CSO Perspectives: American Water’s Larson Lays Down Some Metrics

Mar 19, 2007

Data and Information Security | Identity Management Solutions | IT Leadership

COLORADO SPRINGS, COLO. — The CSO Perspectives conference tagline this year is “The Business Case for Security” and that’s exactly what American Water’s security chief Bruce Larson is trying to deliver to his bosses. He shared his experiences building and maintaining useful metrics at a breakout session here this afternoon.

Larson oversees security for the nation’s largest supplier of tap water. His security division is converged, “maybe too converged” he said, showing how the company tries to be consistent with a single risk process across 10 disciplines, including information security, event management (his bosses’ more pleasant euphemism for crisis management), physical security, health and safety, and others. One other coyly named discipline was personnel surety, which Larson said meant “background checks, which is a term the lawyers didn’t like.”

At the core of Larson’s security program is the Value Protection metric. He developed it but says it boils down to planned cost for security events over observed cost for those events. That is, how much you intended to spend during a business day divided by how much you actually spent. For more on Larson’s metric, see “Value Made Visible.”

Larson has set benchmarks using his metric and now sets goals for reaching a certain Value Protection ratio quarterly, annually and even on a five-year plan. For some security events, use of the metric is ongoing. For example, Larson has a still-open project to calculate the damage from Hurricane Katrina, and he doesn’t expect to finalize those calculations for years.

Larson had two key points beyond metrics he wanted to make. First, he’s trying to build metrics that become part of the business vocabulary, that aren’t tied to a particular person or security team who, after all, might not always be there. “I want security metrics to become like profit per share or EBITDA,” he said. “They never change no matter who the CFO is.”

Second, Larson wanted security to change its thinking about who owns security metrics. “I’ve gone from wanting senior management buy-in to wanting senior management ownership,” Larson said. “They own the metrics; we just host them.” To make this shift, Larson said, it’s imperative to get out into the business units and get them calculating losses from security events and contributing the figures themselves. He can guess all day long, but the metrics would never be as effective that way.

— Scott Berinato