Read an Excerpt

Strategic Security Management

Butterworth-Heinemann

Chapter One

In this chapter ...

* Need for Data-Driven Security

* Security Metrics

* Data-Driven Assessments

Data-Driven Security

What cannot be measured cannot be managed. This is a commonly accepted business paradigm, yet its acceptance is not as far reaching within the security industry as it is in other industries. Simply put, data-driven security refers to using measurable factors to drive a security program. While not all elements of a security program lend themselves to measurement, many components can be measured effectively. For example, physical protection systems are measured via penetration times, and barriers are measured using delay and defeat times. Other security components can be measured, though not mathematically, including morale of protection forces.

Some would argue that security is more of an art than a science. While they are correct, the business of security is not an art per se. The security department is a business unit not unlike other business units within a company that must justify their existence. The higher security moves up the corporate ladder, the more challenges the security director will face and the more business acumen will be required. Given the security industry's growth out of public law enforcement, it is no surprise that it has taken the industry this long to develop into a full-fledged corporate entity. With this growth comes the need to depart from the police mentality. Twenty years ago, most security directors were retired law enforcement agents who made the jump to private security as a way to supplement their retirement income. This has proven to slow the growth of security within the corporate hierarchy, but it was probably a necessary step in the history of the industry. This is not to say that retired law enforcement personnel do not have a place in the security industry. To the contrary, many have proven to be exemplary business security leaders who have made significant leaps for the security departments in their companies.

As the security industry grows to include not only physical security, but also information technology security, it is incumbent upon today's security directors to focus more on the business than operational side of security. This necessity is best summarized by the world's leading security association, ASIS—International, in its Chief Security Officer Guideline:

Today's business risk environments have become increasingly more severe, complex, and interdependent, both domestically and globally. The effective management of these environments is a fundamental requirement of business. Boards of Directors, shareholders, key stakeholders, and the public correctly expect organizations to identify and anticipate areas of risk and set in place a cohesive strategy across all functions to mitigate or reduce those risks. In addition, there is an expectation that management will respond in a highly effective manner to those events and incidents that threaten the assets of the organization. A proactive strategy for mitigation of the risk of loss ultimately provides a positive impact to profitability and is an organizational governance responsibility of senior management and governing boards.

The guideline goes on to discuss the role of the chief security officer (CSO) as a business leader, a problem solver, as well as an expert in security for their company. Interestingly, the guideline also suggests that the CSO's background includes business, not law enforcement, since the CSO's key responsibility "is to develop and implement a strategy that demonstrates the processes in understanding the nature and probability of catastrophic and significant security risk events." As the company security departments grow and begin to encompass more responsibility for the protection of people, property, and information, so too must the ability to fall back on empirical data to support our position. No longer can security professionals rely solely on gut instincts.

Too often recommendations from the security department are presented with little or no thought to why certain procedures or security equipment should be used. Often, a security measure is deployed because other companies are doing it. It is all too common in the security industry for there to be a propensity for using certain security measures without complete understanding of the problem or a thorough analysis of the security measures' ability to be effective in a given situation. Data-driven security can help security directors overcome this problem by identifying key concerns, the specific security measure's ability to solve the problem, and the anticipated cost.

How can security professionals justify to senior executives a sizable and usually growing annual security budget? By now, most security directors are keenly aware that a security program's success depends on the commitment and support, or buy-in as it is commonly known today, of senior executives. Using anecdotal evidence to justify spending on physical security measures and costly protection personnel no longer suffices. A data-driven security program helps management understand that security is more than a must-have expense; it justifies costs to management by showing the proof of success that, when presented effectively, can garner the necessary buy-in from upper management and demonstrate a convincing return on investment. Security expenditures, just like other departmental budgets, need to be justified with empirical data and supplemented with cost-benefit analyses and comparisons.

Throughout the first part of this book, various assessments used in the security industry are discussed, including threat, vulnerability, and risk assessments along with specific types of assessments such as crime analysis. Common to each of these assessments is a quantitative approach to establish a baseline from which security effectiveness can be measured. Assessments are the foundation on which a security program is built by establishing a baseline of risks that companies face. They guide the strategic planning and design of countermeasures intended to mitigate those risks.

Such a logical approach brings benefits that are unattainable with qualitative assessments, which are still used throughout the public and private security sectors. While qualitative assessments cannot be abandoned, their use should be limited to those instances where quantitative ones cannot be used for lack of measurable elements. Thus, physical security is, and shall remain, more of an art than a science, though science can be infused into an otherwise abstract industry.

I don't care how skilled you are as a diplomat or how brilliant you are at leading, if you are not professional about security, you are a failure. —U.S. Secretary of State Madeline Albright

Security Metrics

Between September 2001 and the writing of this book in April 2006, the United States suffered no major terrorist attacks. Although this fact makes for a great sound bite for political talking heads, it is not an accurate metric of the true threat faced by the United States. A more appropriate metric would be the number of attacks thwarted since September 2001 or the number of arrests made of known terrorists. When providing asset protection, accurate measurement of security effectiveness can have a profound impact on management's level of support for the security department.

As we have discussed, a common paradigm in business is that an activity cannot be managed if it cannot be measured. Security is one such activity. Security metrics communicate vital information about security activities and drive decision making. Metrics for various security components, such as the protection force or access control system, can be an effective tool for security professionals to understand the effectiveness of the overall security program. Metrics, as previously mentioned, may also identify risk based on failures or successes of security components, and can provide solutions to security problems. Security metrics focus on the results of security decisions such as a reduction in thefts after implementation of a CCTV system, an increase in visibility after a change in security officer uniforms, or a reduction in terrorist acts as a result of terror cell arrests.

Security metrics help define how secure we are. They assist security professionals in answering basic questions posed by management, such as:

* Are company assets protected?

* Which assets need more protection?

* Can the asset protection program be improved?

* What resources should be allocated to security?

* How does our company compare to others?

* Are we reducing our liability exposure?

The National Institute of Standards and Technology (NIST) defines metrics as tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. Thus, security metrics assist security professionals in making asset protection decisions through the measurement of performance-based characteristics of security components. Simply stated, security metrics are tools used for measuring a company's security posture.

For the security metrics to be accurate, security professionals must have two elements in the metrics model:

1. Proper performance data for the specific countermeasure under evaluation.

2. An appropriate baseline from which to compare.

Baseline measurements are often difficult to obtain, especially in the business of security where companies are, out of necessity, secretive about their protection systems. In recent years, security industry associations such as ASIS—International, the National Fire Protection Association, and the International Association for Professional Security Consultants have promulgated standards, guidelines, and best practices. In addition to published and accepted industry standards, the courts have outlined baselines of measurement for the security industry. An example is a Texas Supreme Court case, Timberwalk v. Cain, which outlines the specific factors necessary for establishing foresee-ability of crime in premises liability lawsuits. In Timberwalk, the court set forth five criteria for measuring the risk of crime: recency, proximity, publicity, frequency, and similarity of past crimes. An example of crime metrics legislation is the 1996 Illinois Automated Teller Machine Act (ATM). Section 20 of the Act provides procedures for evaluating the safety of ATM regarding "the incidence of crimes of violence in the immediate neighborhood of the ATM." Texas has a similar ATM Safety law which requires that financial institutions collect crime metrics. Thus, the professional security practitioner will stay abreast of industry standards and the law. While laws must normally be reasonably followed, security professionals may fine-tune published industry standards to meet the needs of their company.

In addition to establishing a baseline for comparing company metrics, metrics are also used to justify budgets, provide data for decision making, and improve security practices.

(Continues...)

---

Excerpted from Strategic Security Management by Karim H. Vellani Copyright © 2007 by Elsevier Inc.. Excerpted by permission of Butterworth-Heinemann. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---