Recently my colleague, John Fremer, recommended to me an article written by Michael Santarcangelo, a consultant. The author suggests how an individual can improve his or her chances of having a security project funded. The article discussed security generically and likely referred to a different type of security than that needed for tests. But, in my opinion, the principles are sound and address a similar need often expressed by our clients. I thought I would share those principles, using three questions that should be asked by the person requesting test security funding:
- What is the urgency and priority of this project?
- What can we learn from others?
- How much are you asking for, and what do we get?
What is the urgency and priority of this project?
More often than not, the urgency of a test security project becomes apparent immediately after a breach has occurred. It is clear to everyone that something must be done quickly, even when that “something” isn’t well defined or even useful. But how do we communicate the urgency and need of implementing the test security project before a breach happens, when everything seems to be going smoothly? Let me provide an example of how to communicate the importance of test security projects using a highly likely “what if” scenario.
Test thieves are using new electronic devices to photograph, steal, and distribute exam items worldwide in a matter of minutes. These activities are virtually undetectable and, therefore, unstoppable. From widespread news articles, we learned that this happened a few weeks ago to AccuTesting, Inc., causing them to cancel the scores of 15,000 certification candidates, to stop testing, and to create a new exam. Immediately, AccuTesting must spend more than $250,000 to replace the exam. AccuTesting’s reputation has been damaged and the organization faces potentially costly legal challenges arising from the score cancellations. On the other hand, BetterTesting, LLC, funded a test security project last year for much less than its exam development costs to reduce the likelihood of exactly this type of breach. With these new devices becoming more capable and less expensive each month, it is only a matter of time before we have a similar breach. I recommend we look at improving our security immediately.
What can we learn from others?
I reported that BetterTesting improved their security system last year in order to address the threat of electronic devices being used to steal their items. They put in place test security measures that effectively detect pre-knowledge of exam content by their students. Furthermore, they supported their detection system with modifications to policies, procedures and agreements so they could invalidate exam results when pre-knowledge of exam content by individuals was detected. Very recently, GlobalAssessment enhanced its test delivery system so that unique exams with disposable items are automatically created for each student, completely eliminating the motive for someone to steal the exam. Our security systems can handle older, traditional threats, but they have not been updated in 15 years. We are currently vulnerable to this particular threat and to others.
How much are you asking for, and what do we get?
Here is a proposal to upgrade our test security. As you can see, we can add features to our new test administration system to reduce the costs of implementing a new test design and improving on GlobalAssessment’s solution. The new security features will let us reduce spending immediately on test development and outdated security methods. The amount of funding requested, admittedly the largest investment we’ve made in security in 15 years, will be recouped in the next three years. Given that we have directly addressed a very dangerous security threat and reduced the chance it will affect us, we will have a state-of-the-art test security system.
Other good points from Santarcangelo…
First, you should give decision makers the information that will help them decide between the many “high priority” requests they receive. Your test security story must be complete, simple and address a critical problem quickly and effectively. Second, good executive decision makers want to implement current, proven solutions, not untested, speculative projects. You should present them with the opportunity to be at the forefront by solving an obvious test security problem with minimal risk. Third, test security projects are more difficult to sell than other projects, because they address losses that might or might not happen. It, therefore, takes significant effort to create a compelling story supported by evidence. You should take the time to learn what others are doing, what other options are available, and to document why your solution will work. Finally, it is important to measure success before and after, to demonstrate the return on investment to the decision makers and all others involved.
You can find the complete Santarcangelo article at this link: http://www.csoonline.com/article/2845052/security-leadership/answer-these-3-questions-if-you-want-to-get-your-security-projects-funded.html