Wednesday, July 13, 2011

Security Metrics: Demonstrate the Business Value

"The top management doesn’t want to listen to a technology speech. Show them trends and measurably demonstrate the business value of the various controls put in place"
What does management look at when it weighs the money the company’s information security specialists spend on various controls?
Our company, Bharti AXA General Insurance Company Ltd., is a general insurance joint venture started about three years ago, and right from the start I’ve been interacting extensively with the business side of the company. We were late entrants into the insurance market (probably the 16th entrant), there were giants ahead of us, and the shareholders wanted to get into the top five within a five-year time frame.
Every time I went to the management to get budget approvals for information security, the questions were very different from what I’d faced earlier. The management would say, ‘Fine, we’ll give you the money, but tell us how this will help us get into the top 5 slot in the insurance market.’ I would get stumped, thinking I was talking about security and controls, but the management needs to know how that will help the company meet its objective.
Balanced Score Card: Such questions prompted us to attempt a balanced-score-card approach to demonstrate the value at risk to our business colleagues. Our company’s mission is to become the preferred general insurance provider for our customers, partners, employees and shareholders. The balanced score card talks about finance, employees, learning and growth, and customers, which puts our mission statement in alignment with the score card quadrants. That’s how we got the idea to use the score card approach to show how information security is adding value and contributing to the company’s growth.
Every department had to come up with their goal sheets in line with the mission statement. The Information Security team also did the same. While not exactly following the score card methodology, we looked at how we can add value to shareholders, partners, and customers.
Metrics: What did we measure? Instead of the usual counts of incidents, or of user IDs created or deleted, we tried to give the business a number for the value at risk. The question was how to tie the security metrics to the top line and the bottom line for every single security incident, so we presented this from a finance and business perspective.
For example, if the company’s website went down for a certain period, customers wouldn’t be able to buy online policies, which would hit the top line. Tracking the number of customers who generate quotes on the site therefore gives an indicator, since the ratio of quotes generated to policies actually sold is known. While this isn’t a fool-proof system, and has a lot of assumptions, it still yields a way to value the risk to the business.
If we didn’t have log monitoring, firewalls, IPS, IDS and so on, what would the value at risk be? From a regulatory and compliance point of view, the auditors from the Insurance Regulatory Authority of India tend to look at the steps we’ve taken from the perspective of customer protection, which again plays into the idea of figuring out what the value at risk is and how the score card will be affected by the absence of certain IS measures.
Business executives look for trends in the form ‘where were we six months ago, what is our position today, and where do we want to be two quarters down the line.’ Finding a measurable way to show which direction the risk to the business is moving, before and after the various controls are put in place, will help CIOs get the backing of their business colleagues.
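The website-downtime calculation and the before/after trend described in the two paragraphs above, written out as an added Python example (this is not code from the article or from Bharti AXA). It assumes an hourly quote-rate profile, a quotes-to-policies conversion ratio and an average premium; all three numbers and the outage windows are constructed for illustration, and a real version would pull them from web analytics and the policy system.

```python
from datetime import datetime, timedelta

# Constructed hourly quote baseline: quotes the site normally generates in each
# hour of the day (an assumed profile; a real one comes from web analytics).
HOURLY_QUOTES = [2, 1, 1, 1, 1, 2, 4, 8, 15, 25, 30, 32,
                 30, 28, 27, 26, 24, 22, 20, 16, 12, 8, 5, 3]

CONVERSION_RATIO = 0.08      # assumed ratio of quotes generated to policies sold
AVERAGE_PREMIUM_INR = 12000  # assumed average premium per policy, in INR

# Constructed outage windows (start, end). The first two fall before an
# assumed control (say, an IPS and log monitoring) went live in April 2011.
SAMPLE_OUTAGES = [
    (datetime(2011, 1, 10, 10, 0), datetime(2011, 1, 10, 13, 0)),
    (datetime(2011, 2, 20, 9, 30), datetime(2011, 2, 20, 10, 0)),
    (datetime(2011, 4, 5, 14, 15), datetime(2011, 4, 5, 14, 45)),
]


def lost_quotes(start, end):
    """Quotes the site would normally have generated during [start, end).

    Walks the outage hour by hour so that partial hours are prorated against
    the baseline for that hour of the day.
    """
    total = 0.0
    t = start
    while t < end:
        next_hour = t.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
        segment_end = min(next_hour, end)
        fraction = (segment_end - t).total_seconds() / 3600
        total += HOURLY_QUOTES[t.hour] * fraction
        t = segment_end
    return total


def top_line_at_risk(outages):
    """Revenue (INR) put at risk: lost quotes x conversion ratio x premium."""
    quotes = sum(lost_quotes(start, end) for start, end in outages)
    return quotes * CONVERSION_RATIO * AVERAGE_PREMIUM_INR


def quarterly_trend(outages):
    """Value at risk per calendar quarter: the 'where were we six months ago,
    where are we today' view that the article says executives ask for."""
    buckets = {}
    for start, end in outages:
        quarter = f"{start.year}Q{(start.month - 1) // 3 + 1}"
        buckets[quarter] = buckets.get(quarter, 0.0) + top_line_at_risk([(start, end)])
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    for quarter, inr in quarterly_trend(SAMPLE_OUTAGES).items():
        print(f"{quarter}: INR {inr:,.0f} of top line at risk from website downtime")
```

The point of the trend function is that the same metric is reported per quarter, so the quarter after a control went in can be put next to the quarters before it; the absolute number carries the assumptions the article acknowledges, but the direction of movement is what the business side reads.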

Dear CIOs,

CTO Forum is happy to present this opinion piece by Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance Company Ltd., in continuing our efforts to bring you expert opinion of substance from peers and specialists.


Happy reading,

Team CTO Forum
Bring out the value at risk in both the top line and bottom line, and your information security plans will get the business backing, says Parag Deodhar, CRO of Bharti AXA General Insurance Company.
