On March 4th, the Sage Group hosted The Great Conversation in Seattle, Washington. The opening video interviews with executives said it all: “What is Changing in Your World?”
All the leaders are experiencing change. This includes not only escalating global risk and regulatory expectations, but also changing expectations from business leaders. More than ever, we are being challenged to meet the change head on rather than respond to unfolding events.
True innovation and value occur at the intersection of the business and the security program. This requires a unique engagement of internal and external stakeholders to create the guiding coalition for the next generation of security.
There were excellent templates shown that provided a roadmap and demonstrated how successfully measuring and articulating the program supports successful security execution. Examples included measurements of:
- Program Objectives
- Risk and Threat – Trends and Details
- Costs to Support Requested and Executed Security
- Benchmarks
- Cost of Security by Employee
- Response Time
- Loss of Value
Measurements and metrics are crucial in demonstrating security program value, proactively identifying trends related to threat and risk, and illustrating the costs associated with business-requested and executed security program elements. Effective leaders select insightful metrics for industry benchmarking, program improvement, and initiative justification. As summarized in the program, it’s the analysis and communication of the metrics that brings the value, which is achieved through a formalized measurement and review process.
This should also be aligned with the business/investor version of risk as articulated in the corporate 10-K, an annual report required by the U.S. Securities and Exchange Commission (SEC) that gives a comprehensive summary of a company’s financial performance. When preparing annual reports, companies must always revisit their risk factor disclosure to ensure the disclosure is up to date and includes a discussion of the most significant risk factors that could affect the company’s business, operations, industry, financial position, or future financial performance. Security’s role is to align with these perceived risks and actively work to mitigate them. As Security Leaders learn to effectively articulate how their initiatives positively impact the corporate risks, the perceived value of security increases. Thus, Security Executives must learn the language of the business and investor community. When they do this, their projects become “business initiatives” with a value proposition, not simply security protection measures.
Once this occurs, the security program must create a technology architecture and roadmap that correlates with these business needs. A new scorecard is being developed for the acquisition of this platform. It involves the following:
- Scalability: Can it meet the future growth needs of my company?
- Integration: Can it be integrated into other applications and devices to provide a common operating picture? How do we share and communicate data, information and actionable intelligence within that common picture?
- Data Analytics: How are analytics and workflow-derived data rules applied to automate processes, highlight trends, and proactively identify business impacts through intelligent use of data?
- Communications: The “intelligibility” of data, voice, and video when presented must be measured.
- The Business of the Service and/or Product Provider:
  - Is Business Process Optimization included in the solution (business modeling and workflows within the security and business operation)?
  - Does the vendor/partner understand our problem? Are they trying to solve a problem that doesn’t exist?
  - What is the financial state of the supplier company being considered? What is the confidence in their longevity?
  - Who will take ownership to maintain regulatory compliance and ensure cultural compatibility?
To bring the leaders of the entire ecosystem together and have them share their perspectives is very valuable. I walked away from the event assured of our mission and our vision. More than ever, security organizations and leaders need a measurable roadmap to guide future success. These steps involve:
- People with defined roles and key performance metrics
- Process which is designed around a value metric
- Technology which is applied to increase efficiencies and measured outcomes