How CISOs Can Take Advantage of the Balanced Scorecard Method

Arun Mamgai
Author: Arun Mamgai
Date Published: 1 February 2024
Read Time: 10 minutes

Cybercriminals continue to attack enterprises by using sophisticated tools and adopting new methods of breaching. Global cyberattacks increased by 32% in 20221 and it is estimated that the cost of cybercrime will grow to US$10.5 trillion by 2025.2 These statistics have become a topic of discussion in boardrooms everywhere, and chief information security officers (CISOs) are expected to participate and provide updates on cybersecurity readiness accordingly.

At the same time, organizations are looking to leverage technology to deliver enhanced experiences to customers. Digital transformation is top-of-mind for many chief executive officers (CEOs), and CISOs play a critical role in this transformation because transformation without security often causes an enterprise more harm than no transformation at all. The threat of ransomware is real and can cause significant damage to organizations that have misalignment between the CISO’s actions and business priorities. As such, the CISO (and their team) must act holistically to protect enterprise assets from malicious cyberactors and growing cyberthreats.

Organizations with weak cybersecurity practices are at greater risk due to the evolution of malware campaigns, brute force attacks, and vulnerability exploitation. Enterprises need a strategic planning tool that enables them to proactively safeguard their assets from unforeseen threats. This is where a balanced scorecard-based tool comes to the rescue.3

The balanced scorecard (BSC)4 is a planning and management tool used by organizations to articulate intended objectives, align day-to-day activities with enterprise strategy, prioritize projects and actions, and measure and monitor success against enterprise goals. US business theorist David P. Norton and US author Robert Kaplan introduced it in 1992 to help identify, improve, and control business outcomes by measuring financial and non-financial metrics.5

A BSC brings 4 different perspectives together (financial, customer, internal process, and innovation and learning)6 to monitor and measure the success of each category and determine their performance against enterprise goals:

  • The financial perspective measures return on investment (ROI) and is used to manage financial risk involved in running operations (e.g., overall profitability, ROI of the cybersecurity team).
  • The customer perspective measures the value provided to customers (or internal stakeholders) and helps build trust by securing customers’ data privacy. An increase in confidence in an organization's data security approach helps foster customer loyalty.
  • The internal process perspective measures the quality and efficiency of the cybersecurity team and determines how well it provides service to its customers (e.g., how quickly can the team detect and resolve malware?)
  • The innovation and learning perspective includes human capital, assets, technology, culture, and other capacities that are key to breakthrough performance. This determines how well information is leveraged to help employees deliver the best service without any challenges (e.g., determining what percentage of employees have completed cybersecurity training).

Not all cybersecurity teams have been able to adapt to a consolidated strategy or initiative, unlike other departments. In these cases, cyberteams may be using disparate technology and data sources to secure their assets, resulting in delays in forming a consolidated view. Additionally, biased and outdated data (e.g., false positives or negatives) does not provide much confidence in data representation and the ever-expanding attack surface makes it difficult to cover all scenarios exhaustively. As cybersecurity becomes more accessible, the CISO and cybersecurity team must adopt a BSC approach to plan and report its success in alignment with broader business objectives. Implementing the BSC method can begin by developing a cybersecurity strategy map (figure 1).

Figure 1—Cybersecurity Strategy Map
Cybersecurity Strategy Map

A balanced scorecard-based cybersecurity strategy map can reduce business risk, increase productivity, enhance customer trust, and help enterprises grow without the fear of a data breach. The cybersecurity team does not always have a complete view of the business and may not understand which metrics are important. Additionally, multisource data collection and collaboration are often challenging for security professionals because they need to pull data from multiple internal security tools to identify patterns and anomalies. The cybersecurity team may not know which security risk to prioritize and could lack the capability to measure success in alignment with business goals and outcomes.

A Balanced Scorecard-based cybersecurity strategy map can reduce business risk, increase productivity, enhance customer trust, and help enterprises grow without the fear of a data breach.

There is value in identifying key performance indicators (KPIs) for the cybersecurity team to align its activities with organizational priorities. Key financial, customer, internal, and innovation and learning metrics may serve as directional inputs (figure 2). KPIs may vary from organization to organization based on their business priorities and current states of maturity, but the following can help provide a starting point for this critical journey.

Figure 2—BSC for the Cybersecurity Team

Financial Customer
  • Cost of data breach incidents (including penalties/compensation)
  • Direct cost of data breach (i.e., ransomware attack)
  • Cost of customer churn
  • Lost opportunity cost
  • Risk quantification score
  • ROI for the cybersecurity team
  • Volume of customer data affected
  • Number of compliance violations (e.g., Payment Card Industry Data Security Standard [PCI-DSS], EU General Data Protection Regulation [GDPR], US Health Insurance Portability and Accountability Act [HIPAA])
  • Customer satisfaction (CSAT) score for data protection
  • Number of intrusion attempts in past 12 months
  • Number of endpoint systems protected by antimalware solutions
Internal Innovation and Learning
  • Number of penetration tests and audits per year
  • Mean time to detect the breach
  • Mean time to recovery (MTTR)
  • Number of devices running unsanctioned software
  • Number of accounts with administrator (admin)/elevated privileges
  • Number of unmanaged/unknown devices on the network
  • Number of known vulnerabilities (high, medium, and low)
  • Number of employees with cybersecurity training
  • Number of employees with access to sensitive data
  • Phishing test success rate
  • Number of users enrolled in identify and access management (IAM)
  • Amount of manual or automatic patching coverage
  • Volume of data on premises vs in the cloud
  • Number of devices abiding by zero trust or multifactor authentication (MFA) principles
  • Degree of security defense acceleration with artificial intelligence (AI)

Consider an example. The United States Department of Agriculture’s (USDA’s) Farm Service Agency has successfully developed a cybersecurity scorecard to align its activities with its mission and reduce overall risk.7 Identifying which KPIs are lagging has helped the agency identify issues contributing to risk, while leading KPIs have offered insight into potential risk. The USDA's Farm Service Agency scorecard is a proactive and strategic approach that addresses current vulnerabilities, anticipates, and mitigates potential risk, ensuring a resilient cybersecurity framework aligned with its mission and organizational goals.

Conclusion

A balanced scorecard-based approach empowers CISOs and their teams to focus on the issues that matter most. It recommends activities based on business priorities and provides a path for security state analysis, data aggregation and correlation, enforcement of automation and AI-based defense policies, and MFA to avoid a single source of breach. This shifts the culture to focus on outcomes instead of metrics and helps provide an easy path to collect metrics and secure confidence in their accuracy.

Endnotes

1 Check Point Research Team, “Check Point Research Reports a 38% Increase in 2022 Global Cyberattacks,” Check Point Software Technologies, 5 January 2023
2 Morgan, S.; 2022 Official Cybercrime Report, Cybersecurity Ventures, 2022
3 Rao, M.; “The CISO Transformational and Operational Balanced Scorecard: Navigating the Modern Cybersecurity Landscape,” LinkedIn Pulse, 26 July 2023
4 Balanced Scorecard Institute, “Balanced Scorecard Basics”
5 Tarver, E.; “What Is a Balanced Scorecard (BSC), and How Is It Used in Business?,” Investopedia, 10 March 2023
6 Savkin, A.; “Financial Perspective. Estimating the Financial Impact of Data Security,” BSC Designer
7 Wagner, J.; “Developing a Cybersecurity Scorecard,” Farm Service Agency, USA

Arun Mamgai

Has more than 18 years of experience in cloud-native cybersecurity, application modernization, open-source secure supply chains, AI/machine learning (ML), and digital transformation (including balanced scorecards, data management, and digital marketing) and has worked with Fortune 1000 customers across industries. He has published many articles highlighting the use of generative AI for cybersecurity and securely developing modern cloud applications. He has been invited to speak at leading schools on topics such as digital transformation and application-level attacks in connected vehicles and has been a judge for one of the most prestigious awards in the technology sector. He has also mentored multiple start-ups and actively engages with a nonprofit institution that enables middle school girls to become future technology leaders.

Additional resources