Developing and maintaining a high-quality security risk management or enterprise resilience program takes dedication from those of us tasked with these responsibilities. It takes planning, revision, continual improvement. It takes executive support and, of course, it takes money to implement our mitigation plans.
In my article earlier this year about Communicating Security Risk to Business Executives, I talked about the need to provide quantitative, factual information for your business audience. The stakeholders in your program are going to need to know that their investment in time, support and money is paying off. So how do you prove that to them? If you are anything like thousands of program directors in our industry, you will try to communicate that you are doing a good job through a Metrics Report. If you are like thousands of executive sponsors across all of our enterprises, your response to these rather traditional reports is often… “So what?”
The Purpose of Metrics
Why do so many of us in program management spend so much time collecting, organizing and presenting data, only to have our reports tossed aside with little to no attention paid?
The purpose of a metrics report is (or should be) to educate the reader; to tell them something that they need to know; to inform them of something that will have an impact on their lives (business or otherwise). Do your reports do that? Do you have any reports or daily/weekly communications that you truly enjoy reading? What do they have in common? What makes them worth your time?
One personal example of a report that I love and look forward to getting is a financial report*. Each morning I find out about trends and directions in the markets from the day before, get some quick, digestible bites of news about what caused those trends and what they might mean for me in the future, and then I pick up one or two points of interesting data that I was not expecting, but that teach me something, nonetheless.
That’s it. Very simple. It gives me information about a topic that impacts my life and my assets. You can do the same thing with your report to your stakeholders about how you are impacting their assets. My example isn’t even a “corporate report”, but it is a GREAT report! Don’t feel tied to traditional methods of reports you have seen in your organization. If you find the right way to connect with your audience, they’ll be more inclined to read your report.
When you are developing a metrics report, you can ask yourself a few questions:
Who is the audience for my report?
What do they care about?
What aspects of my program impact those things they care about?
What data will show that impact and demonstrate the value to them?
Tailoring Your Report To Your Audience
Generally when you are designing a report for an executive audience, you will want to write it at the strategic, rather than the tactical level. A good rule is that the “higher” your audience is in the organization, the “bigger” the picture needs to be.
Details of individual events and happenings will make way for graphs and pictures that show trends over time or benchmarks against similar organizations.
If your executive audience is in R&D, or marketing, and is very interested in the risk of internal theft of intellectual property, what can you provide them that shows the value of what’s going on in your program?
Perhaps you had previously had significant exposure in that area due to a high number of lost or stolen digital devices and you have implemented a device security program to limit those losses. The metric of the number of lost or stolen devices and the trend of those losses over time is a good one to show the efficacy of your program. If you trend that data and correlate it to the times/dates/locations of any training sessions you do, even better.
The same type of story can be shown with data relating to any mitigation activity and the risk it is mitigating. Have you installed a new access control system to respond to a risk of external intrusion? Your system can provide metrics on access granted vs. denied and, combined with effective visitor management data can even show why the denials took place and what the follow-up outcome was.
All of these stories, if supported by data, show more to your asset stakeholders than simply reporting on the number of hours worked by the security team, or a count of the number of times an activity such as a patrol was completed.
Sources of Data
Which leads to the question of where you might be able to find that data? If you do not track incidents, types, times and the outcome of them, you are at a disadvantage. If you are not also tracking closely the activities your team is doing to mitigate risks to the enterprise, you will also have difficulty telling the “value story”.
Data that can help tell your story is everywhere, in every system. You simply need to know where and how to find it, then put it together to speak directly to the things your audience cares about.
Electronic security system logs
Business plans and objectives
Business owners of key/critical assets
Asset inventory lists
BCP/DRP exercise results
Ongoing operation reports
Open source intelligence
Collecting this data is most easily accomplished in one of many software platforms on the market designed for tracking and collating this information. Manual reporting and tracking with spreadsheets and manual incident reports makes collecting and tailoring reports to your audience much more difficult. A good incident management and tracking system is definitely worth the investment because it helps you to collect “good” metrics.What exactly is a “good” metric? Ideal data to include in a report should be:
Repeatable (can be collected more than once)
Jargon-free (your audience should not need a security background to read it)
Consistently measured (you have a method for collecting it that is followed regularly)
All of these are facilitated by good management and reporting software tools.
Designing the Report
When building reports for an executive level audience, keep in mind that they have received many other metrics reports that same day, and they have only a few minutes to give to each of them. If you make it easy on them to read and understand your report and clearly tell your story using data points and brief summaries, they will be able to digest your information faster, retain more and maybe even begin to look forward to receiving your report on a regular basis.
A few tips for designing the reports and how to decide exactly what to put in them:
Make sure your data has a reason for being in the report – it is communicating the intended point to the reader.
Ensure it is clear, concise and relevant.
Use graphics to present numeric information as much as possible, rather than tables and grids.
Keep narratives short and to the point.
Present similar data on a regular schedule to show trends over time
Use only up-to-date information in reports, avoid estimates as much as possible.
Here’s a quick example of a potential report from the security team to the chief technology officer. The trends are focused on IT and technology issues, and stick to what our imaginary CTO has expressed an interest in. It’s one page, but gives them the data they need to know to understand that the security department is doing what it is charged with.
As Vice President of the Integrated Security Solutions Management at G4S, Rachelle Loyear leads the team responsible for our establishing the G4S Security Risk Management Model and the associated business development and operational management approaches, as well as the G4S Integrated Practices.