Feature - 09/21/09

Selling Security with the Balanced Scorecard

By Steven Fox

Information security practitioners at all levels must realize they are salespeople. We are selling information security's value proposition. To be successful, we must understand what the business considers important, because that is what the business will buy. In other words, we must understand our customer: what makes them happy and what makes them mad. We must be able to form a relationship with our business customer that satisfies their needs. How can we do this?

Drs. Robert Kaplan and David Norton developed the balanced scorecard in the early 1990s to "align business activities to the vision and strategy of the organization, improve internal and external communications, and monitor organization performance against strategic goals." (1) A company's key performance indicators (KPIs) are related to the perspectives analyzed in the scorecard. According to Gartner analyst Paul Proctor, security professionals should communicate key risk indicators (KRIs) in the context of KPIs. (2) The balanced scorecard provides us with a model with which we can perform this mapping.

The scorecard's framework is composed of four perspectives on the company.
* Financial
* Internal Business Processes
* Learning and Growth
* Customer


Financial
The financial well-being of a company is one of management's highest priorities. The financial metric requires accurate and timely information about the fiscal health of the organization. This includes data on assets, liabilities, and risks. All investments boil down to an analysis of this metric. Thus, the financial impact of a security solution must be communicated appropriately. The scorecard provides us with the financial priorities we must address in our discussion of risk controls.

In any sufficiently large organization, operational funds will be budgeted to different business units as required by strategic and tactical goals. We must be cognizant of the practical and political implications of budget ownership. Our goal is to orchestrate these business units in the implementation of a security program while recognizing the individuality of those groups.

Internal Business Processes
The business process metric allows executives to ensure that processes are meeting business requirements. The security team can use this information to identify where threats may have the greatest business impact. This not only allows us to identify the risks that are relevant to the business, but also allows us to plan controls from the perspective of a would-be attacker.

This part of the scorecard also provides an insight into the culture of the organization. According to the SANS Institute, understanding this culture "allows the policy development team to design an information systems security policy that can best ensure compliance." (3) Rather than struggle to change existing processes and culture, security professionals must strive to design solutions that leverage these elements. While change is sometimes required, that change must honor the characteristics that define the company's brand.

Learning and Growth
The learning and growth metric examines attitudes towards knowledge management and corporate education. Learning extends beyond the immediate enhancement of knowledge. If inculcated into the business, it can change the way the business competes for the better. Given the value of intellectual capital, security proposals must highlight the educational enrichment they have to offer. A workforce that understands how to counter the risks faced by the organization adds greater value.

The Customer
Lastly, the customer metric is an indicator of market satisfaction with the products and services offered by the business. This metric includes the reputation of the organization. According to the Ernst & Young 2008 Global Information Security Survey (4), the link between information security and brand equity is recognized by a growing number of companies. 85% of the 1,400 respondents cited damage to corporate reputations and brands as a key motivator for increased security investment. Security professionals must show how their proposals connect to, and enhance, the equity of the company's brands. They must also show how the business can enhance its value proposition via security investments.

If information security professionals discuss security within this framework, they can communicate the business value of a given set of solutions. By speaking the language of business they can get the attention of those in control of the budget.


1. http://www.balancedscorecard.org/BSCResources/AbouttheBalancedScorecard/tabid/55/Default.aspx

2. http://searchcio-midmarket.techtarget.com/news/article/0,289142,sid183_gci1360671,00.html#

3. http://www.sans.org/reading_room/whitepapers/policyissues/developing_effective_information_systems_security_policies_491

4. http://www.ey.com/Publication/vwLUAssets/2008_Global_Information_Security_Survey/$file/2008GlobalInformationSecuritySurvey.pdf

Steven F. Fox is an information security-focused freelance writer. He authors the Art of War ISSA Journal column and the Security Paradigms blog on www.csoonline.com. His background in psychology, systems engineering, business analysis, and IT audit gives him a cross-disciplinary perspective on the field. Steven holds a Masters in Business Information Technology from Walsh College, an NSA-recognized Center of Excellence. He serves on the board of the Detroit ISSA chapter and is a columnist for the ISSA Journal. He is also the founder of SecureLexicon, a security advisory firm. He can be contacted at sfox@securelexicon.com. Follow him on Twitter at http://twitter.com/securelexicon or join his LinkedIn network at http://www.linkedin.com/pub/0/251/3a1

Source: Digital Media Online. All Rights Reserved