Measuring what never happened

world map

It's hard to measure the impact of something that never happened. But that is exactly what federal agencies and private companies must do in risk management, and in determining the return on investment in IT security.

That challenge is something that organizations increasingly struggle with as investing in IT security becomes more commonplace, more of a requirement and more of a prominent line item in tightening budgets. "The return is really more than just trying to calculate the dollars and cents," said Bob Brese, Energy Department CIO. "If you don’t go after the ethos and pathos of the program and the mission owner, and make it real and life-threatening...then you can't get them to invest. The ROI is about staying in business and it's about the mission."

Brese was one speaker on a panel at the FOSE trade show in Washington, D.C.

It can be tough to determine ROI when it is not even clear how or where money is being spent on security. The funding is often scattered throughout programs and under names that are not obvious.

"Sometimes when we look for security funding, we look within the budget and it happens to be permeated throughout the entire structure; other times we look very specifically at projects and identify security for them," said Ira Levy, CIO of the Howard County, Md., government. "It makes it challenging to get a sense of what is the total security spend across the organization."

Insiders say it also is a mistake to treat IT like any other budget line item – but at the same time, keeping it at a completely different level than the rest of the items in the portfolio can be a mistake as well. Funding IT security, unlike other areas, involves taking stock in investments over which half the control already is ceded to someone else.

"For those that try to make the ROI argument a math problem, it doesn’t work," Brese said. "The assumptions under which you do the math change every day, and you don’t have the bandwidth to manipulate the model on a daily basis. In the end it comes down to capability times the intent of the adversary – neither of which you can control."

It's critical to measure the right things in order to make the best, most well-informed decisions. But how do managers figure out what those right things are?

Collecting and scaling data is a key place to start so organizations can understand what the direct threats are – and what some of the vulnerabilities there may be that may not have such a significant impact on a given system, according to Julie Anderson, managing director of Civitas Group.

"We can look at the way controls are built and say, what if you didn’t have this data for a week? What kind of impact would that be?" Brese said. "And you kind of have to iterate through this. You can capture, in this business-impact type analysis – some subjective and some objective – relationships between costs to the program."

It comes down to performance management, but not in the traditional sense, Anderson added.

"As it relates to cybersecurity, performance management is about measuring what's effective and collecting data that can be used to make decisions," she said. "Measuring success is the hardest part – changing the measurement system from process-oriented to outcome-oriented."

In the government today, too much emphasis lies in measuring how fixes are implemented rather than if the fixes address the problem, sources said. Instead, more focus should be on outcome-based decisions that help measure what really improves cybersecurity – not measuring how far along an agency is in implementation.

"This capability is evolving," Anderson said. "Even the most well run organizations in the world still struggle with performance management. It started out as input metrics; now it's output metrics. Eventually it will be outcome-based data that will be most useful in future planning and investment. It will take time, but the government is on the right track."

1105 Media, parent company of FCW, produces FOSE.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

The Fed 100

Read the profiles of all this year's winners.


  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group