Security Metrics - GCSH
I am not religious (see below) but if I were I would be a Buddhist. The concepts, teachings and ideas are all very interesting to me, and the Art of Happiness certainly changed my life completely. Note to self: read it more often to condition yourself! It's fair to say I am fascinated by Buddhism and plan to visit Tibet in the next few years.
Yesterday morning I was reading about Bhutan, a small Kingdom sandwiched between China and India. In 1972 the King declared that GNH, or Gross National Happiness, was more important than GNP, or Gross National Product. Yesterday afternoon I found myself talking to a potential customer (a global bank) who was asking about creating an information security scorecard for a distributed team of business owners across the world. I asked him what the most important metrics to his customers would be. He was stumped. It was awkward. This was not my intention.
Most banks will tell you that their core business metrics can be broken down into three things.
1. Attracting new customers
2. Retaining existing customers
3. Upselling new products to existing customers
I think an incredibly powerful metric for any CSO to publish into his business is how many positive or negative events relating to 1, 2 or 3 above were the result of GCSH, or Gross Customer Security Happiness.
How do you capture the metric? Add a simple question to call center scripts and web forms, educate customer-facing staff to talk to customers about it, and then use an open platform to push the answers back into the central security scorecard system. You need a whole solution, after all.
You can measure people, process and technology, don't you know!
As a side note I am currently reading God is Not Great.
July 3, 2007 at 12:48 pm
I think most banks, at least those I got to talk to, share data within their industry. Andrew Jaquith outlines in his metrics book that most organisations suck at metrics because of systematic non-disclosure. In the financial sector they are used to data sharing and it shows within the infosec departments too. Of course all data is shared under NDA.
That's how the CSO I talked to can outline metrics like the % of lost customers per public security incident (see point 2). You can probably define it yourself too, but you would have to start monitoring customer fluctuations for a certain number of months after an incident to see if they change.
Obviously to collect this data you need to amend the procedure for account closure so your staff at the call center can correctly identify when a client closes his account due to security concerns. Most good banks would likely ask why you close your account anyway, so you can build on that (except BMO, which didn't ask me a thing, good job).
Surveys can also work well (perhaps annually?) to measure customer trust, which is really just a word for Gross Customer Security Happiness.
July 3, 2007 at 11:18 pm
Jaquith has a section on “Happy Metrics” in his book (Chapter 3, in the “Anti-Virus / Anti-Malware” section), but I like your version of happy metrics better.
July 4, 2007 at 1:12 am
It’s odd that many of the folks that *should* be able to answer that question have never heard of the HBR Balanced Scorecard approach. Love it or leave it, it asks you to set goals and actions that include, amongst other things, the customer-facing perspective.
/Hoff