The global COVID-19 pandemic is the most intensive data-driven global crisis we’ve seen. Even the most forward leaning and well-resourced companies have struggled with the sheer volume of data they must monitor and track daily, as well as the rapid rate at which they must make sense of that data to inform decision-making and planning. On top of that, many are facing intensive financial pressure and scrutiny to cut program costs wherever possible without impacting core operations or functions.

This is familiar territory for security and resilience professionals, as well as CIOs and IT leaders of organizations. Core to this perennial issue has been the lack of hard metrics to track, measure, and continuously report on program effectiveness and return on investment using data. Meeting this task requires the integration of technology to leverage machine learning and computing power along with the application of data analytics, intelligent interpretation, and visualization tools. Only by clearly telling the story of what the data reveals can your organization zero in on potential business impacts and measure the effectiveness of mitigation measures, and ultimately, show the value for the business.

Organizations that have done this best in their COVID-19 monitoring and response have been able to make faster, more informed decisions, and have also been able to pivot and adjust course to rapidly changing conditions across the globe. That same logic can be applied more broadly to build, drive, and continuously improve corporate security and resilience functions. We’ve broken down some of the key lessons from COVID-19 in the use of data and data analytics to drive more effective security and resilience programs.

1. Understand the maturity of your program

Determine if your security and resilience program has the right elements at the right levels of maturity to address your organization’s strategic needs. While it’s certainly possible to measure the performance of programs at earlier stages, metrics become more meaningful indicators of the effectiveness and value of a program once a certain level of maturity is achieved. That said, some measurement of performance is better than none. The sooner a security function embraces a data-focused mindset, the sooner it will be able to allow for more balanced investment in capabilities -- and in time, demonstrate the full return on investment. 

2. Define metrics and key performance indicators

Once program metrics and KPIs are identified and clearly defined, design your data collection plan to determine which data sets to use, which sources to draw from, and what mechanisms and tools are needed to collect and aggregate it all. That roadmap should then be used to determine where to invest in security and resiliency programs to ensure they support the overall approach.

Certain metrics can be more easily quantified than others --  from the very tactical number of confirmed COVID-19 cases in a particular jurisdiction, known incidents resolved, threats detected, or reduced operational downtimes, to the more strategic loss of market share and shareholder value post-crisis. Where it becomes more challenging is proving the value of prevention and ROI to the business at large. Once an organization begins collecting and aggregating the right data sets, patterns and trends will emerge to enable better-informed decisions, and demonstrate impact and opportunity growth using actual data. 

3. Map and index global data sets to tell your story

Invest time into understanding which data exists and how it can be used to support your security and resilience mission and tell your story in alignment with your core business. Understand that your data is a foundational step that only the most mature organizations have solidly grasped. Relevant data sets can include everything from corporate assets prioritized by criticality (physical and digital), audit reports, risk and business impact analyses, human resources, and general ledger transactions (given supply chain implications) to the more operational threat intelligence feeds (internal and external), access controls, video and alert monitoring, incident reporting, and even loss prevention statistics. 

After understanding this data, use data aggregator and visualization tools to simplify complex issues, communicate key findings quickly, and make better informed prevention or response-related decisions. The flexible and interactive nature of these tools means that visualized reports can be designed in easily digestible, intuitive, and interactive formats that allow the business to slice the data in different ways, and drill down from executive summary-level information to site or even process-level details. 

Fundamentally, what is required is a mindset shift: Start thinking of both the quantitative and qualitative data that can be tracked and measured in association with your core security and resilience activities. Data is the language of business, and corporate security and resilience professionals, as well as IT leaders, must gain greater fluency in it in order to translate these activities into the same value-based terms as the rest of the business to clearly articulate and prove the ROI. 

Jackie Day leads Control Risks' business resilience consulting and security services across the Americas, based out of the Washington DC office.

Al Park is the Global Technology Consulting Leader for Control Risks and is based in Washington DC.