BLUF – Creating concrete baseline measurements with Cost of Operational Impact Metrics (COIM) is the start of effective resource allocation discussions. Effectively communicating what COIM measures follows close behind. The following are COIM framing considerations and further requirements.

Background

The last post introduced COIM – Cost of Operational Impact Metrics. This post will address the application and implementation of the concept of COIM in driving your resource conversations. This will likely need to be built over an extended period of time and will require effort – for the ones collecting the measurement data and from the measured parts of the organisation.

Of primary consideration is determining who/ what needs measured. Just as simple as it sounds, you want to focus your attention to measure the pieces potentially up for debate in the resource allocation discussions. If you are looking to increase the spend on a program (or defend it from budget reductions) it would be best to have COIM established for your discussions. Depending on the program you are measuring, you may need some time to create an average with adequate representation.

As you start implementing this framework, you can see the next few groups/ programs who could use their own metrics, establishing baselines across the programs, and eventually the division as a whole. Eventually you should have a reasonable understanding of where the money is going, to identify areas where other issues might warrant re-examination of the solutions in place as opposed to the ideal.

As a new solution or tool is implemented, it makes sense to revisit the baseline – after sufficient time has passed for process adoption and integration. Solution novelty fades and anyone with audit in their background will say: you look for what is, not what should be. This also opens the dynamics for periodic review of a solution’s effects over time. Especially if a ticketing system is well implemented, no review disclosure is required.

For those without more traditional business experience for resource discussions, implementing COIM may change a number of discussion points you make. A few key points will be important and potentially change preparation/dynamics of the conversation.

1. Be prepared to prove COIM. As with any metrics introduction with a dollar amount attached, expect questioning on methods and findings. Have one or more case studies that break down how much Time, Labour and Money were found used for the span of an incident. The case study should be close to the median.
2. Make certain the tools and other teams/ resources in use are acknowledged separately. Tools may span other uses different from the process measured, other teams’ collaborative efforts are not subject for your discussion. Both should be recognised overall and in the case study, respectively.
3. Consolidate the total number of incidents against the coverage provisioned. This helps create a ratio showing actual implementation numbers against how much or little it is overall. To build proper perspective of what’s needed, honest conversation needs to happen about what’s possible to be done with existing resources.
4. When applicable, add in timelines. If there are potential pebble risks, best to explain.

In resource allocation discussions, the subject is future projections. Offering the baselines leads conversation to the benchmarks we aspire to. A word of caution – set realistic times and goals with the resources required/ requested.

Many elements of cyber are not accustomed to concrete metrics beyond tools and subscription services. Introducing COIM improves not only the footing for the discussion, but also the accountability to deliver as promised.

-scl