Measuring what never happened

It's hard to measure the impact of something that never happened. But that is exactly what federal agencies and private companies must do in risk management, and in determining the return on investment in IT security.

That challenge is something that organizations increasingly struggle with as investing in IT security becomes more commonplace, more of a requirement and more of a prominent line item in tightening budgets. "The return is really more than just trying to calculate the dollars and cents," said Bob Brese, Energy Department CIO. "If you don’t go after the ethos and pathos of the program and the mission owner, and make it real and life-threatening...then you can't get them to invest. The ROI is about staying in business and it's about the mission."

Brese was one speaker on a panel at the FOSE trade show in Washington, D.C.

It can be tough to determine ROI when it is not even clear how or where money is being spent on security. The funding is often scattered throughout programs and under names that are not obvious.

"Sometimes when we look for security funding, we look within the budget and it happens to be permeated throughout the entire structure; other times we look very specifically at projects and identify security for them," said Ira Levy, CIO of the Howard County, Md., government. "It makes it challenging to get a sense of what is the total security spend across the organization."

Insiders say it also is a mistake to treat IT like any other budget line item – but at the same time, keeping it at a completely different level than the rest of the items in the portfolio can be a mistake as well. Funding IT security, unlike other areas, involves taking stock in investments over which half the control already is ceded to someone else.

"For those that try to make the ROI argument a math problem, it doesn’t work," Brese said. "The assumptions under which you do the math change every day, and you don’t have the bandwidth to manipulate the model on a daily basis. In the end it comes down to capability times the intent of the adversary – neither of which you can control."

It's critical to measure the right things in order to make the best, most well-informed decisions. But how do managers figure out what those right things are?

Collecting and scaling data is a key place to start so organizations can understand what the direct threats are – and what some of the vulnerabilities there may be that may not have such a significant impact on a given system, according to Julie Anderson, managing director of Civitas Group.

"We can look at the way controls are built and say, what if you didn’t have this data for a week? What kind of impact would that be?" Brese said. "And you kind of have to iterate through this. You can capture, in this business-impact type analysis – some subjective and some objective – relationships between costs to the program."

It comes down to performance management, but not in the traditional sense, Anderson added.

"As it relates to cybersecurity, performance management is about measuring what's effective and collecting data that can be used to make decisions," she said. "Measuring success is the hardest part – changing the measurement system from process-oriented to outcome-oriented."

In the government today, too much emphasis lies in measuring how fixes are implemented rather than if the fixes address the problem, sources said. Instead, more focus should be on outcome-based decisions that help measure what really improves cybersecurity – not measuring how far along an agency is in implementation.

"This capability is evolving," Anderson said. "Even the most well run organizations in the world still struggle with performance management. It started out as input metrics; now it's output metrics. Eventually it will be outcome-based data that will be most useful in future planning and investment. It will take time, but the government is on the right track."

1105 Media, parent company of FCW, produces FOSE.