An end-user organization formed to help large-company security executives measure the business value of their own security operations is building a database to create real-world benchmarks against to measure exactly that.
The database, posted this week by the CSO Executive Council, is based on surveys to be filled out by any end-user company. The first 60-plus responses to the International Security Benchmark Database will come from CSO Executive Council members from companies such as Kimberly-Clark Corp. Boise Cascade LLC, Target, Starbucks Coffee Company and PricewaterhouseCoopers, LLP, who have promised unfiltered answers to performance questions.
Each organization pays $17,500 per year for membership, which pays for research into the business value and measurement of corporate security, as well as seminars and other council activities.
The database is designed as the first repository of objectively collected security performance data coming directly from the people best positioned to evaluate the performance of their own company, according to Bob Hayes, managing director for the Council.
The questions (sample survey here) cover 13 categories from the council's publication Measures and Metrics in Corporate Security, a management guide written by George K. Campbell, former CSO at Fidelity Investments.
Neither the publication nor the database are designed to answer technical questions about security, Hayes said. Instead, they're designed to define and measure the factors that go into building an effective security organization -- few of which are technical.
"Our surveys show that CSOs are becoming predominantly business people, instead of coming from one of the traditional backgrounds -- law enforcement, the military, corporate security or IT," Hayes said. "They have to be able to define the value they're bringing to the organization, not just the security aspects."
That type of information is not necessary or necessarily valuable to a security or network manager who spends most of his or her time working within IT, according to Kevin Beaver, president of Acworth, Ga.-based security consultancy Principle Logic and a columnist for SearchWindowsSecurity.com.
"But for a VAR or consultant, that would be invaluable," he said. "It can help you show the business value of a security recommendation and help the client communicate the finding to their managers."
Building a business case -- including defining what factors would go into a return-on-investment (ROI) calculation and what the total cost of ownership (TCO) of a product would be, extend far beyond the price of the product, integration services and even the technical benefit, according to Tom Bowers, managing director of Security Constructs, an Allentown, Pa.-based security consultancy.
"You can quantify a virus attack because it's a discrete event. You can say: 'this is how much damage it did, and how much time it took to fix, and here's how much the product cost to prevent it from happening again,'" Bowers said. "But content security is harder to quantify. How much is that new drug formula worth? How much is it worth to keep customer data from walking out the door? You have to talk in business terms in order to define those kinds of benefits, and help the client do that, too."
The database is available now, according to Hayes, though its utility will expand as more companies add their own data. Eventually the Council will charge a fee for access, as it does for its other reports and research.
It is distributing its current benchmarking report free, however. The 2006 Corporate Governance and Compliance Hotline Benchmark Report is available from the Council's Web site.
Let us know what you think about this story; e-mail Kevin Fogarty, News Director.