Security metrics highlight the successes as well as help identify potential areas for improvement
Done right, a good metric program will help tell the story of the security department

Knights of medieval times are known for impossible quests and challenging missions seeking rare religious items. The quest for the Holy Grail is perhaps the most notable. Today’s security professionals are often on their own quest, seeking what sometimes feels like the impossible – the search for perfect security metrics!

What are metrics and are they really that hard to find? Metrics are simply a measure to show effectiveness or to track performance. We are surrounded by metrics every day. For someone who wants to lose weight, a daily stop on the scale to track progress is an example of a metric. For someone interested in building muscle, the metric used may be the amount lifted in a bench press or leg press. Companies use metrics to measure key progress in areas such as sales, repeat customers or net income.

Security Metrics Best Defined By Finance Team

How do you measure the success of a security program? If your security program were primarily about preventing crime, you would need to track every time you deter a criminal – something that is very hard to know or track. Basically, it means tracking something that didn’t happen. There is good news though. There are other ways to measure success and to provide ways to showcase what the security program has accomplished. 

If there is one group that uses and understands metrics, it is the finance team of a business. The finance team deals with every part of an organization and understands the value of setting targets and measuring progress, in terms of budget, income and expenses. We are going to look at security metrics used in one case study that came about after the security department reported to the CFO. 

Understanding Security Metrics From The CFO

The CFO had several support groups reporting to him and was interested in how to track progress of each of the groups. It was quickly determined that there were four core areas to track. Activity, Efficiency, Quality and Customer Satisfaction were the categories focused on.


Service Area Background
Activity

Crime trends that pose a concern or need to be tracked;
what events take security's time and efforts?

Efficiency Budget, of course. What else affects efficiency?
Quality

What makes the security department stand out? What
does security offer to add value or improve quality of
services?

Customer Satisfaction What makes employees feel safe at work?

Security Activity Measurement 

The first category was to measure overall activity. The specifics may change from one organization to another, but looks at the types of responses and incidents handled by the security team. This should include general crime rates on campus, or may be a focus on specific issues. For example, in healthcare, a top priority has become the issue of violence and assaults on clinical staff by patients. 

By nature, many of these metrics are lagging metrics. In other words, the metric is a measurement of something that already happened. However, it is possible to include leading metrics as well. Leading metrics are a measurement of an activity that is pro-active or preventative in nature. An example of a leading metric could be tracking the number of exterior patrols done by security officers. The theory being highly visible and pro-active patrols are a deterrent and reduce overall crime on campus. For a system integrator, regular maintenance of access control or video systems that prevent downtime could be a measure of a leading indicator instead. 

Financially Efficient Security Program

Efficiency was the next category. Of course, since this was coming from the CFO, financial efficiency was involved. One metric was budget compliance, a ratio of budgeted funds versus actual spend as a percentage. Another efficiency number tracked was the number of voluntary turnovers. This number tracked how many security employees left for other pursuits. It did not include involuntary turnover, as it was felt that this could potentially influence leaders to keep unsavory employees to limit the turnover data. Other examples of efficiency could include storage of valuables for guests or patients, or number of lost items returned to the owner.

Quality Of Security Program

The next category considered was quality. To track the quality of the security program, a variety of options were considered. In this case, the number of security employees who received certification in the industry was tracked. The CFO also wanted to see the security department provide, or at least facilitate, security training for staff. The metric used was the number of training sessions provided to staff, including brief internal education meetings with different departments or ‘brown bag’ lunch and learn sessions that could include outside speakers. Again, education sessions were a more pro-active measure and could be considered a leading indicator.

Customer Satisfaction

A metric is something that you are going to want to measure on a regular basis and if the work involved getting that number is too difficult, it will quickly be ignored or left undone and you end up having no measure at all

The last area considered in this example was customer satisfaction. Fortunately, there were several options from which to choose. One vital measure was an annual survey that asked about staff perception of safety and security at the organization. The scale was 1-5 and allowed to track the number in the top category, those who felt very safe at work. This was the measure used with the goal to move people from the next category, feeling somewhat safe, to the top or feeling very safe. Response time by the security team was another area that linked directly to customer satisfaction. There was also a secret shopper program in place where an individual would contact security about a routine matter and provide feedback, scoring the officer on customer service and friendliness to the appearance of the officer’s uniform. 

Importance Of Security Metrics

Of course, tracking all of the metrics mentioned is great, but what does it really mean? Once you begin tracking results, the past results can be used as a baseline that allows you to set goals, establish targets moving forward, and identify areas of improvement. Keep in mind that these baselines are different from industry benchmarks. Benchmarks are comparisons or numbers based on a mix of different organizations, often within the same industry, to gauge where one company is in relation to the industry. 

When selecting metrics there are a few things to keep in mind. Probably the most important is to make sure that the data you need for the metric is easily available. A metric is something that you are going to want to measure on a regular basis and if the work involved getting that number is too difficult, it will quickly be ignored or left undone and you end up having no measure at all. A good rule of thumb is that the data or measure should be able to be collected within 15 minutes.

Also, pick metrics that are something that the security team can act upon or have a direct impact on. If the measure reflects something that the security team has no control over, then it tells very little about the success or effectiveness of the security program. For example, neighborhood crime stats may be valuable to track for awareness sake, but do not reflect on the security team’s performance so should not be included as part of the performance metrics.  

If there is one group that uses and understands metrics, it is the finance team of a business
(see bigger image)
Visuals and charts can be very helpful in seeing exactly what areas may need attention and what is going well

Evaluating Security Metrics

The last word about metrics: be sure to do something with the metrics collected. Use the data to tell a story about what the security department is doing. Visuals and charts can be very helpful in seeing exactly what areas may need attention and what is going well. Keep evaluating the value of the metrics used as well. An idea that originally seemed great, may turn out to not really reflect what you had hoped and should be changed and a new metric identified instead. This is an ongoing process.

Done right, a good metric program will help tell the story of the security department and highlight the successes as well as help identify potential areas for improvement.

Download PDF version

Author profile

In case you missed it

Changing Regulations Promote Better Care Of Consumer Digital Privacy
Changing Regulations Promote Better Care Of Consumer Digital Privacy

There are two types of people in the world as it relates to privacy. Those that care about their privacy and sadly, those that don't. This divide continues to be further separated with the constant flood of cyber security breaches that we hear about. We, as consumers, can no longer get a cheap hamburger without hearing that once again, the information we want to be kept secret, has been breached. The old phrase of "you can lead a horse to water but you cannot make him drink" rings true as we approach helping consumers take charge of their digital and personal privacy. Governmental Regulations For Privacy Law makers have started taking up the charge to help protect the privacy of consumers Law makers have started taking up the charge to help protect the privacy of consumers. This has been executed with the newly European General Data Protection Regulation (GDPR) which went into effect on May 25th, 2018. The core premise is the consumer owns their data. Despite any company which uses, stores, or profits from a consumer's data, the consumer still owns it. This is a major shift in how the business are forced to protect the consumer's data. Even though many of us have likely heard about GDPR, it is not the only privacy law that's taking the world's stage. In fact, in California there is a new law called the California Consumer Privacy Act of 2018 which is focused around the same principles GDPR. This new California law goes into effect in 2020 and goes one step further by considering privacy as an alienable right for all consumers. Encouragement for consumers to take charge of their digital and personal privacy is becoming ever more important  Taking Ownership Of Privacy Despite the new regulations due to a corporation's lack of controls around consumer privacy data, the truth is that even though these regulations provide consumers with a mechanism to take ownership with how their personal data is used, doesn't mean they will. It's at this point we, as the security industry, need to step back to consider how we can improve the problem. Just because laws have paved a way, we still need to help consumers travel down the road to better privacy. For the privacy of consumers to truly be considered an inalienable right, we need to stand up for our rightsThere are two further mechanisms that we still need, governmental social programs and continued passionate discussions from the security industry. Governmental social programs will help provide free or low-cost classes for consumers to learn about how they can protect their privacy. However, governmental programs can only go so far and this by itself will not be enough. History has shown that social progress accomplished by a passionate minority that stands up against the oppression of human rights. For the privacy of consumers to truly be considered an inalienable right, we need to stand up for our rights. Not only do we need to exercise the capabilities new GDPR laws has created for us, but we should tell the important people in our lives. We need to stand up for our privacy because if we don't, we'll end up losing even more of our privacy. 

What Is The Value Of Remotely Monitoring A System's Health And Operation?
What Is The Value Of Remotely Monitoring A System's Health And Operation?

When is it too late to learn that a video camera isn’t working properly? As any security professional will tell you, it’s too late when you find that the system has failed to capture critical video. And yet, for many years, system administrators “didn’t know what they didn’t know.” And when they found out, it was too late, and the system failed to perform as intended. Fortunately, in today’s technology-driven networked environment, monitoring a system’s health is much easier, and a variety of systems can be deployed to ensure the integrity of a system’s operation. We asked this week’s Expert Panel Roundtable: How can remote monitoring of a security system’s health and operation impact integrators and end users?

Importance Of Establishing Security Standards For K12 School Security
Importance Of Establishing Security Standards For K12 School Security

As we approach National Safe Schools Week (October 21-27), it is appropriate for a conversation to begin regarding establishing standards for K12 school security. Currently no standards exist for assisting schools navigate the complexity of understanding what they need, how much it will cost and how they will secure their learning environments. Security Industry Experts The Partner Alliance for Safer Schools (PASS) is one of the organizations at the forefront of establishing security standards for schools. In 2014, the Security Industry Association (SIA) and the National Systems Contractors Association (NSCA) formed PASS, which brought together a cross functional group of members including school officials, safe schools’ consultants, law enforcement and security industry experts to collaborate and develop a coordinated approach to protecting K-12 students and staff. School administrators are often contacted repeatedly by organizations with multiple safety and security products PASS has provided valuable insights regarding an ‘All Hazards’ approach to school safety and security. In fact, PASS suggests that school administrators are challenged with two decisions: Determining what they need to do How to prioritize Safe School Environment School administrators are experts in running schools and providing education. However, most are not security experts and do not understand the complexity of implementing a comprehensive physical security and safety program across their districts. Still, they are often contacted repeatedly by organizations with multiple safety and security products. School administrators are experts in running schools and providing education, but most are not security experts  Some of these organizations recognize their products are just pieces of a safe school environment puzzle and how they fit in, whereas others focus on specific applications and do not understand how their specific solutions may affect life safety codes and Americans with Disabilities Act law. (Note: Many ‘barricade devices’ fall into this latter category and actually introduce liability concerns with the unintended consequences of their use.)Schools incorporate evacuation drills as part of their emergency preparedness plans and practice on a regular basis Even for experts, the plethora of options and disparate systems required to integrate a safety and security approach at schools is daunting. The ongoing challenge is integrating access control, video, mass notification, and/or visitor management products into a single, effective, and appropriate system the owner can understand, utilize, and afford and that meet local codes and ADA laws. In the absence of standards, schools are likely to amass a collection of devices that do not constitute a comprehensive solution. Lack Of Consensus In years past, the our industry and commercial buildings adhered to legacy codes – like Building Officials and Code Administrators International Inc. (BOCA), Uniform Building Code (UBC), Southern Building Code Congress International Inc. (SBBCI), and International Conference of Building Officials (ICBO) – which have traditionally been revised every three years, while local jurisdictions decided what versions to adopt and enforce. Currently, however, there is a move toward the International Building Code (IBC), which is published by the International Code Council (ICC) and includes standards and guidance for commercial buildings on doors, windows, and other openings. A risk assessment is the next step toward developing a comprehensive security plan, and begins with developing a trend analysis Still, despite this migration of codes from a patchwork of local decisions to global guidelines, there remains a lack of consensus around school security. The current fragmented approach causes confusion regarding how new schools are designed and how to retrofit existing school buildings, whose average age is 45+ years. Right Protection Equipment One can point to the fact that there hasn’t been one student lost in a school fire in over 50 years as testament to standards like NFPA 80 and NFPA 101 being referenced in model building codes. Additionally, schools incorporate evacuation drills as part of their emergency preparedness plans and practice on a regular basis. It’s not just having the right protection equipment in the building, it’s also having a procedural layer in place to make sure everyone knows their roles and responsibilities in the event of fire. The stress of the actual event can limit ones’ ability to think clearly. Practice makes perfect. Why would we approach school security any differently? School security is a team effort, and it is important to understand all the areas security impacts and involves School security is a team effort. It is important to understand all the areas security impacts and involves. PASS suggests starting with a basic team consisting of: Security Director Local Law Enforcement School Administrator Integrator Door and Hardware Consultant IT Director Comprehensive Security Plan Quantifying and mitigating risk are the jobs of security professionals and school administratorsA risk assessment is the next step toward developing a comprehensive security plan. This often begins with conducting a trend analysis requiring the collection of data from a variety of public and private sources. The challenge is to pull these pieces into a usable and easily understood format that provides a guide for current and future risk concerns. Risk assessment and mitigation can never eliminate risk. Quantifying and mitigating risk are the jobs of security professionals and school administrators. Data from the following sources can help measure risk: Campus: Review incident report trends for at least the past 36 months. Area and city: Review crime data from local law enforcement for the surrounding neighborhood and city. Screening procedures: How is hiring conducted? Anonymous tip reporting systems: Enabling students, staff members, parents and the community to anonymously alert administrators to perceived and actual threats. Social media monitoring: such monitoring can provide important information that can be used to identify risks. Monitoring social media could help measure risk for school safety Delay Adversarial Behaviors These assessments can then be incorporated into the best practice approach of Layered Security. Layered security combines best practice components within each layer that effectively deter, detect and delay adversarial behaviors. Layered security works from the outside in. As one layer is bypassed, another layer provides an additional level of protection. The asset being protected is at the center of the layers – students, staff and authorized visitors. PASS defines five layers of Security:As one layer is bypassed, another layer provides an additional level of protection District Wide Property Perimeter Parking Lot Perimeter Building Perimeter Classroom/Interior Perimeter Appropriate Tier Target Each layer can be broken down into Tier levels with Tier 1 being basic and Tier 4 being the highest level of security. It is important to understand that the demographics of individual school buildings varies, even within the same district. Security experts will quickly point out that ‘if you’ve seen one school, you’ve seen one school’. The assessments will determine the appropriate Tier target. Figure 1 Each layer includes essential protective elements, or components, of security. Every layer does not necessarily include all seven of these common components, and a layer may include additional components unique to that particular layer. Safety And Security Components Policies & Procedures People (roles & training) Architectural Communication Access Control Video Surveillance Detection and Alarms Layered Security While components are not listed in a priority order, three components included in all layers are policies and procedures, the roles and training of people, and communication. These components often perform a function in every layer and every tier in each layer. Three tools come together in the PASS approach as outlined in the new 4th Edition of the PASS Guidelines (Figure 2) - the Layers are established and defined, a Checklist/Assessment breaks down each layer into tiered best practices which then tie into the guidelines where a narrative explains each best practice in more detail. Figure 2  Schools need not reinvent the wheel when it comes to school security planning. Following the best practices of Risk Assessments and Layered Security will ensure that every school building in a district will have a unique and comprehensive plan that is tailored to their individual needs.