• United States



by No Analyst or Consultant

Aligning Security with the Business: The Balanced Scorecard

Jan 29, 20034 mins
CSO and CISOData and Information Security

By VP, Steve Hunt

& VP Craig Symons

Norton and Kaplans Balanced Scorecard (BSC) method of measuring performance has been around since the early 1990s and appears to be gaining momentum in many companies. In fact, recent research suggests that 45 percent of US-based companies and 40 percent of European companies claim to be using the Balanced Scorecard approach.

For IT security organizations, the biggest payoff from the BSC comes from organizational alignment with the business units and a concrete method for demonstrating the value added by the security. The Balanced Scorecard and its creation of a shared language between IT and its business unit customers enable the emergence of a strategy-focused IT organization. Giga believes that by adopting the BSC approach, security organizations can significantly improve relations with the business units and close the gap between how security views itself and how business managers view it.

In a November 2002 Harvard Business Review article, Six IT Decisions Your IT People Shouldnt Make, the authors, Jeanne W. Ross and Peter Weill, research scientists at the Center for Information Systems Research at the Massachusetts Institute of Technologys Sloan School of Management, demonstrated that successful companies set their IT budgets by first determining the strategic role that IT will play in the organization, then establishing a companywide funding level that will enable technology to fulfill that objective. Since the first step in implementing a Balanced Scorecard starts with strategy, it follows that this can be an effective method for aligning security with that strategy.

The Balanced Scorecard approach to measurement and management was first introduced in a Harvard Business Review article, The Balanced Scorecard: Measures that drive performance, written by Robert S. Kaplan and David P. Norton in 1992. It was later expanded as a book, Translating Strategy into Action: The Balanced Scorecard in 1996. The Balanced Scorecard balances measurements across four dimensions, or views of business: the financial, internal processes, the customer, and learning & growth.

The original BSC approach was built around four dimensions. These included the traditional financial dimension and three others: the customer dimension, the internal process dimension and the learning and growth dimension. In recent years, some implementers have substituted or added additional dimensions, or perspectives, that better reflect their overall vision and strategy or include constituencies that the original approach left out, such as employees, suppliers and regulators. For example, four dimensions that may be suitable for a security department or chief security officer may be reflected in Table 1.

Table 1: The Four Security Perspectives
Customer Orientation How should employees, business unit managers and external users perceive security? Mission: To be the supplier of choice for all security requirements Objectives:
  • User satisfaction
  • Alignment with the business
  • Service-level performance
  • Business Value How should senior management perceive security as a contributor to company success? Mission: To enable business strategies through the effective application of security. Objectives:
  • Buisness value of security initiatives
  • Stewardship of security investments
  • Strategic contribution
  • Operational Excellence Which services and processes should security excel in? Mission: To deliver effective services at or below budget and service-level objectives Objectives:
  • Optimize efficiency & effectiveness
  • Enterprise architecture evolution
  • Promote partnerhips throughout business units
  • Responsiveness
  • Awareness & Growth Orientation How will security promote growth and learning to better meet corporate goals? Mission: To facilitate awareness of secure behaviors, and promote grass-roots partnerships with security Objectives:
  • Employee knowledge and effectiveness
  • Security staff professional growth
  • Emerging technology research
  • Source: Giga Information Group

    For each of the views, the security manager and others can measure the number of contributions or actions toward each of the respective objectives. One may also measure the costs or efforts associated with each, projected vs. actual budgets, improved service levels, and the TEI” or Total Economic Impact of each.

    In the new and pressing quest to articulate the value of IT security to the business, the Balanced Scorecard may be one of the most useful tools at our disposal.