• Home
• Articles
• Analysis of Security Metrics, Data, Proactive KPI’s, and the C-Suite value Proposition

9/08/2023

Analysis of Security Metrics, Data, Proactive KPI’s, and the C-Suite value Proposition

• How does the C-Suite prioritize or even consider security expenditure if it does not have an accurate picture?
• How does the security team identify historical trends and patterns to enable some predictability, or facilitate some projection as to what might occur in the future?
• What other benefits can accrue where considered metrics are applied?

Quality data collection and considered metrics analyzed professionally, provide organizational opportunities for cost savings, streamlining activities and will even support strategic goal determination in your forward security plan. If your organization is information and intelligence driven, you can quickly move to a culture where accurate reporting, ensures managers are not left scrabbling for crumbs from the fiscal budget table. Funding allocations are then targeted, justified and proportionate. Your C-Suite will love the clarity, and here at Lions Gate we can ‘deep dive’ into the data on your behalf, to develop a business case.

Budgets allocated based on identified need are focused, they ensure you are ‘getting the grease to the squeak’ and they result in both cost savings and enhanced performance.

Security Key performance indicators (KPIs) are measurable indicators of progress towards business goals.

• You need to determine what physical security metrics to measure.
• Identify how you collect data.
• How you analyze that data.
• Employ current and leading indicators, to prioritize measure focus on ‘proactive preventive,’ ahead of, but not to the detriment of, ‘reactive response.’ The former leads to a reduction in incidents or events and the latter does not. Your measurement should not prioritize focus on how you responded, but how you prevented the need to respond at all.
• Finally you need to present your findings to the C-Suite.

As an actual but sanitized example, directly related to cost savings, and streamlining activities, Lions Gate conducted a contracted security guarding activity audit at a large publicly accessible multi-use facility. Studying the data we found that security personnel were asked to provide ‘information and directions’ an average of 1760 times per month. It was by far the most predominant call on their time, and also a diversion to the detriment of their primary security function. This translated to 1,320 hours annually at a conservative 30 seconds per interaction, or .75 of an FTE. In establishing why this was the case we found that the signage used at the facility, was both temporary, often changed, and just overwhelming and disconnected. Our conclusion, and irrefutably based on the metrics, was that the provision was confusing visitors, who then were compelled to ask. We quickly established that what was required, was, concise quick read, wayfinding, and information signage, so visitors could better predict where their next piece of information would be located. Large airports have wayfinding signage nailed, and visitors have all the information they need to get to where they need to go. Appropriate signage could alleviate some of this time and cost, while freeing up security resources to do more related security functions.

When I request historical crime and nuisance data from client organizations in support of security risk assessments, it is rarely what I would categorize as analyzable actionable data. It is rarely sufficiently detailed enough to allow the type of pattern analysis that is essential to focus security responses. Moreover, it is rarely complete enough to underpin a business case to justify expenditure on structural design changes, human security provision, and technology-based countermeasures.

Simply put, not collecting incident data using a consistent and considered template, is counterproductive to achieving organizational goals and objectives. It is also to the detriment of proactive and preventive metric determination.

It is actually quite simple to collect incident data of analyzable quality and maintain an incident log and a Rudyard Kipling quote sums it up. “I keep six honest serving men, they taught me all I knew, their names are What and Why, When and How, Where and Who.”

For credible analysis I need to know what happened, why it happened, when it happened, how it happened, where it happened, and who did it. I would also categorize a failed attempt or near miss as a recordable incident because it provides invaluable extra information which analyzed shapes future security direction. It will often also tell you what currently works to prevent incidents, and for both offences, and attempts, shine a light on vulnerabilities. Near Miss and actual incidents are vital to see what the program is doing and how you are responding.

I would strongly recommend that an organizations security manager, or person designated that responsibility complete all incident reports and based on interviewing the reporting party an any other witnesses. If it all seems overly complicated or time consuming it does not need to be. Do not permit a little dedicated time to deflect you from the process. The benefits far outweigh the effort.

• What Happened is easy – Its right in front of you and your only caveat is to provide an absolutely accurate description of the event. It is not the time to spare blushes. Include a cost of crime value, where you can because, direct and indirect costs, are an essential consideration in funding security solutions.
• When it happened accuracy, depends. If you have detection equipment or present security, you can date time stamp accurately. An incident discovered after the passing of time is going to be less ‘when’ accurate, and the event window wider.
• Why it happened requires some security knowledge and understanding – Routine activity theory is the simplest way to explain this. For a crime or nuisance to be perpetrated requires the presence of a motivated offender, a suitable target, and the absence of a capable guardian. Examples might be door not locked, window open, target item in full view and not secured, no staff, no security staff, no capable guardians, no cameras, no alarm, inadequate lighting.
• How it happened requires some straightforward investigation and tracking the offender path from your perimeter through your existing security layers to the target. Consider insider offender threats in addition.
• Where it happened is easy and simply requires accurate mapping and description.
• Who was the target of the property crime or crime against the person? There may be a reason a particular person was victimized, and more so for crimes against the person.
• Who did it? It depends and, in most cases, and with most incidents, you are not going to know who did it. Post event investigation may turn up video surveillance footage of sufficient definition to enable a quality description. It may also be an identifiable and known offender to you or law enforcement.

The size of your organization is irrelevant, and this incident data detail is applicable for all. For larger organizations operating multiple sites, analyzed data in a report, allows for prioritization and budgeting, based on an accurate portrayal of risks, threats, and adversaries. It allows a needs-based allocation of resources, including physical, financial, and training and education. For this to be effective requires each location to use the same template and methodology. “Data apples to compare with data apples.”

I spent five of my years in policing working with a dedicated crime pattern analyst, whose exceptional skill sets, supported and guided my determination of remedial measures and recommendations over forty-five projects. The savings to clients in the public and private sector, during that program tenure, amounted to tens of millions of dollars. Consider also that many crimes or nuisance events are not reported and that in consequence police recorded crime and nuisance is less than 40% of actual crime and nuisance. With the right process in place you have an opportunity to collect 100% of security incident data that pertains to your organization. That prizes open a much more productive data seam for your information mining. It also overcomes a significant information obstacle in that law enforcement rarely shares reported crime information. Even on-line police statistics are sanitized so as to protect the identity of victims of crime.

If you have a competent crime data analyst who is reviewing incident reports and accurately determining trends and patterns, you are in a sweet spot. If you do not, and most organizations, do not, then you could outsource that analysis to a credible third-party contractor, who has subject matter expertise. We can also help your C-Suite prioritize security expenditure by providing an accurate picture. We can help the security lead identify historical trends and patterns to enable some predictability, and project what might occur in the future. We can identify other benefits that accrue where considered metrics are applied.

Adopting our Organizational Security Risk Management Program (OSRM) will enable access to our experts and support your security business case to your C-Suite decision makers. Get in touch to discuss how this service could support you. 1-604-383-0020 or toll free 1-888-212-2026 and ask for Mike Franklin or Mike McCafferty.