CIO Insights, January 2014 issue

Security Needs To Be Everyone's Responsibility

John Petrie
CISSP, CISM, CBM; CISO, Harland Clarke Holdings Corp
Monday, January 6, 2014
Metrics Mapped to Corporate Goals

Petrie developed a metrics program that was mapped to the organization's corporate goals. Clarke American, one of the two companies that merged to form Harland Clarke in May 2007, won the Malcolm Baldrige National Quality Award in 2001, as the sole recipient in the manufacturing category. Petrie took advantage of this strong culture of quality to build a centralized and repeatable security metrics program. His approach to designing and implementing such a program follows these steps:

Step 1: Get to know your business and understand the culture. Successful CISOs know how to reach out across teams to understand security's impact on each of them. Petrie built his security practice inside an organization that was already committed to quality. Understanding that foundation was crucial to developing a security program, and later a metrics program, that was relevant to the business. He reused many of the existing measurement processes and tools to gather security-related information rather than introducing parallel ones.

Step 2: Identify business goals. At Harland Clarke, senior executives define the key strategic imperatives for the business. The imperatives are refined annually based on the prior year's results and the company's overall vision, factoring in marketplace dynamics. These statements define the focus that each business unit must align with when planning its actions and defining success for its own area. Petrie was then able to map security initiatives directly to these business imperatives.

Step 3: Determine how security can affect corporate goals. Understanding what makes the company successful leads to understanding how security, or the lack of it, can help or hinder that success, and that is what the metrics should measure.
