Ruben Melendez - Economically Justifying IT Security Initiatives

Ruben E. Melendez, President, Global Lynx Inc. & Glomark-Governan. Economically Justifying IT Security Initiatives & The Value to IT of Using Standards and Frameworks. This presentation includes Copyright ® 1992-2016 material from Global Lynx, Inc. and Glomark-Governan LLC, as well as content from patent-pending models from Glomark-Governan LLC.

Upload: centralohioissa

Post on 13-Apr-2017



OH NO!

…my IT Security Initiative Was Moved to Next Year’s Budget

Which standard or framework should we use to economically demonstrate and enable the value of IT Security Initiatives?

Kaizen, Lean, 6 Sigma, ITIL, COBIT, ISO, DevOps, Balanced Score Cards, SCRUM, PMBOK, PRINCE2, DMAIC, CAPO, Pace Layered, MOF, CMMI, TQM, EVM, RESILIA, NIST, COSO, BS, EVC

Copyright © 2016 Global Lynx Inc. and Glomark-Governan LLC

Why this session?

There is a proliferation of standards and frameworks for IT Management and IT Security.

This presentation is designed to…

• Highlight new or enhanced frameworks that can be used to enable the business value of IT, and economically justify IT security initiatives.

• Show examples of tools that can be used to discover and enable value creation with IT Security initiatives.


Let’s first discuss what is happening

Industrial Age, Information Age, Digital Age

Today

Telegraph, Telephone, Typewriter

MIS -> IT, Microprocessor, Electronics, PC & Client/Server, Internet

Cloud, Mobile, Big Data, IoT, Process Automation, Analytics

Business Cycles -> Multi-Year; 1 to 2 years; Months

Value Management -> i.e., Deming’s TQM; i.e., 6 Sigma; i.e., EVC

Uncertainty & Risk -> A Concern; High Concern; Very High Concern

Business Processes -> Designed; Re-Engineered; Transformed, Re-Invented, Disrupted


Round ONE:

Round TWO:

Before Implementation

Rank and Approve

Value Discovery

Value Comparison

Ideas for Initiatives

Project Management

Value Enablement

Today, there are islands of communication and collaboration -> Business results are not always achieved

What is Value Management

IT Operations and IT Security

Value Realization

Disconnects in Value Management

• Not enough collaboration
• Not enough communication
• Lack of Metrics Coordination
• Lack of Benefits Tracking
• Reactive instead of Dynamic

Business Case


In the Digital Age…

• The Business Environment is changing drastically.
• Opportunities and Threats appear constantly.
• Business Cycles are considerably shorter (from idea to execution).
• Customer needs (internal and external) are constantly changing.
• A large portion of IT initiatives and IT purchases occur in the business areas.
• The high number of Innovation initiatives based on new technologies (i.e. IoT) is creating a higher risk environment, and higher uncertainty when forecasting benefits.
• Customer value assessment often ends when the initiative is approved.
• Current IT Standards and Frameworks are very helpful, but they are basically static (e.g., ITIL life cycle), vs. dynamic.

Innovation & Disruption -> faster business cycles -> more and smaller initiatives -> higher uncertainty -> higher risk


To Succeed in the Digital Age, IT teams need…

To move from Reactive to Proactive -> from Static to Dynamic.

Reactive = Waiting until next year to assess IT maturity and risk, and redefining our IT Strategy, IT Portfolio and IT Services.

Proactive = Dynamically and proactively participating in each new business initiative, and collaborating in the assessment (prior to decisions) and enablement of “Enterprise Value Creation (EVC)”.

A STRUCTURED FRAMEWORK FOR VALUE MANAGEMENT, to:

• Better execute initiatives with proactive team communication, collaboration, and measurement; in order to enable value creation for each initiative.

• Enable TWO MODALITIES (a.k.a. Two-Speed-IT) for Planning, Budgeting, Governance and Management: Traditional (governance-based) and Fast (dynamic and fast).

A more dynamic approach is necessary to ENABLE all IT areas to be proactive, and collaborative with business areas, in order to meet the current market needs, and make business cycle times shorter.


New and Enhanced IT Frameworks for IT Value Management

New methods and enhanced frameworks are helping in the assessment and enablement of Value Creation for the digital, innovation and two-modalities age.

Some are providing the Why and When, others the What, and others the How.

• COBIT -> Improved management control and governance

• ITIL Practitioner -> Increased focus on benefits and customer value

• Pace Layered Architecture -> Grouping of IT Initiatives in Tiers

• SCRUM and PRINCE2 -> Increased focus on agility, and the need for the business case

• DevOps -> Increased collaboration, automation and communication

• EVC -> Proactive and dynamic collaboration, measurement, and communication on value creation

• Resilia -> Proactive and collaborative cyber resilience


IT Frameworks Enabling Business and Enterprise Value Management

Reactive, One-Speed Orientation

IT Management

Business Management

Dynamic, Two-Speed Orientation

Enterprise Value Management

* Such as NIST, ISO 27000, Resilia, etc.


What is Needed

A Proactive, Collaborative & Dynamic Value Management Framework…

- How? By going beyond the Business Case -> By Implementing a Business Value Plan (BVP) approach…


Business Case

Focus is on…

Justifying the initiative, and getting funds to move forward.

Business Value Plan (BVP™)

Focus is on…

Getting approval on a plan that:

• Justifies moving forward with the initiative,
• Determines the pace (degree of urgency),
• Includes the elements to realize the value forecasted by all the initiative’s Stakeholders.

The BVP is based on the elements of the EVC Framework that enable a proactive and dynamic IT results environment, as required in the digital age!

* This, and the following slides, of this presentation are elements of EVC framework from Glomark-Governan.

Copyright © 2016 Glomark-Governan LLC

The Core of a Dynamic IT Value Management Practice


Before Implementation

Rank and Approve

Value Discovery

Value Comparison

Ideas for Initiatives

Project Management

Value Enablement

IT Operations and IT Security

Value Realization

Dynamic, Collaborative and Proactive IT Value Management

• The Means for identifying the best value creation metrics for each initiative
• Involvement of Benefactors and Beneficiaries
• Validation and/or Agreement on SLAs, KPIs, and Expected Benefits

Business Value Plan (BVP™)

Before Implementation

Rank and Approve

Value Discovery

Value Comparison

Ideas for Initiatives

Project Management

Value Enablement

IT Operations and IT Security

Value Realization

Business Case

Vs.


Two Modalities for the Business Value Plan (BVP™)

Content & Speed

Complete BVP - Traditional process - Granular content

Simple BVP - Rapid process - High level content


What is the EVC Framework?

ADOPTION and ADAPTATION of:

1. EVC PRINCIPLES

A set of EVC Principles that are the foundation for a dynamic IT value management practice.

2. EVC STAGES

A set of capabilities for getting the correct Stakeholders proactively and dynamically involved to enable value creation via a simple, yet effective metrics approach (SLAs and KPIs).

3. EVC ENABLING TOOLS

Provide the How.


The EVC Framework

1. EVC Principles

2. EVC Stages: EVC Strategy, EVC Discovery, EVC Comparison, EVC Enablement, EVC Realization

3. EVC Enabling Tools

Business Value Plan (BVP®)

Idea, Pre-Implementation, Initiative Implementation, Post-Implementation, Operations


IT Security and The Importance of Maintaining Enterprise Value

= $2 Million lost in 12 minutes

= $ Billions for shareholders lost

Most IT standards and frameworks tend to be focused on increasing profits…

…but what about maintaining profits?


EVC Framework

1. ADOPTION OF EVC PRINCIPLES

Eleven EVC Principles that are the foundation for a dynamic value management practice.

Example: EVC Principle #6: Maintaining Profits/Cash is as important as Increasing Profits/Cash

[Chart: Enterprise Profits $ over time; Pre-Implementation, Today (base line), Post-Implementation]

Economic Benefits

Increase Value

• Cost Reduction
• Revenue Increase

Maintain Value

• Cost Avoidance
• Revenue Protection


EVC Framework

2. Use of the EVC STAGES

A how-to method that provides the necessary capabilities for getting the correct Stakeholders ready to enable value creation; including:

• Benefactors: For proactively participating and validating expectations (SLAs).

• Beneficiaries: To agree and validate benefits, causes, effects, and metrics for success (KPIs).

• Other Constituencies: That need to validate or participate in the realization of the forecasted benefits.


Stages and Capabilities of the EVC Framework

EVC Framework: 1. EVC Principles, 2. EVC Stages & Capabilities, 3. EVC Enabling Tools

EVC Strategy: Is the Stage where executives define the portfolio strategy, and determine the criteria for comparing, prioritizing, ranking, and selecting initiatives and projects.

EVC Discovery: Is the Stage where the Initiative Business Value Plan (BVP) is built. Two modalities (speed and content) of BVPs are required in the new digital economy.

EVC Comparison: Is the Stage where executives compare, rank and select initiatives; and assign budgets.

EVC Enablement: Is the Stage where value is tracked and enabled, via communication and collaboration.

EVC Realization: Is the Stage where value is managed, optimized, and delivered to the customer on an on-going basis.

Business Value Plan (BVP®)

Idea, Pre-Implementation, Initiative Implementation, Post-Implementation, Operations


3. Adoption and Adaptation of EVC ENABLING TOOLS

Examples:

• EVC Matrix -> A Multi-Dimensional Tool. For Needs Discovery, TBO Identification, and Dependencies Analysis

• Degree of Urgency Analysis -> Magnitude of Impact, Likelihood of Risk, and Timing for Execution

• Causation Analysis -> Causes and SLAs - Effect and KPIs

• Uncertainty Analysis -> Forecasted improvements, and Outcome Dependencies

• Benefit’s MQ -> Anatomy of Means of Quantification. Formula structure, Type of Factors – and steps for validation of accuracy


EVC Enabling Tools Overview

ADOPTION and Adaptation of EVC ENABLING TOOLS

Examples:

• EVC Matrix
• Urgency Analysis
• Causation Analysis
• Uncertainty Analysis
• Means of Quantification


EVC Enabling Tool Overview

EVC Matrix -> A Multi-Dimensional Tool. Needs Analysis – Strategic Alignment – Benefits Identification – Risk Analysis – Dependencies Analysis

[Matrix: rows Maintain Value and Increase Value; columns Strategic Need?, Financial Need?, Economic Need?, Operational Need?, Technological Need?]

Most IT Security Initiatives are justified around “Maintaining” Enterprise Value


EVC Enabling Tool Overview

Degree of Urgency Analysis

[Three charts, each with axes running from Low to High:]

1st Generation: Financially-Driven. Return vs Cost

2nd Generation: Strategy-Driven. Financial Vs Strategic Impact

3rd Generation: Pace-Driven. Impact Vs. Urgency

Chart labels: Financial Return, Total Cost, Profitability Index, Strategic Criteria, Strategic Alignment, Impact (Financial and Strategic), EVC Criteria, Degree of Urgency

1st Speed – Traditional Execution

2nd Speed – Rapid & Dynamic Execution


EVC Enabling Tool Overview

Uncertainty Analysis -> Type of Benefit and Forecasted improvement

[Diagram: Relationship? between Type of EVC Causation and Type of EVC Effect. One list of items 1 to 10 runs from More DIRECT Causation to More INDIRECT Causation; one list of items 1 to 8 runs from More Predictable to Less Predictable. Scales: Predictability (Lower, Higher); Degree of Uncertainty (High, Low). And number of, and type of, dependencies.]


EVC Enabling Tool Overview

Benefit’s MQ -> Anatomy of Means of Quantification (Formula structure, Type of Factors, and steps for validation of accuracy)

Formula Best Practice: “All” economic benefits start with a common structure that enables easy quantification and simple measurement during implementation.

Anatomy of a Benefit Quantification:

Assumption Type Two X Assumption Type One X (Other Data Needed)

EVC provides a structure and best practices to define any economic benefit formula; and a step-by-step process to validate the accuracy of the means of quantification, and the range in the forecasted improvements.


Q & A’s

Additional questions can be sent to:

[email protected]
