CHAPTER 4
Nowadays, people know the price of everything and the value of nothing.
— Oscar Wilde
Opportunity
Until your organization can relate cybersecurity activities directly to the value they preserve or create, your budget will be a function of compliance. Business executives need to know that you are thinking about value the way they do. As CISO, it isn't your job to determine the value of the business. In fact, quite the opposite. Determining business value should come from other offices. However, CISOs should use the knowledge presented below to ensure they understand what other execs say about business value. My goal here is to establish a foundation that enables you to immerse yourself in your own company's value creation engines. Then you should leverage that knowledge to drive cybersecurity priorities and investments.
By the time you finish this chapter, I hope you are equipped to more easily:
· Structure and align your thinking to the business,
· Engage others in your company to fully understand the unique ways your company creates value, and
· Identify additional resources that can help you quickly and continuously align your cybersecurity program with the primary value drivers in your business.
We start with an analogy. Real estate is often the most significant investment most individuals make. Likewise, it is through real estate that I have learned the most about value. Early in my life, there were several transitions, each featuring real estate. When I was 11 years old, my parents bought a new home. I recall there was an eight-foot-high basketball hoop. I imagined slam dunking on my friends. There was a backyard overgrown with weeds that held the potential to become a beautiful garden. My brother, sisters, and I hoped to play soccer, splash on a slip 'n' slide, and have water fights with super-soakers in that yard. At 11 years old, I assembled my own story about what the property meant to me, and my parents had their accounts too.
Later, I learned that this home's value and banks' willingness to provide cash-out refinancing funded my childhood. Our bikes, vacations, and large screen televisions were all purchased on credit cards. My parents then rolled those debts into our home's refinancing with an adjustable-rate mortgage (ARM). They gradually extracted the equity value through this process, over time, until there was none.
Transitioning from college, I struggled to find a job and returned home to live in that same house for another six months or more. I was a terrible interviewer. I didn't know that I could easily prepare to answer a set of predictable questions. I didn't know how to research a company. I wasn't aware of the need to tailor my experiences or skills to match the job description, company culture, or interviewer. Instead, I figured my skills and resume spoke for themselves. I had completed several internships and held a competitive grade point average when compared to my peers. I eventually watched all my friends get jobs before I was hired as a web developer. Writing code was the last thing I wanted to do!
Before I got that technical role, I became so discouraged that I decided to pursue a real estate license, which I eventually obtained but never activated. In the early 2000s, sites like Zillow didn't exist. Pricing residential real estate was a manual exercise your real estate agent did by searching the Multiple Listing Service (MLS) and finding comparable properties. Then they evaluated the differences to derive a target price. In theory, the methodology for establishing the price played into the eventual price negotiation.
Now, we have access to tons of information about real estate. There are photos and virtual tours, information about the surrounding neighborhood, nearby schools, restaurants, and even tools that use machine learning to offer suggested pricing ranges and appreciation rates. Today, rather than sourcing information you don't have, your real estate agent emphasizes what information you should prioritize.
They also find alternative ways to add value to your purchasing process. One of the first things they do is establish credibility and trust with their clients. To add value, they may listen with empathy, provide references, demonstrate real estate domain proficiency, orchestrate the sales process, lead price negotiations, and connect you with supporting resources such as mortgage brokers, lawyers, inspectors, appraisers, etc.
Ironically, I failed to recognize that becoming a real estate agent only amplified the need for all the soft skills impeding my technical job search progress. However, becoming a licensed agent wasn't a total loss because I acquired the knowledge to buy real estate confidently. So, in Q4 2007, I purchased a small condominium in Westminster, Colorado.
By that time, I had indirectly benefited from both the long- and short-term debt cycles. I didn't even consider that property values could go down! But then those adjustable-rate mortgages from my childhood came due for my parents and many others. These defaulted mortgages ultimately led us into a global financial crisis. In the end, we lost about 10% of our home's value when we sold it in Q2 of 2011.
All the lessons I learned from real estate over the years have influenced my decisions as a CISO. Looking closer now, I can identify the salient concepts as follows:
· Value varies by context. The value of a real estate agent putting you at ease during a significant financial transaction is quite different from the value a real estate agent adds when negotiating the price of your home.
· Value varies by audience. Moderate differences in your home's listing value may significantly affect the time and effort required to sell it. At the same time, these changes result in a negligible increase in a real estate agent's compensation. What may be worth tens of thousands of dollars to you may only be worth hundreds of dollars to your real estate agent. The incremental value to you is significant. Meanwhile, your real estate agent might not gain much at all given the increased effort and expense to secure that value on your behalf.
· Macroeconomic and geopolitical conditions. The broader economy impacts supply and demand and thus value.
· Timing is critical. Increasing home equity plus available credit helped finance my childhood. However, poor timing also led to a loss on the sale of our first home.
· Stories matter. The homes we buy tend to be a combination of the future we imagine plus the value we can afford. What is affordable is governed by rules of thumb loosely agreed upon by bankers, appraisers, brokers, agents, and lawyers. And so, stories are essential to decisions we make and have an outsized influence on the jobs we secure, the budgets we control, and the teams we lead. We'll discuss this in more detail in Chapter 8 – Communication – You Do It Every Day (or Do You?).
In the Principle section, we will become more intimate with value. We will decompose the concept using the Five W's + H (who, what, where, when, why, and how) framework. In the process, we will bridge the gap between property value and enterprise value and introduce standard business valuation methods at a high level.
Then, once we know more about business valuation, we can use that lens to examine decisions inside a cybersecurity program. Aligning your cybersecurity program with your business's primary value drivers is the focus of this chapter's Application section.
Principle
My goal is not to convert you into a Chartered Financial Analyst® charter holder. However, to be an effective business operator, you need to know how alternative strategies will affect shareholder value. Further, as a cybersecurity leader, you should supply your Board of Directors with an appropriate set of levers to manipulate the cost, value, and risk your program facilitates. After all, if you don't possess a clear understanding of value, how can you optimize your program to preserve and create it?
To examine value in more detail, we will ask the following questions:
· Who determines value?
· What delivers value to investors?
· Where is value created?
· When is value created?
· Why is value so important?
· How is value determined?
Who Determines Value?
As I learned in my journey with real estate, stories matter, and value varies by audience. Interviewing for a job or selling a home involves telling a story. Either you intentionally control the narrative or simply present facts and let someone else fill in the gaps. As a CISO utilizes storytelling to add value inside a business, it is important to tailor each story for the audience, just as you would highlight unique features of your experience in a job interview.
“Your business story may not be the same when you are talking to different stakeholders (employees, customers, or potential investors) because each has a different interest in the story. While employees may share your enthusiasm for the success of the business, they are just as interested or perhaps more so in how you plan to share that success with them and the personal risks they face from failure. Customers are more interested in your products than in your profits and want to hear the part of your story in which you explain how your product or service will meet their needs and what they will have to pay in return. Investors want to know about these same products and services, but generally from the perspective of how you plan to convert potential into revenues and value. Even among investors there can be big differences in time horizon (short term vs. long term) and how they expect to generate their returns (cash return vs. growth in value), and your story may succeed with one while failing with the other.”1
This chapter will focus on the investor or shareholder perspective, noting the strong relationships among customer benefit, employee satisfaction, and shareholder value.
Just because we are looking at business value from the investor perspective doesn't mean we have enough information to understand what might create value for the investor. We can consider two investor personas: the financial investor and the strategic investor. Each invests with a unique perspective and brings different skills and resources to enhance an acquired business's value.
The following list describes the generic differences, although the specifics will vary by investor:2
· Financial Buyers
· They are usually long-term investors interested in the return that they can get by buying a well-managed company. Some financial buyers are willing to invest in earlier stages and help companies become best in class/well managed, and others expect their investments to have mature operations already. As you might guess, the maturity of an operation will affect a company's valuation.
· Look to generate cash flow by boosting revenue, cutting costs, or creating economies of scale by buying similar companies.
· They are also focused on what exit strategies they can build, such as private market methodologies (sale to other financial buyer or strategic buyer), structural methodologies (redemptions/dividends/conversions), or public market methodologies (IPO or merger with SPAC).
· Strategic Buyers
· They are more interested in how a potential acquisition fits into their own long-term goals.
· They are often more prominent companies that are well-capitalized, spend more, and are less interested in whether a company can generate quick cash flow.
· They care about cultural fit more than financial buyers because they will probably be integrating the acquired company with an existing business.
Another way to stratify the investment community is by considering the differences between venture capital, private equity (PE), and hedge funds. The type of investor and age of the fund can give clues to the intended time horizon of an investment, in addition to the control and impact an investor may have on management, operations, or other methods.
The following list offers a generic summary of each type of investor, but there are always exceptions:
· Venture Capital Firms
· Focus on investing in early-stage startups that cannot otherwise secure bank financing due to the inherently high-risk nature of entrepreneurship.
· Usually invest in 50% or less of the company equity.
· Operate a fund on a 7- to 10-year cycle.
· Dedicate the first 1 to 3 years of the fund to finding investments.
· Direct energy in the later years toward portfolio management and seeking a successful exit of each portfolio company to provide a return to investors.
· Exit their investment via the sale of their equity position, complete acquisition, or an initial public offering (IPO).
· Private Equity Firms
· Focus on either growth-stage companies, with investments of around $10 million, or more mature companies, targeting investments of $100 million or more.
· Secure controlling interest in the firm. This is generally via majority ownership, except for growth equity–focused private equity firms.
· Often execute a leveraged buyout (LBO), and plan to add value in one of three ways:3
§ Reengineering the firm – many PE firms have experienced former executives that share their expertise and contacts with portfolio firm managers.
§ Helping obtain debt financing on more advantageous terms.
§ PE ownership can focus on long-term performance because they are not facing pressure from public market shareholders and sell-side analysts.
· The investment horizon tends to be 5 to 7 years.
· Hedge Funds – although some hedge funds have a flexible mandate and can be “hybrid” doing public equities with some private deals, the following is generally applicable:
· Investments happen all at once
· Tend to be very liquid
· Invest in many things, not just the equity of companies
· Tend to be riskier investments attempting to make large profits on shortened timelines
Table 4.1 provides an excellent summary of factors by investor type.
In summary, most companies in the early venture capital funding stages don't already have a CISO. Hedge funds tend to be more liquid, and so the terms of their deals are less likely to include control mechanisms that put them in direct control of the day-to-day management. However, PE firms play an active role in adding value through financial contributions, better access to capital, and a more hands-on steering approach that includes placing Board Directors and executives within the company.
TABLE 4.1 Factors by Investor Type
Investor Type | Target Return | Time Horizon | Risk Tolerance
Venture Capital | 25%–30% | 3–7 Years | Very High
Private Equity | 20%–25% | 4–10 Years | High
Hedge Fund | 8%–10% | Liquid Assets | Very High
As a final note, Chris Castaldo has done a great job walking founders through how to Start-up Secure. In his book, he describes how to integrate cybersecurity into a business during the key stages of company formation, validation, and growth.
What Delivers Value to Investors?
Remember, we are focused on the investor perspective. So, another way to ask this question is – How does an investor get paid?
There are three basic ways that investors get a return on their investment.
1. Dividends
2. Redemptions
3. Capital appreciation
Dividends are regular distributions of profits to shareholders – typically, on a yearly or quarterly basis. Businesses raise capital through instruments of debt and equity, and redemptions belong to the debt side: they are essentially a loan to the business. Usually, they include regular interest payments (cash or Payment-In-Kind), voluntary or nonvoluntary prepayments, conversions, or at-maturity redemption. Finally, capital appreciation occurs when the equity an investor holds appreciates.
As a final note, remember that value varies by context. Your board of directors may appreciate a well-formed metrics program and a transparent methodology for risk management and capital allocation. Indeed, a robust cybersecurity program can help an individual board director limit her liability and fulfill her fiduciary duties to shareholders. But be careful to avoid confusion when mere appreciation diverges from enterprise value.
Where Is Value Created?
In every business, there are value levers, just as there are cost drivers. Suppose your business delivers value primarily through profitable operations. In that case, at least a portion of the value your company provides to investors likely comes from the dividend they receive. Stocks that commonly pay dividends are more established companies that don't need to reinvest their profits. For example, more than 84% of companies in the S&P 500 currently pay dividends.4
If your business delivers value to investors via capital gains, you need to be clear on how investors determine your business's value. Traditionally there are three common ways that investors determine the value of a company (see Figure 4.1):
· Asset Based: Calculate the assets of a company in case of dissolution, replacement, or liquidation.
· Market-Based: Utilize relative pricing models that compare features of one business to another business or set of similar companies. Note: This is analogous to the real estate comparable sales pricing method.
· Discounted Cash Flow: Commonly, discounted cash flow (DCF) methods attempt to project future cash flow discounted to a current value. You can estimate the future revenues and expenses of a business and apply a formula to calculate the present value of future cash flows. Discounting is used because a dollar tomorrow is worth less than a dollar today, assuming inflation. Other considerations, such as execution risk, control premiums, and marketability, also come into play.
For now, suffice it to say that investors assign value to a company typically with some objective metric. “When pricing companies, it is not your place or mine to determine what investors should be using to price companies, but what they actually are using. Thus, if the metric investors focus on when pricing social media companies is the number of users these companies have, you should focus on that metric in pricing your company.”5
FIGURE 4.1 Valuation Methods
Source: Corporate Finance Institute, “Valuation Methods,” 2021. https://corporatefinanceinstitute.com/resources/knowledge/valuation/valuation-methods/. Used with permission.
When Are Gains Realized?
Equity investors may have a long-term or short-term view on their investment depending upon the fund's type and cycle. They can obtain a return on their investment in many ways, including dividends, profit sharing, operating and monitoring fees, and capital gains upon exit. Investors realize capital gains by selling an asset for more than they paid for it. Nevertheless, equity investors have many other paths within the law to realize profits.
The macroeconomic environment is vital to consider when realizing gains. When the broader economy is thriving, there is more confidence in the continued growth and availability of capital. When the market sentiment is optimistic, companies and individuals are likely to spend more freely. Valuations will tend to be larger when markets are thriving and investors are confident about growth. The maximum valuation (or, in reality, range of values) at a point in time is a function of numerous factors, including:6
· Conditions in the stock market
· The level of interest rates and the availability of financing
· Conditions in the relevant economic markets (national, regional, local)
· Industry conditions
· Current interest of competing strategic buyers in similar businesses
· Availability of investment funds in private equity funds focused on similar businesses
· When irrational buyers abound
· The level of earnings and conditions in the business being sold
Notice that a company's owners and management directly control only the last item: the level of earnings and conditions in the business being sold.
As a business matures, the value levers tend to shift too. Early on, a company will focus on revenue growth; later, on operating margins; and once in decline, cash flow becomes the determinant value lever. This evolution of maturity is termed the company life cycle.
As a final comment on the timing of realized gains, awareness of a fund's life cycle can be helpful. A fund manager operating a fund in its later stages will have less appetite for an extended investment horizon and will be eager to see high growth or large profits.
Why Is Value So Important?
The decisions you make about structuring your team, the controls you implement, the architectures you choose, and the partners you leverage need to be congruent with your company's value agenda. The things you prioritize and protect, the risks you accept, and the stories you tell must also align with the value agenda.
It doesn't matter if the value agenda comprises evolving your business model, streamlining your operating costs, heavy M&A activity, or finding ways to maximize an EBITDA multiple. Cybersecurity leaders need to be aware of the value agenda, and they need to be able to design programs that support and accelerate it. In short, cybersecurity operations that impede the value agenda are doomed.
As a side note, understanding how these dynamics affect decisions in your business will make a difference in the executive visibility you are permitted. Failure to understand the value agenda will limit what resources you obtain and form your perspective on resource allocations, the organizational support you garner and thus determine satisfaction in your role (see Figure 4.2).7
FIGURE 4.2 Drivers of CISO Satisfaction
Source: IANS Research, 2020 CISO Compensation and Budget Study, 2020. Used with permission.
How Is Value Determined?
Value comes in many forms. Previously we reviewed three methods to determine value. They are asset-based, market-based, and discounted cash flow. Because the asset-based approach leaves little room for the CISO to influence, we'll only address the market-based and DCF methods in this text.
The valuation process involves the following steps:8
1. Understanding the business. Industry and competitive analysis, together with an analysis of financial statements and other company disclosures, provides a basis for forecasting company performance.
2. Forecasting company performance. Forecasts of sales, earnings, dividends, and financial position (pro forma analysis) provide the inputs for most valuation models.
3. Selecting the appropriate valuation model. Depending on the characteristics of the company and the context of valuation, some valuation models will be more appropriate than others.
4. Converting forecasts to a valuation. Beyond mechanically obtaining the “output” of valuation models, estimating value involves judgment.
5. Applying the valuation conclusions. Depending on the purpose, an analyst may use the valuation conclusions to make an investment recommendation about a particular stock, provide an opinion about the price of a transaction, or evaluate the economic merits of a potential strategic investment.
In practice, market-based (multiple) valuations are more common, but DCF is still genuinely relevant. The valuation methods most widely used by Morgan Stanley Dean Witter's analysts for valuing European companies place the DCF in fifth behind several different multiple methods such as PER, EV/EBITDA, and EV/EG (see Figure 4.3).9
It's worth noting that the above valuation methods apply to public stocks and public markets. Generally, VC and PE funds do not invest in the public markets. I'll assume you have done your homework to understand your business, using the tools of Chapter 1 – Financial Principles and Chapter 2 – Business Strategy Tools. Trust that your Finance team will know how you are valued, and rest assured it's likely either of these:
· Multiples Valuation Model
· Discounted Cash Flow on Free Cash Flow to the Firm Valuation Model
FIGURE 4.3 Common Valuation Methods
Source: Fernandez, P., Valuation Methods and Shareholder Value Creation, 1st ed. Reproduced with permission of Elsevier.
Multiples Valuation Model
To perform a relative valuation using a multiple, you must select a set of comparable companies and decide upon a metric. Then you examine each asset's characteristics and decide if the differences justify the variation in value relative to one another. The sector in which you operate will determine the metric you use, and with good reason. These multiples tend to be more highly correlated with the actual value engines that power the sector or business model.
As with real estate, the comparable assets you select will significantly impact the value you derive. You could have picked the S&P 500, Russell 3000, or any other grouping to perform your analysis. However, the most common approach used by investors is to find a similar industry or industries with which to compare the target company. Investors also use recent comparable transactions. Bankers will have similar data about how privately held companies are valued.
“Multiples almost always have a broad dispersion, which is why valuations performed using multiples are always highly debatable.”10 Further, asset characteristics will play a significant role. For example, in real estate, how do you adjust the value for square footage, a mountain view, being just inside a “good” school district, etc.? It turns out there are agreed-upon ways to handle these differences, and those same subjective methods exist when determining enterprise value as well.
Let's examine a hypothetical example to make this more concrete. Select all the publicly traded companies in your industry. Look up the price-to-earnings ratio (PER) for each. There are plenty of places to source this data. I typically just reference https://finance.yahoo.com/ or https://www.morningstar.com/.
Then compute the average PER for all companies in the industry. Now tell a story about your company relative to the competition. One common way to collect and analyze the varied factors that influence your business is to perform an analysis using Porter's Five Forces (https://hbr.org/1979/03/how-competitive-forces-shape-strategy) framework. We review Porter's Five Forces in more detail in Chapter 6 – Cybersecurity: A Concern of the Business, Not Just IT.
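The comparable-multiple procedure just described, worked through in code as an added example (this is not code from the book). The peer names and price-to-earnings ratios are constructed, as is the target's earnings figure; the point the code makes is the one above about dispersion: the same comparable set yields a range of implied values, and the answer moves when a single comparable is swapped out.

```python
"""Relative valuation with a comparable-company multiple (PER).

Added example. Every peer and every number below is constructed for
illustration; nothing here is sourced from the book or a real filing.
"""
from statistics import mean, median

# Constructed comparable set: trailing price-to-earnings ratios for five
# hypothetical listed peers in the target's industry.
COMPS = {"PeerA": 18.0, "PeerB": 22.0, "PeerC": 35.0, "PeerD": 20.0, "PeerE": 24.0}


def multiple_summary(comps):
    """Mean, median and spread of the comparable multiples.

    The spread is the point: a wide low-to-high range means the implied
    value is a debatable range, not a precise number.
    """
    values = sorted(comps.values())
    return {
        "mean": mean(values),
        "median": median(values),
        "low": values[0],
        "high": values[-1],
    }


def implied_value_range(comps, earnings):
    """Apply each summary multiple to the target's earnings.

    Returns implied equity values in the same units as `earnings`.
    """
    return {name: earnings * m for name, m in multiple_summary(comps).items()}


def leave_one_out(comps):
    """Mean multiple with each single comparable removed in turn.

    Large swings show how much the valuation hinges on comp selection,
    which is why investors argue about which companies belong in the set.
    """
    return {
        excluded: mean(m for name, m in comps.items() if name != excluded)
        for excluded in comps
    }


if __name__ == "__main__":
    target_earnings = 10.0  # constructed: trailing earnings of $10 million
    print("comparable multiples:", multiple_summary(COMPS))
    print("implied equity value ($m):", implied_value_range(COMPS, target_earnings))
    print("mean PER without each comp:", leave_one_out(COMPS))
```

Running the block shows the implied value spanning from 180 to 350 for the same $10 million of earnings, and the mean multiple dropping from 23.8 to 21.0 once the high outlier is excluded while the median barely moves; the median is usually the more defensible anchor when the set is small and dispersed.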
According to Ken Ziegler, if you have four of the following six items present in your comps, your business is going to be valued favorably:
· Growth
· Revenue Model
· Margins
· Scale
· Supply vs. Demand
· Differentiation
Cyber-professionals can do a ton to contribute to many of these. To be effective, you have to be able to answer questions like:
· Are you able to out-innovate, and do you anticipate gaining market share?
· What is unique about your business model? Are there networking effects, recurring revenue implications, or first-mover advantages that enhance your value?
· Are you better positioned to acquire talent because of your brand?
· Do economies of scale permit you to operate more efficiently?
· What about your intellectual property impacts the value story?
· Are there barriers to entry in your industry, or do market forces make your business different or scarce?
Whatever story your business projects, it must be grounded in the numbers on your financial statements. Investors will look to validate the story by examining performance. They will evaluate things such as: What is your cumulative annual growth rate in the last three years? Is your capital structure heavily biased with debt? How much cash are you generating each year? What percent of your revenues can be dependably accounted for because they are already under contract? What does your operating margin look like compared to your competitors? Do you have a history of paying a dividend? Depending upon how aligned your story is with the objective answers to these questions, you might justify a higher multiple.
Likewise, suppose you anticipate a significant patent infringement ruling that will impact your revenue growth or material regulatory enforcement fines. Investors might decide the average PER is an overvaluation of your firm.
Discounted Cash Flow on Free Cash Flow to the Firm Valuation Model
The DCF model leverages a forecast of free cash flow to the firm (FCFF). Once calculated, the model discounts FCFF to present value using a discount rate. Thus, every valuation starts with a story, and the business forecast is born from the story.
It's simple in concept. Over time, you learn that the value drivers with the most considerable effect on the terminal value in a DCF model are growth, profit, risk, and interest rates. So, these will tend to be the things to consider as you set a strategy for your cybersecurity program. As you can see in Figure 4.4, many other considerations may also play a factor depending upon your specific scenario.
Notice that risk plays a material role in valuation. The primary risks considered are operating risk and financial risk. A data breach impacts both, so in theory, cybersecurity should play a role in the company's valuation.
Areas where cybersecurity risk could affect the valuation of a company are:11
· The discount rate through the company-specific risk premium that is adjusted for cybersecurity risk
· The cash flow that is adjusted to account for losses due to cybersecurity breaches
· A direct adjustment to the value of the company
FIGURE 4.4 Equity Value Drivers
Source: Fernandez, P., Valuation Methods and Shareholder Value Creation. Reproduced with permission of Elsevier.
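A worked DCF, added here as an example rather than taken from the book, showing the three routes listed above by which cybersecurity risk can enter a valuation: a premium on the discount rate, a reduction of each year's cash flow by an expected breach loss, and a direct deduction from the result. The five-year FCFF forecast, rates, breach probability and loss figures are all constructed; the Gordon-growth formula used for the terminal value is an assumption of this example, as the chapter names the terminal value but gives no formula for it.

```python
"""Discounted free cash flow to the firm, with three cybersecurity adjustments.

Added example. All inputs are constructed; the terminal-value formula
(Gordon growth) is an assumption of this example, not the book's method.
"""


def present_value(cash_flows, rate):
    """Discount year-1..year-N cash flows back to today."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows, start=1))


def terminal_value(last_cash_flow, rate, growth):
    """Value at the end of the forecast of all later cash flows, assuming they
    grow at a constant rate forever (Gordon growth; assumption of this example)."""
    if rate <= growth:
        raise ValueError("discount rate must exceed the perpetual growth rate")
    return last_cash_flow * (1.0 + growth) / (rate - growth)


def dcf_value(cash_flows, rate, growth):
    """Enterprise value = PV(forecast FCFF) + PV(terminal value)."""
    horizon = len(cash_flows)
    tv = terminal_value(cash_flows[-1], rate, growth)
    return present_value(cash_flows, rate) + tv / (1.0 + rate) ** horizon


# --- the three adjustment routes listed in the chapter ---------------------

def value_with_risk_premium(cash_flows, rate, growth, cyber_premium):
    """Route 1: raise the discount rate by a company-specific premium."""
    return dcf_value(cash_flows, rate + cyber_premium, growth)


def value_with_expected_loss(cash_flows, rate, growth,
                             annual_breach_probability, loss_if_breached):
    """Route 2: reduce each year's cash flow by the expected breach loss
    (probability x impact), a constructed single-scenario estimate."""
    expected_loss = annual_breach_probability * loss_if_breached
    return dcf_value([cf - expected_loss for cf in cash_flows], rate, growth)


def value_with_direct_adjustment(cash_flows, rate, growth, deduction):
    """Route 3: subtract a lump sum from the unadjusted value, e.g. the
    estimated remaining cost of an incident that is already known."""
    return dcf_value(cash_flows, rate, growth) - deduction


def compare_routes(cash_flows, rate, growth, cyber_premium,
                   annual_breach_probability, loss_if_breached, deduction):
    """Baseline and each single adjustment side by side. The routes are
    alternatives for the same risk; stacking them double-counts it."""
    return {
        "baseline": dcf_value(cash_flows, rate, growth),
        "risk_premium": value_with_risk_premium(
            cash_flows, rate, growth, cyber_premium),
        "expected_loss": value_with_expected_loss(
            cash_flows, rate, growth, annual_breach_probability, loss_if_breached),
        "direct_adjustment": value_with_direct_adjustment(
            cash_flows, rate, growth, deduction),
    }


if __name__ == "__main__":
    # Constructed five-year FCFF forecast in $ millions, 9% discount rate,
    # 2% perpetual growth, 1% cyber premium, 15% annual breach probability
    # with a $40m loss, and a $25m direct deduction.
    fcff = [120.0, 126.0, 132.0, 138.0, 144.0]
    results = compare_routes(fcff, 0.09, 0.02, 0.01, 0.15, 40.0, 25.0)
    for route, value in results.items():
        print(f"{route:18s} {value:10.1f}")
```

Which route is appropriate depends on what the risk actually is: an ongoing, unquantified exposure argues for the discount-rate premium, a modelled loss expectancy belongs in the cash flows, and a known incident with an estimable cost is a direct deduction. Because the terminal value usually dominates a DCF, even a one-point premium on the discount rate moves the result more than a modest cash-flow haircut, which is why the text above singles out risk and interest rates as drivers of the terminal value.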
In practice, most risk disclosures for public companies have converged on common language. Therefore, the chances of cybersecurity posture impacting a discount rate (or multiple) in an analyst valuation report are low. So long as you can demonstrate adequate security diligence and cyber liability insurance and have a reasonable degree of confidence that there are no ongoing cybersecurity incidents, the DCF terminal value is not likely to be affected.
As a cybersecurity leader, your business's narrative, supporting assumptions, and the resulting forecasts in your business are not your responsibility. Typically, your CEO, CFO, and CRO lead those efforts. However, understanding the story and the key metrics that impact valuation is absolutely a part of your job. For now, it's enough to know that there are many nuances to selecting the discount rate and a precise formula to calculate FCFF.
Let's review to close the real estate analogy. Business value is affected by many variables, including:
· Context: investor vs. employee vs. customer
· Audience: investor type, such as VC vs. PE vs. hedge fund, and financial vs. strategic
· Macroeconomic conditions: capital markets, sector, and industry performance, etc.
· Timing: the company life cycle and stage of the investment fund
· Stories: set the stage for forecasting, which informs valuation
Now that you know the driving forces and influencing factors of value in a business, figure out who in your company serves in the Financial Planning and Analysis (FP&A) function. Have a conversation with them and clarify how the variables above appear in your business.
If you can already answer the questions posed below, then validate your understanding with your CFO. If you are in a publicly traded company, you MUST listen to the earnings calls first. In my experience, there's a good chance you might learn something subtle about your business that you didn't already know by validating your understanding.
On earnings calls, corporate executives will tend to describe their business very differently than they do when speaking to employees at an all-hands meeting. For example, I once observed company leadership speak very frankly in an earnings call about the number of retail stores that would be closed in the coming months. Then, the next day, there was no mention of closing stores in our company all-hands meeting. Instead, the conversation focused on all the positive benefits employees should anticipate.
Essential questions to understand value drivers in your business include:
· Who are the primary investors? Do they have seats on our board?
· What value do our investors add to our company? How?
· Have our investors played a role in placing any executives in the company?
· Which fund are we part of, and where are we in the fund life cycle? Does that influence how the Board views our business or how our executive team makes decisions?
· What is our hurdle rate, internal rate of return, or the average cost of capital?
· What type of exit is likely? What story are we likely to tell investors about our business to enhance our valuation?
For a complete overview of financial valuation techniques, consult any of these brief courses:
· https://courses.corporatefinanceinstitute.com/courses/business-valuation-fundamentals-certificate-course
· https://execed.stern.nyu.edu/products/advanced-valuation-with-aswath-damodaran
· https://future.aicpa.org/cpe-learning/course/introduction-to-business-valuation
Application
This section will put the concepts shared so far to practical use by exploring the value agenda for a beverage manufacturer. Specifically, we'll examine the business and demonstrate how to place competing priorities relative to one another in the context of business value. With a complete picture, you can help your business balance investment and risk with the need to achieve desired business outcomes. From a cost perspective, the business may spend more, spend less, or reallocate spending to achieve the appropriate level of risk for a particular business initiative.
Case Study – Beverage Manufacturer with Competing Priorities
Imagine you are the new CISO for a large soft drink manufacturer. The quarterly earnings call was last night, and you decided to tune in and see what information you might glean. You learn that although your company is not a growth company, you continue to see single-digit revenue growth numbers that outpace inflation and competition. You note that growth seems important. Further, your primary business of carbonated beverages is declining, and you have managed to diversify revenues by acquiring snack brands and developing healthier drinks. Also, increased marketing spend has translated to better consumer brand recognition and more shelf space from retailers. Finally, as a business, you are also finding ways to take your sales direct to customers, omitting retailers from the equation.
The next day in the lunchroom, you find yourself seated next to a colleague from the Finance department, and you gather that you have a long-established history of paying dividends. Then a week later, you hear from your CIO that combined with your modest top-line growth, the business continues to find ways to compress company expenses. He will support this cost reduction effort by implementing warehouse and distribution center robotics automation. Ideally, this will result in more profits for the company.
In a relatively short period, you have just learned several critical business priorities. Naturally, you may want to seek to be involved in these initiatives. Unfortunately, you haven't been invited by others to participate.
Before you set out on crashing meetings, initiating security tool proofs of concept, or crafting job descriptions, you decide to ensure you fully understand the value agenda.
You begin by asking yourself some basic questions (featured earlier in the chapter), and here's what you come up with:
· Who determines value? Investors in the NYSE.
· What delivers value to investors? Dividends + Capital Appreciation – not sure which is more important.
· Where is value created? Market-Based or DCF – not sure which one.
· When is value created? Quarterly dividends and upon sale of equity.
· How is value determined? Earnings per Share (EPS) or Price to Earnings (PER) – not sure.
You are confident in some of your answers. Meanwhile, other questions have you feeling a bit uncertain. For example, you know you have a stock ticker symbol, so the stock market determines your market capitalization. You know that you are a dividend stock, and based on the general tone of conversations, you decide that profit is a significant focus for the company. Some quick research on the internet reveals that the markets regard your company as an “established dividend payer with a mediocre balance sheet.” In other words, you deliver value to investors via both dividends and capital appreciation. You assume the market utilizes a multiple-based valuation of your company, but in truth, you don't necessarily know which multiple.
You figure it behooves you to understand which multiple the analysts are using to value your company and calculate the multiple. Maybe once you determine that, you can examine the business's various activities that directly impact the metric. You also identify that you might not be as aware of the macroeconomic conditions that affect your industry, so you resolve to seek out a source of information that can help you get up to speed on these factors.
The Multiple
To get started, you find an analyst in your FP&A team. She advises you that the market, and most importantly a small number of institutional investors that own a large percentage of shares, values the company on an EV/EBITDA ratio (in reality, it's probably PER, typical of cyclical manufacturing, but indulge in the scenario). She also reinforces that the market considers your company “an established dividend payer with a mediocre balance sheet.” Given this primary determinant of value, you decide to decompose the formulas and assumptions used to calculate the ratio.
In the numerator of the ratio, you have EV:
And in the denominator, EBITDA can be calculated as follows (review EBITDA formulas in Chapter 1):
OR
Where
In your conversation with Finance later that week, you discover that pressure from analysts and shareholders has influenced some past managers in the business to focus on short-term results while pursuing a long-term strategy. You note that quick wins for new executives will be necessary. In particular, during the research you did to prepare for your interviews, you noticed that your Chief Marketing Officer was recently promoted from within the organization.
Armed with the multiple, you wonder – is a large or small ratio good? You reason that this depends upon the perspective of your audience. As an employee, you want your EV/EBITDA to be large, assuming restricted stock units (RSUs) comprise part of your compensation. You believe correctly that your incentives align with those of the shareholders in the stock market. In contrast, your customers would no doubt be happy to pay less for your product in exchange for you realizing lower profits.
You conclude that mathematically, you want to either make EV (the numerator) larger or make EBITDA (the denominator) smaller. In reality, no one is pursuing a strategy for less EBITDA. Since the market determines EV, which stems directly from your business story, you make a note to examine the role you might play in that narrative.
You notice how the calculations seem to exclude depreciation and amortization from the valuation calculation (if needed, see the section on Capex and EBITDA from Chapter 1 for a refresher on what this means). Next, EBITDA has several formulas above. You quickly observe that you don't play a role in determining interest or taxes. You also recall that you may be able to take advantage of depreciation or amortization in funding your program in the short term. You finish your assessment with some more clarity, given that the only natural area in the first formula to focus on is net income. Unsurprisingly, that means more revenue and less cost.
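To make the reasoning in this section concrete, the following is a small worked calculation, added here as an illustration and not taken from the book. It uses the standard identities EV = market capitalization + total debt - cash and EBITDA = net income + interest + taxes + depreciation + amortization; the company figures are constructed round numbers, and it holds the multiple constant and ignores tax effects on incremental costs, the same simplifications the argument above makes. The last function shows the depreciation and amortization effect mentioned above: spend that is capitalized rather than expensed does not reduce the period's EBITDA.

```python
"""Worked EV/EBITDA calculation for the chapter's reasoning (added example,
not from the book). Standard identities used:
    EV     = market capitalization + total debt - cash
    EBITDA = net income + interest + taxes + depreciation + amortization
The company figures are constructed round numbers in millions of dollars.
Taxes on incremental costs are ignored and the multiple is held constant,
which are the same simplifications the chapter's argument makes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Financials:
    market_cap: float
    total_debt: float
    cash: float
    net_income: float
    interest: float
    taxes: float
    depreciation: float
    amortization: float

    def enterprise_value(self) -> float:
        return self.market_cap + self.total_debt - self.cash

    def ebitda(self) -> float:
        return (self.net_income + self.interest + self.taxes
                + self.depreciation + self.amortization)

    def ev_to_ebitda(self) -> float:
        return self.enterprise_value() / self.ebitda()


def implied_ev_change(base: Financials, net_income_delta: float) -> float:
    """EV impact of a change in net income (an incident's cost, or an
    operating saving) when it flows through EBITDA at a constant multiple.
    Interest, taxes and D&A are held fixed, so the only lever is net income,
    which is the conclusion the chapter reaches."""
    return base.ev_to_ebitda() * net_income_delta


def ebitda_after_security_spend(base: Financials, spend: float,
                                capitalized: bool) -> float:
    """Period EBITDA after a security spend. Expensed spend reduces net
    income, and so EBITDA, one for one. Capitalized spend is depreciated
    or amortized in later periods, and D&A is added back in EBITDA, so the
    period's EBITDA is unchanged: this is the D&A effect the text says can
    help fund the program in the short term."""
    return base.ebitda() if capitalized else base.ebitda() - spend


# Constructed example company (millions of dollars).
BASE = Financials(market_cap=9_000, total_debt=3_000, cash=500,
                  net_income=550, interest=100, taxes=200,
                  depreciation=250, amortization=50)

if __name__ == "__main__":
    print(f"EV {BASE.enterprise_value():,.0f}  EBITDA {BASE.ebitda():,.0f}  "
          f"EV/EBITDA {BASE.ev_to_ebitda():.1f}x")
    print(f"Implied EV change from a 25 incident cost: "
          f"{implied_ev_change(BASE, -25):,.0f}")
    print(f"EBITDA with 40 expensed: "
          f"{ebitda_after_security_spend(BASE, 40, False):,.0f}; "
          f"capitalized: {ebitda_after_security_spend(BASE, 40, True):,.0f}")
```

With these constructed figures the company trades at 10x EV/EBITDA, so a 25 million cost that lands in net income implies roughly 250 million of enterprise value at a constant multiple; that is the kind of line of sight from a security outcome to valuation that the rest of the chapter builds on.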
The Value Agenda
As a CISO, you can now examine the role you play in each value agenda component. You have a limited budget, time is scarce, and you already know that talent acquisition will be a challenge. So, you need to know what to prioritize and how to spend the dollars you have available. If you can't quite achieve what is necessary for the business to be successful, you need to outline what limitations you face and how that will impact the broader value agenda. You decide to build a picture that will help your C-suite optimize cost and risk while pursuing an increased market cap.
Gartner has a model that uses risk, value, and cost (RVC) to put cybersecurity priorities and investments in a business context (see Figure 4.5).12 The bubbles are business outcomes, the vertical axis is business value, the horizontal axis is risk posture, and the size of each bubble is the relative cost to maintain the desired risk posture. We will use this model to show how all the concepts presented in this chapter can be consolidated into a single representation to engage your executives and drive security investment.
Logically, to increase net income, you either increase revenues or reduce expenses. Naturally, your business story will give you a feeling for where to focus. In this case, you decide that the earnings call indicates that, as a business, you are pursuing both. Better marketing and diversification should drive top-line growth. Increased automation in factories and distribution centers and a direct-to-consumer strategy should result in cost reductions.
To cozy up to the value agenda, you now decide you need to explore each of the four key initiatives to more intimately understand how those initiatives impact individuals, teams, and the performance of the company overall. These initiatives will represent the business unit bubbles in our RVC diagram in Figure 4.5. Later we'll add the risk perspective. For now, you take solace in your belief that risk is ultimately a choice related to investments and priorities. To get started, you schedule four meetings, each holding one of the following meeting titles:
· Marketing
· Diversification
· Warehouse and Distribution Center Automation
· Direct-to-Consumer
Here's what you learn in each meeting respectively:
MARKETING
Anticipating the meeting, you think to yourself that when it comes to market communication, cybersecurity teams often play no role until there is a significant cybersecurity incident. Even then, the CISO isn't likely to speak with the press or analysts unless the legal and PR teams have coached that message. So, you expect there's a real chance your marketing team hasn't given much thought to cybersecurity. It's even less likely that your new CMO actively concerns himself with cyber risk.
To prepare for the meeting, you craft a few questions you hope to explore, as follows:
· Where is your marketing team funneling increased spending?
  · Better market segmentation
  · Improved targeting
  · Enhanced differentiation
  · Adapted positioning
· How is the marketing team measured? What are key goals related to variable compensation plans, raises, or recognition for individuals or the department as a whole?
· Does the initiative mentioned in the earnings call include new technologies such as AI Marketing platforms? (They are currently “in vogue”.)
· Does this innovative platform cause any concerns about preserving consumer privacy as required by GDPR?
· How does cybersecurity impact the four P's of marketing: product, price, place, and promotion? (See MindTools – https://www.mindtools.com/pages/videos/4ps-transcript.htm.)
· What role does cybersecurity play in differentiation and positioning?
Leaving the meeting, you now know that AI/ML technologies will touch customer data directly to enhance segmentation and targeting. You confirm that in the beverage business and the consumer-packaged goods (CPG) industry in general, cybersecurity isn't likely going to feature as a prominent point of differentiation. There's no interest in pursuing that discussion further.
You also get an education on overall marketing strategy, which doesn't follow the four P's of marketing you learned in your MBA class. Your CMO appreciated the initiative in preparing for the meeting and corrected your attempt to describe the value his department delivers. Your CMO excitedly declares his initiatives are a “game changer” that will undoubtedly catapult revenues forward, but it will take time. He also assures you it isn't any singular thing he has planned, but instead how they all play together. He declares attribution is difficult, and you think to yourself how true that is in cybersecurity, too!
Then, your CMO reveals that, in truth, this is the first time he's ever spoken to a CISO and wasn't aware of the privacy implications that you raised concerning customer analytics. Nevertheless, he agrees that you should partner to explore that in a bit more detail to make sure everything is on the up and up. You agree to set a follow-up meeting in 30 days as a touchpoint to reengage.
DIVERSIFICATION
As you have been getting to know your team, you validated that you already have a robust third-party risk management (TPRM) program. However, while speaking with your Corporate Development (corp-dev) team, you learn that the business is not yet taking advantage of that program. In fact, the corp-dev team was hesitant in accepting a meeting with you and rescheduled several times before you met in person. You offer that InfoSec participation might help to create a more risk-aware transaction during the M&A diligence process. You comment you are surprised the capability isn't being used, recalling for everyone that after Yahoo disclosed two massive breaches in recent years, Verizon cut its offer by $350 million, or about 7% of the original price. Also, the part of Yahoo that wasn't sold to Verizon agreed to assume 50% liability from any future lawsuits related to the data breaches.13
The corp-dev team explains that once they have completed an acquisition, there is a post-merger integration (PMI) process. You decide that your team needs to play an active role despite the corp-dev team's apparent disinterest. In thinking about how to structure a proposal, you ask your TPRM team to evaluate how they might fit into the 10 critical work streams of PMI and instruct them to map that to the existing corp-dev playbooks:
1. Executive leadership roles and responsibilities
2. Business integration planning and implementation
3. Internal and external communications
4. Organization structure and staffing
5. Retention of key customers
6. Retention and re-recruitment of key talent
7. Cultural integration
8. Human resources integration
9. Measurement and feedback
10. Integration program management.14
You think it's essential to have an active role in the M&A process, but you realize getting started with visibility might be enough at first. You can't shake the feeling that there is something unusual about the corp-dev team's less than inviting treatment.
WAREHOUSE AND DISTRIBUTION CENTER AUTOMATION
You decide to speak with your CIO on this one since it seems more likely that the technology team leads the charge rather than the operations group. It turns out that there are many automated warehouse robotics investments that your business is likely to explore. In this case, the decision has been made to start with pick-to-light systems to help enable the emerging direct-to-consumer strategy. However, the vision is much larger, including potential sortation systems and, perhaps eventually, drones.
In the discussion, you identify that there's likely a need to answer a few basic questions, and perhaps a threat model is in order for each new technology. You explain that, at a minimum, you should be considering questions such as:
· What robots are being tested or considered for purchase?
· How are they connected to your networks?
· What data is being produced and processed?
· Are you leveraging cloud-based technologies to enhance robot decision-making capabilities?
· What are specific processes in the warehouses and distribution centers affected?
You note that your CIO is very excited about the potential of these investments. He's convinced that he may be able to automate away labor costs on the order of 1–2% of revenue. He quips that, at that scale of return, the savings would offset a decent percentage of the entire cost of IT.
DIRECT-TO-CONSUMER
Direct-to-consumer strategies can vary by company, but in this case, you learn that the investments will include mobile and web applications and engage customers via social media. These are new motions for your business. They will require entirely new processes, tools, and skills in many teams across the enterprise.
Interestingly, you thought this initiative was about cost reduction, but it is not. It's going to be an expensive endeavor, and the investment goals are almost exclusively about revenue growth. In the end, it will provide your product to customers at a lower cost. In the first few years, the expenses your company saves by removing the middleman will fund the new capabilities. The company already has teams working on web and mobile projects. However, as a growing practice, some structural changes for the cybersecurity team will need to be made to fit into the modern DevOps processes introduced. You note that your CIO is less energetic about these projects but thinks building technology competence will be a fun endeavor.
Now you have a clearer picture of the value agenda, but it's far from perfect. To place each initiative in context, you create the following table (see Table 4.2). The value of each initiative sets the value of our business outcomes in the vertical dimension of the RVC diagram (Figure 4.5).
Security Strategy
As a skilled choice architect, you are conscious of utilizing the WRAP and NUDGES frameworks in preparing your presentation and framing of the issues. Having completed a study of the value agenda, you recognize that you need to overlay the risk and mitigation costs into a single picture. If you can pull this off, you are confident your executive team will appreciate the holistic view. More so, you recognize that they are the best-equipped decision-makers in the business to strike a balance between risk and the associated means to achieve business outcomes. By the time you are done, you hope to have all stakeholders aligned on the relative importance and defensibility of how you have selected the allocation of resources.
To layer in the cost and risk perspective, you dig into each initiative, this time utilizing the more familiar lens of people, process, and technology via the risk management perspective. Aligning cyber risk management with enterprise risk management practices to form a holistic view of risk is covered in depth in Chapters 6 and 7. The goal is only to establish relative ratings of risk and cost for each initiative.
TABLE 4.2 Relative Comparison of Strategic Initiative Value

Strategic Initiative | Value | Notes
Marketing (Business Unit C) | Moderate | Suspect CMO is hyperbolic in expectations. The strategy seems sound but admittedly experimental.
Diversification (Business Unit A) | High | Proven to help outpace the competition and expand customer reach.
Warehouse and Distribution Center Automation (Business Unit D) | High | Realistic opportunity to cut labor costs by an amount equal to 1–2% of overall company revenue.
Direct-to-Consumer (Business Unit F) | Low | D2C initiative seems experimental.
MARKETING
People – Naturally, you want to consider the value agenda when constructing your team. Your team comprises full-time employees, contractors, and partners. You can also work with other executives to ensure that their teams are staffed and trained to help you achieve security and compliance objectives.
The broader macroeconomic environment is also important to keep in mind. Cybersecurity talent in the marketplace is limited. Finding data security and privacy experts with cloud-relevant skills may be challenging, so this is an area to consider building a center of excellence. Interdepartmental partnerships and cross-training are also good options.
Process – Process areas to consider are software development, data privacy, and how projects get funded. The initiative is the first step in digital transformation for this department, so it is essential to consider how your team structure integrates with the more agile software delivery cadence that is likely to emerge. Until you see things stabilize, you surmise that having a consultant in the short term is a good option.
Next, it certainly makes sense to consider how the security implementation of Privacy protections will work. You decide it's also time to engage your legal team to evaluate your approach and solicit buy-in. It's an excellent opportunity for you to examine whether they already have resources or initiatives underway that you could readily leverage.
Finally, you note that it may be possible to capitalize some of this work, which would be in line with the company's focus on EBITDA. To be sure, you plan to check with accounting to see if this is possible or desirable.
Technology – Securing a data warehouse, enabling the use of emerging AI/ML pipeline tools, and ensuring privacy are incremental investments for your team. You will no doubt have pressure to contain labor costs and keep pace.
You aren't sure how it will work out. Still, if the timing of these investments precedes the broader market adoption of such technologies, you will not likely be able to rely upon traditional security companies. Although conventional players are making strides in certain areas, and many are pursuing an M&A approach to maintain relevance, your best bet is to survey the startup landscape to see if you can find support from innovators building new companies. This ability to survey cybersecurity innovators may be a new capability or network you need to develop.
In the end, you decide that it's not fair to assign all these costs to this initiative alone since you will get leverage out of the investments in other areas of the business as well. You note that upon initial review, the Marketing initiative has these properties:
· Risk: High
· Cost: Moderate-High
DIVERSIFICATION
People – Luckily, you already have a core team prepared to conduct third-party diligence. Depending upon the deal pipeline, you may need a slight increase in staff.
Process – Although you are collecting all the necessary data as part of your third-party risk management program, there's a good chance that you need to put energy into developing a new deliverable format to present the data to a new audience, that of the M&A team.
For example, as a buyer in an M&A transaction, your report could be translated into a representation or warranty as part of the deal consummation. If your diligence was driven primarily by interviews and questionnaires, without detailed testing of evidence and artifacts, a deliverable that is detailed and establishes the seller's assertions about the state of its cybersecurity could be important in settling any post-closing disputes. Although not a customary practice, cybersecurity could also be considered in break fees or reverse break fees, which are deal protections where one party agrees to pay a fee to the other if the transaction fails.
Consider your audience, the structure of your diligence process, and the application of the report in your deal structure.
Technology – In our example, no technology investment is necessary to integrate into the Diversification value stream.
You note that upon initial review, the Diversification initiative has these properties:
· Risk: High
· Cost: Low
WAREHOUSE AND DISTRIBUTION CENTER AUTOMATION
Your team proposes to start with a functional threat model for new or evolving technology investments. From there, you agree that you can determine the skills required for your team. Once the trust boundaries and risks are understood, you will devise a plan to secure the designated technology investments.
You push the team towards using free and open-source methodologies and tools to enable your threat model practices:
· https://owasp.org/www-project-threat-dragon/
· https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
Based upon your early exposure, it's clear the team might benefit from some immediate training in these methodologies.
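The questions listed under the warehouse automation meeting (what is connected to which network, what data moves, and whether a cloud service is in the loop) are exactly the inputs a data-flow threat model needs, and the trust boundaries mentioned above fall out of it. The following is an added illustration of that method, not code from the book or from either tool linked above. The elements, trust zones and flows for the pick-to-light deployment are assumptions chosen to fit the scenario; the STRIDE-per-element mapping is the one used by the Microsoft SDL approach and OWASP Threat Dragon.

```python
"""Minimal STRIDE-per-element threat model of the pick-to-light deployment
(added example, not from the book). The elements, trust zones and data flows
are assumptions made to illustrate the method; the per-element STRIDE
mapping is the one used in Microsoft SDL threat modeling and OWASP Threat
Dragon."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE categories that apply to each element kind.
STRIDE_BY_KIND = {
    "external": "SR",      # external entity: Spoofing, Repudiation
    "process": "STRIDE",   # process: all six
    "store": "TRID",       # data store: Tampering, Repudiation, Info disclosure, DoS
    "flow": "TID",         # data flow: Tampering, Info disclosure, DoS
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    data: str   # answers "what data is produced and processed?"

    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone


def threats_for(kind: str) -> List[str]:
    return [STRIDE_NAMES[c] for c in STRIDE_BY_KIND[kind]]


def boundary_crossings(flows: List[Flow]) -> List[Tuple[str, str, str, List[str]]]:
    """(flow, from-zone, to-zone, flow threats) for every flow that crosses a
    trust boundary; these are the flows to analyze first."""
    return [(f.name, f.src.zone, f.dst.zone, threats_for("flow"))
            for f in flows if f.crosses_boundary()]


def element_threats(flows: List[Flow]) -> Dict[str, List[str]]:
    """STRIDE threats for each element that touches a boundary-crossing flow."""
    out: Dict[str, List[str]] = {}
    for f in flows:
        if f.crosses_boundary():
            for e in (f.src, f.dst):
                out.setdefault(e.name, threats_for(e.kind))
    return out


# Assumed system: a WMS in corporate IT drives a pick-to-light controller on
# the warehouse OT network, which sends telemetry to a vendor cloud optimizer.
PICKER = Element("Warehouse picker", "external", "warehouse-floor")
PLC = Element("Pick-to-light controller", "process", "warehouse-ot")
WMS = Element("Warehouse management system", "process", "corporate-it")
ORDERS = Element("Pick-order database", "store", "corporate-it")
CLOUD = Element("Cloud route optimizer", "external", "vendor-cloud")

FLOWS = [
    Flow("pick list", WMS, PLC, "order lines and bin locations"),
    Flow("pick confirmation", PLC, WMS, "item, quantity, picker id"),
    Flow("order read", WMS, ORDERS, "order records"),        # same zone
    Flow("telemetry upload", PLC, CLOUD, "pick timings and layout"),
    Flow("route recommendation", CLOUD, PLC, "pick sequence"),
    Flow("button press", PICKER, PLC, "confirm or short-pick"),
]

if __name__ == "__main__":
    for name, src, dst, threats in boundary_crossings(FLOWS):
        print(f"{name}: {src} -> {dst}: {', '.join(threats)}")
    for name, threats in element_threats(FLOWS).items():
        print(f"{name}: {', '.join(threats)}")
```

Running it lists five boundary-crossing flows and leaves the order database out, because its only flow stays inside corporate IT; the cloud optimizer's inbound "route recommendation" is the flow a reviewer would look at hardest, since a spoofed or tampered recommendation reaches the controller directly.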
Finally, you note that upon initial review, the Warehouse and Distribution Center Automation initiative has these properties:
· Risk: Moderate
· Cost: Moderate
DIRECT-TO-CONSUMER
People – The D2C website is leveraging Docker containers on Kubernetes (k8s), and this is the first time your business will allow containerized deployments. It is time to consider new tools and evaluate if you have the demand for your team to find and keep a full-time application security expert with container expertise.
Further, it's essential to consider the orchestration engine and how to secure it. The skills and knowledge will vary depending on your choice of k8s variants such as Azure Kubernetes Service (AKS) or Amazon Elastic Kubernetes Service (EKS).
Whatever configuration you start with will certainly not be where your development team ends as they look for the optimized application deployment model and build their code deployment pipeline. So, attracting talent that is continually willing to tackle the accelerating learning curve is undoubtedly a cultural consideration.
Process – Given the introduction of many new DevOps principles, it is time for you to examine your team structure to ensure that you are congruent with the faster, iterative development of applications that rely upon cloud-driven business processes.
Technology – You will want to dive into the four C's of Cloud-Native Security and ensure you have a clear understanding of how you will secure technology investments to address the cloud, cluster, container, and code.15
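As an added illustration of the container and cluster layers of the four C's (not code from the book or from the Kubernetes documentation), the following check flags a Pod manifest that misses a handful of the settings the Kubernetes Pod Security Standards "restricted" profile requires, plus an image-pinning check for the code layer. The two manifests are constructed; the digest in the hardened one is a placeholder.

```python
"""Pod-spec hardening check for the container and cluster layers of the
four C's. Added example, not from the book or the Kubernetes docs: the two
manifests are constructed, and the rules are a subset of what the Kubernetes
Pod Security Standards "restricted" profile requires, plus an image-pinning
check for the code layer."""
from typing import Any, Dict, List


def _get(obj: Any, *path: str, default: Any = None) -> Any:
    """Safe nested lookup: _get(pod, "spec", "securityContext", "runAsNonRoot")."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def pod_findings(pod: Dict[str, Any]) -> List[str]:
    """Return the hardening gaps in a Pod manifest (an empty list means clean)."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Cluster layer: host namespaces and service-account token exposure.
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        findings.append("pod shares a host namespace (hostNetwork/hostPID/hostIPC)")
    if (spec.get("automountServiceAccountToken", True)
            and spec.get("serviceAccountName", "default") == "default"):
        findings.append("default service account token is auto-mounted")
    pod_seccomp_ok = _get(pod_sc, "seccompProfile", "type") in ("RuntimeDefault", "Localhost")

    # Container layer: privilege, root, filesystem, capabilities, seccomp.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot is not enforced")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        drops = [d.upper() for d in _get(sc, "capabilities", "drop", default=[])]
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities are not dropped (drop: [ALL])")
        if not pod_seccomp_ok and _get(sc, "seccompProfile", "type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile (RuntimeDefault or Localhost)")
        # Code / supply-chain layer: pin images by digest, not by a mutable tag.
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image is not pinned by digest")
    return findings


# Constructed manifests for the D2C web tier (not real deployments).
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "d2c-web"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web",
                        "image": "registry.example.com/d2c/web:latest",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "d2c-web"},
    "spec": {
        "serviceAccountName": "d2c-web",
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "web",
                        # placeholder digest, constructed for the example
                        "image": "registry.example.com/d2c/web@sha256:" + "0" * 64,
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(pod_findings(pod))} finding(s)")
        for f in pod_findings(pod):
            print("  -", f)
```

A check like this belongs in the delivery pipeline the development team is building, where it fails the build before a manifest reaches the cluster; the same rules can then be enforced at admission time with the cluster's Pod Security Admission controller, so the pipeline check and the cluster policy agree.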
You note that upon initial review, the Direct-to-Consumer initiative has these properties:
· Risk: Low
· Cost: High
Based upon what you know, you craft Table 4.3, hoping to capture a picture of how the investments sit relative to one another. The risk scoring of the business outcome sets the position on the horizontal axis (risk posture) of the RVC diagram. The cost to mitigate sets the relative size of the bubble in the RVC diagram for each business outcome (see Figure 4.5).
TABLE 4.3 Relative Comparison of Strategic Initiatives

Strategic Initiative | Value | Risk | Cost to Mitigate
Marketing (Business Unit C) | Moderate | High | Moderate
Diversification (Business Unit A) | High | High | Low
Warehouse and Distribution Center Automation (Business Unit D) | High | Moderate | Moderate
Direct-to-Consumer (Business Unit F) | Low | Low | High
Shortly after that, you translate the table into Figure 4.5.
At your next Quarterly Risk Committee Meeting, you introduce the model and ask the executives to confirm that you have properly assessed the relative value from the executives' perspective. The power of the RVC diagram is to show the executives what security looks like in a business context to support business decision-making in security investment. You can now use the assessment to develop a prioritized list of investments.
From there, you propose that you can redeploy resources currently allocated to the Direct-to-Consumer initiative and apply them to the Diversification initiative. Even though you initially had push back from the corp-dev team, in this context, it's hard to argue that applying more resources to such a high-value and high-risk initiative is anything but diligent. You explain that this leaves your team fully utilized and that you'll need help to address the additional Marketing initiative. You suggest that one option is to bring in a skilled cloud partner to help mitigate the risks. Perhaps you can define additional support in the form of outcome-driven measurements and SLAs embedded in the contract with the technology partner that Marketing intends to leverage.
FIGURE 4.5 Optimizing Risk, Value, and Cost for Security Readiness
Source: Gartner, “Optimize Risk, Value and Cost in Cybersecurity and Technology Risk.” Used with permission.
The meeting adjourns, and you have a feeling of accomplishment. Although there's still work to do, you have engaged the executive team in a meaningful discussion that resulted in a credible and defensible series of decisions that balance cyber risk with a desire to grow revenue and cut costs. Your diverse audience has aligned on value and context. You have demonstrated you understand the value agenda. Your conversation focused on business issues, and you now share a common story that includes the macro-economic realities of your situation.
As a follow-up, you have agreed that you will establish a much tighter plan that articulates a direct line of sight between security capability measures and risk to business outcomes. Work breakdown structures, more precise budget estimates, and outcome-driven metrics illuminate the path forward for you, your team, and your business.
Key Insights
· Lessons from real estate highlight unique elements that affect value, including the importance of context, audience, macroeconomic and geopolitical conditions, timing, and stories.
· It is crucial to understand investor personas and the expected drivers behind their actions.
· You should understand the three methods for valuing a company. You should also know the common multiples and fundamentals of deriving a discounted cash flow terminal value.
· You may appreciate a real estate agent's friendly, accommodating approach, but in the end, the price you pay for a new home is the primary source of value. Similarly, shareholders may appreciate the assurance of robust security operations, but in the end, protecting value, as determined by the investor community (often in the form of market-based multiples or DCF calculations), is what matters.
· It is possible to combine the value agenda, the risk to business outcomes, and the cost to mitigate those risks to obtain stakeholder alignment. Once aligned, it is much easier for executives to weigh the trade-offs of their decisions and take ownership of their selected outcomes.
Notes
1. Damodaran, A., Narrative and Numbers: The Value of Stories in Business, Columbia University Press, 2017.
2. Twin, A., “Financial Buyer,” Investopedia, August 30, 2019. Accessed January 16, 2021. https://www.investopedia.com/terms/f/financial-buyer.asp.
3. 2012 CFA Level II Book 4: Alternative Investments and Fixed Income, Kaplan Schweser, 2011.
4. Marquit, M., “What Is a Dividend?” Forbes Advisor, December 16, 2020. Accessed January 16, 2021. https://www.forbes.com/advisor/investing/what-is-dividend/.
5. Damodaran, A., Narrative and Numbers: The Value of Stories in Business.
6. Mercer, C., “How to Maximize Business Value: Focus on Increasing EBITDA and Not the Multiple,” chrismercer.net, February 15, 2019. Accessed January 16, 2021. https://chrismercer.net/how-to-maximize-business-value-focus-on-increasing-ebitda-and-not-the-multiple/.
7. IANS Research, 2020 CISO Compensation and Budget Study, 2020. Accessed January 17, 2021. https://www.iansresearch.com/ciso-comp-study.
8. Equity Level II, 2012 (CFA Program Curriculum), vol. 4, Pearson, 2012.
9. Fernandez, P., Valuation Methods and Shareholder Value Creation, 1st ed., Academic Press, 2002.
10. Fernandez, P., Valuation Methods and Shareholder Value Creation.
11. Ekeu, A., “Impact of Cybersecurity Risk on the Valuation of Businesses,” The Washington Valuation Group, October 8, 2019. Accessed January 17, 2021. https://www.washingtonvaluation.com/post/2019/10/08/impact-of-cybersecurity-risk-on-the-valuation-of-businesses.
12. Gartner, “Optimize Risk, Value and Cost in Cybersecurity and Technology Risk,” February 12, 2020. Accessed May 27, 2021. https://www.gartner.com/document/3980889?ref=solrAll&refval=292102879.
13. Moldenhauer, C., Potter, J., Cunning, M., Falciani, L., and George, J., “When Cyber Threatens M&A,” PwC, 2018. Accessed January 16, 2021. https://www.pwc.com/us/en/deals/publications/assets/pwc-when-cyber-threatens-m-and-a.pdf.
14. Galpin, T., Winning at the Acquisition Game: Tools, Templates, and Best Practices Across the M&A Process, Oxford University Press, 2020. https://books.google.de/books?id=D3_4DwAAQBAJ.
15. Kubernetes, “Overview of Cloud Native Security,” December 13, 2020. Accessed January 16, 2021. https://kubernetes.io/docs/concepts/security/overview/.