Security Metrics and the Balanced Scorecard

Wednesday, October 12, 2011 at 8:45am by Steven Fox

If you can’t measure it, you can’t manage it.  Metrics, the bane and blessing of corporate citizens, emerge from this truism.  Metrics allow managers to determine the efficacy of process changes and technology implementation.  However, poor metrics sometimes impose an atmosphere of micromanagement that damages employee and customer relationships.

The use of business intelligence (BI) analysis to develop useful Identity and Access Management (IAM) metrics was discussed by Ericka Chickowski in her article Seven Crucial Identity and Access Management Metrics. While these metrics address specific IAM concerns, they map to an IT management framework known as the Balanced Scorecard.

Drs. Robert Kaplan and David Norton developed the Balanced Scorecard in the early 1990s to “align business activities to the vision and strategy of the organization, improve internal and external communications, and monitor organization performance against strategic goals.”  A company’s key performance indicators (KPIs) are related to the perspectives analyzed in the scorecard.  According to Gartner analyst Paul Proctor, security professionals should communicate key risk indicators (KRIs) in the context of KPIs.  The balanced scorecard provides us with a model with which we can perform this mapping.

The scorecard’s framework addresses four domains where metrics can be applied:

  • Financial
  • Internal Business Processes
  • Learning and Growth
  • Customer

Financial

The financial wellbeing of a company is one of management’s highest priorities.  Financial metrics require accurate and timely information on assets and liabilities.  The scorecard provides a financial context for a discussion of risk controls from a fiscal perspective, including Value Statements and Return on Investment (ROI) calculations.

In any sufficiently large organization, operational funds will be budgeted to different business units as required by strategic and tactical goals.  Chickowski emphasizes that IAM solutions should be evaluated by “average cost per account across the organization, finding numbers that amortize account provisioning, deprovisioning, and maintenance.”  This “Service and Cost Metric” quantifies that product’s impact on the budget allocation for IAM.  We must be cognizant of the practical and political implications of budget ownership.  Our goal is to orchestrate these business units in the implementation of a security program while recognizing the influence and constraints of those groups.

Internal Business Processes

The business process metric allows executives to ensure that processes are meeting business requirements.  The security team can use this information to identify where threats may have the greatest business impact.  This not only allows us to identify the risks that are relevant to the business, but also allows us to plan controls from the perspective of a would-be attacker.

According to Chickowski, measuring the time it takes to “deprovision can tell an organization how good it is about sticking to policies when people leave the organization.”  Similar measurement of account provisioning and authorization may reveal cultural issues that impact compliance programs.  This part of the scorecard also provides insight into the culture of the organization.  According to the SANS Institute, understanding this culture “allows the policy development team to design an information systems security policy that can best ensure compliance.”  Rather than struggle to change existing processes and culture, security professionals must strive to design solutions that leverage these elements.  While change is sometimes required, the defining characteristics of a company’s brand must be honored.

Learning and Growth

The learning and growth metric examines attitudes towards knowledge management and corporate education.  Learning extends beyond the immediate enhancement of knowledge.  If inculcated appropriately, it can change the way the business competes for the better.  Given the value of intellectual capital, security proposals must highlight the educational enrichment they have to offer.  A workforce that understands how to counter the risks faced by the organization adds greater value.

Password Hygiene and Failed Log-Ins are two IAM metrics cited by Chickowski that link not only to corporate learning but also to personal security.  Given the prevalence of social engineering attacks on individual employees in and out of the workplace, an emphasis on password management education helps both the company and the staff members.

The Customer

Lastly, the customer metric is an indicator of market satisfaction in the products and services offered by the business.  This metric includes the reputation of the organization.  According to the Ernst & Young 2010 Global Information Security Survey, the link between information security and brand equity is recognized by a growing number of companies.  53% of the nearly 1,600 respondents cited damage to corporate reputations and brands as a key motivator for increased security investment. Security professionals must show how their proposals connect to, and enhance, brand equity.

At first glance, Chickowski’s selection of password reset and anomalous access incident metrics seems product-centric.  The former provides insight into the effectiveness of the IAM solution’s self-service components, while the latter identifies possible attempts at unauthorized access when seen through that lens.  However, these metrics can be mined and analyzed to reveal internal customer perceptions and possible insider threats.
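The four scorecard sections above each name an IAM measurement (average cost per account, time to deprovision, failed log-ins and password resets, anomalous access) without showing how one is actually derived from account and authentication records. The script below is an added example, not code from the post or from Chickowski’s article: it computes each of those metrics over a small constructed set of account-lifecycle records and authentication events, then groups the results under the four Balanced Scorecard perspectives the post uses. The record layout, the 24-hour deprovisioning threshold and the cost figures are all assumptions made for the example; an account that is terminated but never disabled, and a login by a terminated user, are included because those are the two findings a security team would most want such a report to surface.

```python
"""Derive the IAM metrics discussed above from constructed records and
group them by Balanced Scorecard perspective (added example, not from the post)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Account:
    user: str
    terminated: Optional[datetime]    # HR termination time; None while employed
    deprovisioned: Optional[datetime]  # when the account was disabled; None if still active
    annual_cost: float                 # assumed: licence + helpdesk + admin cost amortised per account


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data: five accounts, two of them terminated and handled well or
# badly, one terminated but never disabled (an orphaned account).
ACCOUNTS = [
    Account("alice", None, None, 180.0),
    Account("bob", ts("2011-09-30T17:00"), ts("2011-09-30T18:30"), 180.0),   # disabled in 1.5 h
    Account("carol", ts("2011-10-03T09:00"), ts("2011-10-07T12:00"), 210.0),  # disabled after 99 h
    Account("dave", ts("2011-10-05T17:00"), None, 180.0),                    # orphaned: still active
    Account("erin", None, None, 150.0),
]

# Constructed authentication log: (timestamp, user, event kind).
AUTH_EVENTS = [
    ("2011-10-10T08:01", "alice", "login_ok"),
    ("2011-10-10T08:02", "erin", "login_fail"),
    ("2011-10-10T08:02", "erin", "login_fail"),
    ("2011-10-10T08:03", "erin", "login_ok"),
    ("2011-10-10T09:15", "alice", "pw_reset_self"),
    ("2011-10-10T10:40", "erin", "pw_reset_helpdesk"),
    ("2011-10-11T02:12", "dave", "login_ok"),    # terminated user still signing in
    ("2011-10-11T02:13", "dave", "login_fail"),
]


def average_cost_per_account(accounts):
    """Financial: Chickowski's Service and Cost Metric over all accounts."""
    return sum(a.annual_cost for a in accounts) / len(accounts)


def deprovision_lag_hours(accounts):
    """Internal process: hours between HR termination and account disablement."""
    return {a.user: (a.deprovisioned - a.terminated).total_seconds() / 3600
            for a in accounts if a.terminated and a.deprovisioned}


def deprovision_within_sla(accounts, sla_hours=24.0):
    """Internal process: fraction of completed deprovisionings inside the assumed SLA."""
    lags = deprovision_lag_hours(accounts)
    return sum(1 for h in lags.values() if h <= sla_hours) / len(lags) if lags else 1.0


def orphaned_accounts(accounts, as_of):
    """Internal process: terminated users whose account is still enabled at as_of."""
    return sorted(a.user for a in accounts
                  if a.terminated and a.terminated <= as_of and a.deprovisioned is None)


def failed_login_ratio(events):
    """Learning and growth: share of failed log-ins per user (password hygiene signal)."""
    totals, fails = Counter(), Counter()
    for _, user, kind in events:
        if kind in ("login_ok", "login_fail"):
            totals[user] += 1
            fails[user] += kind == "login_fail"
    return {u: fails[u] / totals[u] for u in totals}


def self_service_reset_rate(events):
    """Customer: share of password resets completed through self-service."""
    resets = [k for _, _, k in events if k.startswith("pw_reset")]
    return sum(1 for k in resets if k == "pw_reset_self") / len(resets) if resets else 0.0


def post_termination_logins(accounts, events):
    """Customer: anomalous access, here a successful login after HR termination."""
    term = {a.user: a.terminated for a in accounts if a.terminated}
    return sorted((when, user) for when, user, kind in events
                  if kind == "login_ok" and user in term and ts(when) > term[user])


def scorecard(accounts, events, as_of):
    """Group the metrics under the four Balanced Scorecard perspectives."""
    return {
        "Financial": {"avg_cost_per_account": average_cost_per_account(accounts)},
        "Internal Business Processes": {
            "deprovision_within_24h": deprovision_within_sla(accounts),
            "orphaned_accounts": orphaned_accounts(accounts, as_of)},
        "Learning and Growth": {"failed_login_ratio": failed_login_ratio(events)},
        "Customer": {
            "self_service_reset_rate": self_service_reset_rate(events),
            "post_termination_logins": post_termination_logins(accounts, events)},
    }


if __name__ == "__main__":
    for perspective, metrics in scorecard(ACCOUNTS, AUTH_EVENTS, ts("2011-10-12T00:00")).items():
        print(perspective, metrics)
```

On the constructed data the report shows a 50% deprovisioning-within-SLA rate, one orphaned account, and one post-termination login, which is the kind of concrete finding that turns a policy-compliance discussion into a risk discussion with the budget owner.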

If information security professionals discuss security within this framework, they can communicate the business value of a given set of solutions.   By speaking the language of business they can get the attention of those who control the budget.
