Information security, value creation, and the balanced scorecard
By taking a balanced approach to information security and keeping the organization's mission in mind, you can create agility and value
By Jamil Farshchi and Ahmad Douglas, Los Alamos National Laboratory
September 20, 2010 (CSO)
Information Security has long been seen as at odds with business agility and productivity. Whether it uses electronic or physical controls, security often gets a bad reputation for being a burdensome bolt-on required for either regulatory compliance or nebulous what-if scenarios.
Value-Negative Information Security
For some organizations, the what-if threat is less nebulous. Take, for example, Google. Between its January 13 threat to cease operations in China and early April, the search giant lost almost $7.5 billion in market value. Both the NASDAQ and S&P 500 composites rose about 5 percent over the same period, and our research has turned up no other significant negative events for Google during this time, which suggests that this escalating disagreement led to their capital loss.
This case and numerous others show that poor information security can destroy value, in terms of both lost shareholder confidence and future growth. And as the TJX Companies learned from a well-publicized 2005 breach, poor information security can also result in costly legal repercussions.
Defining Security Success
But can an excellent information security program create value? Perhaps the first step to implementing a successful plan is defining success. Many organizations, especially those harshly constrained by regulatory compliance and public scrutiny, define success as the absence of a significant, widely publicized event. Los Alamos National Laboratory was in the same situation: Our security program was deemed a success as long as it kept incidents to a minimum and those that did occur were of low enough severity to satisfy our regulating authority.
The false sense of security created by regulatory compliance can be dangerous, however. Los Alamos, as with many public and private organizations, fell into this trap. It's easy to fall into a check-the-box mind-set, thinking that if all the regulatory requirements have been met, the organization's critical data and assets are secure. It only takes one painful, public breach to realize that this way of thinking is flawed.
After each information security event, we asked ourselves, "If we were compliant, then how did we fail to protect our sensitive information and technology assets?" Over time it became clear that we failed because our security controls were decoupled from the mission of our organization. By focusing on regulatory compliance and ignoring the needs of our core workforce—R&D scientists, experimentalists, engineers and machinists—we forced them to use their computers in an unintuitive way, which caused them to make more errors.
As an excellent paper from Microsoft Research notes, this behavior is common, and is in fact completely rational from an economic standpoint. Unfortunately, information security professionals often deal with it in entirely the wrong way—with still more reactionary, bolt-on compliance measures, rather than by taking a holistic, strategic view of the problem.
In contrast, our current security program strives to blend compliance with ease of use to foster both information security and user productivity. Simply put: we want it to be easy for our employees to do the right thing.
If our ultimate goal is to create value through an excellent information security program, then how do we define those terms? The answer necessarily depends on your security paradigm and your business model.
For example, at Los Alamos, our shareholders are the U.S. taxpayers, who demand fiscal prudence and return on their investment of trust. Our customers are other government agencies that rely on the world-class products of our science and technology capabilities. And our stakeholders include state, local and tribal governments; the residents of New Mexico; and our workforce. Each of these groups has its own set of requirements, and an information security breach has the potential to negatively affect each in a different way. They must all be taken into account when developing our definition of success.
How would you define success in information security? How do you develop a program focused on value creation? At Los Alamos, we worked directly with our customers to define success as enhancing our competitive position by
(a) reducing security and compliance costs by improving operational efficiency;
(b) reducing the number and impact of security events; and
(c) gaining competitive advantage by facilitating the acquisition of new business by enhancing our reputation, bolstering our workforce's productivity and establishing collaborative partnerships.