PART I

Foundational Business Knowledge

CHAPTER 1

Financial Principles

Embrace Reality and Deal with It.

Ray Dalio

Opportunity

It's easy to get distracted by how you think things should be. Yet, it is critical to understand how they really are. Early in my career, I often identified ways that would make my work more efficient. When there was a dependency on resources I didn't have, I usually stewed in frustration about how stupid the people were who designed such a flawed system in the first place.

It wasn't until years later that I learned optimizing all parts of a system does not necessarily optimize the system itself. You see, every organization has a mission and limited resources. Today, nearly all organizations in the modern economy deliver value through technology. However, not all organizations and leaders agree upon the importance of cybersecurity.

As a cybersecurity leader, it's your job to educate, build consensus, and secure necessary resources. Organizational mission and cybersecurity goals must be aligned. I think Malcolm Harkins said it best: “We provide protection that enables information to flow through the organization, our partners, and our customers. We protect the technology that our organizations create to provide new experiences and opportunities for our customers.”1

Now, imagine for a moment you are on vacation and you've decided to travel internationally. The country you're visiting speaks another language. You've done your part to learn a few keywords before your arrival, so you have the basic vocabulary. You can count to 10, you can ask about the time, and you know different words that indicate modes of transportation.

There you sit in the terminal at the bus station, and the time comes for your bus to leave. You make your way to the platform and discover – no bus. Of course, you don't know if you missed the bus, if it is late, or if they simply changed the platform. When you turn to ask a passerby, they don't speak your language. You go back to the information desk and ask for help. The attendant offers hints at what to do through gestures, but you remain a bit uncertain. The attendant tells you what you can only make out to mean “The bus will come 8.”

What does that mean? Bus #8, platform 8, at 8 p.m., in 8 minutes – there's no way to be sure because neither of you possesses adequate language.

It is precisely this experience that happens worldwide as companies decide how much they should invest in cybersecurity. Without a foundational understanding of accounting and financial principles you are unlikely to succeed in securing the appropriate resources required so that you may effectively protect and enable your organization.

What is also true is that business leaders speak the language of business. They are dependent upon you to communicate about your topic of expertise, cybersecurity, in a language they can understand.

This concept isn't new – we've been hearing about it for several decades now. You'll encounter the phrase “speak in business language” in professional journals and conferences alike. Yet, there seems to be very little information available to outline the critical vocabulary and concepts that cybersecurity practitioners need to secure their “seat at the table.”

Principle

The focus of this first chapter is to establish critical vocabulary and fundamental business knowledge. We will briefly overview several terms only to the extent required to understand their application. Naturally, these terms have been covered in detail elsewhere. When possible, we will point to our favorite resources. These resources emphasize cheap or free, easy to consume, and available in a convenient format. That should help you dig into various topics that pique your interest or prove weak points in your knowledge base. We think you'll pick up a few of the most valuable nuggets right here in this very first chapter, so resist your temptation to skip forward.

To get you started, I'll share the approach I used to structure my pursuit of business acumen. At the time, I was a consultant, and a high percentage of my work weeks included commuting by plane to a customer site.

That's where I learned about Josh Kaufman's The Personal MBA (https://personalmba.com/), which touts “A world-class business education in a single volume.” Since I am perhaps the slowest reader in the world, I decided to expedite my knowledge acquisition by leveraging getAbstract (https://www.getabstract.com/), which as of this writing, claims to contain “the key insights of 20,000+ nonfiction books summarized into compelling 10-minute reads.” These were a great start, but ultimately, I obtained an MBA because I wasn't confident that my cursory review was sufficient. We hope this book can be an alternative, serving as a shortcut to the long nights and imbalance that a master's degree can impose on your personal life.

Conceptually there are relatively few things you need to master from this chapter. You need to know a handful of vocabulary words, how to read and understand financial statements, and how to apply them to your role as a cybersecurity leader. The good news is – that's it – from an accounting and finance perspective!

It is worth mentioning that later in the book, we'll continue to infuse these foundational business concepts with other topics intended to develop more complete business acumen, including Part II – Communication and Education and Part III – Cyber Security Leadership. So let's dive in with our first topic.

Financial Statements

There are three primary financial statements. The Income Statement reports profit performance over a period (typically a quarter or a year). The Balance Sheet describes the financial position, comprised of assets, liabilities, and equity, at a particular point in time. And finally, the Statement of Cash Flows describes what cash came into the business and what went out over that same period.

Income Statement

As with any complex topic, it can be helpful to start at a very high level and then pursue a more nuanced understanding. To get started, we're going to review the critical elements of an income statement:

· Revenue

· Cost of Goods Sold (COGS) / Cost of Revenue

· Gross Profit (GP)

· Sales, General and Administrative (SG&A) Expenses

· Earnings Before Interest, Taxes, Depreciation, and Amortization (EBITDA)

· Depreciation Expense

· Amortization Expense

· Earnings Before Interest and Taxes (EBIT)

· Interest Expense

· Income Tax Expense

· Net Income (Bottom Line)

The order of the items tells a story. A few items, the calculated subtotals such as Gross Profit, EBITDA, and EBIT, appear in gray in the book's list. They are not required line items and, therefore, may not be present in all income statements. However, you can always calculate them from the information available. These subtotals often serve as metrics that have a significant influence on behaviors in business. Let's cover each of the items and reveal the story they tell.

REVENUE

First, we start with revenue, which is often called the top line. Revenue is essentially the amount of money the company earned from the sale of its products or services during the period. Without revenue, you can't pay for any of the expenses that follow, so this is a great place to start. Some companies focus on Net Revenue, which you calculate by subtracting discounts, returns, and allowances from gross revenue.

Depending upon your business model and perhaps the economic sector, there are often compelling arguments that a cybersecurity leader can make about how their team contributes to enhancing revenue acquisition. This is especially true for software or SaaS companies serving highly regulated industries, as their customers undoubtedly have significant compliance obligations. One good indicator is whether your cybersecurity team is helping sales complete diligence questionnaires for your customers and prospects. If so, then you are certainly part of the sales cycle and serve as an advocate of revenue acquisition. Third-party risk management (TPRM) is undoubtedly a complicated endeavor that may seem duplicative and, at times, even unproductive. Do not fall into that trap.

Instead, embrace your role here. More sales activity means more revenue to fund operations – including cybersecurity operations. TPRM also gives you a view into revenue sources, what types of customers you will soon serve, and what value expectations exist. These insights can help you anticipate demands on other areas of your security program.

COST OF GOODS SOLD/COST OF REVENUE

Next, we see the term COGS, which strictly speaking applies to a company that sells physical goods. In a services (or software) business, you are more likely to see the term cost of revenue. It means the same thing, but the terminology is a bit different. There is all kinds of nuanced language in financial statements that mostly gets us to the same outcome: start with what your customers paid you, subtract the costs, and determine what remains for retained earnings, future investment, or dividends.

Suffice it to say that there are generally accepted accounting principles that specify how expenses must be grouped and where they must appear in the financial statements. COGS / cost of revenue includes raw materials, shipping costs, and the direct labor required to produce the product or deliver the service. Some companies also report sales commissions here, although commissions more commonly land in selling expenses; check how your own company classifies them.

If your business is not primarily in the delivery of cybersecurity services or software, you probably don't have a role to play in this line item. However, you may be able to augment funding sources or support the cybersecurity program by partnering with business stakeholders whose budgets carry a heavy COGS concentration. It may be easier to recruit security champions in those teams, perhaps with a dotted-line reporting relationship to you. Partnering in this way can be a great source of operational leverage: more consistent security outcomes with less of your direct managerial attention.

GROSS PROFIT

Gross profit (GP) is the profit a company makes after removing the costs associated with manufacturing and selling its products or delivering its services. You calculate GP by subtracting the COGS from revenue.

Gross Profit = Revenue − COGS (or Cost of Revenue)

Note that gross margin is a commonly used and very similar term. Frequently people (incorrectly) use it interchangeably with GP. In short, gross margin is a percentage value, while GP is a monetary value. They both represent the resources available to invest in your business and accelerate growth after you have directly delivered upon your commitment to your customers.

To calculate gross margin:

Gross Margin (%) = Gross Profit ÷ Revenue × 100

Margin profile can be a value gate in deriving a company's worth. That is to say, some business models anticipate a high gross margin (SaaS, professional services, etc.) while others will not (such as an electronic components distributor, value-added reseller, airline, etc.). Either way, you want to be clear on gross margin expectations. Ask your financial planning and analysis (FP&A) team if you don't already know.

SALES, GENERAL, AND ADMINISTRATIVE EXPENSES

Some costs can be difficult, if not impossible, to assign to specific revenue-generating activities directly. These are things like rent, phone, utilities, and salaries for shared services such as Legal, IT, and Cybersecurity. They all frequently fall into the category of Sales, General, and Administrative (SG&A) expenses, and this is why cybersecurity is often a “cost center.” For now, just know that no enterprise cost reduction or transformation effort is complete without some consideration of SG&A expenses. Note that SG&A may also appear under the title operating expenses.

EBITDA

One way to calculate Earnings Before Interest, Taxes, Depreciation, and Amortization (EBITDA) is by building up from the bottom of the income statement. Starting with Net Income, we'll add each item to derive our final value, or we can start with the top line and subtract.

EBITDA = Net Income + Income Tax Expense + Interest Expense + Depreciation Expense + Amortization Expense

OR

EBITDA = Revenue − COGS − SG&A Expenses

We'll go into business valuation in much more detail in Chapter 4 – Value Creation. For now, it's essential to know that using an EBITDA multiple is one of the most common methods for valuing a company. EBITDA is particularly useful to investors as it provides a more transparent view of financial results. Unfortunately, accounting methods selected (for depreciation in particular) can enhance profits artificially. Using EBITDA helps expose the underlying cash generating profile of the business. In any given year, there are one-time expenses that may impact EBITDA. The goal is not to make you an expert in calculating EBITDA (leave that to your accounting and finance departments). Instead, the purpose of reviewing the formulas is to offer you an awareness of the relationship each of the income statement line items has with the metrics your company executives care about most.

DEPRECIATION AND AMORTIZATION

In the course of operating a business, assets wear down or become obsolete. Obsolescence applies to both tangible and intangible assets. For example, servers may break down over time, and a company can only legally enforce intellectual property rights, such as patents, for a limited number of years. Because assets have useful lives that frequently last longer than one accounting period, accountants reduce the value of these assets over their estimated service lives. The term depreciation applies when the asset is tangible, such as furniture or computers. Similarly, accountants use amortization when an asset is intangible.

EBIT

Earnings Before Interest and Taxes (EBIT) is similar to EBITDA. In this case, we pull the depreciation and amortization expenses back into the picture. Because those expenses spread the cost of capital expenditures across the accounting periods in which the assets are used, EBIT reflects the profit or loss from operations more accurately than EBITDA does. EBIT is often used interchangeably with operating profit. Investors examine it to separate a company's operational performance from the costs of its capital structure (interest) and its tax expense.

EBIT = EBITDA − Depreciation Expense − Amortization Expense

OR

EBIT = Net Income + Income Tax Expense + Interest Expense

INTEREST EXPENSE

Interest expense is the cost of any borrowing management has done to fund operations; the principal itself appears on the balance sheet as a liability. Interest is usually evaluated outside the operational analysis and is called a nonoperating expense. It arises from loans, lines of credit, bonds, and any type of convertible debt. There is very little that cybersecurity teams can do to affect interest expense.

INCOME TAX EXPENSE

The government collects taxes to finance public services or national programs. One source of funding that contributes to these services is income tax. So, a tax expense is a liability owed to the government. Again, cybersecurity teams cannot impact the tax expense materially.

NET INCOME

Net income is what you have left after you have subtracted everything you spent. For that reason, it is also known as the bottom line. As you will see, net income flows into retained earnings, the cumulative profit a company has kept (rather than paid out as dividends) to finance further operations. Retained earnings is an equity account, not a pile of cash. The relationship becomes much more apparent in the Connections Between the Financial Statements section later in this chapter.

If by this point you are feeling pretty good, then, by all means, keep reading. If you're feeling a little uncertain or unsettled about your mastery of the materials, spend some time settling in with these concepts. Here are several great resources to help you close the knowledge gap:

· http://www.responsive.net/Accounting.skills.html

· http://www.accountingcoach.com/

· http://accountingexplained.com/financial/introduction/

Balance Sheet

A balance sheet offers a view into the capital structure or how an organization finances its assets through a combination of debt and equity. A simple formula summarizes the information contained on the balance sheet:

Assets = Liabilities + Equity

Managing the company's financial condition includes ensuring that it has enough cash and keeping liabilities under control relative to assets and revenues. That is primarily a Chief Financial Officer (CFO) responsibility.

One standard financial ratio on the balance sheet is the Debt-to-Equity (D/E) ratio. A heavily leveraged company will have a relatively high D/E ratio. Meaning, the company has borrowed a lot to finance operations. Typically, analysts compare a D/E ratio of one company to another company competing in the same or similar industry.

That is to say, comparing the debt-to-equity (D/E) ratio of a high-growth SaaS technology company to an energy company wouldn't be an informative analysis. The risk profile, stability of revenue, equipment required to operate, and borrowing costs will be very different given the risk to lenders for each of these very different business models. In my experience, the only time I ever considered any of these balance sheet topics was in deciding to take the job or not. Even then, the issue surfaced indirectly via a line of questioning: “Do I have a budget? How is it funded? What control do I have over it?”2

While the balance sheet is essential to company managers, it is not typically a driving force in conversations outside of one key element that appears indirectly on the balance sheet – Capital Expenditures.

CAPITAL EXPENDITURES

Capital Expenditures (CapEx) are outlays that a company capitalizes. That means it records the purchase on its balance sheet as an asset rather than on its income statement as an expense. This process was touched upon briefly in the Depreciation and Amortization section. Again, for clarity, assets have useful lives that last longer than a given accounting period. So, accountants reduce the value of these assets over their estimated service lives, and the cost reaches the income statement gradually as depreciation or amortization expense. Each period's charge is, in most cases, only a fraction of the purchase price.

CapEx becomes particularly crucial in a business where Enterprise Value (EV), or what the company is worth to investors, is determined by an EBITDA multiple. Notice that EBITDA, the value driver of the business, excludes depreciation and amortization expense. A cost that is capitalized therefore never reduces EBITDA at all; only EBIT and net income see the depreciation.

In some cases, CapEx may include capitalized labor associated with the development of intangible assets – such as software, intellectual property, and patents. There are several cybersecurity activities in the new cloud era you can consider capitalizing.3

Additionally, consider the Productive Asset Investment Ratio (PAIR), which is capital expenditures divided by depreciation expense for the same period. If capital expenditures exceed annual depreciation, the business is likely expanding, as more fixed assets are being added than have depreciated over the same time. This ratio can be a clear indicator of a company's willingness to maintain its current level of investment. If the value is below 1.0, the business may have accounting or operational challenges. Companies with a value greater than 1.0 have higher-quality earnings, because they aren't delaying capital expenditures to boost their profits.

Statement of Cash Flows

Cash flow statements show the change in cash over the accounting period. They are structured to demonstrate how the cash balance was affected by Operating, Investing, and Financing activities.

Operating activities include selling, collecting payments and interest, building or purchasing inventory, paying salaries, and paying third-party suppliers and service providers. Investing activities comprise buying and selling noncurrent assets, typically Property, Plant, and Equipment (PP&E), along with acquisitions and investments in securities. Finally, Financing activities include borrowing funds, paying down debt, issuing equity, paying dividends, and even repurchasing stock.

There is value in clarifying: the statement of cash flow tells you nothing of profit. That is to say, your cash balance can, and often does, go down during profitable growth. Also, it is equally probable for cash to increase while a business operates in the red (unprofitably).

The relationship between cash and profit is perhaps one of the most common points of confusion. At the heart of the difficulty is accrual accounting. Accrual accounting recognizes revenue when it is earned and expenses when they are incurred, rather than when cash is received or paid. This matching gives a more faithful picture of performance in a period, but it has some very unintuitive implications for managers.

For example, if you outsourced your third-party risk management (TPRM), you may pay an annual subscription fee upfront, say on January 1. However, the vendor earns that fee only as it delivers the service through the year. So, for a $120,000 annual subscription, all of the cash leaves your account in January, but your income statement recognizes the expense at $10,000 per month, with the unexpensed remainder sitting on your balance sheet as a prepaid asset. Your vendor sees the mirror image: $120,000 of cash arrives in January, but it recognizes revenue at $10,000 per month as it delivers. Now imagine your TPRM vendor heavily discounted the sale to a point where providing the service was not profitable. On January 1 its cash balance jumped, yet the business proceeded to operate unprofitably and the vendor realized a loss by the end of the year. Indeed, cash flow is not profit.
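To see that timing gap in numbers, the following added example (not code from the book) lays out the vendor's month-by-month cash balance against its cumulative accrual profit for the $120,000 prepaid subscription above, using a constructed $132,000 annual delivery cost to represent the unprofitable discount, together with the customer's matching prepaid-expense schedule. Even monthly delivery cost, paid in cash each month, is an assumption.

```python
"""Cash balance versus accrual profit for a prepaid annual subscription.

Added example with constructed numbers. Assumptions: the customer pays the full
price on day one; the vendor recognizes revenue and incurs delivery cost evenly
each month and pays its delivery cost in cash monthly.
"""
from typing import NamedTuple


class MonthRow(NamedTuple):
    month: int
    cash_balance: float        # cumulative cash in minus cash out
    accrual_profit: float      # cumulative recognized revenue minus recognized expense


def vendor_ledger(contract_price: float, annual_delivery_cost: float,
                  months: int = 12) -> list[MonthRow]:
    """Vendor view: all cash arrives in month 1 (booked as deferred revenue),
    then one twelfth is recognized as revenue each month as the service is delivered."""
    monthly_revenue = contract_price / months
    monthly_cost = annual_delivery_cost / months
    cash = 0.0
    profit = 0.0
    rows = []
    for month in range(1, months + 1):
        if month == 1:
            cash += contract_price          # cash received up front
        cash -= monthly_cost                # delivery cost paid as incurred
        profit += monthly_revenue - monthly_cost
        rows.append(MonthRow(month, cash, profit))
    return rows


def customer_prepaid_schedule(contract_price: float,
                              months: int = 12) -> list[tuple[int, float, float]]:
    """Customer view: (month, cumulative expense recognized, prepaid asset remaining).
    The full price leaves cash in month 1, but expense hits the income statement
    at contract_price / months per month; the unexpensed remainder sits on the
    balance sheet as a prepaid asset."""
    monthly_expense = contract_price / months
    return [(m, monthly_expense * m, contract_price - monthly_expense * m)
            for m in range(1, months + 1)]


def divergence(rows: list[MonthRow]) -> dict:
    """Cash balance minus accrual profit at the first and last month of the ledger."""
    return {"month_1": rows[0].cash_balance - rows[0].accrual_profit,
            "final": rows[-1].cash_balance - rows[-1].accrual_profit}


if __name__ == "__main__":
    ledger = vendor_ledger(120_000, 132_000)   # constructed: sold below cost
    for row in ledger:
        print(f"month {row.month:2d}  cash {row.cash_balance:>10,.0f}"
              f"  profit {row.accrual_profit:>10,.0f}")
    print(divergence(ledger))
```

In month one the vendor holds $109,000 of cash while its accrual profit is already negative; the two lines converge only at year end, once every accrual has unwound, at a $12,000 loss either way. The customer shows the opposite distortion: a $120,000 cash outflow in January against only $10,000 of expense that month.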

You may be wondering, “Then what good is cash flow, and why should we care?” Simply stated, it's the inflows and outflows of cash for a business. To operate a business, you have to pay your debts when they come due. If you cannot, you may be declared insolvent. Cash flow and balance sheet insolvency tests are the two ways of determining insolvency.4

As a cybersecurity leader, operating activities are likely the most significant lever you have on cash flow, for example by negotiating extended payables when you contract with third-party providers. Larger companies assuredly have prescriptive procurement processes that keep your contracting practices aligned with company standards. Otherwise, you can try requesting Net 45 rather than Net 30 in your terms and conditions. That just means payment is due 45 days after the invoice date rather than the typical 30. Everyone recognizes it takes time to make a payment, and while that time passes, one company is essentially "financing" the amount for the other. Let's be honest; the payment terms on cybersecurity consulting engagements aren't likely to make a sizable difference for the business. But your finance department will at least appreciate your awareness of the issue. Also, conceding a term like this when you can afford to helps create reciprocity when negotiating a contract. More on negotiating in Chapter 12 – Negotiation.

Now, let's briefly contrast insolvency with bankruptcy. An organization may file for bankruptcy when it cannot resolve a distressed financial position on its own, for instance when selling off all of its assets would not clear its total debt. At that point a court-supervised legal process takes over, and the court decides how the bankrupt company will repay its creditors. Repayment plans may include selling tangible and intangible assets.

While your ability to influence ordinary insolvency is low, your ability to keep a cybersecurity failure from driving the company into bankruptcy is more pronounced. Some examples where cybersecurity failures led directly to bankruptcy include (Dante, 2019):5

· Intellectual-property loss (Westinghouse Nuclear, Nortel Networks, SolarWorld)

· Loss of cash resulting from cryptocurrency exchange compromise (Mt. Gox, YouBit)

· Wire transfer fraud (Little and King, LLC)

· Lost revenue from contract termination (Altegrity Risk International)

· Ransomware (Colorado Timberline)

· Other extortion (Code Space)

In many businesses, cash is king. To successfully navigate the political landscape, you must know what figures business managers are looking to optimize either for their benefit or the company as a whole. Next, we'll examine the best resource I know of to empower your understanding of how financial statements impact behaviors and decisions.

Connections Between the Financial Statements

How to Read a Financial Report: Wringing Vital Signs Out of the Numbers by John A. Tracy is one of the most profoundly productive resources presented during my MBA. In particular, he offers an exhibit that provides a visual overview of the connections between the three financial statements (see Figure 1.1).

Throughout this chapter, I mentioned we would pull together a few concepts in this section, including:

· Net Income and Retained Earnings

· CapEx and EBITDA

· Cash and Profit

NET INCOME AND RETAINED EARNINGS

As you can see in Figure 1.1, the balance sheet features retained earnings. Retained earnings are the portion of profit that a company keeps in the business at the end of an accounting period rather than distributing to owners. But notice that in this example, the increase in retained earnings is less than net income. Where did the rest of the profit go? Follow the arrows, and you quickly discover a Cash Dividend from Profit paid to owners.

Net Income − Cash Dividends = Increase in Retained Earnings

CAPEX AND EBITDA

Again, using Figure 1.1, it is easy to connect the relevant elements in the financial statements. In this case, the Accumulated Depreciation contra account on the balance sheet relates to the Depreciation Expense on the income statement. Notably, because depreciation is a noncash expense, it is added back to net income in the operating activities section of the cash flow statement, alongside other noncash charges such as amortization. This adjustment reconciles accrual profit to cash generated from operations, but it tends to be conceptually difficult.

The point here is only to clarify the relationships in the figure. It's worth noting that long-term equity investors often prefer another value, Free Cash Flow, which we will discuss further in Chapter 4 – Value Creation. The reason for this preference is that EBITDA ignores CapEx, which is a real concern in capital-intensive industries.


FIGURE 1.1 Connections Between Three Financial Statements

Source: J. A. Tracy and J. Wiley (2013). How to Read a Financial Report: Wringing Vital Signs Out of the Numbers (7th ed.). John Wiley & Sons. Reproduced with permission of John Wiley & Sons.

CASH AND PROFIT

Finally, in this example, it's evident that the Decrease in Cash during Year on the Statement of Cash Flows can move in a different direction from the Net Income (bottom line) of the company on the Income Statement. The two are related, since net income is the starting point for cash from operations, but they are not the same thing.

Tracy dedicates an entire chapter to the Impact on Growth and Decline on Cash Flow if you're interested in understanding this relationship in more detail.

The conclusion I hope you have drawn is that when you are uncertain of the relationship between an action you are taking and a key metric in the business, it is always a good idea to consider this resource as an aid in helping you connect the dots.

Application

Imagine there are two CISOs hired at the same time in different companies. They both identify the need to create and operate a threat and vulnerability management (TVM) program.

Put yourself in their shoes. You estimate the new TVM program will require a Vulnerability Risk Management (VRM) platform to integrate scanning tools, inventory, asset criticality scoring, software-driven risk analytics, threat feed ingestion, and efficient ticket operations.

Case Study 1 – Gaming the Financial Statements

In this first case, a product company has raised capital by selling equity. They are a publicly traded global product manufacturing company, and their new investors believe they can enhance market capitalization by compressing the SG&A costs to optimize profitability while growing revenue through more efficient deployment of capital in the marketing department.

The CISO reports to the CIO. The company believes that higher revenue growth, coupled with stronger EBITDA, will provide the return on investment they need to satisfy their new equity holders.

What are the key challenges you see in this situation? What actions might you recommend?

In this case, the CISO's budget most likely sits primarily in SG&A. That account is already a target for cost reduction, so you can anticipate more scrutiny before you begin.

Unfortunately, “One size fits all” targets are all too common when performing cost reduction.6 Deloitte reports that “it is common for companies to tackle SG&A cost reductions by implementing across-the-board cuts without fully understanding the potential impact on their business. A company may use an opportunity assessment and a high-level business case to identify optimal savings and improvements. Targeted restructuring or cost reductions may be better suited to optimize growth strategies.”7

While it's not clear how your company will behave, one approach to consider is to capitalize the program build-out while noting in the future you will eventually need an operational budget to manage and maintain the program.8 There are accounting rules that guide what can be capitalized, so if there's any confusion, a quick conversation with your accounting team will provide the clarity you need.

By capitalizing costs in the first year, you move the outlay out of SG&A and onto the balance sheet, and it reaches the income statement only as a much smaller depreciation expense spread over several years. For example, a $1M purchase with a four-year useful life can be depreciated equally at $250K per year. The yearly impact on EBIT and net income is only $250K, and EBITDA, which excludes depreciation, is not reduced at all. The full $1M still leaves the company's cash in year one, which is why finance will look at it on the cash flow statement. Your employer's FP&A team can advise you on the threshold above which amounts are capitalized, as well as the useful lives they apply.
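To make the income statement arithmetic from earlier in this chapter and the capitalization trade-off in this case concrete, here is a small model (an added example, not code from the book) that computes the subtotals from the line items in the Income Statement section, checks that the bottom-up and top-down EBITDA formulas agree, and then compares expensing a $1M security program in SG&A against capitalizing it over a four-year useful life. The line-item figures, the flat 25% tax rate, and straight-line depreciation are constructed assumptions.

```python
"""Income statement subtotals, and the OpEx-versus-CapEx effect on EBITDA and EBIT.

Added example with constructed figures; straight-line depreciation and a flat
tax rate on positive pre-tax income are simplifying assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IncomeStatement:
    revenue: float
    cogs: float            # cost of goods sold / cost of revenue
    sga: float             # sales, general and administrative (where security usually sits)
    depreciation: float
    amortization: float
    interest: float
    tax_rate: float        # assumption: flat rate, applied only when pre-tax income is positive

    @property
    def gross_profit(self) -> float:
        return self.revenue - self.cogs

    @property
    def gross_margin(self) -> float:
        """Gross profit as a fraction of revenue (multiply by 100 for a percentage)."""
        return self.gross_profit / self.revenue

    @property
    def ebitda(self) -> float:
        """Top-down: revenue less COGS less SG&A, before D&A, interest and tax."""
        return self.gross_profit - self.sga

    @property
    def ebit(self) -> float:
        return self.ebitda - self.depreciation - self.amortization

    @property
    def pretax_income(self) -> float:
        return self.ebit - self.interest

    @property
    def income_tax(self) -> float:
        return max(self.pretax_income, 0.0) * self.tax_rate

    @property
    def net_income(self) -> float:
        return self.pretax_income - self.income_tax

    @property
    def ebitda_bottom_up(self) -> float:
        """Bottom-up: net income with tax, interest, depreciation and amortization added back."""
        return (self.net_income + self.income_tax + self.interest
                + self.depreciation + self.amortization)


def compare_treatments(base: IncomeStatement, program_cost: float,
                       useful_life_years: int) -> dict:
    """Year-one subtotals if a program is expensed in SG&A versus capitalized
    and depreciated straight-line over useful_life_years."""
    expensed = replace(base, sga=base.sga + program_cost)
    capitalized = replace(base, depreciation=base.depreciation
                          + program_cost / useful_life_years)
    return {
        "expensed": {"ebitda": expensed.ebitda, "ebit": expensed.ebit,
                     "net_income": expensed.net_income},
        "capitalized": {"ebitda": capitalized.ebitda, "ebit": capitalized.ebit,
                        "net_income": capitalized.net_income},
    }


def productive_asset_investment_ratio(capex: float, depreciation_expense: float) -> float:
    """PAIR: capital expenditures divided by depreciation expense for the same period."""
    return capex / depreciation_expense


# Constructed sample company, in dollars.
BASE = IncomeStatement(revenue=50_000_000, cogs=20_000_000, sga=18_000_000,
                       depreciation=3_000_000, amortization=1_000_000,
                       interest=500_000, tax_rate=0.25)

if __name__ == "__main__":
    print(f"gross profit {BASE.gross_profit:,.0f}  gross margin {BASE.gross_margin:.0%}")
    print(f"EBITDA {BASE.ebitda:,.0f} (bottom-up {BASE.ebitda_bottom_up:,.0f})  "
          f"EBIT {BASE.ebit:,.0f}  net income {BASE.net_income:,.0f}")
    for treatment, subtotals in compare_treatments(BASE, 1_000_000, 4).items():
        print(treatment, {k: f"{v:,.0f}" for k, v in subtotals.items()})
```

With these figures the expensed program pulls EBITDA down by the full $1M, while the capitalized program leaves EBITDA untouched and moves only $250K per year into EBIT. The cash still leaves in year one either way, which is the point of the Free Cash Flow discussion later in the book.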

Case Study 2 – Proper Team Structure and Tooling Enables Value Creation

The other business is a professional services firm. The CISO reports up through Legal and to the Board of Directors via the Audit Committee. The company recently hired a new CTO to transform the business by bringing new digital platforms online to support more efficient operations and innovative new service offerings for customers. The company's focus is on building an agile and more entrepreneurial business by encouraging the rapid adoption of state-of-the-art technologies in the public cloud.

Also, the company plans to test and iterate through various technology platforms rapidly. As such, you don't want to make any large investments with significant implementation timelines where incorrect assumptions could lead to poorly tooled security operations.

Knowing your company's key financial metrics helps you better structure your budget and potential investments. In this case, the company's focus is on growing revenue and market share.

By now, you should be thinking about how the business will consider OpEx. Yes, your CTO will favor an approach that heavily leans into cloud-native technologies and augments that with additional independent software vendors (ISVs) that play well in a multi-cloud environment.

There will be a much larger appetite for you to hire team members with skills that help guide DevOps teams. By collaborating to implement best practices that are architecturally sound and congruent with rapid development, you might even consider placing budget and staff outside the security team directly under the control and supervision of the CTO. Expensive scanning tools that integrate into traditional endpoint and SIEM solutions might be great for the existing technology stack and security operations. However, be conscious of the need to accommodate new requirements stemming from emerging technology such as Amazon Machine Images (AMIs), Kubernetes (k8s) clusters, Docker images, and serverless approaches. Suppose the technology you select and integrate does not have a flexible pricing model. In that case, you might inadvertently commit your mid- to long-term security roadmap to a set of technologies that your company isn't using in a few short months! The stakes for getting this wrong are personal as well as financial; consider the following, as reported by CSO Online:

· CISOs could depart for their organization suffering a damaging breach, but could leave too in the event of failing to spot or report a bug, poor purchasing decisions, or because of disagreements with senior management.

· One head of information governance, previously working in the US media sector, tells me that there were two occasions she saw her CISO asked to leave. Both dismissals, she said, “mostly centered about [an] inability to address risk to a satisfactory state and in an economical manner.”

· Other sources, speaking to me anonymously, recall occasions where their firm's CISO was dismissed for poor reporting, exceeding their budget, not following business strategies, or even spreading FUD (Fear, Uncertainty, and Doubt) rather than delivering practical solutions to these same problems. It was, as one CIO remarked, a case of the CISO “talking the talk, but not walking the walk.”9

Certainly, exceeding budgets, poor purchasing decisions, and impractical solutions likely stem from a poor understanding of the business. So talk to your finance department. No, really, go send out the invite!

Key Insights

· Align to critical business activities: Depending upon your business model and perhaps the economic sector, there are often compelling arguments that a cybersecurity leader can make about how their team contributes to enhancing revenue acquisition. More sales activity means more revenue to fund operations – including cybersecurity operations.

· Leverage insights that help you plan your future security program: Third-party risk management (TPRM) gives you a view into revenue sources, what types of customers you will soon serve, and what expectations of value exist. These insights can help you anticipate demands on other areas of your security program.

· Know which financial metrics drive your company's valuation:

· Revenue

· Enterprise Value

· EBITDA

· Debt-to-Equity (D/E) ratio

· Productive Asset Investment Ratio (PAIR)

· Etc.

· Understand the role CapEx plays in your business: A $1M capital expenditure can be spread over a useful life of four years, leading to a run rate of $250K per year. Understand how this can impact valuation metrics like EBITDA.

· Place security champions in other teams to keep your CFO happy (depending upon your business model).

· Know how cybersecurity failures can lead directly to bankruptcy.

· Don't commit your mid- to long-term security roadmap to a set of technologies that your company isn't using in a few short months.

Notes

1. Harkins, M.W., Managing Risk and Information Security: Protect to Enable, Apress Open, 2016, 6.

2. Hayslip, G., "Questions to Ask Before Accepting That CISO Job Offer," LinkedIn, October 21, 2018. https://www.linkedin.com/pulse/questions-ask-before-accepting-ciso-job-offer-gary-hayslip-cissp-/.

3. Scaled Agile Framework, "CapEx and OpEx," October 2, 2018. https://www.scaledagileframework.com/capex-and-opex/.

4. Udofia, K., "Establishing Corporate Insolvency: The Balance Sheet Insolvency Test," July 2, 2019. https://blogs.harvard.edu/bankruptcyroundtable/tag/cash-flow-insolvency-test/.

5. Dante, E., "Cybersecurity Breach Bankruptcy: It Does Happen – Virtual CISO," January 23, 2019. https://fractionalciso.com/cybersecurity-breach-bankruptcy/.

6. Hawke, K. et al., "Reset and Reallocate: SG&A in the New Normal," June 10, 2020, McKinsey. https://www.mckinsey.com/business-functions/operations/our-insights/reset-and-reallocate-sga-in-the-next-normal.

7. Elliott, D., Kruger, L., Babu, A., and Grobicki, A., "Selling, General and Administration (SG&A) Cost Reduction Focus: A Systematic Approach: The Opportunity Assessment and the Business Case for Improvements," Deloitte, 2016.

8. Golden, B., "IT Moves from SGA to COGS," CIO, March 17, 2016. https://www.cio.com/article/3045279/it-moves-from-sga-to-cogs.html.

9. Drinkwater, D., "These CISOs Explain Why They Got Fired," CSO Online, April 20, 2016. https://www.csoonline.com/article/3057243/these-cisos-explain-why-they-got-fired.html.
