Case Study

Value Made Visible

How American Water's Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time

By Scott Berinato

The event served as a catalyst in the ongoing development of a key metric that Larson uses to justify his existence to the business. He calls it the Value Protection metric.

Value Protection is Larson's attempt to overcome security's classic problem of seeming like nothing but a drain on the business. "Look, business units do one of two things: increase revenue or increase efficiency," Larson says. "We don't bring in revenue. So then you say, 'OK, then you're making the business more efficient, right?' Well, no, we don't do that either. So, if those are the two possible goals of a business unit and we don't fulfill either, then I'm confused.

"So we came up with Value Protection," Larson says. "You spend time and capital on security so that you don't allow the erosion of existing growth or prevent new growth from taking root. The number-one challenge for us is not the ability to deploy the next, greatest technology. That's there. What we need to do now is quantify the value to the business of deploying those technologies."

"It adds value; we're very supportive of it," says Steve Schmitt, American Water's vice president of operations, of Larson's Value Protection metric. For a while, people were just trying to create reasonable security, Schmitt says, "but now you need something more, something that proves the value, and that's what Bruce developed. Plus, as a secondary benefit, it's getting us better visibility from business owners and partners on risks and better ways to mitigate the risks."

Here, Larson shows how he uses the Value Protection metric to that end.

Value Protection Defined

By Larson's own admission, figuring out the Value Protection metric is "not complex, just long," by which he means it will require some legwork, meetings with business unit leaders and canvassing for data. The basic Value Protection metric is a ratio that looks like this: Value Protection = (Normal Operations Cost ($) - Event Impact ($)) / Normal Operations Cost ($). In formula:

VP = (N - E) / N

Seems simple enough. Larson's metric just subtracts the cost of security events from the normal cost of doing business, then divides by that same operations cost to get a ratio. The point of making Value Protection into a ratio is that it gives Larson a simple scale to present to executives. On this scale, a ratio of one would be perfect. (Imagine a security event with zero costs and then plug that variable into the formula: (N - 0) / N equals N / N, which equals 1.)
