Case Study

Value Made Visible

How American Water's Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time

By Scott Berinato

Page 3

But events that have zero impact aren't really events, so a Value Protection ratio of one is an idealized fiction. It's better to think of Value Protection as a number approaching one, and to think of the information security department's job as bringing that ratio as close to one as possible. Looking strictly at the formula's variables, there are two ways to move the Value Protection ratio closer to one: minimize event impact or increase normal operations costs. That is, you either find ways to make your E smaller or your N larger.

Increasing N isn't always an option, and even when it is, it might not be the one you want to lead with. After all, if you can lower your E without increasing spending, that's both more efficient for you and more desirable to your bosses.

And in fact there are ways to finesse the Value Protection ratio closer to one without increasing spending. Take security information management (SIM) systems. Traditionally, SIMs were used to look for anomalies in network traffic and raise alarms when something suspicious came across the wire. But in the post-Sarbanes-Oxley world, SIMs have been extended into compliance tools, using the logging capability they already possessed to track network activity. With little or no increase in operations costs, information security managers have lowered their security event costs, since proper logging minimizes exposure to compliance fines.

"We could be more productive. Any time I hear someone say, 'Oh, that tool paid for itself in a week just with the productivity gains alone,' I'm skeptical."

- Bruce Larson

Managing information security by plugging data from real events into the Value Protection formula is the ideal situation. Larson was lucky enough to have the real thing, the Welchia worm, to combat. That this real thing hit in two distinct geographies, which he could then compare, made him even luckier. It was a stark case, which Larson says showed RWE Thames suffered "at least 100 times the impact" that American Water suffered.

But not everyone has that kind of detailed comparative or historical data. (Larson will continue to collect such data, and both he and VP of Operations Schmitt say they will continue to refine their use of Value Protection as a metric.)

Value Protection can also be used as an investment analysis tool. In that scenario, a CISO would aggregate the total expected negative event impact over the life of a particular investment and then subtract that from the operating costs over that same period of time to get an expected Value Protection ratio for any given potential investment or set of investments. (Calculating the event impact costs for events that haven't happened presents a challenge, and requires intense dialogue and collaboration between the security department and business units; more on this later.)
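The investment-analysis use of the ratio, worked through in code as an added example (it is not Larson's spreadsheet or anything from the article). It assumes the ratio has the form VP = (N - E) / N, with N the normal operating cost and E the total impact of negative events over the same period; that form is inferred from the discussion above, where shrinking E or growing N both push the ratio toward one. The threats, probabilities, investments and dollar figures are constructed, not American Water's. Beyond the article's description, the example also reports expected loss avoided per dollar of new spend, because an option that adds cost without reducing any event impact still lifts VP simply by inflating N, which is the trap the "make N larger" lever hides.

```python
"""Expected Value Protection ratio as an investment-analysis tool.

Added example, not from the article. Assumes VP = (N - E) / N, where N is the
normal operating cost and E the total impact of negative security events over
the same period (the form is inferred from the article's discussion; the exact
formula is stated on an earlier page). Every threat, probability and dollar
figure below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # chance the event occurs in a given year
    impact: float              # cost of one occurrence: downtime, cleanup, fines


@dataclass
class Investment:
    name: str
    annual_cost: float                              # added to N every year
    mitigation: dict = field(default_factory=dict)  # threat name -> fraction of impact removed


def expected_event_impact(threats, mitigation, years):
    """E over the investment's life: annualized expected loss (probability * impact)
    per threat, scaled by what the investment leaves unmitigated, summed over years."""
    total = 0.0
    for t in threats:
        residual = 1.0 - mitigation.get(t.name, 0.0)
        total += t.annual_probability * t.impact * residual * years
    return total


def value_protection(n, e):
    """VP = (N - E) / N. Goes negative when events cost more than normal operations."""
    if n <= 0:
        raise ValueError("normal operating cost must be positive")
    return (n - e) / n


def evaluate(baseline_annual_ops, threats, investment, years):
    """N, E, new spend and VP for one option over the investment's life."""
    n = (baseline_annual_ops + investment.annual_cost) * years
    e = expected_event_impact(threats, investment.mitigation, years)
    spend = investment.annual_cost * years
    return {"investment": investment.name, "N": n, "E": e, "spend": spend,
            "VP": value_protection(n, e)}


def rank_investments(baseline_annual_ops, threats, investments, years):
    """Evaluate each option against a do-nothing baseline, sorted by VP.
    'avoided_per_dollar' is expected loss avoided per dollar of new spend; it
    exposes an option whose VP rose only because it made N bigger."""
    base = evaluate(baseline_annual_ops, threats, Investment("do nothing", 0.0), years)
    rows = []
    for inv in investments:
        r = evaluate(baseline_annual_ops, threats, inv, years)
        avoided = base["E"] - r["E"]
        r["avoided_per_dollar"] = avoided / r["spend"] if r["spend"] else 0.0
        rows.append(r)
    rows.sort(key=lambda r: r["VP"], reverse=True)
    return base, rows


# Constructed scenario (hypothetical figures, not the utility's).
THREATS = [
    Threat("worm outbreak", annual_probability=0.5, impact=400_000),
    Threat("compliance finding", annual_probability=0.3, impact=100_000),
]
OPTIONS = [
    Investment("SIM log retention for compliance", 20_000, {"compliance finding": 0.8}),
    Investment("patch management program", 150_000,
               {"worm outbreak": 0.75, "compliance finding": 0.2}),
    Investment("gold-plated appliance, no new controls", 500_000, {}),
]


if __name__ == "__main__":
    base, rows = rank_investments(1_000_000, THREATS, OPTIONS, years=3)
    print(f"{'option':45} {'VP':>7} {'E':>10} {'avoided/$':>10}")
    print(f"{base['investment']:45} {base['VP']:7.3f} {base['E']:10,.0f} {'-':>10}")
    for r in rows:
        print(f"{r['investment']:45} {r['VP']:7.3f} {r['E']:10,.0f} "
              f"{r['avoided_per_dollar']:10.2f}")
```

Run as a script it prints the ranking: the patch program scores highest on VP and removes the most expected loss; the appliance that mitigates nothing still beats the SIM option on VP because its spend inflates N, while the SIM option returns the most avoided loss per dollar. Reading VP beside the per-dollar figure is what keeps the ratio honest when it is used to justify spending.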
