How Francis Bacon - the 17th Century Philosopher - Can Help Develop Your InfoSec Business Case
October 25, 2013
You might be surprised to learn that lots of today’s process improvement techniques (Six Sigma, Lean, and TPS) have elements rooted all the way back in 1620.
Back then, English philosopher Francis Bacon created the scientific method, the “hypothesis – experiment – evaluation” triad (also known as the Baconian method). It is essentially a phased process of “plan – do – check” and, indeed, can be applied to most any improvement activity.
In times of economic turbulence and spending cuts, any improvement can present an opportunity to differentiate in the market. Any successful business model requires lean, agile and constantly refined business processes. Enterprise security policy is no different. In fact, it should be re-evaluated even more frequently due to its importance and sensitivity.
Identity and Access Management (IAM) is an integral component of enterprise security policy and requires granular implementation and execution processes. IAM activities are mainly aimed at administering users’ identities and related access requirements throughout their lifecycle within the organization.
Core IAM processes can be too manual, inefficient or may not support the required level of business intelligence or regulatory compliance. Legacy technology may obsolete, a vendor may discontinue product support or new compliance regulations may be introduced that are not met by the existing solution. These challenges often require action so that IAM processes meet their intended business objectives and security policy as a whole remains effective.
When it comes to the IAM business process improvement and re-engineering, convincing business case is one of the key factors helping change advocates win C-level executives spending approvals for required funding.
Return on Investments (ROI) analysis supporting the need for change is usually seen as a key element of a successful business case. However, in complex and long term projects affecting numerous business processes and involving highly customized software deployments, conducting a granular and decisive analysis can sometimes be challenging. There is no way someone will spend high dollars just to validate the hypothesis of whether a new tool can address security threats. The experiment would be too costly, to paraphrase Bacon.
On the other hand – and this is often omitted – effective ROI analysis shall be taken as a business case element, not its end goal since ROI calculation can (and sometimes will if expectations are set inappropriately!) easily turn into a project on its own.
Modus operandi for any business case development, not just IAM, is to have a “process view” approach and establish a logical action plan that contains identified pain points, detailed remediation initiatives, risks analysis, spending justification analysis (ROI) and desired outcome. In a nutshell, any analysis is a comparison of a current state (point A) to a hypothetical future state (point B) plus the steps required to move from A to B.
This, however, assumes that a current state can be measured. Or, in other words, there are metrics (also known as Key/Operational Performance Indicators (KPI/OPI)) that have been implemented and tracked for the purposes of a business process monitoring. IAM-related metrics can vary depending on an enterprise or vertical but usually include:
- Time spent on access provisioning/de-provisioning activities;
- Time lost by employees due to access setup delay;
- Time spent by employees/customers entering access credentials;
- Number of password resets;
- Number of access change requests;
- Time spent processing access change requests;
- Time spent on audit and compliance activities;
- Time spent on access certification;
- Time spent on user identities management.
These metrics do also have monetary equivalents, and the purpose is to find metrics mostly suitable and descriptive for your organization. Prediction is the weakest point of any ROI analysis when it comes to spending justification (remember, any improvement is a sort of an experiment), and this is where process view is important to reduce the uncertainty and feel confident about the business case.
If, say, excessive time spent on password reset requests or access reviews are the identified pain points, then there is high probability that self-service password reset functionality or automated access review campaigns will address the challenges and improve metrics. In the latter case, compliance risk is also addressed, thus adding more value to the investment.
Ideally, any business case shall include the following elements:
- Track metrics. Metrics are important if you want to know where you currently are and where you want to be. Additionally, these are what ROI analysis is based on. Establish metrics and monitor them.
- Identify pain points. Metrics compared against industry averages or independent consultants’ estimates can help identify problem areas or predict future challenges. However, you might know the pain points based on daily operations, no matter what metrics say.
- Set goals. “If you do not think about the future, you cannot have one.” – John Golsworthy
After drivers have been identified, desired improvement goal needs to be set in line with most effective change initiative. Think strategically, act tactically as this approach will help achieve quick wins and will help legitimate the whole initiative.
- Analyze costs/benefits. List benefits that will come from the advocated changes. Associate benefits with required costs and try to establish priorities. Prioritization can also be based on risk reduction analysis. Reducing regulatory, financial or reputational damage risks can be associated with higher costs, but will pay off in future.
- Apply ROI analysis. Stay reasonable and do not turn into “a hostage of numbers.” Otherwise “plan, do, check” can turn into “plan, plan, plan…” For a global company with tens of thousands of employees and customers, calculating password reset labor costs can be complicated and may require some assumptions. Plugging numbers into equations and financial modeling, however, shall be intuitive, easy to follow and in line with business case internal logic.
- Implement change. Implementation projects should be well-structured and well-managed. Trying to hit all targets at once is a mistake. On the contrary, goals should be reached one by one based on priorities (see no. 5), and the business case should look like a continuous improvement. “A journey of a thousand miles begins with a single step.” – Lao Tzu.
The process of business case development might be even more important compared to an analysis summary because it guides the organization through the project’s goals, reasoning and contribution to the overall business needs. In the end, dynamic combination of the described elements, gives a strategic vision and better understanding of investment’s implications and consequences.
Organizations will spend IT budgets anyway; however, comprehensive business case will help the C-levels feel comfortable and confident regarding required investments, which (due to reach $4.6 billion on IAM alone by 20147, according to Gartner).
Obviously, Sir Bacon could not have envisioned the variety of applications of his scientific model before he famously passed away due to pneumonia contract while testing meat preservation through freezing, but when I’m grilling freshly-thawed steaks this weekend I’ll be thankful for his many contributions.