Magnificent 2/7: Balanced Scorecard

The Balanced Scorecard is second on the list of 7. Someday I’ll get past any guilt about referring to Balanced Scorecards for information security teams. I feel a bit dirty because translation is required to make the scorecard fit well within IT security. However, I don’t want to change the name because we don’t need more jargon, and I want to leverage the knowledge, if not the mystique, around a business-focused measurement tool. I can hear the water cooler now: “Hey, what’s up with the CISO balanced scorecard? We’re not on it, are we…” So I’ll wash my hands with this disclaimer: the below is simply my opinion and has no affiliation with other scorecards. If some lawyer makes me change the name, I’ll call it the “we-care-about-the-business-too scorecard.”

By now you’ve noticed I like to define position statements for any deliverable (software or otherwise). My statement for the infosec balanced scorecard is: a management and communication vehicle that measures key performance indicators in terms of costs and benefits, with both leading and lagging measures. The primary audience is internal management; the secondary audience is non-IT-security stakeholders. It’s better than technical scorecards because it shows value to the business rather than just execution. It’s better than ad hoc communication because its high-level scope scales well across stakeholders, i.e. it saves you time and broadens your message.

“What makes you Security folks so special you need a fancy scorecard?”

You and your peers already communicate value and operational metrics, e.g. in mid-year and annual reviews. So why create more busy work and publish something new or different? Is security so special that we need more or different reporting? Yes. If people don’t understand why, pass them your strategy. IT security is a complex service, and business-focused measurement should be welcomed rather than feared. If your execs don’t support this effort, I’d love to understand why. And saying you’re too busy is a scary answer.

Scope

The Balanced Scorecard is a management tool that shamelessly steals from other measurements in your org. I love this. Leverage data you already have and package it for the greater good. Now you have one page that acts as a spotlight and points to other areas of your business. It’s a conversation starter, and we need more business-focused conversations around security. As always, keep it simple. The goal is to select a few canaries that enable you to communicate your story across your service. I’ve seen some orgs put 30-40 measures in the scorecard (yawn). A former CISO I spoke with recently said the number should be countable on one hand, two at the very most. My opinion is 12-15. There are 4 stories to a balanced scorecard, and each needs a little meat to be interesting.

Translating the Scorecard

Here’s my hack at the balanced scorecard, starting with the categories on Wikipedia (Financial, Customer, Internal Business, Innovation and Learning) and then changing the title and definition for our use:

  • Financial -> Foundation: financial and people metrics.
  • Customer -> Enable Business: operational metrics on services that directly touch the business.
  • Internal Business -> Operational Efficiency: key performance indicators and summary metric roll-ups.
  • Innovation & Learning -> Innovation & Growth: metrics, or even status updates, on long-term initiatives advancing the business directly or IT. It’s ok to break the rules and put a status here if you want to highlight something. Examples might include multi-year IAM or data protection initiatives, customer/employee phishing activities, or other areas of investment and change.

Here’s an image showing the categories and example content.

[Image: Envision Security Balanced Scorecard Example]
Which Metrics to Include?

If you find it’s difficult to select or keep the number of measurements low, try this: for each proposed metric, ask a line-of-business manager whether they care about the metric and what it means to them. Both answers are important, because even if a business manager doesn’t care directly, if the metric conveys “security is important and its performance is healthy/sick,” then there’s benefit.

My goal in the image above is to provide sufficient examples to get you started. One area I left thin is Operational Efficiency. I’ll cover this in depth when we get to Operational Scorecards. The trick is to provide metric roll-ups or Key Performance Indicators. If you have a Security Index summarizing the overall trend of progress from baseline to target, this is the perfect place to communicate it. If not, pick the broadest metric for each service area to act as a pointer or canary, as I stated earlier.

Notice I don’t have any compliance or “no recurring audit findings” measures in my example. I live in the camp that compliance is simply a feature of a well-run security service. If a key management measure is 100% compliant, that’s all you’ll likely be. Plenty is already written on using compliance as your bar for acceptable risk. I prefer to put compliance-related metrics closer to specific services in the Operational scorecard. However, in the spirit of Bob Ross, it’s your scorecard and you can put it anywhere you desire.

Tools and Formats

Every scorecard I’ve seen involves Excel and some kind of intranet site. If you have a corporate-wide repository and platform for enterprise performance management, fantastic. I’ve never seen one, but I hear they exist (I call this a Big Foot solution). We at Envision Security receive feedback that there’s a need for more efficient and standard approaches to defining, inputting, and reporting metrics (management and operational). The benefits software offers in this scenario are obvious, and we look forward to sharing our plans with you shortly. But don’t wait for us; get started now so you can see how much time our stuff will save you :-)

Wrap Up

The value of the balanced scorecard is efficiently communicating the progress of your core service areas to stakeholders. The scorecard helps keep security top of mind for stakeholders and reminds them you’re more than a cost center. When the scorecard works with its partner, the Enterprise Heatmap, they provide a powerful management tool indicating the state of information security. The balanced scorecard also lights the way into more detailed areas such as operational, project, and financial details.

So assuming you already have a few metrics floating around, you can see it doesn’t take much to pull them together and declare the era of “The Information Security Balanced Scorecard.” By any measure, it simply sounds impressive.
