Information Security Metrics & The Balanced Scorecard
I just finished a final draft of a presentation on information security executive reporting that I and some colleagues will present at the upcoming Forrester IT Forum in Las Vegas. For those of you who want more information on the Forum, please see Forrester's IT Forum 2011 in Las Vegas. In this presentation Alissa Dill, Chris McClean and I will present an approach for using the Balanced Scorecard to present security metrics to senior-level audiences. For those of you who are not familiar with the Balanced Scorecard, it was originated by Robert Kaplan, currently of the Harvard Business School, and David Norton as a performance measurement framework that added non-financial performance measures to traditional financial metrics to give managers and executives a 'balanced' view of organizational performance[1]. This tool can be used to:
- Align business activities to the vision and strategy of the organization
- Improve internal and external communications
- Monitor organization performance against strategic goals
Information security is characterized by people, process and technology. It is usually a function that operates "under the covers" until the organization experiences a serious breach. This really belies the value of the security organization and of information security specifically.
Using a management reporting framework to demonstrate the value of information security across additional dimensions, including the financial one, may help the overall security posture of the organization. It will do this by making the organization more aware of the overall value of information security and how it contributes to the mission of the organization. I would appreciate your thoughts. Drop me a line here (and, for Forrester subscribers, schedule an inquiry or advisory). I am very interested in your thoughts.
[1] Please see the website www.balancedscorecard.org for more information.