By VP Steve Hunt & VP Craig Symons

Norton and Kaplan's Balanced Scorecard (BSC) method of measuring performance has been around since the early 1990s and appears to be gaining momentum in many companies. In fact, recent research suggests that 45 percent of US-based companies and 40 percent of European companies claim to be using the Balanced Scorecard approach. For IT security organizations, the biggest payoff from the BSC comes from organizational alignment with the business units and a concrete method for demonstrating the value added by security. The Balanced Scorecard, and the shared language it creates between IT and its business unit customers, enables the emergence of a strategy-focused IT organization. Giga believes that by adopting the BSC approach, security organizations can significantly improve relations with the business units and close the gap between how security views itself and how business managers view it.

In a November 2002 Harvard Business Review article, "Six IT Decisions Your IT People Shouldn't Make," the authors, Jeanne W. Ross and Peter Weill, research scientists at the Center for Information Systems Research at the Massachusetts Institute of Technology's Sloan School of Management, demonstrated that successful companies set their IT budgets by first determining the strategic role that IT will play in the organization, then establishing a companywide funding level that will enable technology to fulfill that objective. Since the first step in implementing a Balanced Scorecard is strategy, it follows that the BSC can be an effective method for aligning security with that strategy.

The Balanced Scorecard approach to measurement and management was first introduced in a Harvard Business Review article, "The Balanced Scorecard: Measures That Drive Performance," written by Robert S. Kaplan and David P. Norton in 1992. It was later expanded into a book, Translating Strategy into Action: The Balanced Scorecard, in 1996.
The Balanced Scorecard balances measurements across four dimensions, or views of the business. The original BSC approach used the traditional financial dimension and three others: the customer dimension, the internal process dimension, and the learning and growth dimension. In recent years, some implementers have substituted or added dimensions, or perspectives, that better reflect their overall vision and strategy, or that include constituencies the original approach left out, such as employees, suppliers and regulators. Table 1 shows four dimensions that may be suitable for a security department or chief security officer.

Table 1: The Four Security Perspectives

Customer Orientation
  Question: How should employees, business unit managers and external users perceive security?
  Mission: To be the supplier of choice for all security requirements.
  Objectives: User satisfaction; alignment with the business; service-level performance.

Business Value
  Question: How should senior management perceive security as a contributor to company success?
  Mission: To enable business strategies through the effective application of security.
  Objectives: Business value of security initiatives; stewardship of security investments; strategic contribution.

Operational Excellence
  Question: Which services and processes should security excel in?
  Mission: To deliver effective services at or below budget and service-level objectives.
  Objectives: Optimize efficiency and effectiveness; enterprise architecture evolution; promote partnerships throughout business units; responsiveness.

Awareness & Growth Orientation
  Question: How will security promote growth and learning to better meet corporate goals?
  Mission: To facilitate awareness of secure behaviors, and promote grass-roots partnerships with security.
  Objectives: Employee knowledge and effectiveness; security staff professional growth; emerging technology research.

Source: Giga Information Group

For each of the perspectives, the security manager and others can measure the number of contributions or actions toward each of the respective objectives. One may also measure the costs or efforts associated with each, projected vs. actual budgets, improved service levels, and the TEI (Total Economic Impact) of each.

In the new and pressing quest to articulate the value of IT security to the business, the Balanced Scorecard may be one of the most useful tools at our disposal.