All companies collect and evaluate data. In many cases, because it is so easy to gather information, staff members must scour through massive quantities of material to glean any meaningful conclusions. The challenge for businesses today is not getting the raw numbers; it’s deciding which metrics a company should track and how to use that information to make decisions.
Metrics that do not support the decision-making process can become more of a hindrance than a help.
The nature of the financial industry and the security threats corporations face put additional pressure on tracking the success or failure of security protocols. Companies must balance the need to secure assets and data with customer privacy and convenience, along with legal compliance concerns. The financial industry must also adapt quickly to rapidly changing technologies that introduce new vulnerabilities within the corporate structure.
Strong security measures build trust and loyalty with customers. A security breach triggers customer fears of identity theft and fraud and can force the CEO to resign for failing to protect customer data. Measuring and tracking the right metrics can help financial companies maintain agility in the ever-changing world of security.
The Primary Goal of Existing Security Measures
Whether reviewing cyber or physical security protocols, financial companies tend to focus on two primary goals. The first is to manage the risk of a security breach and the second is to defend against attacks.
Risk management: Financial corporations evaluate risk by weighing the cost of implementing a new product, process, or procedure against the protection it provides from a security failure. Companies then compare those costs with the direct and indirect costs of a security breach. The goal is to put processes in place that are cost-effective in mitigating these risks. Measures might include implementing new technologies, automating systems, and addressing employee training designed to protect assets and data.
Defending against attacks: This involves unique challenges, as customers demand access to data from an ever-increasing number of entry points. Companies must secure each point of entry from multiple sources through software and technology that protect against physical attacks, cyber attacks, employee mistakes, and other threats.
New products and technologies in the market can solve many problems for companies. Using valuable metrics throughout the testing and buying phase can assist with the decision-making process.
The Real Purpose of Metrics
Tracking and measuring the right metrics gives businesses the tools necessary to tune out the noise around security needs and direct the focus to the highest-value solution for the investment required.
Jason Remillard, Vice President of Security Architecture at Deutsche Bank, recommends, “You should demonstrate that you have tracked true business risks against the investments that have been made – and that they have been mitigated appropriately.”
When used systematically, metrics should help security departments measure the effectiveness of existing procedures, processes, and protocols. The statistics should also identify areas of weakness, where the business can add or develop new systems and processes to reduce threats and vulnerabilities within the corporation.
When a company collects data from the right metrics for the right reason, it can result in lower overall costs, while increasing the effectiveness of the security program. Metrics should provide clarity rather than confusion.
How to Choose the Right Metrics to Track
Security, in its most fundamental state, is a resource allocation question. It is impossible to reduce the risk of a security breach to zero, so corporations must make decisions based on the cost of a security measure in relation to the risk reduction. The goal is always to allocate the right amount of resources to protect the most sensitive data and assets held within the company.
The best metrics are actionable and will fundamentally impact the security of vulnerable data and assets. They should have a direct and measurable impact on how the business manages risk and defends against both internal and external threats. Metrics should directly link to the company’s objectives and assist in eliminating blind spots. They help corporations prioritize threats and reduce the exposure to losses.
At their core, the metrics a company uses should show both what has been done and what needs to be done. Perhaps the best rule of thumb to follow is this:
If the data in the metric changes, would you alter your approach to that particular threat or vulnerability? If the answer is no, then don’t track the metric.
Types of Metrics Financial Companies Measure
An activity metric tracks how often something is done or how frequently an event occurs. For example, when reviewing the physical security in a building, a business might track how often an employee reviews video files for quality, how often someone activates locks, or how many times an employee enters or leaves a space.
Activity metrics provide a status report on procedures and protocols currently in place. They rarely drive action. In most cases, businesses are better off measuring the effectiveness of the activity, rather than measuring the activity itself.
Using trend metrics rather than activity metrics will provide insights into the effectiveness of existing policies and procedures. They ask the question, “How well is this activity working?”
Trend metrics relate more to the specific business activity and the outcome, rather than just the activity. For example, knowing how often an employee opens or closes a secure cabinet or door does not provide valuable information because it does not provide a context for what is a normal or abnormal activity. Measuring trends will show spikes or declines in behaviors or activities, which can give a business valuable information for both employee training and guarding against theft. Understanding the baseline for the overall objective can help the business measure how well the action moves the needle.
For instance, the Senseon cabinet access control system creates an audit trail, which tracks not only when an employee opens a cabinet file or drawer, but can identify which employee gained access at what time. This stepped-up audit trail provides a valuable trend metric for identifying and preventing internal fraud.
Outcome metrics are the most important ones because they measure how actions improve the process. They speak to the value of the activities and processes the company uses to secure data and assets.
Executives are nearly always more interested in outcomes than activities. Outcome metrics are forward-looking trend data, which provide an accurate assessment of what works and what does not while identifying areas for improvement. They create a clear link to the business objectives and the value created by the processes and procedures in place.
These metrics allow companies to track risk compared to the investment dollars spent on security measures and to track the true business risk against the investment made. This data opens the door to appropriately mitigating the risk.
Financial institutions sell trust represented by high levels of security. Most metrics are activity-based, providing the lowest value. Instead, track outcome-based results when evaluating existing security measures and new technologies for the most relevant metrics.
Tracking trend-based measures will identify areas where human error most often occurs, allowing you to proactively address implementation gaps and prevent security breaches.
Learn more about how the Senseon electronic locking device reduces human error through its auto-relocking feature and establishes an audit trail tracking both the time and the employee who accesses drawers or file cabinets containing sensitive information.