This is the first of our two-part series on how to use Proof of Concept and Proof of Value processes to evaluate industrial cybersecurity solutions.
Unlike Proof of Concept (PoC), which proves a concept will work, Proof of Value (PoV) takes a deeper dive into the value of that solution for your organization so you can justify adoption and measure success.
If you’re evaluating new vulnerability management software or adopting a new technology for your organization, Proof of Concept (PoC) is a term you’ve likely heard more than once.
But what about Proof of Value (PoV)? Are your vendors talking about PoV and what it means for your business?
PoC and PoV are two distinct processes. Some organizations ask for a PoC when, in fact, they actually want a PoV, or vice versa. As you evaluate cybersecurity solutions for your operational technology (OT) needs, it's worth looking at both PoC and PoV and considering what they actually mean in a real-world scenario.
Here, in part one of our two-part series on PoC vs. PoV, we explore the differences between these two processes. In part two, Navigating an Industrial Cybersecurity Proof of Concept (PoC), we offer tips on how to perform an industrial cybersecurity PoC.
Proof of Concept (PoC)
Proof of Concept is a process to prove a solution works and there’s a practical application for it.
In terms of software, let’s say a new technology is designed to automate a business critical task for you. You apply that concept to a single work process within your organization. It works. Proof of Concept is good to go.
But PoC by itself may not be enough to determine if a new solution is right for you. It proves something can be done, but there’s no focus on what it can do for you. There’s no emphasis on the value or overall business impact for your company. That’s where Proof of Value comes in.
Proof of Value (PoV)
Unlike PoC, Proof of Value (PoV) takes a deeper dive into what that solution means for your organization. You can use, for example, a detailed business use case to explore why your organization should adopt the PoC solution.
PoV can help you better understand the anticipated value the solution will bring to your business so you can justify adoption and measure success.
The Differences Between PoC and PoV
Let’s look at the differences from a high level, removing the complexities of industrial cybersecurity and talk in terms of automobiles.
In this example, hypothetically, my company produces unique shelving units for custom delivery vans. We claim our shelving units reduce delivery times and make room for more packages in your vehicle.
Your company delivers packages and you’re shopping for a new fleet of vans. You’re interested in our shelving units.
First, in a PoC, we could test the concept of using custom shelving in your new vehicles by addressing the following questions:
- Does it hold your boxes?
- Can you load and unload them easily?
- Does the van operate safely?
- Does it have airbags, windshield wipers, etc.?
- How does the van handle on the roads?
- Do packages shift in certain types of driving, bumpy roads, etc?
The PoC may show you that yes, the shelves fit in the new vans and you may get more packages in them.
Now, to measure the value of the custom shelving, we would conduct a PoV.
We already know the shelving and van work, because of the PoC, but do they improve delivery times and increase efficiency to the point where they reduce your operational costs? That’s a value component to evaluate with PoV.
Without putting a custom van into operation, it’s difficult to measure all of the variables, such as driver fatigue, actual cost of delivery, maintenance costs, weather, etc.
So, to measure the actual value of the improved delivery van shelves, your company would deploy a few or a few dozen vans and see how they hold up after a certain time period. You’d look to answer the following questions:
- Did drivers call out sick more often?
- Did operational costs on those routes drop as much as anticipated?
- Do the vans actually carry more packages in real-world uses?
Do I need a PoC or PoV?
When determining whether you need a PoC or a PoV, start with your overall business objectives, aka your success criteria.
Your success criteria will help determine what you need to do. If you’re working with theories, testing concepts or working with abstracts, like “what if...”’ scenarios, a PoC is probably the most appropriate route to take because it’s a bit more qualitative.
If your goal is to prove or measure the value a product provides while in operation, which is quantifiable, then a PoV might be best.
Unsure whether you need a PoC or PoV for your vulnerability management solution? Tenable can help with both a quantitative and qualitative analysis. Not sure where to begin? Start with these five key considerations to help you improve the efficiency and effectiveness of your vulnerability management program: “How to Choose the Right Vulnerability Management Solution.”
In the second part of the series we take a closer look at Navigating an Industrial Cybersecurity Proof of Concept (POC) including processes, success metrics, pitfalls and best practice recommendations.