Case Study
Value Made Visible
How American Water's Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time
By Scott Berinato
"Normal" Defined
When trying to define normal operations costs, Larson enlists those he's trying to protect. "So if it's a customer service director with a call center, I say, 'What's your comfort level for service interruption?'" Larson explains. Notice he's mentioning a security event, and he's asking the stakeholder what impact he would be comfortable with. "So the call center guy says he's comfortable with so many minutes of interruption, which would cost whatever," Larson says. "Then I can say, 'These are the investments I need to make to ensure that level of service.'"
Larson is being canny here. He's deferring to the business process owners on what kind of pain, what event impact E, they are willing to endure. Once he has that variable, he can work with the Value Protection ratio to define what he'd need to spend to provide that level of protection.
Say the call center manager will tolerate 20 minutes of downtime a year, which would cost $20,000. And then say Larson is comfortable with a Value Protection ratio of 0.75 or higher.
VP = (N - E) / N
VP = 0.75 and E = $20,000, so 0.75 = (N - 20,000) / N, which solves to N = $80,000.
In this case, Larson would say that he'd need no less than $80,000 for operations costs for protecting the value of the call center to the level that that manager wants it protected. "Then," Larson says, "I bring it up [with the CEO, CFO and other executives] as something from me and the business process owner." Co-ownership, he says, is a nonnegotiable prerequisite for using the Value Protection metric. Both parties must agree on what pain that business unit could comfortably endure and what it would cost to ensure that protection. His information security program would surely fail if he barged in and said, "This is what you have to spend," not only because it's a bad management approach but also because Larson couldn't possibly know what's normal and what's tolerable to every business process owner. They are in the best position to educate him. Finally, Larson says, normal is fluid. Those costs must be reviewed regularly for relevance and accuracy. How regularly? "At a minimum, annually," Larson says. "But also it's mandatory upon any business process change [such as outsourcing a service] or upon business environment change [a merger or acquisition, a supply chain variation, after natural disasters like Hurricane Katrina and so forth]. We also make the effort to validate all impact in [lessons learned] sessions."
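The same calculation carried through for more than one business unit, as an added example that is not the article's or American Water's code: it derives E from the interruption a process owner says is tolerable, solves the ratio for the N needed to reach a target VP, and reports today's VP and the budget gap. The $1,000-per-minute figure (the article's $20,000 for 20 minutes) and the billing unit are constructed assumptions.

```python
from dataclasses import dataclass

# Added example (not the article's or American Water's code). VP = (N - E) / N,
# where N is normal operations cost and E is the tolerated event impact.

@dataclass
class BusinessUnit:
    name: str
    tolerated_minutes: float  # interruption the process owner accepts per year
    cost_per_minute: float    # agreed cost of one minute of interruption
    current_budget: float     # what is spent today to protect this process (N)

    @property
    def event_impact(self) -> float:
        """E: dollar impact of the tolerated interruption."""
        return self.tolerated_minutes * self.cost_per_minute

def value_protection(n: float, e: float) -> float:
    """VP achieved by spending N against a tolerated impact E."""
    if n <= 0:
        raise ValueError("N must be positive")
    return (n - e) / n

def required_budget(e: float, target_vp: float) -> float:
    """Solve VP = (N - E) / N for N: N = E / (1 - VP).
    A target of 1.0 (no tolerated impact) would need unbounded spend."""
    if not 0 <= target_vp < 1:
        raise ValueError("target VP must be in [0, 1)")
    return e / (1 - target_vp)

def plan(units: list, target_vp: float) -> list:
    """Per unit: E, the N needed for target_vp, today's VP and the budget gap."""
    rows = []
    for u in units:
        e = u.event_impact
        need = required_budget(e, target_vp)
        rows.append({"unit": u.name, "event_impact": e, "required_budget": need,
                     "current_vp": round(value_protection(u.current_budget, e), 4),
                     "shortfall": max(0.0, need - u.current_budget)})
    return rows

if __name__ == "__main__":
    # Constructed inputs: the article's call center (20 min/yr at $1,000/min =
    # $20,000) and a hypothetical billing unit to compare across owners.
    units = [BusinessUnit("call center", 20, 1_000, 50_000),
             BusinessUnit("billing", 60, 500, 150_000)]
    for row in plan(units, 0.75):
        print(row)
```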