Page 1: Cover

©2007 Security Executive Council. All Rights Reserved. © 2014 The Security Executive Council. All rights reserved.

Companion to Measures and Metrics in Corporate Security

by George K. Campbell

An SEC Customizable Senior Management Presentation Tool

• Sample metrics from Measures and Metrics in Corporate Security
• Presentation application recommendations
• Charts are customizable
• Includes faculty coaching notes on how to use the sample metrics effectively

Series 1



Page 2: Introduction and Instructions

These metrics samples are directly related to the Security Executive Council's publication, Measures and Metrics in Corporate Security, second edition, and are a logical outgrowth of that book inasmuch as a variety of graphical presentations (e.g., charts and graphs) are the desired outputs of a proactive metrics program.

These provide either ideas or a template for you to use to communicate as managers and advisors on risk. They were designed so you can easily plug in your program data and customize the terminology, company name/logo, etc. Note that the data in these samples are placeholder numbers and do not represent benchmark results; however, they correspond to genericized presentations that have been used in real companies and were found to resonate with senior management. Included in the PowerPoint notes section are application advice and usage notes by Council Faculty (select View > Notes Page). Double-click on many of the graphs to see the embedded Excel spreadsheet in order to quickly change the placeholder data to your own.

Why are these useful? It's about communication and risk. As security executives, managers, and professionals, we are paid to be effective risk managers. The risk inventory confronting our diverse corporate environments has substantially broadened and deepened in the past several years. Our counsel is increasingly sought in board rooms and before audit committees who are now held to higher standards of objective oversight. How do we communicate with these executives and others on the governance team? Present what you have learned, convince with facts, and influence. "Brief me" means just that. Be brief and lead your audience to a conclusion. We believe that with the wide variety of corporate security measures and metrics samples included in this presentation, you will be inspired to look for new ways to convey the value and impact of your security program.

Page 3: Sources for Finding Program Data

There are many places to uncover and measure data, which include:

• Survey or audit findings
• Data gathered in security or IT system logs or incident follow-up
• Random awareness polls taken at employee entry points or company events
• Scorecards: Feedback to business units on periodic reviews of security effectiveness
• Incidents attributable to security deficiencies this period vs. last period
• Case volumes compared to case cost by quarter
• Losses vs. recoveries
• Customer feedback exercises
• Risk assessments: Vulnerability/effectiveness tests of specific security measures
• Data on contributing causes and effectiveness of proposed solutions from incident post mortems/lessons-learned analyses
• A current status measured against an industry standard or internal objective, performance against planned objectives
• A selected comparative measure across multiple benchmark partners
• Tracking the impact of security measures against a specific trend to assess mitigation results
• Plotting frequency (vertical) and severity (horizontal) for multiple incidents with common findings from post mortems to demonstrate need for changed policy or practice
• Comparisons of internal business processes using selected data that may contribute to risk exposure and show how each unit compares to each member of the sample
• Calculating percentage to completion, budget burn to plan, etc.
• Cost/benefit and cost/effectiveness calculations for security measures
• Comparison of like statistics from insurance and risk organizations, law enforcement, industry, professional associations and others
• Specific security cost per selected measure (employee, square foot, dollar of revenue or sales, etc.)
• Investigative findings, cost of incidents from initial investigation to recovery
• Six Sigma failure modes and effects analysis
• Security device probability of detection/other data from sensor manufacturers or independent laboratory test data
• Assessments against stated capabilities of contracted success rates of vendor services or products
• Anticipated impacts of a new security measure revealed in a risk-mapping exercise
• Frequency of requests for security services this period vs. last
• Uptime or downtime of critical processes
• Time calculations of response resources to calls for service
• Rate data: Us vs. them or this period vs. past
• Number of incidents year-to-year or quarter-to-quarter

In color-coded dashboards or graphs, the scoring mechanism (i.e., ranges for red, yellow and green status) is up to you based on your data and how you define program success (green), shortcomings (yellow) or failure (red) and to what degree. Be consistent once you establish a measure of progress or degradation.

Page 4: Security's Balanced Scorecard

[Scorecard diagram: Vision & Strategy, with four perspectives]

Financial Perspective: How do we look to shareholders? What goals and measures in safety, security, integrity or other safeguards are perceptible to shareholders?

Customer Perspective: How do our customers see us? What goals and measures will contribute to customer satisfaction and our ability to deliver value to them?

Internal Business Perspective: What should we excel at? What goals and measures in our key protection programs demonstrate best-in-class practices?

Innovation & Learning Perspective: Can we continue to improve and create value? What goals and measures are calculated to improve security at reduced cost and thereby add value?

Page 5: Business Unit Compliance With Organizational Policy*

[Chart; data values are not recoverable from the transcript]

* Based upon Internal Audit reports for the most recent fiscal year

Page 6: Critical Asset Risk

[Chart; data values are not recoverable from the transcript]

Page 7: Survey of Security Policy Awareness

Conducted Q2/05, 397 Responses = 62% Response Rate

[Bar chart, scale 0-100, by policy area: Internet Use; Safe/Secure Workplace; Access to Corporate Systems; Confidential Reporting; Information Protection. Series: Sales Div. (N=247), Admin. Svcs. (N=94), Exec. Group (N=56)]

Page 8: Probability of Loss*

[Chart of percent probable; data values are not recoverable from the transcript]

* Based on vulnerability tests conducted during the period 3/15/13-4/30/13

Page 9: Organizational Integrity Dashboard: Our Critical Business Processes

[Dashboard comparing This Year / Last Year for five measures:]

• Critical business process risk assessments with approved resolutions: 98 of 112 / 64 of 106
• % updated & tested business continuity plans with associated remedial actions
• % of information security policy compliance reviews with no policy violations
• % of security incidents that exploited existing vulnerabilities with known solutions: 29% / 9%
• % audited compliance with applicable business integrity regulations

Other values shown on the dashboard (85%, 78%, 77%, 31%, 97%, 58%) cannot be matched to their measures from the transcript.

Page 10: Annual In-source Vs. Outsource Review

[Two bar charts, vertical scale $50 to $300: Investigations, comparing in-house Security with Outsourced Vendors A, B, C and D; Information Security, comparing in-house Security with Outsourced Vendors W, X, Y and Z]

Page 11: How Secure Are We: This Year vs. Last

[Bar chart, scale 0-140, This Year vs. Last Year, for:]

• Business continuity tests successfully completed
• Security risks proactively identified and mitigated
• Hi-risk business processes outsourced without a comprehensive risk assessment
• Notable security-related audit findings involving critical business processes
• Unanticipated cyber attacks resulting in business interruption
• Insider misconduct cases resulting in termination and/or prosecution

Direction indicators shown on the chart: +, +, +, (-), ++ (their assignment to items is not recoverable from the transcript).

Page 12: Security Technology Returns on the Investment

(Security technology enables fewer security personnel)

[Chart; data values are not recoverable from the transcript]

Page 13: Risk Ranking Business Units

Business unit | Head count | Site risk (1-5) | Internal incidents involving trusted insiders | Current risk analysis & plan | High-risk business processes (1-5) | Risky hires | Business interruption with impact | Level of info. security risk (1-5) | Overall risk score
Alpha | 505 | 2 | 10 | yes | 5 | 3 | 3 | 5 | ?
Beta | 1,176 | 4 | 85 | no | 3 | 54 | 0 | 1 | ?
Gamma | 203 | 3 | 4 | yes | 2 | 0 | 1 | 2 | ?
Delta | 1,459 | 5 | 113 | no | 4 | 21 | 17 | 2 | ?

Page 14: Tracking Trends

[Three trend charts, each marked "Good":]

• Security cost per sq. ft. trends down (scale $0.16 to $0.23, Q1 2004 through Q3 2005)
• Headcount per security employee trends up (scale 75 to 150, Q1 2004 through Q3 2005)
• Security cost per employee on a consistent downward trend (scale $0 to $150, Q1 2004 through Q4 2005)

Page 15: Key Findings from Incident Post Mortems

[Chart; data values are not recoverable from the transcript]

Page 16: Master Control System Uptime Reliability

(Most recent 30 day rolling average with trend line; 99.9% uptime objective)

[Chart; data values are not recoverable from the transcript]

Page 17: Health & Safety Dashboard

[Chart, scale 0-100, for 2003, 2004 and 2005. Series: Life Safety Inspections; H&S Policy Awareness Testing; Calls to H&S Hotline; # First Responders Trained; H&S Crisis Plan Testing; # Employee Days Lost to H&S Issues]

Page 18: AJAX Corp. 2005 Recruiting Analysis

[Chart of 2005 hires by division (Sales Division; Research Dept.; Fabrication & Assembly Div.; Administrative Svcs. Division; Customer Support Div.), split by recruiting source: Internal HR Recruiting vs. External Staffing Agency. Recruits with adverse backgrounds by source: 87 (31%) and 197 (69%). Per-division counts are not recoverable from the transcript.]

Page 19: Laptop Thefts: Charting a Solution

[Trend chart of laptop thefts annotated with the mitigation milestones:]

• Badge awareness program
• Access limitations imposed at key entries
• Commence ticketing unsecured laptops
• Cable locks installed
• Security commences seizing unsecured laptops
• Key arrests made
• Public/private communications

Page 20: Employee Safety: Annual Evacuation Drill

[Bar chart, minutes (0-45) by corporate location, Site 1 through Site 9, with a Test Objective line. Values as listed for Sites 1-9: 16, 22, 43, 20, 33, 14, 31, 0, 15. Annotations: "Failed to participate"; "New Floor Warden"]

Page 21: Quarterly Accident Rates

[Chart, scale 0-60, by quarter (1st Qtr through 4th Qtr). Series: Injuries - non-machinery; Injuries - machinery; Vehicle accidents; Days of worker absences; Workman's Comp claims; Injuries - non-employee; Workplace Violence incidents]

Page 22: Calls for Security Services - 2006

[Chart; data values are not recoverable from the transcript]

Page 23: Lessons from Workplace Violence Incident

Area of Risk:
• Increased frequency and severity of workplace violence incidents

Contributing Cause:
• For past year 42% involved spousal conflicts with restraining orders
• Post mortems indicate poor coordination and training of HR and Security personnel
• Security not informed of pending terminations
• 34% on night shift & involved alcohol

Mitigating Actions:
• New policy encourages notification of HR of restraining orders
• Engagement by HR/EAP on late shift
• Managing Aggressive Behavior training for 1st line supervisors
• No alcohol on-premises policy issued
• Joint HR/Security Intervention Team formed
• Workplace violence protocols and training implemented

Measures:
• Increased reporting and reduced number of cases involving restraining orders
• Reduced night shift cases involving alcohol
• Improved intervention techniques reduce confrontations
• New protocols result in improved notification and reduced instances of confrontation

Page 24: Response Times for First Responder Services

[Chart with a Goal line; data values are not recoverable from the transcript]

Page 25: Information Identification Dashboard

• There is a logging process to record the source, time and duration of all user logins
• Approved standard access definitions have been established & are verified for all applications
• User IDs are suspended until reset after three unsuccessful attempts to enter a password
• Scheduled reviews of continued need for 3rd party access privileges are in place
• There is an automated process for disabling IDs for terminated users and inactive IDs
• All system users are required to enter two forms of unique identification to access applications
• Accountability is clearly established for assigning & maintaining a list of all user IDs

Page 26: Attempts to access blocked internet sites 14 days prior and 14 days after advertisement of policy prohibition

[Chart annotated "Policy distributed and acknowledged by all employees"; data values are not recoverable from the transcript]

Page 27: Executive Protection Engagement

[Chart; data values are not recoverable from the transcript]

Page 28: Six Sigma - Failure Modes & Effects Analysis for 4 Potentially Consequential Security Incidents*

[Chart, scale 0 to 10 per factor; each incident's score is Severity x Probability x Detection Ability:]

• Laptop theft - unencrypted customer data w/disclosure: Severity = 8, Probability = 7.5, Detection Ability = 8; Score 480
• Order system sabotage - by unvetted 3rd party vendor with access privileges: Severity = 5, Probability = 8, Detection Ability = 4; Score 160
• Workplace violence - failure to acknowledge violent history: Severity = 8, Probability = 7, Detection Ability = 8; Score 448
• Undetected break-in - failure of alarm system @ CEO residence: Severity = 8, Probability = 2, Detection Ability = 2; Score 32

* Based on vulnerability tests conducted Q3-4/06
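As an added example (not part of the Council's deck), the scoring on this slide carried through in Python: Severity x Probability x Detection Ability for each scenario, ranked, then banded red/yellow/green. The band thresholds are an assumption chosen for illustration, since the deck leaves them to you and only asks that they stay consistent once set.

```python
# Added example, not code from the Security Executive Council deck.
# Reproduces the FMEA scoring shown on the slide and ranks the four scenarios.
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: float      # 1-10, as on the slide
    probability: float   # 1-10
    detection: float     # 1-10, labelled "Detection Ability" on the slide

    def rpn(self) -> float:
        """Risk score used on the slide: the product of the three factors."""
        return self.severity * self.probability * self.detection


# Assumed thresholds for this example (maximum possible score is 1000).
# The deck says ranges are yours to define; only consistency matters.
RED_AT = 400
YELLOW_AT = 100


def band(score: float) -> str:
    """Map a score to the red/yellow/green status used in the dashboards."""
    if score >= RED_AT:
        return "red"
    if score >= YELLOW_AT:
        return "yellow"
    return "green"


def rank(modes):
    """Highest score first. Ties are broken by severity, the usual FMEA
    practice, because equal products can come from very different factor
    combinations (a rare but severe event vs. a common minor one)."""
    return sorted(modes, key=lambda m: (m.rpn(), m.severity), reverse=True)


def report(modes):
    """(name, score, band) rows in ranked order, for a slide or dashboard."""
    return [(m.name, m.rpn(), band(m.rpn())) for m in rank(modes)]


# The four scenarios and factor values shown on the slide (placeholder data).
SLIDE_SCENARIOS = [
    FailureMode("Laptop theft - unencrypted customer data w/disclosure", 8, 7.5, 8),
    FailureMode("Order system sabotage - unvetted 3rd party vendor", 5, 8, 4),
    FailureMode("Workplace violence - violent history not acknowledged", 8, 7, 8),
    FailureMode("Undetected break-in - alarm failure at CEO residence", 8, 2, 2),
]

if __name__ == "__main__":
    for name, score, status in report(SLIDE_SCENARIOS):
        print(f"{score:6.0f}  {status:6}  {name}")
```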

Page 29: About the Security Executive Council

The Security Executive Council is an international professional membership organization for leading senior security executives spanning all industries, both the public and private sectors, and the globe. Our members seek innovative issue solutions and documentation of model core security programs. The Council utilizes professional staff and a distinguished faculty of former CSOs and content experts to develop, based on member requirements, strategic services and products for the entire membership. Unlike typical peer-to-peer organizations, the Security Executive Council does not depend on member volunteers; members are involved in projects only to the extent they desire to be. Our vision is to deliver cost effective solutions to our members that are unavailable from any other source.

Title: Companion to Measures and Metrics in Corporate Security, Series 2 by George K. Campbell

Industry Applicability Concept Validation by:

• Edward G. Casey: SEC Emeritus Faculty, Security Executive Council; Former corporate affiliation: Procter & Gamble
• Greg Halvacs: CSO, Cardinal Health, Inc.; Security Executive Council Member
• Richard A. Lefler: SEC Emeritus Faculty, Security Executive Council; Former corporate affiliation: American Express
• Mark Lex: Director, Global Security, Abbott Laboratories; Board of Advisors, Security Executive Council
• Lynn Mattice: VP Global Security and CSO, Boston Scientific Corporation; Board of Advisors, Security Executive Council
• G. Randolph Uzzell: SEC Emeritus Faculty, Security Executive Council; Former corporate affiliation: Burlington Industries

Editor: Kathleen Kotwica, Vice President, Research & Product Development, Security Executive Council

Design: Jayne Marcucella, Operations and Production Specialist, Security Executive Council

Your feedback is important to us. If these worked well for you, we'd like to hear it. If there are other measures or metrics you'd like to see in visual form or you have other suggestions or comments, please let us know at [email protected].

Contact Bob Hayes, Managing Director, Security Executive Council at +1 202 730 9971.