ruben melendez - economically justifying it security initiatives
Ruben E. Melendez, President
Global Lynx Inc. & Glomark-Governan
Economically Justifying IT Security Initiatives
& The Value to IT of Using Standards and Frameworks
This presentation includes Copyright © 1992-2016 material from Global Lynx, Inc. and Glomark-Governan LLC, as well as content from patent-pending models from Glomark-Governan LLC.
OH NO!
…my IT Security Initiative Was Moved to Next Year’s Budget
Which standard or framework should we use to economically demonstrate and enable the value of IT Security Initiatives?
Kaizen, Lean, 6 Sigma, ITIL, COBIT, ISO, DevOps, Balanced Score Cards, SCRUM, PMBOK, PRINCE2, DMAIC, CAPO, Pace Layered, MOF, CMMI, TQM, EVM, RESILIA, NIST, COSO, BS, EVC
Copyright © 2016 Global Lynx Inc. and Glomark-Governan LLC
There is a proliferation of standards and frameworks for IT Management and IT Security.
This presentation is designed to…
Highlight new or enhanced frameworks that can be used to enable the business value of IT, and economically justify IT security initiatives.
Show examples of tools that can be used to discover and enable value creation with IT Security initiatives.
Why this session?
Industrial Age / Information Age / Digital Age
Telegraph, Telephone, Typewriter
MIS -> IT, Microprocessor, Electronics, PC & Client/Server, Internet
Cloud, Mobile, Big Data, IoT, Process Automation, Analytics
Today
Business Cycles -> Multi-Year / 1 to 2 years / Months
Value Management -> i.e., Deming’s TQM / i.e., 6 Sigma / i.e., EVC
Uncertainty & Risk -> A Concern / High Concern / Very High Concern
Business Processes -> Designed / Re-Engineered / Transformed, Re-Invented, Disrupted
Let’s first discuss what is happening
Round ONE:
Round TWO:
Before Implementation
Rank and Approve
Value Discovery
Value Comparison
Ideas for Initiatives
Project Management
Value Enablement
Today, there are islands of communication and collaboration -> Business results are not always achieved
What is Value Management
IT Operations and IT Security
Value Realization
Disconnects in Value Management
Not enough collaboration
Not enough communication
Lack of Metrics Coordination
Lack of Benefits Tracking
Reactive instead of Dynamic
Business Case
In the Digital Age…
The Business Environment is changing drastically.
Opportunities and Threats appear constantly.
Business Cycles are considerably shorter (from idea to execution).
Customer needs (internal and external) are constantly changing.
A large portion of IT initiatives and IT purchases occur in the business areas.
The high number of Innovation initiatives based on new technologies (i.e. IoT) is creating a higher risk environment, and higher uncertainty when forecasting benefits.
Customer value assessment often ends when the initiative is approved.
Current IT Standards and Frameworks are very helpful, but they are basically static (e.g., ITIL life cycle), vs. dynamic.
Innovation & Disruption -> faster business cycles -> more and smaller initiatives -> higher uncertainty -> higher risk
To move from Reactive to Proactive –> from Static to Dynamic.
Reactive = Waiting until next year to assess IT maturity and risk, and redefining our IT Strategy, IT Portfolio and IT Services.
Proactive = Dynamically and proactively participating in each new business initiative, and collaborating in the assessment (prior to decisions) and enablement of “Enterprise Value Creation (EVC)”.
A STRUCTURED FRAMEWORK FOR VALUE MANAGEMENT, to: Better execute initiatives with proactive team communication, collaboration, and measurement, in order to enable value creation for each initiative.
Enable TWO MODALITIES (a.k.a. Two-Speed-IT)… for Planning, Budgeting, Governance and Management.
Traditional (governance-based) and Fast (dynamic and fast).
To Succeed in the Digital Age, IT teams need…
A more dynamic approach is necessary to ENABLE all IT areas to be proactive, and collaborative with business areas, in order to meet the current market needs, and make business cycle times shorter.
COBIT -> Improved management control and governance
New methods and enhanced frameworks are helping in the assessment and enablement of Value Creation for the digital, innovation and two-modalities age.
Some are providing the Why and When – others the What – and others the How.
ITIL Practitioner -> Increased focus on benefits and customer value
Pace Layered Architecture -> Grouping of IT Initiatives in Tiers
SCRUM and PRINCE2 -> Increased focus on agility, and the need for the business case
DevOps -> Increased collaboration, automation and communication
EVC -> Proactive and dynamic collaboration, measurement, and communication on value creation
Resilia -> Proactive and collaborative cyber resilience
New and Enhanced IT Frameworks for IT Value Management
Reactive, One-Speed Orientation
IT Management
Business Management
Dynamic, Two-Speed Orientation
Enterprise Value Management
* Such as NIST, ISO 27000, Resilia, etc.
IT Frameworks Enabling Business and Enterprise Value Management
What is Needed
A Proactive, Collaborative & Dynamic Value Management Framework…
- How? By going beyond the Business Case -> By Implementing a Business Value Plan (BVP) approach…
Business Case
Focus is on…
Justifying the initiative, and getting funds to move forward.
Business Value Plan (BVP™)
Focus is on…
Getting approval on a plan that:
Justifies moving forward with the initiative,
Determines the pace (degree of urgency),
Includes the elements to realize the value forecasted by all the initiative’s Stakeholders.
The BVP is based on the elements of the EVC Framework that enable a proactive and dynamic IT results environment, as required in the digital age!
* This and the following slides of this presentation are elements of the EVC framework from Glomark-Governan.
Copyright © 2016 Glomark-Governan LLC
The Core of a Dynamic IT Value Management Practice
Before Implementation
Rank and Approve
Value Discovery
Value Comparison
Ideas for Initiatives
Project Management
Value Enablement
IT Operations and IT Security
Value Realization
Dynamic, Collaborative and Proactive IT Value Management
The Means for identifying the best value creation metrics for each initiative
Involvement of Benefactors and Beneficiaries
Validation and/or Agreement on SLAs, KPIs, and Expected Benefits
Business Value Plan (BVP™)
Before Implementation
Rank and Approve
Value Discovery
Value Comparison
Ideas for Initiatives
Project Management
Value Enablement
IT Operations and IT Security
Value Realization
Business Case
Vs.
Complete BVP - Traditional process - Granular content
Simple BVP - Rapid process - High level content
Content & Speed
Two Modalities for the Business Value Plan (BVP™)
What is the EVC Framework?
ADOPTION and ADAPTATION of:
1. EVC PRINCIPLES: A set of EVC Principles that are the foundation for a dynamic IT value management practice.
2. EVC STAGES: A set of capabilities for getting the correct Stakeholders proactively and dynamically involved to enable value creation via a simple, yet effective metrics approach (SLAs and KPIs).
3. EVC ENABLING TOOLS: Provide the How.
EVC Framework
Business Value Plan (BVP®)
The EVC Framework
1. EVC Principles
2. EVC Stages
3. EVC Enabling Tools
EVC Comparison
EVC Strategy
EVC Discovery
EVC Enablement
Initiative Implementation
Pre-Implementation
EVC Realization
Post-Implementation
Idea Operations
= $2 Million lost in 12 minutes
= $ Billions for shareholders lost
Most IT standards and frameworks tend to be focused on increasing profits->
…but what about maintaining profits?
IT Security and The Importance of Maintaining Enterprise Value
ADOPTION OF EVC PRINCIPLES
Enterprise Profits $
time
Pre-Implementation
Post-Implementation
Today (base line)
Economic Benefits
Increase Value
• Cost Reduction
• Revenue Increase
Maintain Value
• Cost Avoidance
• Revenue Protection
Example: EVC Principle #6: Maintaining Profits/Cash is as important as Increasing Profits/Cash
EVC Framework
Eleven EVC Principles that are the foundation for a dynamic value management practice.
Use of the EVC STAGES
A how-to method that provides the necessary capabilities for getting the correct Stakeholders ready to enable value creation; including:
• Benefactors: For proactively participating and validating expectations (SLAs).
• Beneficiaries: To agree and validate benefits, causes, effects, and metrics for success (KPIs).
• Other Constituencies: That need to validate or participate in the realization of the forecasted benefits.
EVC Framework
Stages and Capabilities of the EVC Framework
EVC Framework: 1. EVC Principles, 2. EVC Stages & Capabilities, 3. EVC Enabling Tools
Business Value Plan (BVP®)
EVC Strategy: Is the Stage where executives define the portfolio strategy, and determine the criteria for comparing, prioritizing, ranking, and selecting initiatives and projects.
EVC Discovery: Is the Stage where the Initiative Business Value Plan (BVP) is built. Two modalities (speed and content) of BVPs are required in the new digital economy.
EVC Comparison: Is the Stage where executives compare, rank and select initiatives; and assign budgets.
EVC Enablement: Is the Stage where value is tracked and enabled, via communication and collaboration.
EVC Realization: Is the Stage where value is managed, optimized, and delivered to the customer on an on-going basis.
Idea, Pre-Implementation, Initiative Implementation, Post-Implementation, Operations
Adoption and Adaptation of EVC ENABLING TOOLS
Examples:
EVC Matrix -> A Multi-Dimensional Tool.
For Needs Discovery, TBO Identification, and Dependencies Analysis
Degree of Urgency Analysis -> Magnitude of Impact, Likelihood of Risk, and Timing for Execution
Causation Analysis -> Causes and SLAs - Effect and KPIs
Uncertainty Analysis -> Forecasted improvements, and Outcome Dependencies
Benefit’s MQ -> Anatomy of Means of Quantification
Formula structure, Type of Factors – and steps for validation of accuracy
Means of Quantification
Uncertainty Analysis
Causation Analysis
EVC Matrix
Urgency Analysis
ADOPTION and Adaptation of EVC ENABLING TOOLS
Examples:
EVC Enabling Tools Overview
EVC Matrix -> A Multi-Dimensional Tool.
Needs Analysis – Strategic Alignment - Benefits Identification – Risk Analysis - Dependencies Analysis
Columns: Strategic Need? / Financial Need? / Economic Need? / Operational Need? / Technological Need?
Maintain Value: ? ? ? ? ?
Increase Value: ? ? ? ? ?
Most IT Security Initiatives are justified around “Maintaining” Enterprise Value
EVC Enabling Tool Overview
1st Generation, Financially-Driven: Return vs Cost
2nd Generation, Strategy-Driven: Financial Vs Strategic Impact
3rd Generation, Pace-Driven: Impact Vs. Urgency
Chart labels (each scale runs Low to High): Financial Return, Profitability Index, Total Cost, Strategic Criteria, Strategic Alignment, EVC Criteria, Impact (Financial and Strategic), Degree of Urgency
1st Speed – Traditional Execution
2nd Speed – Rapid & Dynamic Execution
Degree of Urgency Analysis
EVC Enabling Tool Overview
Uncertainty Analysis -> Type of Benefit and Forecasted improvement
More DIRECT Causation
1. …2. …3. …4. …5. …6. …7. …8. …9. …10. …
More INDIRECT Causation
Type of EVC Causation
Type of EVC Effect
Relationship?
Predictability: Lower / Higher
Degree of Uncertainty: High / Low
And number of, and type of, dependencies
?More Predictable
1. …2. …3. …4. …5. …6. …7. …8. …
Less Predictable
EVC Enabling Tool Overview
Formula Best Practice: “All” economic benefits start with a common structure that enables easy quantification and simple measurement during implementation.
Anatomy of a Benefit Quantification:
Assumption Type Two X Assumption Type One X (Other Data Needed)
EVC provides a structure and best practices to define any economic benefit formula; and a step-by-step process to validate the accuracy of the means of quantification, and the range in the forecasted improvements.
Benefit’s MQ -> Anatomy of Means of Quantification (Formula structure, Type of Factors, and steps for validation of accuracy)
EVC Enabling Tool Overview