The Balanced Scorecard is second on the list of 7 must have CISO tools. Someday I'll get past any guilt about referring to Balanced Scorecards for information security teams. Fitting the traditional categories into a cost center is a bit challenging. However, I don't want to change the name because I want to leverage the knowledge, if not the mystique, around a business-focused measurement tool. I can hear the water cooler now: "Hey, what's up with the CISO balanced scorecard? Do we need one?"
By now you've noticed I like to define position statements for any deliverable (software or otherwise). My statement for the infosec balanced scorecard is: a management and communication vehicle that measures key performance indicators in terms of costs and benefits with both leading and lagging measures. The primary audience is internal management; the secondary audience is non-IT security stakeholders. It's better than technical scorecards because it shows value to the business rather than just execution. It's better than ad hoc communication because its high-level scope scales well across stakeholders, i.e., it saves you time and broadens your message.
"What makes you Security folks so special you need a fancy scorecard?"
You and your peers already communicate value and operational metrics, e.g., in mid-year and annual reviews. So why create more busy work and publish something new or different? Is security so special that we need more or different reporting? I think so. If people don't understand why, walk them through your strategy. IT security is a complex service, and business-focused measurement should be welcomed rather than shunned. If your execs or peers don't support this effort, I'd love to understand why.
The Balanced Scorecard is a management tool that borrows verbiage from other measurements in your organization. It's a great conversation starter, and we need more business-focused conversations around security. The goal is to select a few canaries that enable you to communicate your story across your service. I've seen some orgs put 30-40 measures in the scorecard, which makes it difficult to identify the important stories. A former CISO I spoke with recently said the number should be counted on one hand, two at the very most. My opinion is 12-15. There are four stories to a balanced scorecard, and each needs a little meat to be interesting.
Translating the Scorecard
I originally posted about balanced scorecards in 2010. Back then I modified the traditional categories to fit with a cost center like security. I'll leave the original content, then share my latest thinking after gaining more experience.
<original>Here's my hack at the balanced scorecard starting with the categories on Wikipedia (Financial, Customer, Internal Business, Innovation and Learning) then changing the title and definition for our use:
Innovation & Learning -> Innovation & Growth: metrics or even status updates on long-term initiatives advancing the business directly or advancing IT. It's ok to break the rules and put a status here if you want to highlight something. Examples might include multi-year IAM or data protection initiatives, customer/employee phishing activities, or other areas of investment and change.
Which Metrics to Include?
If you find it's difficult to select or keep the number of measurements low, try this: for each proposed metric, ask a line of business manager if they care about the metric and what it means to them. Both answers are important because even if a business manager doesn't care directly, if the metric conveys "security is important and their performance is healthy/sick" then there's benefit.
My goal in the image above is to provide sufficient examples to get you started. One area I left thin is Operational Efficiency. I'll cover this in depth when we get to Operational Scorecards. The trick is to provide metric rollups or Key Performance Indicators. If you have a Security Index summarizing the overall trend of progress from baseline to target, this is the perfect place to communicate it. If not, pick the broadest metric for each service area to represent a collection of related metrics.
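One way to build the rollup this paragraph describes, as an added example that is not from the original post: each metric carries a baseline, a target and a current value, progress is the fraction of the way from baseline to target (clamped so a metric can't earn more than 100% or score below zero), and the Security Index is the weight-averaged progress across all metrics. The same function rolled up per story gives one number per scorecard category, and rolled up by leading/lagging gives the split the position statement calls for. The metric names, stories other than "Innovation & Growth" and "Operational Efficiency", baseline/target/current figures and weights are all constructed sample data, not figures from the author's scorecard.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass
class Metric:
    name: str
    story: str          # which of the four scorecard stories this metric tells
    baseline: float     # value when the program started measuring
    target: float       # value that counts as "done"
    current: float      # most recent observation
    weight: float = 1.0 # relative importance in the rollup
    leading: bool = False  # True for a predictive measure, False for an outcome measure

    def raw_progress(self) -> float:
        """Signed fraction of the distance from baseline to target already covered.

        The sign of (target - baseline) carries the direction, so the same
        formula works for higher-is-better metrics (coverage %) and
        lower-is-better metrics (days to patch). Negative means we slid
        backwards past the baseline; above 1.0 means we beat the target.
        """
        span = self.target - self.baseline
        if span == 0:
            raise ValueError(f"{self.name}: baseline equals target, nothing to measure")
        return (self.current - self.baseline) / span

    def progress(self) -> float:
        """Progress clamped to 0..1 so one runaway metric can't mask the others."""
        return max(0.0, min(1.0, self.raw_progress()))

    def regressed(self) -> bool:
        """True when the current value is worse than the original baseline."""
        return self.raw_progress() < 0


def security_index(metrics: Iterable[Metric]) -> float:
    """Weighted average progress across metrics, scaled to 0..100 and rounded."""
    metrics = list(metrics)
    total_weight = sum(m.weight for m in metrics)
    if total_weight == 0:
        raise ValueError("no weighted metrics to roll up")
    weighted = sum(m.weight * m.progress() for m in metrics)
    return round(100.0 * weighted / total_weight, 1)


def rollup(metrics: Iterable[Metric], key: Callable[[Metric], str]) -> Dict[str, float]:
    """One index per group, e.g. per scorecard story or per leading/lagging split."""
    groups: Dict[str, List[Metric]] = {}
    for m in metrics:
        groups.setdefault(key(m), []).append(m)
    return {name: security_index(ms) for name, ms in groups.items()}


def regressions(metrics: Iterable[Metric]) -> List[Metric]:
    """Metrics that have moved the wrong way since baseline; these deserve a story."""
    return [m for m in metrics if m.regressed()]


# Constructed sample scorecard (hypothetical figures, not real program data).
SAMPLE_METRICS = [
    Metric("MFA coverage (% of workforce)", "Innovation & Growth",
           baseline=40, target=100, current=85, weight=2.0, leading=True),
    Metric("Phishing click rate (%)", "Innovation & Growth",
           baseline=12, target=3, current=15),            # got worse: regression
    Metric("Median age of open critical patches (days)", "Operational Efficiency",
           baseline=45, target=14, current=30),            # lower is better
    Metric("Mean time to contain an incident (hours)", "Operational Efficiency",
           baseline=72, target=24, current=24),            # target reached
]


if __name__ == "__main__":
    print("Security Index:", security_index(SAMPLE_METRICS))
    print("By story:", rollup(SAMPLE_METRICS, lambda m: m.story))
    print("Leading vs lagging:",
          rollup(SAMPLE_METRICS, lambda m: "leading" if m.leading else "lagging"))
    for m in regressions(SAMPLE_METRICS):
        print("Regressed since baseline:", m.name)
```

Two design choices worth noting. Clamping is deliberate: a metric that blew past its target would otherwise inflate the index and hide a neighbour that is sliding backwards, which is exactly the canary the scorecard exists to surface; regressions are reported separately for the same reason. And the rollup function is keyed on whatever attribute you choose, so the same numbers serve both the four-story view for the scorecard and the leading/lagging view for your own sanity check.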
The value of the balanced scorecard is efficiently communicating the progress of your core service areas to stakeholders. The scorecard helps keep security top of mind for stakeholders and reminds them you're more than a cost center. When the scorecard works with its partner, the Enterprise Heatmap, they provide a powerful management tool indicating the state of information security. The balanced scorecard also lights the way into more detailed areas such as operational, project, and financial details.
Balanced scorecards for information security are an advanced management practice; I've only seen two in my travels. One idea is to craft a mock-up and see if your boss supports the direction. There's a great leadership opportunity awaiting you. The era of "The Information Security Balanced Scorecard" may be upon us. By any measure, it simply sounds impressive.
Please let me know if this is helpful and if you're considering a similar or different approach.