Providing Value: Where Do You Stand with the C-Suite?

DESCRIPTION

Providing Value: Where Do You Stand with the C-Suite? Session 12. Matt Schmidt & Dr. Chip Council. December 3rd, 2008 – 1:00PM. Presentation Overview: Overall Value Goals; ROI & Measuring Success; Monitoring Investments & Tools; Being a Good Steward to the Business. Providing Value: Goals.

Citation preview

Page 1: Providing Value:  Where Do You Stand with the C-Suite?

Session #Title of Your Presentation

Page 2: Providing Value:  Where Do You Stand with the C-Suite?

© If appropriate, insert your organization’s copyright information

Session 12

Matt Schmidt & Dr. Chip Council

December 3rd, 2008 – 1:00PM

Providing Value: Where Do You Stand with the C-Suite?

Page 3: Providing Value:  Where Do You Stand with the C-Suite?

Presentation Overview

Overall Value Goals

ROI & Measuring Success

Monitoring Investments & Tools

Being a Good Steward to the Business

Page 4: Providing Value:  Where Do You Stand with the C-Suite?

Providing Value: Goals

Supported by management

Integrated in enterprise risk management processes

Maturity

Page 5: Providing Value:  Where Do You Stand with the C-Suite?

A Tragedy of the Commons: Free IT!

As an organization grows, the demand for IT grows

Some demands will go unmet

Dissatisfaction can lead to turnover, low morale, etc.

A finite resource subjected to infinite demand must fail.

Page 6: Providing Value:  Where Do You Stand with the C-Suite?

A Tragedy of the Commons: IT Budgeting

Many companies still use a model of a centralized budget for IT funding

– Business = supplicants for budget dollars

– IT = custodians of IT budget

Both groups are measured by differing standards

– Business = revenue, market share, cost reduction

– IT = how the budget was managed

Page 7: Providing Value:  Where Do You Stand with the C-Suite?

Three Degrees of Policy (AAA)

– Absent…one extreme

– Aspirational…to the other

– Appropriate…just right

"Best practice is intended as a default policy for those who don't have the necessary data or training to do a reasonable risk assessment."

                                                    --George Spafford

Example: Security Policy/Standards

Page 8: Providing Value:  Where Do You Stand with the C-Suite?

What is ROI?

The complete benefit from an investment

This includes risk mitigated

To be complete it must include an assessment of both tangibles and intangibles

KEY THOUGHT: Intangibles CAN BE MEASURED!

Page 9: Providing Value:  Where Do You Stand with the C-Suite?

Why is Complete ROI Important?

Worthy projects are not getting funding

CFOs have become highly skeptical of soft benefits

CFOs are insisting on hard, tangible returns for each investment

Research shows that up to 90% of the costs and benefits of IT investments are intangibles

Firms are sacrificing their long-term growth to make their short-term numbers.

-Source- Erik Brynjolfsson, management professor at MIT's Sloan School of Management

Page 10: Providing Value:  Where Do You Stand with the C-Suite?

Are Capabilities Intangible?

Example of Capabilities?

– Capability of identifying intrusions with immediate notification

– Capability of disabling privileged access directly from the HR System

– Capability to prove Compliance

How do we measure the impact of the capability?

Page 11: Providing Value:  Where Do You Stand with the C-Suite?

How To Measure Success

Establish goals prior to an effort

Goals must be measurable

Use of “Performance” and “Goal” indicators

Must be understood by non-technical management

Page 12: Providing Value:  Where Do You Stand with the C-Suite?

Create a Governance Committee

Focus on agility and results

The Structure of the committee

Who should be on the committee

How often should they meet

Ensure clear communication to the top

Determine Success Factors

Page 13: Providing Value:  Where Do You Stand with the C-Suite?

How to Monitor Investments – Val-IT

Allows organizations to get business value from IT investments

Provides a governance framework

Includes a set of guiding principles

A number of processes conforming to those principles

A further defined set of key management practices.

Page 14: Providing Value:  Where Do You Stand with the C-Suite?

Economic Issues & IT Governance

IT Governance surfaces/resurfaces during times of economic crisis

– Survival mode: Marching orders to CUT, CUT, CUT!

– Uninformed decisions often produce adverse results

Keys

– Prioritization

– Smart use of resources

*Just as critical during times of growth and prosperity*

Page 15: Providing Value:  Where Do You Stand with the C-Suite?

Being a Good Steward to the Business

Speak the language of the business

– Talk in terms of risk

– Save the technospeak for /. responses

Credibility

– Security management needs to establish at C-level

– Give honest feedback

Page 16: Providing Value:  Where Do You Stand with the C-Suite?

Being a Good Steward to the Business

Understand how the business interprets ROI

– Most likely different than Information Security

– Difficult to quantify security benefits

Don’t lose sight of strategy

Be flexible

And…

Page 17: Providing Value:  Where Do You Stand with the C-Suite?

Being a Good Steward to the Business

BE CONSISTENT AND

DON’T OVERCOMPLICATE!!

http://xkcd.com/74/

Page 18: Providing Value:  Where Do You Stand with the C-Suite?

Questions?
