Most companies measure their business value through return on investment, or ROI. To me that is not a very accurate way to get at the real value of a business.
For one, a company’s bottom line has to be checked against the defects in its processes. ROI may register positively, but how much variation is there in your business processes, and can you sustain that ROI over the years?
Tom Bowers, writing for SearchSecurity.com, shares his experience working in the security department of a large pharmaceutical company. In his own words, his team had success using Six Sigma to identify relevant data that can show the value of initiating a new project or technology: “Instead of attempting to prove ROI, we used Six Sigma tools to define what can be measured, conduct the ‘measurement’ and provide an analysis of that data to show business value to the CFO. The bottom line is always showing ‘business value’ — hopefully in real dollars saved.”
Starting from DMAIC (Define, Measure, Analyze, Improve, Control), Tom’s department used only the first three phases, DMA, and added their own methods:
Define. The goal in this case is simply to identify events that can be measured. Let’s consider, for example, the theft of laptops storing valuable data. Another example might be a paper-based information risk audit thrown into a regular (versus shred) trash basket.
Measure. We decided what “units” will be used to define the measurement. What is measured and what units to use are completely based upon the process being measured. For example, a forensic examination can be measured as “each” or in dollar terms based on the information recovered or lawsuit won. The measurement for the example of the stolen laptops might be each or a dollar value (of the information and/or the device itself) – or both.
Analyze. We evaluated the business value of our measured events versus a planned security project, a headcount increase – anything that requires approaching the CFO for funding.
Next we looked at regulatory compliance breaches, and then used external events such as information theft reports and regulatory noncompliance reports at other firms.
To create a larger statistical sample, we used freeware and commercial risk assessment tools.
For the IT security data points, we looked at our SEM/SIM, which provides log and event correlation that supports events seen in one location by providing corroborating evidence in other locations. These tools provide data points that are of higher quality and speak more clearly to the ROI/business value security provides in protecting the infrastructure.
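As an added illustration of the Define, Measure and Analyze steps above (this script is not from the article or from Tom Bowers’ team), the following Python code reads two constructed log sources, an asset-inventory feed and a VPN gateway log, corroborates each reported laptop theft against a later VPN attempt by the same device within a window, the way a SEM/SIM correlation rule would, measures the events both as “each” and in dollar terms, and compares the annualized loss with the cost of a proposed project. Every asset ID, timestamp, dollar figure, the seven-day window, the 31-day sample period, the project cost and the 90% expected reduction are assumptions made up for the example.

```python
"""Define / Measure / Analyze over constructed log data.

Added illustration, not code from the article or from the team it describes.
All asset IDs, timestamps, dollar figures, log formats and project numbers
below are assumptions invented for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# --- Define: the measurable event ----------------------------------------
# A theft reported by the asset inventory is "corroborated" when a second
# source (the VPN gateway) sees the same device within CORROBORATION_WINDOW
# after the report. Both the window and the rule are assumptions.
CORROBORATION_WINDOW = timedelta(days=7)

# Constructed sample logs (not real data, not the article's data).
INVENTORY_LOG = """\
2009-03-02T09:15:00 asset=LT-1043 status=STOLEN owner=jdoe classification=CONFIDENTIAL
2009-03-05T14:02:00 asset=LT-2210 status=STOLEN owner=asmith classification=PUBLIC
2009-03-20T11:40:00 asset=LT-3388 status=STOLEN owner=rlee classification=CONFIDENTIAL
"""
VPN_LOG = """\
2009-03-03T22:11:09 asset=LT-1043 result=DENIED reason=revoked-cert src=203.0.113.7
2009-03-04T01:30:41 asset=LT-1043 result=DENIED reason=revoked-cert src=203.0.113.7
2009-04-18T07:05:00 asset=LT-3388 result=DENIED reason=revoked-cert src=198.51.100.2
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log_text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        fields["ts"] = datetime.fromisoformat(ts_str)
        events.append(fields)
    return events


# --- Measure: units are "each" and assumed dollars -------------------------
DEVICE_VALUE_USD = 1500                      # assumed replacement cost
DATA_VALUE_USD = {"CONFIDENTIAL": 50_000,    # assumed value of exposed data
                  "PUBLIC": 0}


@dataclass
class Measured:
    asset: str
    corroborated: bool   # seen in a second log source (higher-quality data point)
    dollars: int         # device value plus assumed data value


def define_and_measure(inventory, vpn):
    """Select reported thefts, corroborate them against the VPN log, price them."""
    results = []
    for theft in (e for e in inventory if e.get("status") == "STOLEN"):
        window_end = theft["ts"] + CORROBORATION_WINDOW
        corroborated = any(
            v.get("asset") == theft["asset"] and theft["ts"] <= v["ts"] <= window_end
            for v in vpn
        )
        dollars = DEVICE_VALUE_USD + DATA_VALUE_USD.get(theft.get("classification"), 0)
        results.append(Measured(theft["asset"], corroborated, dollars))
    return results


# --- Analyze: measured loss versus a proposed project ----------------------
def analyze(measured, period_days, project_cost_usd, expected_reduction):
    """Annualize the measured loss and net it against the project's cost."""
    loss = sum(m.dollars for m in measured)
    annual_loss = loss * 365 / period_days
    avoided = annual_loss * expected_reduction
    return {
        "events_each": len(measured),
        "events_corroborated": sum(1 for m in measured if m.corroborated),
        "measured_loss_usd": loss,
        "annualized_loss_usd": round(annual_loss),
        "annual_loss_avoided_usd": round(avoided),
        "project_cost_usd": project_cost_usd,
        "net_business_value_usd": round(avoided - project_cost_usd),
    }


def run_example():
    """Whole DMA pass over the constructed logs with assumed project numbers."""
    measured = define_and_measure(parse(INVENTORY_LOG), parse(VPN_LOG))
    # Assumptions: 31-day sample, a $250k project expected to avoid 90% of the loss.
    return analyze(measured, period_days=31, project_cost_usd=250_000,
                   expected_reduction=0.9)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key:28} {value}")
```

Of the three reported thefts only LT-1043 is corroborated; LT-3388’s VPN attempt falls outside the window and LT-2210 is never seen again, which is exactly the distinction between a single-source data point and the higher-quality, corroborated ones the passage above refers to. The “each” count, the dollar figure and the net value are what goes to the CFO; the assumed unit values are the part of the measurement the team has to agree on up front.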
It is good that Tom’s company uses the tools of Six Sigma and enjoys the benefits they bring. While the complete DMAIC process may not be the answer to every process improvement initiative, I think the Improve (continue to do better) and Control (institutionalize the improved system) phases of DMAIC will still prove useful in determining and presenting ROI to senior management.
The popular question from management is always “What’s in it for us?” or “What do all those figures mean to our business?” I believe the Improve and Control phases determine the impact on the business of the ROI, or of the data leading to it. This is where the value lies.
Source:
SearchSecurity.com, “Forget ROI; Use Six Sigma to prove business value” with link provided by iSixSigma.com
*Photo credit: MorgueFile.com