Home » Security Leadership » Metrics/Budgets

Value Made Visible

How American Water's Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time

By Scott Berinato

April 01, 2006 — CSO —

Thank God for the Welchia worm.

In retrospect, says Bruce Larson, security director at American Water, it was that particular piece of malware that helped to legitimize his information security program.

Just before Welchia hit in 2003, Larson had gained responsibility for security operations at a partner water company in England, RWE Thames. (Both American Water and RWE Thames were part of the water division of RWE AG, a German multiutility company; that water division is now being divested.) Larson wanted to export to RWE Thames processes and products he used at American Water (including standards for a consistent architectural reference model, intrusion and anomaly detection systems from Arbor Networks, vulnerability assessments and identity management tools, among others). But he'd have to prove the benefit of making the investments required to bring Thames's security up to American Water's level, since Thames was not consistent in using these tools and practices.

Enter Welchia. It was an odd, antihero kind of worm that attempted to infect a computer in order to remove an older worm, Blaster, and then update the system's defenses. Whatever nobility it aspired to, Welchia nevertheless was a virus that could break computers and, like all worms, disable networks by jamming them up with its own traffic as it attempted to propagate itself.

"Welchia affected both of our enterprises on the same day near the same hour," Larson says. "We were able to measure the differential in impact between the two." The gap was stark: At American Water, 19 computers were initially infected, and response started in minute one. After two weeks, just 100 computers had been infected and all were fixed. Welchia resulted in zero days of downtime and required 40 man-hours of response and recovery time.

At RWE Thames on the other hand, "Every computer that could be infected was," Larson says. "Every business subnet was offline. The routers clogged, and the networks went dark, and we had to manually rehabilitate the operation." RWE Thames endured eight days of total or partial downtime and, compared with American Water's 40 man-hours of recovery, RWE Thames needed thousands of man-hours.

Not surprisingly, executives across the pond bought in to American Water's infosecurity program. What's more, Larson also found that American Water's effective defenses gave him a baseline, a normal cost of operations, to measure against. "Before that, we were trying to use ROI to justify funding. After Welchia, we realized we really could measure how much value we protected. This is hard evidence of the differential between good security and OK security," he says. "It's perhaps unique to have hard data like this, but we do. We have the metrics. So, in a twisted sort of way, thank God for Welchia."