Seeking to demonstrate the business value of security services, the Security Executive Council (SEC) has released the results of a recent online survey on how security metrics are used in organizations. An interview on the survey results is on SecurityInfoWatch.
Metrics are data collected on security activities; they are intended to measure performance, rather than merely collect numbers. Examples would be the number of safety hazards proactively identified and eliminated annually, or the number of failed responses to identified fraud issues.
Interestingly, the SEC survey showed that 67 percent of the online respondents said they don’t collect such information. “That should be more than a wake-up call,” SEC noted, “it should be an alarm.”
“When you look beyond the statistics to see what people reported as the reasons for not collecting data,” said Bob Hayes and Kathleen Kotwica of SEC, “you see that a large percentage didn’t collect data because management hadn’t asked for it. That should be an alarm to security managers, because it may mean management isn’t even aware that security has metrics that may impact the business, or it may mean that security is being left out of the mainstream of the organization.”
“Respondent comments,” they added, “also indicated that some security managers don’t know what metrics are or how they should gather or report metrics, and that will require some training and education.
“And some of the responses seemed to show that other security managers feel that collecting metrics is more work than they want to do, and that is definitely a wake-up call. If your management has an interest or develops an interest in this area, you’d better be ready to respond.”
The SEC spokespeople noted that all the council’s members who joined in the survey reported that they use metrics in their reports. But it seems that the security field still has a distance to go to full professionalism.