Welcome back to the Think Tech Hawaii studio. It looks like we've got a new intro in my absence. That was pretty cool. I'm sorry I've been out. I had to take some time. I was hiking in the Tetons and I really don't think we were gonna get an episode broadcast out of the mountains. Back from PSA Tech. It's good to be back in the studio today. I know I had advertised that Kim Lloyd was gonna join us from Acre. She cannot be here today due to a scheduling thing that came up for her. So we'll look to get her on a future episode but Jonathan Harris, the amazing Jonathan Harris has stepped in to save the episode. No pressure, Jonathan. Welcome to the studio.
That was my pleasure. I'm excited to participate. Thanks for having me.
Thanks for jumping in, man. I appreciate it so last minute. We, Jonathan brought this topic up. We're gonna talk about metrics and I'm gonna let him start off with some of his background and how usually Jonathan's been on a few times. Normally I let my guests give their background and stuff. So if you wanna do some of that, please do. Maybe as it relates to this, bringing the metrics forth from your prior practices would be good. And then we'll just kind of bounce into this and then we'll look at it from a few perspectives he wants to bring in. And I like to bring some of the broader picture, the end game and some of the Homeland Security looks at for some of their facilities. And we'll kind of play around with this and I think you'll find it quite interesting. So stick around gang. Jonathan, thanks again for joining me. I'll let you take over there with just sort of a little bit of your history with the industry and then, you know, how metrics has come to play a part in the roles that you've had.
Excellent, appreciate it. Thank you.
So I would recommend anybody who wants kind of my full bio head to our website or my LinkedIn profile for kind of the whole thing, but I'll focus in on kind of where my maturity through metrics and wanting to like have them and know them and evolve them came from. So I started my career in security officer training where I was developing training programs for security officers. And a key thing for me was understanding what was working and what wasn't. So we were training them on how to use security systems, how to do certain rounds, how to just, you know, come from nothing, you know, right off the street and be operable and do what they want to do. So I would track certain things and measure things and trying to figure stuff out. So, you know, kind of an analytical person from the beginning. I moved on to an aerospace and defense company that had a focus on Lean and Six Sigma principles and Lean operating systems. And so they, my first security management role, they came to me and said, hey, we need your metrics. I'm like, for what? What do you mean? We're security officers, we just make sure nothing bad happened. So I really was resistant to that concept. And I said, no, we're different. We don't make widgets. We can't give you anything to track. You know, we just, we're here making sure things stay safe. And they pushed back. They go, no, you know, you're a manager now in this company and in this company, everyone does this and you need to do it. So I went to the class to learn around the Lean manufacturing operating systems. And it was like this aha moment. Like, oh, we're trying to measure the wrong stuff. And so through about eight or nine years with that company, you know, I went through kind of this iteration of really understanding, measuring key processes, mapping out key processes, applying the Lean manufacturing and operation excellence principles and then getting a performance output on things that matter to the business.
After that experience and being a global security and compliance leader, I went to work for an access control systems manufacturer under the same parent company. And they struggled with the same thing. You know, we don't make airplane parts, which is the company I came from. We make access control systems and it's different. You know, we don't do, the metrics don't do the same thing. Or I was in the sales and business development department. And so we said, no, we don't, yeah, we'll go get the check box and say we took the training, but we don't buy into that. And so the metrics, you know, didn't mean anything because it was just credenzaware because we had to do it. We just did it. And now working at 337, I'm looking across the industry seeing how metrics are used. I did an impromptu poll on LinkedIn about 70 people responding where all I asked was, do you use metrics as of now? About 80% of respondents said, yes, we use them. And I asked them to give me some examples both privately or just posted in the comments. And there were things like number of alarms or uptime of systems or number of visitors, number of badges distributed. And it was really interesting to me because I look at all those and say, well, what is that? What are you learning from that? What are you gaining? What's the outcome? What's the objective? And so that's kind of like a little bit of history and a little bit of a background on like my thoughts and perspectives. And why this is so intriguing to me is because in my perspective you can't meet an objective unless you're measuring it and then your objective has to be meaningful for your business, for your operation. And I think I get the, my hypothesis is that we don't really do this well across the security industry, whether it's integrator, manufacturer, end user, consultant, there's not really a methodology that gets applied either individually or universally.
And so I think there's a lot of opportunity for us to take industry to another level if we took a closer look at the stop.
Yeah, and 100% agree. Is it like the father of Six Sigma? I think that said, and I don't remember his name offhand, but like what gets measured gets improved, right? And so in our industry, since we grow, it just popped into my head as you were speaking. You know, we've grown, I think some in the low teen percentages every year since the 70s. So if we're growing, right? We must be doing everything right. So therefore, why should we look to improve? What measures could possibly tell us how to get better? And so that's, it's an interesting thing, you know, and I don't know if that's out of arrogance, but I know there's a, or not arrogance, but complacency maybe is a better word from across the industry, you know, that we have not pursued metrics to gauge the performance that we have and look for places that we could improve. I've seen access control comes to mind, like throughput, right? Cause there were definitely bad experiments, I don't know if they're experiments, bad projects where, you know, not enough doors to get, you know, 3000 people into a high rise, you know, in the 20 minutes before they had to all be at their desks, right? So there were problems like that early on in the industry that were, you know, so throughput for access control became sort of a known metric and need me to understand how many lanes I was going to need to enable the workforce that shows up, you know, 20 minutes before it has to be at work or whatever. But downtime, you talked a little bit about that, you know, so device downtime, I remember when we used to advertise, you know, five-nines uptime, blah, blah, blah. That was all the failover days, S2L and legato before that, all those types of things, but these are fairly archaic, right? None of them are sort of leading indicators for how we can improve our industry.
So what, from what you've seen or maybe some of the comments that you got, what do you think kind of leading indicators we could look at? What are some things we could measure for how we're getting better? I mean, crime stats don't necessarily reflect what we do. You know, maybe, maybe a piece of it does.
Yeah, I think, so where I would start is understanding, and this is why I think it's so challenging because if you looked across even like an industry and you looked at different types of operations, you looked at, let's say like, you know, we'll use the aerospace industry because I'm familiar with it. You have Boeing, you have Lockheed Martin, you have Raytheon, and you take their, you know, 10 of their sites at each one, and you say, all right, we're going to do a benchmarking exercise between your security operations across those three. If, so like the site that I'm, that was my headquarters, which is here in Minnesota, South Minneapolis, we had something like 5,000 people maybe in the building, three buildings at any given time with two entrances, and we made that work. And so we looked at that and said, all right, our, and so we looked at what's the key process? What's our key objective for security, physical security at that building? That everyone who's supposed to get in gets in when they're supposed to get in, period, right? So that's what we want to measure is are our people who are supposed to get in, authorized personnel, getting in on time and to where they need to be. And so then you start there and you work back and say, well, what does that look like? If they're a visitor, they have to get registered and processed effectively and efficiently. If they're an employee, their badge has to work. If they're a contractor, they're registered, pre-registered, they're in the system, or we can register them effectively and efficiently. So you take that and you build your security program, technology and metrics off of that.
So you also have to measure your turnbacks, turnbacks being when the thing you want to happen doesn't happen. So when the visitor isn't pre-registered, well, the employee forgot. So the way I looked at it is that was my problem because my security department didn't educate that person enough or give them enough knowledge to know that that person needed to be registered at a time, turn back for me. I have to go address that. How do I get better the next time? So taking that approach and having to distill it down to like almost an operational level, and then you may have another building that is smaller, but because of the disbursement of the parking lots, they have to have five entrances versus two. They could have half the population. So if you look at like, well, we only want one entry way and we're gonna have X many entry lanes per population, I think that's a fool's measure because it doesn't really indicate the operational effectiveness and efficiencies that need to be there based on what your key objective is. So that was my key objective. It doesn't mean it's everybody else's. If I'm an integrator, I could say I want 100% on time XYZ. For instance, for a lot of manufacturing companies, it's 100% quality on time delivery. Those are the metrics that they use. Those are easy. I get it there when I say I'm gonna get it there and it works just like it's supposed to work. You can apply those same metrics to an integrator that says I install it, it works, you're trained, and I don't have to come back for the first 30 days, something like that might be an effective metric to say it works how it's supposed to work, when it's supposed to work, and it works that way for a good extended period of time. So that's how I articulate it. That's why I think it is a bit bespoke, but there's some concepts and principles that I think could be applied universally.
Yeah, I'm looking at DHS's reference guide, and they talk about, first of all, you've got this asset inventory, right?
So you've gotta have a picture of the assets it takes to do all those things that you mentioned. You've got visitor management, you've got access control for the regular people, you've got a guest registration type system, you perhaps have guards, so you've got an asset of stuff that needs to be operational, and then of course the people that operationalize it, which they list as like resource requirements, so they kind of looked at measuring how many FTEs that they take to get it done as another sort of an input to the process of measurement. And then they also listed like countermeasures, so how many types of countermeasures are in place, right? So if you, if I don't have it to your point, if you had the one place that had only the two doors, and maybe because it's smaller, there's less surveillance on the parking lot where the other place had a larger parking lot, so I'm using surveillance over there, what type of incidents do I get, and what volume of incidents do I get, and are those countermeasures effective, or were they effectively deployed versus the other facility? And I know DHS has to look across all the facilities on all the critical infrastructure and try to find a comparative value there, but as a metric, these are interesting ideas for operationalizing security in an environment. Where does it, at what level do you think it begins to mature for an organization? How many metrics do they need to have that are valuable in guiding decision-making processes when they can say, hey, we're getting pretty good at leaning in to our business?
Well, I would apply the continuous improvement principles and say that you're never done, because you're changing your baseline based on the environment around you and there's internal and external factors. So let me double tap on that a second. If before COVID, you had mature processes and you knew how everything operated, when COVID happened, you need to reassess everything because your baseline has just adjusted.
And so now you're reapplying because you don't have anybody in your building anymore. So tracking visitors isn't a relevant statistic because it doesn't matter. And now you've changed and when your company adjusts again to whatever it's gonna be in the future, which is maybe a hybrid situation or something completely different, you now have to reassess your situation but internally and externally. So did the environment around you? So take downtown Minneapolis for an example. Last summer, actually a year ago today, I believe, you had the murder of George Floyd and all the things that happened downtown, you had a pandemic, social unrest and rioting all happening at once. Tell me one person or company that had that plan slotted out? Nobody, I bet they all do now though. And that's where the nimbleness has to come into play about how you adjust to that. So there's a framework that has been popularized in the last 10 years or so, but it's been around for a while to enterprise security risk management or ESRM. And it uses the continuous improvement framework that basically you take external internal data points you kind of put them into your assessment protocol. You see if they change any of your processes, procedures or protocols. And if they don't, then you're good and you continue on. If they do, you readjust and then reassess then it's a continuous loop. But the starting point for me is to really understand what your key processes are. And the way that I did it previously is we had a maturity matrix of where we would, there were certain components and this is right out of like the Six Sigma operating protocol and Lean operation principles. And you mature your processes up and to the right. And when you get to a certain level, you know that this is a mature process. I can track it, I know the inputs, I know the outputs, I have all the metrics around it. And then you have other processes that now you say, okay, I need to mature those.
So that means, can I track it? Do I have all the inputs and outputs? And for me, from an end user perspective, from a security practitioner, it's what value did I produce to the operation? What do I do? Or the question I would pose to myself and the colleagues is what process do we do, or if we didn't do it, would have direct impact on the business that would impact its ability to operate. So for me, going back to the example of the right people getting in the building when they were supposed to and getting where they're supposed to be, if people can't get to the production line, they can't make our products, we can't make our products, we can't ship them, we don't make money, companies cease to exist. So those are the kind of threads that we pull through to say, how do we directly impact or support the business? The same thing around collection of situational awareness and business intelligence. Are we taking that and delivering it to anybody to make actionable activities? Like if there's a tornado warning that's gonna impact one of our sites, do we give them enough heads up where they can be safe or move assets out of the way so they're not impacted or go into some sort of protective lockdown? You know, things like that. So, you know, knowing what your processes are, knowing what the impact is on the business or the operation, and then continuously assessing and improving, you know, kind of exponentially, right? The job's never done.
Nice. Nice. Okay. Cool. We're gonna pay some bills. We're talking security metrics with Jonathan Harris. I wanna get into some of these output measures and a little more continuous improvement when we get back, stick around. 60 seconds, we'll see ya.
Hey, we're back. Welcome back to Security Matters. We are talking about security metrics and Jonathan Harris has a great history of looking at this from a manufacturer's lens and then from a security lens within that environment and then looking at it across the industry.
So we were kind of kicking around input measures and we ultimately got to this idea of continuous improvement because when you get one piece of an organization, you know, operating well, mature, probably it's as effective as it can be or maybe spending more money to improve it a couple points really isn't valuable to the organization. There's maybe a maximum efficiency or something like that that can be obtained in each area. But so you'll take your resources and go look at another area that needs improvement. Maybe it's scoring a D. You wanna get all processes up to a B or an A or I think Six Sigma's. I don't remember if that's five nines or what the ultimate measure is. But DHS, I was looking at some of the ways they measure these things and when they get to the outputs, they really look at things like how many of the facilities have they assessed completely? What's the acceptable level of risk for each organization, right? So if you think about all the facilities they're responsible for across the country, if you've got facilities that are at a 60% risk level and others that are 95% protected, well, you wanna go work on those ones that are at 60% if they're the closer they are to shutting down the economy or shutting down national security, those types of risks get elevated for them. They have some other interesting things around countermeasures, the number that are deployed, the number that are needed, is there a backlog of deployment? How many have they tested and how frequently and what's the response time to a problem? These are kind of like kind of things we'd all like to know about our facilities and like from an end user perspective, the kind of things maybe people could bring into their operations. You could definitely download this if you just Google Homeland Security risk measures, you can find this document. And I thought it was kind of interesting and they ultimately get to like stakeholder satisfaction things like that, right?
Which is kind of the end user satisfaction when he asks the integrator, hey, you gave me all this stuff, what's it doing for me? You should have some metrics to back up your answer, maybe.
Yeah, 100%, I think so. I will take that in kind of two chunks there. So the one thing that I would be cautious of with some of those metrics that DHS lists off is just kind of vanity metrics. So like, hey, we got 10 sites, we assessed eight, we're good. Well, what did you assess? How did you assess it? How did you choose those? So a lot of times what I would do when I was working for a couple of years as a security consultant and working with enterprise companies specifically looking at this kind of thing, doing enterprise wide physical security risk assessments, we would look at their whole operation and say, tell me the sites that if they shut down would destroy your company, you start there. And then we say, all right, let's rank them by business impact. And then let's try to take a cross representation because we can't go look at all 100. So maybe we're gonna say we're gonna do 10%. We'll look at all the, maybe we'll do your top 10 and then we'll take 10% representation across your others. So we will go into one little sales office. We will go look at a couple of small plants. We'll go look at an R&D facility and some other things and we'll use that to try to extrapolate an effective representation of your entire risk profile. But we'll really make sure we go look at those 10 that if one of them shut down, like it's catastrophic to your business and then really applying, and you could go back to the old CARVER methodology of risk assessment or just looking at the probability and likelihood and impact, so the kind of that, you know, XY scale of, you know, what's the likelihood of it happening and what's the business operational impact if it does happen and looking at everything through those lenses and then driving your metrics off of that.
So if you just say, we assessed, you know, 10% last year, we wanna get to 40% this year. Like, does that really mean anything if you haven't done some of that asset work that you talked about when you went and looked at, what's the most important stuff? I was a subcontractor to the US government and they would require us to do what they called a crown jewels assessment. So whether it was our facilities that were working on classified programs or not, they would say you do enough work with the government and your critical infrastructure and you do things for certain other sectors that are critical to the US government kind of economy, you know, writ large. So we wanna help you protect your information. So go look at what's the IP or what's the information that you have or even that one engineer, right? You might have that really smart engineer who's the best at what they do in the world and maybe other companies, maybe other adversaries and other, you know, nation states are gonna try to, you know, get into this person to extrapolate information that could cost you as a business and frankly impact, you know, the national security efforts as well. So there's a lot to that, a lot to unpack but that's just to say that just to say assessment yes or no is probably not detailed enough unless you have that information behind it that said we went through this rigor and this methodology to pick the ones that we did, we did this many and we're gonna reassess next year make sure that nothing moved up and down the list and then we'll continue on with our assessment protocol. 
On the integrator side or the service provider side just like you said, you know, it's the same thing where those customer satisfaction metrics and I would even argue that at the end user that we need to see ourselves as service organizations and that we're providing a service and so we should be getting those customer satisfaction that's a part of our, the Six Sigma and Lean operating process is getting customer feedback and doing market feedback analysis. I'm providing you this service, how am I doing in my meeting, you know, your expectations and so if we as service providers in the security industry aren't asking our clients how am I doing and waiting to say, oh man, they just ripped us out and replaced us with a different technology we should have paid better attention. You know, all good, let's go chase down another logo and we'll work really hard to spend millions of dollars to get new customers and we could just focus on the customers that we have if we ask them how we're performing, how are we doing, how can we get better and so I think that's a huge area where customer retention metrics could be with like other parts of our like adjacent industries like SaaS companies and IT companies look at customer churn and it's a little bit easier for them to observe it because if I'm providing you a service like Netflix, Netflix can tell you every day how many people canceled and how many new subscribers they've had so they use that as a ratio, their CAC ratio of what are their customer acquisition costs with their customer churn, how many new are acquired and they have this ratio that they have for how much they're spending on new and how much they're retaining.
I've never heard of a security company in our industry that focuses on that concept to the level to the extent that I could ask you how much, what's your CAC ratio, how much money does it cost you to bring on a new client and then how much do you, where's your breakeven point, how long do you have to keep them on before now you're making money on that client and then what's your plan to retain them over time and continue to grow them. It seems like we focus on new client, new customer acquisition, new logos and that's all we wanna do and I think that's something right away that we could be measuring better than actioning and really helping companies mature and keep good customers as opposed to just chasing new ones.
Yeah, I definitely agree with you that engaging our clients from the integrator perspective. I think the alarm guys are better at kind of doing what you're talking about tracking some of the cost of acquisition in that but integrators in particular, if we're not engaging our customer in the value of continuous improvement and making sure that they understand our role in that and their role in that for their organization for the people that they're protecting to work for them. If we can't get that kind of agreement early on that that's the role that we play and have a partnership that works towards continuous improvement. They were just showing up at the door every year trying to upgrade you to the latest widgets and that's how we look, it's too transactional. And so they definitely want more value from us and we owe that to the industry, we owe that to our customers, we owe that to the country realistically as security service people. And as we pivot to real quick on that like the buzzword in our industry from an integrator perspective is the reoccurring revenue model, right? We want that RMR, those things come piece and parcel, right?
If you want me to continue to pay you for reoccurring service there needs to be a ratio of service cost and value and value needs to go up, right? Because I'm gonna look at that bill every month just like I do, I use a Netflix example. I look at it, do I still get $19.95 out of value for my Netflix? Yep, I'm keeping it, right? So that's an assessment that we're doing every time we get that bill is the value there. And so I think that's the concept that we need to embed in order to make that work.
I love it, I love it. We got a minute or so left, final comment. What do you do to motivate this industry to get better?
Yeah, I think for us it's just breaking away from the way it's always been done as an excuse to continue to do it that way. That there's other industries adjacent to us that have applied new methodologies and it's okay to try new stuff, fail quickly at it and learn from it. And I think that's what we can learn from software companies, technology companies and embrace that. And I think the companies that do that will move fast and move past other companies that don't embrace that. I think us as security professionals also need to embrace that end users need to get a little bit more comfortable with the new and I do feel that the pandemic for all the challenges and catastrophe that it has caused has expedited that component of it. And so there is this silver lining around this otherwise disastrous cloud that has pushed us forward outside of our comfort zones and embracing the new and embracing the change.
Yeah, difficulty and difficult times can bring about great change. So I do look forward to seeing that happen. Jonathan, thank you so much for your time and your insights today. Appreciate you jumping in at the last minute for this episode. We will do it again, sir. Thanks a lot. Everybody take care out there. Aloha.