Monday, July 6, 2015

Balanced Scorecard for Cybersecurity

There is a tendency to view cybersecurity as just another cost center. This kind of thinking denies security its strategic value, and in most organizations it is relegated to an IT operations function as a result. It is no wonder that security failures have kept increasing in spite of advances in security processes and technologies. Only recently have organizations started to realize that breaches can have a huge negative impact on their businesses (e.g., Target and Sony). Cybersecurity should therefore be treated as a strategic discipline, given the growing share of value held in digital assets, the continued adoption of and reliance on software and mobile solutions, and the increasing push for regulatory compliance.

Once cybersecurity is viewed as strategic rather than as overhead cost, how can we measure whether it is performing according to plan? Kaplan and Norton stressed that organizations should not rely on financial measures alone when measuring performance but should also consider customer, business process, and learning measures. Cybersecurity performance cannot be assessed through ROSI (return on security investment) alone: the outcomes of security investments are difficult to quantify, and the current state of security (or insecurity) of an organization is harder still to measure. This is where the balanced scorecard (BSC) comes in. Alongside the traditional financial measures it adds three more perspectives (customer, internal process, and learning and innovation) to give a balanced presentation of both financial and operational measures for a business.

As Kaplan and Norton describe it [1], a balanced scorecard can be thought of as the dials and indicators in an airplane cockpit, where relying on a single instrument can be fatal. Cybersecurity should likewise be viewed not only from a financial perspective but also through the viewpoints of the customers, the internal processes, and learning and innovation. The customer perspective is how users, third parties, and other stakeholders see the security function in the organization. The internal business perspective comprises measures of what the security function must do internally to meet customer expectations, such as the policies, procedures, and activities that protect users' information. The learning and innovation perspective is the ability of the security function to adapt to the changing threat landscape and thereby create value for the organization.

One way the balanced scorecard can be applied to security is the conceptual model proposed by Herath et al. [2] (Figure 1). Instead of the financial perspective, it uses a business value perspective whose objectives are the traditional goals of security: confidentiality, integrity, and availability. The customer perspective becomes a stakeholder orientation in which the perceptions of the users are taken into consideration. The internal security processes are assessed by measuring the planning, prioritization, implementation, and maintenance of security initiatives. The learning and innovation perspective is replaced by a future readiness perspective, which includes continuous training as well as threat and vulnerability management. The model can be adapted to an organization's own security posture, for example by adding auditors and regulatory bodies to the stakeholder orientation. It is an excellent attempt at using the balanced scorecard to track cybersecurity's effectiveness outside the traditional financial measurement models.

[1] Kaplan, Robert S., and David P. Norton. "The Balanced Scorecard: Measures That Drive Performance." Harvard Business Review (1992). Web. 4 July 2015.
[2] Herath, Tejaswini, Hemantha Herath, and Wayne G. Bremser. "Balanced Scorecard Implementation of Security Strategies: A Framework for IT Security Performance Management." Information Systems Management 27.1 (2010): 72-81. Web.
