Visible Value

A longstanding problem with anybody selling security products is that they don’t have an ROI like normal products. Does it bring in sales or increase efficiency? Or by another formulation of the old rule of thumb, does it make money or save money? Either way, if the purchasing executives take the rule of thumb too seriously, then security looks like a cost with no benefit.
So we came up with Value Protection,” Larson says. “You spend time and capital on security so that you don’t allow the erosion of existing growth or prevent new growth from taking root. The number-one challenge for us is not the ability to deploy the next, greatest technology. That’s there. What we need to do now is quantify the value to the business of deploying those technologies.”

Value Made Visible How American Water’s Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time, By Scott Berinato CSOonline.com, April 2006

That seems like a pretty good elevator pitch to sceptical executives.

Personally, I always thought security was about protection; what else would it be? (Well, several things else, but I’ll come to that.)

If you think of it in analogy to insurance, it’s clear: insurance doesn’t bring in new sales either, nor increase efficiency.

Of course, either insurance or security can increase efficiency in the case when something bad actually happens, by making the effects less bad (paying for replacement in the case of insurance, or prevention in the case of security).

But that’s not how people usually think of efficiency.

And either insurance or security can help bring in sales. Would you rather ride in an insured taxi or one without? Would you rather use a bonded electrician or one without? Would you rather let an insured online financial house handle your money, or one without?

But that’s not how people usually think of sales.

So Larson came up with a simple formula:

Value Protection = Normal Operations Cost ($) – Event Impact ($) / Normal Operations Cost ($)

VP = (N – E)/N

Simple enough for the average executive to remember.
“Then,” Larson says, “I bring it up [with the CEO, CFO and other executives] as something from me and the business process owner.” Co-ownership, he says, is a nonnegotiable prerequisite for using the Value Protection metric.
He doesn’t say that otherwise the CxOs won’t buy it because they think it’s just IT trying to get more money. But if the customer says it’s needed, well then…. Larson is trying to quantify security in order to justify its costs. And he’s succeeding by another simple metric: he’s getting executives to spend money on it.

-jsq

PS: This article was pointed out to me by Wendy Nather.

One thought on “Visible Value

  1. wpn

    Actually, I had an email exchange with Berinato in which he made me understand that this formula is really only good as a “referendum” on past spending. In other words, the business can tell you whether the E (loss) you incurred last year was acceptable to them, and if not, you can invite them to play with the ratio by adjusting N (your spending). But this is only a way of measuring failures, not successes. Unless you can map your losses directly to things you were supposed to fix and didn’t, you won’t know whether your losses were at that level because you were spending the right amount (in the right places), or because you got lucky and things could have been worse.
    The CFO will always want to know whether you can achieve the same results next year with less money. This formula won’t give you any answer to that — until next year is done.
    I think people will be tempted to confuse security spending with insurance, which it’s not. Insurance is what you buy as a backup to minimize losses when your security spending fails in its preventive measures.

Comments are closed.