Security's Real Dollar Value

May 1, 2006 12:00 PM

THE NEW YORK CITY POLICE DEPARTMENT employs 4.5 police officers for every 1,000 residents. Washington, D.C. fields seven officers for every 1,000 residents. In which city is the crime rate rising? Where is it falling?

The anti-intuitive answer is that the crime rate is rising in Washington, D.C., the city with a greater ratio of police officers to population. The New York City crime rate continues to decline, following a trend established before Sept. 11.

What does this say about the effect of additional police officers on crime rates? In March, Franklin E. Zimring, a law professor at the University of California at Berkeley, told a New York Times reporter that science cannot measure the effect of police officers on crime rates.

If the police cannot measure their effectiveness, how can a corporate security department do it? “It is not that security is intangible,” says Steve Hunt, president of Chicago-based 4A International, a security research firm. “It is that we measure poorly. If one thing is different than another, the difference is perceivable. If it is perceivable, it can be measured. If you can measure it, you can quantify and standardize it. This is always true, but it takes clear thinking.”

“There is a need and an appetite for security metrics,” adds Bob Hayes, executive director of the CSO Executive Council, a professional association for chief security officers based in Framingham, Mass. “We are working to define security metrics and to develop a database to collect metrics by industry.”

The CSO Executive Council (www.csoexecutivecouncil.com) recently released a book entitled “Measures and Metrics In Corporate Security” that aims to catalog metrics that indicate the value of security measures employed by a corporation. The book contains a host of suggested measurements that corporate security directors might consider:

• security cost per square foot in buildings across the organization;

• the cost of security in leased buildings compared to owned buildings;

• the dollar amount of losses per square foot;

• the average cost of security per security event;

• the security cost per corporate employee;

• serious security policy violations per year;

• number of terminations for serious security policy violations; and

• average recoveries from security investigations.

Suppose, for example, a large multi-national company believes it is important to measure recoveries made during security investigations and finds that recoveries average $14,000 per investigation. On most investigations, nothing is actually recovered. But every now and then, there is a big recovery, and the average comes to $14,000.

Suppose further that the security director tracked the number of investigations per year and found that every 1,000 employees would generate 7.6 investigations per year. “This would give you a way to check one site against another,” Hayes says. “If you have two sites each with 10,000 employees, then each site, according to the corporate average, should report 76 investigations per year, with each investigation recovering the corporate average of $14,000.”

What if one site reports only 10 investigations per year? What would explain that? Hayes says that perhaps security is so good there that fewer incidents lead to fewer investigations. On the other hand, he says, security might be failing to do its job and overlooking information that would lead to another 66 or so investigations. If that were true, the security department could be leaving hundreds of thousands of dollars in possible recoveries on the table. “This is how you work numbers,” Hayes says. “Most security directors measure activities. How many people came through the door? How many were turned away? How many packages arrived? How many cars were parked? These measures are important; they help in judging workload and staffing needs, but they may not have anything to do with security results.”

Another example: A security director could count the number of business interruptions that occur in a year. It is also possible to track response time to those incidents and to measure the disruption to business continuity. How long were these business units out of commission?

Armed with that information, it is possible to figure out how much money the company lost during those business interruptions. What percent of revenue do those units typically contribute to the corporation in the course of a year? The calculations can eventually drill down to revenue and profit losses.

By tracking business continuity performance from year to year, a security director could adopt measures that would drive down losses from business interruptions.

Then again, business interruption will carry weight in one corporation but not in another. Each corporation must develop its own priorities. “Many security directors do not know where to start,” Hayes says. “What we have done in ‘Measures and Metrics’ is use years of collective security experience from our faculty in order to help our members create standard metrics” that would help evaluate certain kinds of problems.

Take a look at the security dashboard from the book (bottom left). It illustrates six key metrics that might be important to a corporation. The dashboard is an increasingly popular reporting form for C-suite executives. The green, yellow and red color-coded summaries tell the CFO or CEO at a glance that a particular issue is green for go, yellow for caution or red for stop and look.

In this case, the security director's metrics show that security costs per dollar of revenue have risen in the past two quarters. “Spending is increasing faster than earnings and that may be a problem that needs to be reviewed,” Hayes says.

On the logical side, a red dashboard gauge indicates another problem: A 14 percent decrease in installed security patches is creating network security risks that call for immediate action.

On one of the green-for-go entries, the security director reports that 100 percent of all notable security-related audit findings have been successfully resolved.

Developing dashboard reports for C-level executives requires a security director to think strategically about the positive contributions security can make to company performance. If business continuity is a key indicator for the business, it should be tracked. What about security staffing costs? Are they too high or too low? Figuring out how to measure security performance in terms of corporate value is the first step toward integrating security into a company's business processes.

The CSO Dashboard

Security Costs	Security cost per dollar of revenue is up past two quarters.
Info Security	14% decrease Q2 vs. Q1 in devices with appropriate patches installed and current.
Business Conduct	Year-to-date investigative results indicate 20% increase in non-compliance with business conduct policies.
Security Audits	100% of all notable security-related audit findings have been successfully resolved.
Pre-Hire Backgrounds	55% of all new hires have completed and resolved background investigations.
Business Continuity	17% of critical business processes do not have up-to-date and tested response plans.

---

SHARE YOUR STORY…

This page offers an opportunity for readers to share management lessons they have learned and to provide other helpful information to their peers in the industry. To offer suggestions, or to contribute to this page, contact Larry Anderson at (770) 618-0118 or e-mail landerson@securitysolutions.com

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue