Information Security Metrics & The Balanced Scorecard

I just finished a final draft of a presentation on information security executive reporting that I and some colleagues will present at the upcoming Forrester IT Forum in Las Vegas. For those of you who want more information on the Forum, please see Forrester's IT Forum 2011 in Las Vegas. In this presentation Alissa Dill, Chris McClean and I will present an approach for using the Balanced Scorecard to present security metrics to senior-level audiences. For those of you who are not familiar with the Balanced Scorecard, it was originated by Robert Kaplan, currently of the Harvard Business School, and David Norton as a performance measurement framework that added non-financial performance measures to traditional financial metrics to give managers and executives a 'balanced' view of organizational performance[1]. This tool can be used to:

  • Align business activities to the vision and strategy of the organization
  • Improve internal and external communications
  • Monitor organization performance against strategic goals

Information security is characterized by people, process and technology. It is usually a function that operates “under the covers” until the organization experiences a serious breach. This obscures the value of the security organization and of information security specifically.

Using a management reporting framework to demonstrate the value of information security across additional dimensions, including the financial one, may help the overall security posture of the organization. It will do this by making the organization more aware of the overall value of information security and how it contributes to the mission of the organization. I would appreciate your thoughts. Drop me a line here (and, for Forrester subscribers, schedule an inquiry or advisory).


Please see the website for more information.


The enterprise’s investment

The enterprise’s investment in information security over the last fifteen years has largely been driven by regulatory compliance and mandates. Leveraging balanced, metrics-based scorecards to align business activities to business strategy is a truly compelling idea, in part because one of the market trends impacting all of us centers around IT organizations and information security groups becoming more and more vital to the success of the enterprise.

We see now that simply throwing down infrastructure and plumbing, and then answering help desk calls, will no longer suffice. As more and more transactions and paper-based processes move online, today’s security tools and IT infrastructure can actually drive revenue to a business, and it’s up to security and IT teams to figure out how to leverage those interactions accordingly.

The concept of linking the information security profile (infrastructure + ecosystem), connecting securely to external communities and constituents, and putting all of that into a framework and model like a balanced scorecard, is very compelling. It’s a practice that will help align investments with the success of the business, and it will surely play a critical role as newer trends – such as cloud and mobile devices – emerge at the edge of the network.

Information Security Evolution

Thank you for your comments. I met with a client this week who echoed the sentiments you express here. He essentially said that the reporting of malware infections and other traditional metrics won't work anymore. "We need to up the level of conversation and start talking more effectively about business risk." This is a recurring theme with all CISOs that I speak with. There does need to be an information security framework that allows us to understand the "state of information security" and to do so in a more comprehensive way.