Case Study:  Security Metrics Dashboard


Situation

Serving the largest company in its industry, the Corporate Security department wanted to standardize on a set of meaningful security metrics to communicate performance. Incident data had been collected in multiple, separated databases and, other than case-by-case, analysis was difficult to perform and incident trends not regularly monitored. The security department was not widely understood and wanted to identify metrics meaningful to senior management and integrate them into a regular report.  

 
Approach

The team’s approach combined evaluating external practices with internal needs and existing capabilities. An internal analysis of the company’s previous reporting and metric usage was undertaken and compared to that of select companies known to be advanced in performance measurement. Specific objectives included evaluating current incident reporting practices, integration with the company’s case management system, and ascertaining internal client and senior leadership needs. The case team identified meaningful performance and cost metrics used by peers and compared them with the internal needs of the company.  Multiple metrics were evaluated for suitability in incident trending, mitigation effectiveness and value-added. Incident and performance data were compared cross-sectionally relative to prior years and targets to ascertain informative value.

Analysis & Results

A detailed report was developed that would facilitate comparative analysis and generate insights for improvement. The report was designed in a tiered structure so that it could be rolled up to a comprehensive monthly executive overview but with a detailed section available for distribution to the person accountable in the area. New sub-components provided important input and included threat assessment metrics, incident trending analyses, mitigation effectiveness evaluations, recoveries, settlement awards and prosecution performance. Each section also contained comparative data on growth and net cost, case management and load balances, as well as security responsiveness to help requests. The report could be web-based with both an input and output capability.

Benefits to Client

The newly designed report was able to demonstrate Corporate Security’s performance in concise, digestible format with meaningful metrics. The standardization improved meeting efficiency and internal communication as common parameters and associated terminology became more widely known and adopted. Senior leaders became more conversant with security activities and cognizant of the benefits provided. The Corporate Security department found it easier to set forward-looking objectives and quantify them for reward purposes. Reporting sections were designed by area of accountability to enable better management by objectives. Overall, the security metrics dashboard integrated multiple, informal reports into one document with one common set of definitions.