Return on investment, or ROI, is probably one of the biggest challenges for corporate security executives to articulate to their leadership. A corporate security director’s primary mission should always be the prevention of events such as workplace violence, theft, vandalism and sabotage, along with preparedness for natural phenomena such as severe weather. Our corporate security clients, however, are also constantly feeling pressure from their leaders to articulate the ROI to justify their security investments. Insider threat is a security issue faced by all industries and sectors today.
An Opportunity to Demonstrate ROI on Security Investments
The consequences of insider incidents can include lost staff hours, negative publicity and financial damage so extensive that a business may be forced to lay off employees or close its doors. Insider incidents can also have repercussions extending beyond the affected organizations to include disruption of operations or services within critical sectors, or the issuance of fraudulent identities that create potential risks to the general public and homeland security. Executive leaders recognize this threat to the business, but how does a corporate security director justify an annual budget to combat this problem? Case tracking in workplace violence can be a prime opportunity to demonstrate ROI.
Understanding Threat Assessment Methodology
My friend and longtime colleague, Dr. Michael Gelles, has just authored a book on insider threat entitled Prevention, Detection, Mitigation and Deterrence. Dr. Gelles is a Managing Director with Deloitte Consulting LLP. I first met Dr. Gelles over 20 years ago when I was the Special Agent in Charge of the U.S. Secret Service National Threat Assessment Center and he was the Chief Psychologist for the Naval Criminal Investigative Service. NCIS and the U.S. Secret Service refined threat assessment, the process of gathering and assessing information about persons who may have the interest, motive, intention and capability of mounting attacks against public officials and figures. Today, threat assessment lies at the core of the methodology we use in this country to determine vulnerability and guide interventions in potentially lethal situations.
His pioneering book is a fascinating read. It takes insider threat prevention to a new level of sophistication and helps make threat assessment understandable. What particularly caught my attention is his contention that an absence of insider threat metrics for a program could lead to “multiple interpretations and the program may be cut or funded.”
7 Metrics to Prove the Value of an Insider Threat Program
Dr. Gelles provides 7 metrics that, although not all-inclusive, can demonstrate the unique value of a corporate insider threat program:
- Cases opened: Number and types of cases reviewed by the program
- Internal requests for information: Number and types of RFIs to organizational stakeholders
- Internal escalation and triage: Number and types of cases escalated and triaged within the organization
- External escalation and triage: Number and types of referrals to external law enforcement agencies
- Risk mitigation actions: Number and type of risk mitigating actions
- Documents retrieved: Number of documents prevented from leaving a secure environment
- Investigative productivity: Average reduction in investigative timelines
Building and maintaining the organizational capacity to prevent an insider threat at the corporate level takes careful conceptualization, planning and oversight by experienced security professionals. Ensuring an annual budget for an insider threat program is critical to its success. I recommend reading Dr. Gelles’ book to learn more about the key components of a comprehensive prevention program.