Security Portfolios that Overemphasize Technology Will Fail

Over the last ten years, CIOs have been tasked with steering the ship of security without the luxury of a chart. Changing winds (priorities) and unforeseen obstacles (threats) have made for a turbulent journey that is leaving many leaders seasick. When the Board asks about the costs and direction of your security investments, will you realize your security strategy is adrift?

One of the most reliable tools for a captain is a compass. For CIOs, layering security perspectives onto the balanced scorecard (BSC) provides a well-understood framework for communicating with executives. It can help organize your security strategy, reset decision-making, and ensure measurable results: a requisite in an age when IT must align its operations to the priorities of the business or be outsourced. Data-driven security investment planning can help right the ship.

That’s where the Security BSC approach can help. It’s a strategic planning system that organizations use to: 

  • Communicate objectives
  • Align day-to-day work 
  • Prioritize projects, products, and services 
  • Measure and monitor progress towards strategic targets  

The BSC looks at organizations from four perspectives (Customer, Financial, Process, and Organizational Capacity) and develops objectives, measurements (KPIs), and initiatives relative to each point of view. 

Fine-tuning the BSC to focus on security perspectives allows for measurement of security customers, security technologies, security operations, and security culture. Within each perspective, CIOs can identify their most important initiatives and align them to an industry-appropriate cybersecurity framework, such as NIST SP 800-53. This allows CIOs to communicate their security investments and priorities in language their counterparts in the business can understand.

Next, the Security BSC needs Key Performance Indicators (KPIs) that measure progress over time. A key step is to monetize KPI improvements through a security business case. This ensures that security investment decisions are tied to the strategic framework and traceable over time. Investment evaluation should quantify return as a function of KPI improvement. Use the Annual Loss Expectancy (ALE) formula to bring quantitative rigor and to capture the assumptions behind each figure.

How does this approach look in practice? Here are a few examples: 

Security Customers. A KPI for security customers might be monetized regulatory risk, aligned to the NIST Governance (ID.GV) category: 

  • Investment Evaluation: If investing $250k to broaden awareness of GDPR impacts across the organization can reduce my regulatory risk (ALE reduction of $2M), my Security ROI would be 800%. 

Security Technology. A KPI for security technology might be monetized data breach risk, aligned to the NIST Protective Technology (PR.PT) category: 

  • Investment Evaluation: If investing $1M in a Web Application Firewall (WAF) can reduce my data breach risk (ALE reduction of $4M), my Security ROI would be 400%. 

Security Operations. A KPI for security operations might be incident response performance, aligned to the NIST Information Protection Processes and Procedures (PR.IP) category: 

  • Investment Evaluation: If investing $100k in a Lean incident response workshop can identify and reduce waste in my Security Operations Center team’s processes by 10% (ALE reduction of $750k), my Security ROI would be 750%. 

Security Culture. A KPI for security culture might be security workforce tenure, aligned to the NIST Governance (ID.GV) category: 

  • Investment Evaluation: If investing $25k in a retention bonus program would help increase my security team’s proficiency by improving workforce tenure rates (ALE reduction of $500k), my Security ROI would be 2000%. 

Ultimately, CIOs should monitor their security investments as any business leader would monitor an investment portfolio. Look for changes in the rate of return to tell you when to change course. As a leader, your attention is a valuable commodity. The Security BSC can help you monitor all parts of the portfolio evenly, and focus attention only when KPIs within a perspective begin to signal an issue.
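The four investment evaluations above, and the portfolio monitoring this paragraph describes, carried through in code as an added example (not from the article). The investment costs and ALE reductions are the article's figures; the SLE and ARO values that decompose each ALE are constructed assumptions, and the article's ROI figures divide the ALE reduction by the investment, so the block reports that convention alongside the net form (reduction minus cost, over cost) in which return on security investment is usually stated.

```python
"""Security BSC investment evaluation with the ALE formula (added example)."""
from dataclasses import dataclass
from typing import List, Optional


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    return sle * aro


@dataclass(frozen=True)
class Investment:
    perspective: str      # Security BSC perspective
    nist_category: str    # NIST category the KPI is aligned to
    initiative: str
    cost: float           # investment, USD (from the article)
    sle: float            # loss per event, USD (constructed assumption)
    aro_before: float     # events per year before the investment (constructed)
    aro_after: float      # events per year expected after it (constructed)

    def ale_reduction(self, aro_after: Optional[float] = None) -> float:
        after = self.aro_after if aro_after is None else aro_after
        return ale(self.sle, self.aro_before) - ale(self.sle, after)

    def gross_roi_pct(self, aro_after: Optional[float] = None) -> float:
        """The article's convention: ALE reduction divided by the investment."""
        return self.ale_reduction(aro_after) / self.cost * 100

    def net_rosi_pct(self, aro_after: Optional[float] = None) -> float:
        """Net return on security investment: (ALE reduction - cost) / cost."""
        return (self.ale_reduction(aro_after) - self.cost) / self.cost * 100


# SLE/ARO pairs are chosen so each ALE reduction matches the article's figure.
PORTFOLIO = [
    Investment("Customers", "ID.GV", "GDPR awareness", 250_000, 1_000_000, 2.5, 0.5),
    Investment("Technology", "PR.PT", "WAF", 1_000_000, 4_000_000, 1.25, 0.25),
    Investment("Operations", "PR.IP", "Lean IR workshop", 100_000, 1_500_000, 1.0, 0.5),
    Investment("Culture", "ID.GV", "Retention bonus", 25_000, 500_000, 1.5, 0.5),
]


def rank_by_net_rosi(portfolio: List[Investment]) -> List[str]:
    """Prioritization view: initiatives ordered by net return, best first."""
    return [i.initiative for i in sorted(portfolio, key=lambda i: i.net_rosi_pct(), reverse=True)]


def needs_attention(inv: Investment, observed_aro: float, min_net_rosi_pct: float = 200.0) -> bool:
    """Monitoring: flag an investment whose realized return, recomputed from the
    event rate actually observed, has fallen below the leader's threshold."""
    return inv.net_rosi_pct(observed_aro) < min_net_rosi_pct


if __name__ == "__main__":
    for inv in PORTFOLIO:
        print(f"{inv.perspective:<11} {inv.initiative:<18} ALE reduction ${inv.ale_reduction():,.0f}"
              f"  ROI {inv.gross_roi_pct():.0f}% (net {inv.net_rosi_pct():.0f}%)")
    print("Priority order:", rank_by_net_rosi(PORTFOLIO))
```

Re-running `needs_attention` with the observed ARO each review cycle gives the "change in rate of return" signal the paragraph asks for, without re-deriving the whole business case.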

Creating a Security BSC can help CIOs quickly understand if something is a good security investment by answering the question, “Where does this fit among my other priorities?” And it can help you understand whether the investment is paying off by measuring how investments are performing over time.