Information security and the balanced scorecard

Information Security has long been seen as at odds with business agility and productivity. Whether it uses electronic or physical controls, security often gets a bad reputation for being a burdensome bolt-on required for either regulatory compliance or nebulous what-if scenarios.

Value-Negative Information Security

For some organizations, the what-if threat is less nebulous. Take, for example, Google. Between its January 13 threat to cease operations in China and early April, the search giant lost almost $7.5 billion in market value. Both the NASDAQ and S&P 500 composites rose about 5 percent over the same period, and our research has turned up no other significant negative events for Google during this time, which suggests that this escalating disagreement led to their capital loss.

This case and numerous others show that poor information security can destroy value, in terms of both lost shareholder confidence and future growth. And as the TJX Companies learned from a well-publicized 2005 breach, poor information security can also result in costly legal repercussions.

Defining Security Success

But can an excellent information security program create value? Perhaps the first step to implementing a successful plan is defining success. Many organizations, especially those harshly constrained by regulatory compliance and public scrutiny, define success as the absence of a significant, widely publicized event. Los Alamos National Laboratory was in the same situation: Our security program was deemed a success as long as it kept incidents to a minimum and those that did occur were of low enough severity to satisfy our regulating authority.

The false sense of security created by regulatory compliance can be dangerous, however. Los Alamos, as with many public and private organizations, fell into this trap. It's easy to fall into a check-the-box mind-set, thinking that if all the regulatory requirements have been met, the organization's critical data and assets are secure. It only takes one painful, public breach to realize that this way of thinking is flawed.

After each information security event, we asked ourselves, "If we were compliant, then how did we fail to protect our sensitive information and technology assets?" Over time it became clear that we failed because our security controls were decoupled from the mission of our organization. By focusing on regulatory compliance and ignoring the needs of our core workforce--R&D scientists, experimentalists, engineers and machinists--we forced them to use their computers in an unintuitive way, which caused them to make more errors.

As an excellent paper from Microsoft Research notes, this behavior is common, and is in fact completely rational from an economic standpoint. Unfortunately, information security professionals often deal with it in entirely the wrong way--with still more reactionary, bolt-on compliance measures, rather than by taking a holistic, strategic view of the problem.

In contrast, our current security program strives to blend compliance with ease of use to foster both information security and user productivity. Simply put: we want it to be easy for our employees do the right thing.

If our ultimate goal is to create value through an excellent information security program, then how do we define those terms? The answer necessarily depends on your security paradigm and your business model.

For much more on measuring and communicating the value of security, see The Security Metrics Collection on

For example, at Los Alamos, our shareholders are the U.S. taxpayers, who demand fiscal prudence and return on their investment of trust. Our customers are other government agencies that rely on the world-class products of our science and technology capabilities. And our stakeholders include state, local and tribal governments; the residents of New Mexico; and our workforce. Each of these groups has its own set of requirements, and an information security breach has the potential to negatively affect each in a different way. They must all be taken into account when developing our definition of success.

How would you define success in information security? How do you develop a program focused on value creation? At Los Alamos, we worked directly with our customers to define success as enhancing our competitive position by

(a) reducing security and compliance costs by improving operational efficiency;

(b) reducing the number and impact of security events; and

(c) gaining competitive advantage by facilitating the acquisition of new business by enhancing our reputation, bolstering our workforce's productivity and establishing collaborative partnerships.

Turning Vision Into Action

Developing your vision of success for enterprise information security is only the first step. Equally important are the abilities to translate your vision into strategic direction, develop tactical objectives that move you toward your goals, and establish a quantitative dashboard for evaluating your progress. To this end, Los Alamos focuses on closely on enabling its mission and on strategic execution.

Step 1. Developing your vision. What is your core business model? To what degree are your activities dictated by statutory compliance or legal liability? Almost all organizations have similar concerns about gaining competitive advantage, such as how the company can position itself as a sector leader, provide innovative solutions, and promote an image of trustworthiness, competence and timely delivery. Los Alamos, for example, relies primarily on the U.S. nuclear weapons complex for funding. Our activities are heavily constrained by law and carry significant liabilities. In order to meet our obligations to the nation and our customer base, we must demonstrate that we can safeguard the national security information entrusted to us while enabling the delivery of cutting-edge scientific research and innovation.

Step 2. Create a strategy map. An element of the balanced scorecard methodology, the strategy map is a visual tool that clearly assesses strategic vision from four perspectives:

- financial (the first or top tier in the diagram below);

- customer (second tier in diagram);

- internal processes (third tier); and

- learning and growth (bottom tier).

information security strategy map

Unlike the reactionary, bolt-on approach of many information security operations, the strategy map encourages a holistic view of the people and processes that underlie sustainable success. In our strategy map, we defined overarching themes to focus on and broke those themes down into components with defined objectives that promote long-term growth in each of the perspectives. For example, we defined operational excellence as a theme from the internal processes perspective, and one strategic objective is to improve our compliance processes. When taken together, the components drive the success of the theme, which keeps the perspective on track. When all four perspectives are properly scoped and progressing as they should, your organization is making great strides toward fulfilling its strategic vision.

Step 3. Define initiatives. Initiatives are funded, tactical activities that support delivery of a strategic objective.

It's critical to maintain a strong knowledge of the initiatives currently under way in your organization. When that knowledge is combined with your strategy map and targeted customer feedback, it's easy to identify gaps in organizational structure and funding that are hindering fulfillment of your vision. Conversely, when your organization's initiatives are well aligned with its strategy map, delivering on your vision for information security comes naturally. The model's self-sustaining nature is obvious when examining the interplay between the overarching strategy, themes, objectives and initiatives.

Also see Enterprise risk management: All systems go

For example, when initiatives do not map to the defined objectives, they are easily flagged as misaligned with the overarching strategy and can be re-prioritized or abandoned altogether. Likewise, if certain initiatives seem necessary to successful strategy execution but do not fit in the established strategy map, it is important to review and realign the strategy to ensure that key components are not missing.

The Information Security Value Sphere

Now you have a set of properly aligned, adequately funded, value-creating initiatives to act on. Here, the information security value sphere provides the perfect lens through which to view your unfolding initiatives. Its goal: to ensure thoughtful, sustainable, value-focused implementation of information security objectives.

information security value sphere

Two key aspects of a successful delivery:

1. Establishing a Competitive Advantage

2. Improving Operational Efficiency

If your organization can differentiate itself from the field by delivering its information security objectives, it has gained a competitive advantage. Similarly, outstanding operational efficiency lets you outpace your competitors by delivering cheaper and more effective solutions.

The four most important considerations in the pursuit of competitive advantage and operational efficiency:

1. Solutions

2. Relationship Management

3. Decision Support

4. Performance Management

By taking each value function into consideration when planning, implementing and executing tactical initiatives, you will impart competitive advantage and operational efficiency to the delivery of those initiatives.

The Balanced Scorecard and Security

Applying the balanced scorecard to information security operations at Los Alamos is one of the most promising new developments in our management program. The scorecard is primarily a holistic dashboard for evaluating mission delivery.

security balanced scorecard

When its measures are tied to the objectives and initiatives of the strategy, the scorecard provides excellent insight into the leading and lagging indicators of successful strategy execution, allowing management to foresee problems or quickly identify them as they arise.

A notable bonus of tracking your information security program with the balanced scorecard is that it's self-correcting.

If several of your initiatives are marked in yellow, meaning they're in danger, or red, which means they're unsalvageable, but your organization is delivering on its mission, it's a prompt to reconsider the importance of those initiatives.

If, on the other hand, your dashboard is green but your organization is not delivering, then you know your initiatives are poorly aligned with your organization's mission.


The quality of your information security operations can directly affect the success of your organization, for better or worse. Viewing information security as a cumbersome compliance exercise diminishes its usefulness to the business, and the false sense of security that comes with shallow compliance may be destructive.

Implementing a holistic information security program that focuses on the customer while emphasizing competitive advantage and operational efficiency can actually create value and drive success. Los Alamos's approach, which combines the balanced scorecard with the novel information security value sphere, is one path to achieving information security excellence.

Jamil Farshchi is chief information security officer and Ahmad Douglas is senior cyber security leader at Los Alamos National Laboratory.

This story, "Information security and the balanced scorecard" was originally published by CSO.


Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon