There is an old saying that there are three types of lies: “lies, damn lies and statistics.” I won’t dwell on the obvious downside of lies or damn lies in our job, but I will underscore that statistics, when calculated hastily or from poorly managed data, are no better than lies. We must have accuracy and integrity in our use of data and statistics, or we will undermine our initiatives, our programs and our own standing with senior management. Here are five components of a reliable system for managing metrics-relevant data:

Assurance of accountability. You don’t need a dedicated staff or individual to maintain a quality metrics program. Whether your scope includes the full range of security services; or, if you are a sole practitioner overseeing the physical security program, you must hold specific individuals accountable for maintaining the integrity of data that could be used for metrics and program management. If you rely heavily on vendors to provide day-to-day security service delivery, do not fail to incorporate contractual standards on reporting and data administration.

Assurance of data integrity. Consider these two key objectives for our security measures and metrics: 1) to positively influence action, attitude and policy, and 2) to materially impact exposure to specific risks. The visibility of these objectives imposes the highest standards of data integrity. We can only craft strategy and tactics to effectively target specific risks if we have reliable data processed by competent, focused analysis. Imagine the potential consequences of drawing conclusions and formulating recommendations based on inaccurate, unreliable data overseen by flawed, poorly supervised sources!

Data management and analysis. You can maintain a solid metrics program with standard desktop applications like Excel and PowerPoint. But scalable, commercially available incident reporting software provides a more tailored and robust infrastructure for standardized reporting, facilitates customized administrative routines, and enables quantitative analysis and trending.

Relevance to business process. Appropriate data management for security metrics supports security program planning, management and performance assessment. But it also enables us to analyze a variety of risk and program-specific data, to draw conclusions of measurable relevance to business risk management. We seek to structure measures and metrics that inform (increase awareness) and assess the effectiveness of internal controls. Remember, we seek to influence policy and enable the business to more securely engage in business activities that might otherwise be too risky.