CSO Perspectives: American Water's Larson Lays Down Some Metrics

COLORADO SPRINGS, COLO. -- The CSO Perspectives conference tagline this year is "The Business Case for Security" and that's exactly what American Water's security chief Bruce Larson is trying to deliver to his bosses. He shared his experiences building and maintaining useful metrics at a breakout session here this afternoon.



Larson oversees security for the nation's largest supplier of tap water. His security division is converged, "maybe too converged," he said, showing how the company tries to be consistent with a single risk process across 10 disciplines, including information security, event management (his bosses' more pleasant euphemism for crisis management), physical security, health and safety and others. One other coyly named discipline was personnel surety, which Larson said meant "background checks, which is a term the lawyers didn't like."



At the core of Larson's security program is the Value Protection metric. He developed it, but says it boils down to planned cost for security events over observed cost for those events. That is, how much you intended to spend on security events during a business day divided by how much you actually spent. For more on Larson's metric, see "Value Made Visible."



Larson has set benchmarks using his metric and now sets goals for reaching a certain Value Protection ratio quarterly, annually and even on a five-year plan. For some security events, use of the metric is ongoing. For example, Larson has a project to calculate the damage from Hurricane Katrina, and he doesn't expect to finalize those calculations for years.
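To make the planned-over-observed ratio concrete, here is a small added example (not Larson's or American Water's code, and not from the original article) that aggregates planned and observed cost per quarter, checks each quarter against a goal ratio, and keeps events whose damage assessment is still open, such as the Katrina project described above, out of the ratio until a final cost exists. The event names, quarters, dollar figures and the goal of 1.0 are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurityEvent:
    """One security event: what we planned to absorb and what it actually cost.

    observed_cost is None while the damage assessment is still open, so the
    event is tracked but does not yet feed the ratio.
    """
    event_id: str
    quarter: str                     # reporting period, e.g. "2006Q1" (constructed)
    planned_cost: float              # budgeted / expected cost for this kind of event
    observed_cost: Optional[float]   # final cost, or None if still being calculated


def value_protection(planned: float, observed: float) -> float:
    """Value Protection as the article defines it: planned cost over observed cost.

    A ratio above 1.0 means the period cost less than planned; below 1.0 means
    losses exceeded what was planned for.
    """
    if observed <= 0:
        raise ValueError("observed cost must be positive to form a ratio")
    return planned / observed


def quarterly_ratios(events: List[SecurityEvent]) -> Tuple[Dict[str, float], List[str]]:
    """Sum planned and observed cost per quarter and return the ratio per quarter.

    Events with no final observed cost are returned separately as still open
    rather than being counted at zero, which would inflate the ratio.
    """
    planned = defaultdict(float)
    observed = defaultdict(float)
    open_events: List[str] = []
    for ev in events:
        if ev.observed_cost is None:
            open_events.append(ev.event_id)
            continue
        planned[ev.quarter] += ev.planned_cost
        observed[ev.quarter] += ev.observed_cost
    ratios = {q: value_protection(planned[q], observed[q]) for q in sorted(planned)}
    return ratios, open_events


def meets_goal(ratios: Dict[str, float], goal: float) -> Dict[str, bool]:
    """Compare each quarter's ratio with the goal ratio set for that period."""
    return {q: r >= goal for q, r in ratios.items()}


# Constructed sample events; the figures are illustrative, not American Water's.
EVENTS = [
    SecurityEvent("E1", "2006Q1", 50_000, 40_000),
    SecurityEvent("E2", "2006Q1", 30_000, 60_000),
    SecurityEvent("E3", "2006Q2", 20_000, 10_000),
    SecurityEvent("HURRICANE", "2005Q3", 1_000_000, None),  # assessment still open
]

if __name__ == "__main__":
    ratios, still_open = quarterly_ratios(EVENTS)
    for quarter, ratio in ratios.items():
        print(f"{quarter}: value protection {ratio:.2f}")
    print("goal 1.0 met:", meets_goal(ratios, 1.0))
    print("events awaiting final cost:", still_open)
```

Keeping open events out of the denominator rather than treating them as zero cost is the point of the `None` handling: a multi-year assessment like the one described above would otherwise make every interim report look better than it is.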



Larson had two key points beyond metrics he wanted to make. First, he's trying to build metrics that become part of the business vocabulary, metrics that aren't specific to a person or security team that, after all, might not always be there. "I want security metrics to become like profit per share or EBITDA," he said. "They never change no matter who the CFO is."



Also, Larson wanted security to change its thinking about who owns security metrics. "I've gone from wanting senior management buy-in to wanting senior management ownership," Larson said. "They own the metrics; we just host them." To make this shift, Larson said, it's imperative to get out into the business units and get them calculating losses from security events and contributing. He can guess all day long, but the metrics would never be as effective that way.



-- Scott Berinato