Metrics, KPIs and storytelling

Measure and communicate the impact of corporate security

Clarity Up Front:

  • CSOs must identify ways to measure the impact of security.
  • It is critical to distinguish between metrics and key performance indicators (KPIs). Metrics count activities, KPIs show whether strategic objectives have been met.
  • Data must be tailored to the audience, depending on their role, responsibilities, seniority and personal data and communication preferences.
  • Data is especially impactful when paired with stories that build trust and influence and help busy executives to make sense of, and remember, security issues.
  • Effective communication at Board and C-suite level is as much about the preparation as the presentation – soliciting input, tailoring to the audience, and having the confidence to stay high level.
  • Many corporate security teams lack the skillsets to deliver data and communications at the highest level, notably business analysis, data analysis, storytelling, communication, and training expertise.

CSOs must identify ways to measure the impact of security

One of the most important challenges for CSOs is demonstrating the value and impact of corporate security in a way that resonates with the business. In our 2025 CSO Annual Survey, CSOs told us that low understanding of security among executives was the biggest obstacle to the success of their function, and many CSOs we consult with still do not have the right data in place to capture workload and value for the business.

Metrics versus KPIs

'All KPIs are metrics, but not all metrics are KPIs.' Jules Parke-Robinson, Head of Market Safety and Security, Philip Morris International

It is important to distinguish between metrics and KPIs. Metrics measure activity or performance, for example the number of security incidents, response times, the proportion of sites that have completed an emergency evacuation exercise, or the volume of investigations. They play an important role in understanding the work of the function, can be used to monitor, analyse, and diagnose what’s happening within the business from a security standpoint, and can help to make the case for increased resourcing. On their own, though, they do not demonstrate success.

KPIs, by contrast, are a smaller, more focused subset of metrics that are directly tied to strategic objectives and drive decisions and accountability. They might include, for example, vendor performance measures, the proportion of investigations completed within the target timeframe, loss reduction, or business satisfaction rates. As Jules Park-Robinson put it, ‘KPIs are really answering the question, are we on track to achieve our objectives or not?’

'KPIs are really answering the question, are we on track to achieve our objectives or not?' Jules Parke-Robinson

This distinction is critical because many security functions remain heavily weighted towards activity-based reporting. While such data is useful for the security team, it rarely translates into business relevance. To demonstrate impact, security leaders must shift from reporting what they do to articulating what they achieve. This means focusing on outcomes such as reduced financial loss or downtime, risk reduction, or the facilitation of new business activity, such as entry into new markets.

Effective KPIs can impact a security leader’s ability to both drive resourcing and demonstrate business value. Jeremy Baumann, CEO of Corporate Security Advisors, offered an example from the pharmaceutical sector of a company that was experiencing significant levels of product loss. He quantified the loss, successfully made the case for a $100,000 investment in mitigation measures, and was able to evidence a $1.4 million loss reduction in the first year. Demonstrating a clear return on investment resulted in ongoing executive support. Jeremy offered a second company example where data on increased staff suicide levels opened an opportunity for the security team to partner with HR to roll out enhanced prevention efforts, which reversed trends over time.

Tailor data to business priorities and audience

Security data becomes especially meaningful when linked to what matters most to the business, whether that is protecting revenue, maintaining continuity, reducing costs, supporting market expansion, or meeting regulatory requirements. Without this alignment, even well-designed KPIs risk being dismissed as irrelevant. This means that what works in one company may be less impactful in another, and KPIs may need to change over time as business priorities shift.

It is also critical to tailor data to the audience, depending on role, responsibilities, level of seniority, or personal preferences. As Jeremy Baumann put it, being impactful in your use of data ‘really comes from understanding your business, understanding what's important to your executives, building relationships with your executives…that allows you to understand on a personal level what matters to them so that you can make sure you tailor your work to their risk tolerance and what their beliefs are about the impact your programme is having.’

The power of storytelling

Data is especially impactful when paired with stories that build trust and influence and help busy executives make sense of security issues. Storytelling is a structured way of communicating information that connects data with emotional understanding. It enables security leaders to illustrate not just what happened, but why it matters, what the implications are for the business, and what needs to happen next.

Security teams have a storytelling advantage over other parts of the business because they have a plethora of real-life incidents to draw upon that lend themselves to creating high-impact narrative. The outbreak of an unexpected war, a natural disaster requiring large-scale staff evacuations, an active shooter attack at the head office, or a threat to a senior executive are becoming the norm for many corporate security teams. Security professionals are often reluctant storytellers, though. As Bill Tenney, CEO of ASIS International, put it, ‘I think sometimes security professionals do shy away from telling stories. I think we have a tendency to get the job done and move on… we don't want to beat our own drum.’

'I think sometimes security professionals do shy away from telling stories... we have a tendency to get the job done and move on…' Bill Tenney, CEO, ASIS International

When structured effectively and sensitively, these stories can make security work more memorable and relatable for senior leaders, helping them to make sense of risks, potential business impacts, and effective mitigation strategies that require their support. Stories can also build trust by demonstrating both the competence and sense of purpose of the corporate security team, which helps business leaders to feel confident in the security team, particularly in moments of crisis or uncertainty.

The most impactful communication combines data and story. As Peter Rudge, CEO of HumanStory put it, ‘Storytelling is a primal human communication system, and it's something that all human beings use to transmit and receive important information. It's a way of connecting appropriate levels of emotional response to data. And by doing that, you have a very powerful neurochemical effect on an audience for impact, influence, trust, and memorability. The fundamental root of it is a structural form that is common to all human beings.’

'Storytelling is a primal human communication system, and it's something that all human beings use to transmit and receive important information.' Peter Rudge, CEO, HumanStory

Bill Tenney shared a story from his corporate security career when his team was brought in to assist with a high-stakes event in Mexico when the local threat level became elevated. By offering assurance, a can-do attitude and an effective mitigation strategy, he and his team enabled the business to go ahead with the meeting without incident, and this story became a powerful tool for reinforcing the function’s value across the organisation. As Bill Tenney put it, ‘we were able to use that example afterwards to reinforce with the business, this is who we are, this is what we can help with, this is how we do business, this is what your capability is internally, and you can trust us.’

Effective communication at Board and C-suite

Effective communication with senior business leader is as much about the preparation as the presentation. This includes building relationships with stakeholders, understanding their needs and pressures, being clear about how they will use the information, tailoring data to their specific requirements, and socialising data and decision requests ahead of the meeting.

Effective CSOs develop a stakeholder map that identifies their key interlocutors, how the security team wish to influence them, the information these individuals need, and how they wish to receive it. As Jules Parke-Robinson said of stakeholder mapping, ‘It's enabled us to really land our security narratives. Shifting that conversation from “this is what security does” to “what that audience needs to decide” with the information that I'm giving them.’

'Be brief, be bright and be gone.' Jeremy Baumann, CEO, Corporate Security Advisors (CSA)

When it comes to presentation, focus is critical. As Jeremy Baumann put it, CSOs need to be ruthless in their focus, which takes practice and requires the confidence to leave things out. They need to present the right data at the right level; metrics rarely have a place in the board room. As he put it, ‘Be brief, be bright and be gone.’

Talent gaps

Many corporate security teams lack the skillsets to deliver data and communications at the highest level, notably business analysis, data analysis, storytelling, communication, and training expertise. While accommodating dedicated roles on small teams can be difficult, CSOs should explore ways to upskill existing team members with these skillsets to enhance the team’s ability to measure and communicate its impact and value.

PreviousNext
Cookie Use
We use cookies to improve browsing experience, security, and data collection. By accepting, you agree to the use of cookies for advertising and analytics. You can change your cookie settings at any time. Learn More
Accept all
Settings
Decline All
Cookie Settings
These cookies enable core functionality such as security, network management, and accessibility. These cookies can’t be switched off.
These cookies help us better understand how visitors interact with our website and help us discover errors.
These cookies allow the website to remember choices you've made to provide enhanced functionality and personalization.
Save