Case Study
Value Made Visible
How American Water's Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time
By Scott Berinato
Other times, the hard-to-quantify costs simply remain separate, a footnote. In those cases, Larson can present a Value Protection metric with a note attached that says, "We've left perception costs out of this, but we expect to incur some costs there." Larson must keep a careful balance between leaving out the costs that are wild guesses (because they will create a misleading ratio) and including all costs that can be assigned with some accuracy (because they will increase the confidence in the ratio).
In any case, Larson says, it's important to define event costs consistently with all business process owners so that comparisons are valid. If, for example, American Water defined response costs differently than RWE Thames, then the comparison of man-hours for recovery, and eventually this implementation of the Value Protection ratio, would be invalid.
Savvy security professionals will see Larson's Value Protection metric for what it is: a simple, smart approach to risk analysis. But Larson has larger ambitions for Value Protection. "That's why I'm sharing it," he says. "We need to start sharing our data. We need to share what we know about ourselves. And we need to accumulate a good set of historical data resulting from events like Welchia."
From that, Larson can see in his mind's eye what he calls the "ultimate evolution" of Value Protection, "when cross-discipline industry organizations have these metrics. Underwriters could supply the metrics and tell us what's 'good' and what's 'not good' security. Because," he says, "ultimately we'd love to transfer this risk instead of just mitigate it and own it. There needs to be that third option of transference. We have insurance for everything else. There's M&A insurance, IPO insurance.
"Why not real, scientific information security insurance? That should be our goal."



