer), you may set a KPI target of scores of 4 or 5 on 80% of customer satisfaction surveys after a security-related intervention or engagement.

Ideally, KPIs should be determined when the security department is developing its long-term (one- or five-year) strategic plan. This will be the time when you set your long-term goals, the progress toward which the KPIs are intended to measure. Both goal setting and KPI target setting will likely require interviews with key stakeholders, introspection, and feedback from security team members. If your long-term goals are SMART (specific, measurable, attainable, relevant, and time-bound), then the KPI will be baked
into goal development. Once you've identified your goals, identify how you can measure your success toward each goal based on the data that you can collect or that is already available to you. Determine where you are now and where you would like to be in terms of each goal, then use this information to set your KPI targets.

Let's look at some examples. In this example, the security leader has chosen four high-level directional indicators that are critical to the success of his or her security program: internal customer service, guard operations, incident response, and investigation outcomes. Under each, we can see multiple supporting metrics that will indicate progress. Depending on long-term goals, other KPI supporting metrics may include elimination of sanctionable penalties associated with the frequency and severity of compliance deviations, reduction in security cost as a percent of revenue, reduction in direct cost of security incidents or critical process disruptions, reductions in employee interaction with time-consuming security measures, or increased market penetration attributable to security measures facilitating secure business process in key markets.

This example shows a year-over-year comparison of expenditures and returns for security-run investigations, one of the KPI supporting metrics mentioned in the previous slide. Expenditure value may include the time and compensation cost of the investigative team and/or the annual cost of resources: hardware and software, specialty training, or equipment. Return value might include the value of tangible assets recovered and/or the estimated cost of damage avoided by termination of dangerous employees or interruption of misuse of privileged information. A security leader may set a KPI target of a three-to-one return-to-expenditure ratio to support the security function's goal of bringing value to the organization.

KPI tracking requires a baseline of documentation within the program. In the case of KPIs that revolve around generally
documented processes, such as incident response (in the example you see here) and guard force management, the supporting data you will need should be found in your audits or inspections of service level agreement stipulations and in your security operations center incident logs or call center logs. Other KPIs that deal with less commonly quantified markers may require development of a record-keeping process and training for staff. For example, if you intend to show that client expectations are met or exceeded to meet a KPI of high customer service, you will need to have a reliable method of identifying and documenting client expectations at the outset, as well as a plan for tracking results and feedback. Note that basic counts, such as number of guard tours and hours on patrol, generally do not demonstrate the value of a process or its progress toward a KPI target.

Sometimes long-term goals require measurement of more abstract concepts, like security's business influence or its impact on company culture. It might take more analysis to find the right metrics to support goals like these. In this example, a security leader needs to demonstrate how much influence security has in a given business unit. They've chosen to measure influence by tracking the business unit's response to various security policies and recommendations over a year: how often the business unit managers decline security recommendations, how often they fail to address repeated violations, how frequently they ignore critical deficiencies. A business unit that skews to the right-hand side of this chart is not being influenced by security. To make this a KPI, set a target (zero items in the far-right column, for example, or three or more in the zero to twenty-five percent range) that you want to meet by your deadline, and then measure each quarter to track progress toward that goal.

As the SEC's metrics expert, George Campbell, is fond of saying, "If you're not measuring, you're not managing." Incorporating key performance indicators into
a robust security metrics program can keep your function moving toward meaningful, business-aligned goals and improve your confidence and influence with senior management.

For more information about getting started with metrics or building a metrics program, visit the links in this video's description. The SEC offers a multitude of resources to the security community and to clients. Check out our website and YouTube page for more. Wondering how the SEC can help you? Contact us at contact@secleader.com.