CHAPTER 5

Articulating the Business Case

Effective people are not problem-minded; they're opportunity-minded. They feed opportunities and starve problems.

Stephen R. Covey

Opportunity

This chapter marks the end of Part I of the book. Up to this point, we have reviewed how to read a financial report and equipped you with essential knowledge and vocabulary. We have explored several business strategy tools. Specifically, we reviewed frameworks that decompose a business by examining its business model and value streams. We learned that business decisions often involve uncertainty and are not entirely rational because many psychological factors affect deliberate and snap decisions. Further, we looked at several methods for valuing a business (asset-based, market-based, and discounted cash flow) to help you directly connect the activities you perform inside your cybersecurity program to the value engines of your business. In the process, we showed how important it is to tell compelling stories.

There are a few outstanding concepts we would be remiss to omit. We'll burnish Part I of the book with a review of several cost concepts. Then, we'll illustrate these concepts via the business case. Building a business case is the final, essential skill that will serve as a natural capstone for our discussion on the first pillar of The CISO Evolution, Foundational Business Knowledge.

As I'm writing this, CVE-2021-3156 recently surfaced. If you are not familiar, a heap-based buffer overflow was discovered in the sudo binary, allowing privilege escalation to root. There is exploit code available, and some product vendors have not yet released a fix. As usual, it's a big deal.

Now, assuming you have the correct instrumentation to find which systems are affected, you have a choice. In some cases, you might be able to simply update the sudo package to the latest version. Between the release of the CVE and patch availability, you could declare a change freeze, disable sudo in all environments, enhance monitoring on Linux servers, etc. Or, you could do nothing and wait for vendors to implement a fix. Additionally, you might consider moving to a new method of privileged access management, such as pbrun.

The point is, with every vulnerability, you face risk at the tactical level. You decide upon a remediation strategy informed by the speed and complexity to implement a fix, the impact on operations, ongoing maintenance costs, and other factors.

While these discussions are not likely to be elevated to the boardroom, the concepts present certainly do surface in executive decision-making every day. Look closer and you'll find opportunities to discuss incremental, opportunity, and sunk costs. Even with such tactical decisions, you are performing a cost-benefit analysis in addition to a risk assessment. Dig further, and you will uncloak cost savings and cost avoidance guarded behind the mist of your risk analysis. In my experience, most cybersecurity leaders fail to integrate these critical business concepts into the discussion.

As a result, some of the symptoms below (which we'll continue to revisit throughout this book) have the appearance of being “just part of the job” when in fact we can do better. Much better. Symptoms include:

· Failure to garner trust from executive leadership

· Misaligned expectations around risk appetite and capital allocation

· Misperception of cybersecurity's role in business

· Demoralization of your team in the face of cyber risk acceptance

· Increased stress and anxiety from managing an underfunded program

Principle

First, we'll review several key cost concepts, and then we'll decompose the elements of a business case with a focus on early messaging and financial analysis. Later, in the Application section of this chapter, we'll review several bona fide business cases to illustrate the presence of cost concepts and the use of these powerful tools.

Cost Concepts

Here we'll briefly review incremental, opportunity, and sunk cost. Further, we'll review the differences between cost savings and cost avoidance. Familiarity with all of these cost concepts will improve your ability to explain the investments you are proposing and making every day.

Incremental Cost

Incremental cost is the change in cost from one alternative to another. The value is comparative and usually positive. For example, above, we considered several alternatives for treating the risk presented by CVE-2021-3156, as follows:

· Option 1: Declare a change freeze, disable sudo in all environments, and enhance monitoring on Linux servers. Eventually patch as usual.

· Option 2: Do nothing and wait for vendors to implement a fix. Eventually patch as usual.

· Option 3: Move to a new method of privileged access management, such as pbrun.

Adding a new control has an incremental cost. Note that often there are economies of scale that may play a role. So, moving from monitoring 10 instances to 100 instances may cost less per instance than increasing from 101 instances to 500 instances, etc., as shown in Figure 5.1.

Imagine that you have decided to monitor 10 more instances as a stopgap in this scenario per Option 1. To calculate the incremental cost, you need to know how many instances you are already licensed to monitor. In this example, we'll suppose that we are increasing from 400 instances to 410 instances. That means that the marginal cost or extra cost incurred per added unit (per added instance) is $40. Further, the incremental cost when comparing monitoring costs in Option 1 vs. Option 2 is $40/instance * 10 instances = $400.

You might be thinking, “Wait! You neglected the labor to install, tune, and respond to these new logs,” and you would be correct in contemplating a complete incremental cost. To keep the example simple, we'll exclude those added costs for now.


FIGURE 5.1 Incremental Cost Curve

Opportunity Cost

An opportunity cost is the potential benefit given up where the choice of one action precludes the choice of another. Recall, we discussed opportunity cost briefly in Chapter 3 – Business Decisions.

There is an opportunity cost in everything you do. Looking inside your security program, you might find areas where you are securing an application or process that provides relatively low value to the business and otherwise not protecting something very valuable.1 Immature programs often over-secure easily defended targets. The energy to over-secure comes at the opportunity cost of developing new skills or improving processes where teams lack sufficient knowledge. An imbalanced focus on the familiar is also prevalent during digital transformation, where leaders may introduce substantial changes very quickly.

As we have discussed in earlier chapters, a well-run business will continuously adapt to optimize value. Naturally, digital transformation initiatives focus on the highest value technology investments. Modern technology such as containers and serverless patterns enable transformation. These technologies improve the overall simplicity, agility, and speed of a business.

Often, businesses adopt modern technology before they have established a robust protection paradigm. Sometimes, innovative technology teams fail to include cybersecurity teams while formulating the adoption of new technology or practices. This omission only ensures a broader disconnect between the two groups. As Chris Laping says, “If people don't ask you to get involved, there's one of two reasons. Reason #1 is that they didn't know you could help. Reason #2 is that they knew you could help but don't like working with you. And the kind truth is, you control both.”2 We'll address reason #1 in Part II – Communication and Education, specifically in Chapter 9 – Relationship Management. In thinking about reason #2, at least part of the rationale for excluding cybersecurity leaders from innovation decisions is control friction.

The 9 Box of Controls is a risk framework that considers control friction.3 As seen in Figure 5.2, using semiautomated methods to detect the change in an environment is far less performant than automating preventive controls. In the context of containers and serverless patterns, it's common for security teams to first attempt to extend the use of existing tools and processes to the practices of agile application development and the use of public clouds. This incremental growth pattern flows as a natural evolution but predictably produces poor outcomes.

Instead, combining tools like the 9 Box of Controls with the Value Chain Mapping exercise we saw in Chapter 2 – Business Strategy Tools can create the clarity needed when considering opportunity costs. Through these mental frameworks, it becomes evident that protecting the company's core value engines requires keeping pace with technology innovation. In a resource-constrained reality, that may even come at the expense of operating existing controls. Force ranking priorities and intentionally managing your calendar is a terrific way to use the concept of opportunity cost. There are only 24 hours each day. You must focus on less to accomplish more.

For example, redirecting funding for staffing that currently executes manual efforts to respond to incidents in your SIEM to instead fund improvements to the CI pipeline may dramatically improve your ability to focus on securing innovations. Further, the skills needed to automate improvements in software deployment apply to SOAR platforms and their interaction with various public clouds.


FIGURE 5.2 9 Box of Controls

Source: Harkins, M.W., Managing Risk and Information Security: Protect to Enable. Used with permission.

As a reminder, one of the symptoms mentioned above is misaligned expectations around risk appetite and capital allocation. Using the concept of opportunity cost more broadly in your business can help you understand the unenviable decision someone else has to make:

Do we spend more on security, or do we tackle this other value-creating activity?

In summary, incremental change, inertia, and comfort in the familiar prevent us from addressing the truly important. If you find yourself in a position where some important things might not get done, you need to elevate your efficiency, delegate, or secure additional resources. Applying the concept of opportunity cost helps keep you focused on the most critical items in your control.

Reference Tools:

· https://www.mindtools.com/pages/article/zero-base-budgeting.htm

· https://evernote.com/blog/getting-started-with-gtd-templates/

· https://fullfocusplanner.com/system/

· https://kanbanize.com/kanban-resources/getting-started/what-is-kanban

· https://gettingthingsdone.com/

Sunk Cost

Sunk Costs are costs incurred in the past that cannot be altered by any current or future decision. Common sayings related to sunk cost are “That's water under the bridge” and “Don't cry over spilled milk.” When thinking about sunk cost, you need to just let it go – but that's not always easy.

In my experience, politics and ego are two reasons that sunk costs get ignored or miscategorized. Sometimes the political capital required to change direction or kill an initiative is so significant that a project may progress toward failure far too long. In other cases, individuals attach their self-worth to the value of a project or idea. If these individuals are in positions of power or influence, they may fiercely object to reversing or changing course as they defend a sense of self-worth.

If you are the executive sponsor of an initiative and have already spent $1M implementing a solution that isn't working, you may hesitate to call the project off. Even so, there may be a better solution that could be more easily implemented at less cost today than completing the work you have already initiated. If this is true, don't throw good money after bad. Find the humility needed to change course.

Common projects in cybersecurity that have sunk costs include DLP, IAM, and endpoint. Many DLP projects are only successful in narrow use cases and do not deliver the entire value proposition initially expected. Similarly, IAM practices have struggled for years, with Single Sign-On yielding a reduced number of logins but never reducing access to a single username and password. Passwordless initiatives have reduced the number of passwords but have yet to end the need for password management infrastructure. Finally, endpoint protection is a typical rip-and-replace project for new CISOs, and in many cases the incremental benefits are not the most impactful enhancements available.

While the initial work on these projects can supply many benefits, these initiatives tend to consume far too many resources while trying to be all things to all people. Be wary of sunk costs and their influence on decision-making, especially in the face of complex and highly visible projects where politics and ego are likely to surface.

Cost Avoidance vs. Cost Savings

Cost Savings and Cost Avoidance are also relative terms, meaning they compare one outcome to another. So, what's the difference? Generally, cost savings have to do with reducing spending that is already taking place, while cost avoidance is reducing spending that likely would have taken place in the future.4

For example, cutting existing staffing is an easy demonstration of cost savings. In contrast, implementing a SOAR solution to reduce the need for added SOC analysts one to two years into the future is cost avoidance. While you may feel the growth in staff is inevitable, your CFO may have other thoughts. As a result, any time you are making a business case based upon cost avoidance, you are on shaky ground until you have confirmed that all decision-makers agree that the future costs in question are inevitable.

Business Cases

The business case will enable you to secure adequate resources. Generally, a business case will do the following:

· Provide a concise summary of the business needs.

· Enumerate relevant assumptions, risks, and objections.

· Outline anticipated implementation costs.

· Examine the cost of ongoing management of the proposed investment.

· Describe the primary direct and indirect benefits.

· Document a financial analysis of the investment, including future cash flows, etc.

· Establish a timeline and payback period (if applicable).

· Offer an analysis of various alternatives (often including the status quo).

There are plenty of business case development templates on the internet. Your company may even have a prescribed format. For that reason, I'd like to review several different tools to improve your ability to leverage any business case template effectively. First, we'll look at getting your messaging right using a combination of stakeholder analysis, influence maps, and the SCI-PAB® Thinking & Messaging Tool. Then, we'll examine two primary financial analysis approaches, namely Cost-Benefit Analysis (CBA) and Net Present Value (NPV).

In my experience, if you get the messaging and financial analysis correct in a business case, mistakes in other elements of your business case are more readily forgiven and forgotten.

Business Case Messaging

For many years I viewed sales as a necessary evil, but now I know that selling can be a great educator. There are plenty of reasons why many people coming from a technical background are skeptical or distrusting of sales professionals. The justification is usually straightforward and goes something like this: “Salespeople are unscrupulous, morally flexible people that inevitably do anything just to line their pockets.” Before I had the opportunity to help with the sales process during my time as a consultant, I believed that the sales profession did little to add value and often weakened the fabric of trust between people and businesses. While it is true that some salespeople fit this stereotype, it is not true of most salespeople. Further, I strongly feel that you must also be an excellent salesperson to be an effective cybersecurity leader.

At the heart of sales is empathy or the ability to understand and share someone else's feelings. Often when presenting a business case, the most relevant question you can ask is, “What emotion do I hope to evoke in each audience member?”

Initially, I believed that presenting different facts, or emphasizing additional data depending upon my audience, was ultimately a failure of integrity. Earlier, we learned there is an opportunity cost for every investment. So, it is essential to have the ability to consistently empathize with your colleagues and articulate how cybersecurity projects impact the things that are significant to them. I now know that presenting the same topic in different ways to varied audiences is essential.

STAKEHOLDER ANALYSIS

Taking the time to identify and prioritize stakeholders is a great place to start. Common stakeholders are listed in Figure 5.3.

FIGURE 5.3 Common Stakeholders

· Your boss

· Shareholders

· Government

· Senior executives

· Alliance partners

· Trade associations

· Your co-workers

· Suppliers

· The press

· Your team

· Lenders

· Interest groups

· Customers

· Analysts

· The public

· Prospective customers

· Future recruits

· The community

· Your family

· Key contributors

· Key advisers

Source: MindTools Content Team, “Stakeholder Analysis: Winning Support for Your Projects.” Used with permission.

Now that you have a concise list of the people affected by your project, invest some time to understand their perspectives. Questions that can help you understand your stakeholders include:5

· What financial or emotional interest do they have in the outcome of your work? Is it positive or negative?

· What motivates them most of all?

· What information do they want from you, and what is the best way of communicating with them?

· What is their current opinion of your work? Is it based on good information?

· Who influences their opinions generally, and who influences their view of you? Do some of these influencers, therefore, become important stakeholders in their own right?

· If they aren't likely to be positive, what will win them around to support your project?

· If you don't think that you'll be able to win them around, how will you manage their opposition?

· Who else might be influenced by their opinions? Do these people become stakeholders in their own right?

INFLUENCE MAPPING

It can be constructive to understand that the normal chain of command is just one way to advance your objectives. Like defense in depth, having a multilayered approach is always a more resilient mode of operating when considering the many internal battlefield objections you may face. Knowing who the real influencers are can help you determine where you should put your effort if you want to succeed. Discovering all your project's stakeholders (not just the obvious ones) and the influence relationships present is what influence mapping is all about. Influence maps help you target the key influencers to win the resources and support you need to reach your goal.

An influence map is a visual model showing the people who influence and make decisions about your project. The map helps you understand how stakeholders relate to one another so that you can quickly see how influence flows.

Remember that even the most powerful people rarely act alone. Top executives and other people in authority rely on advisers. Find out who the advisers are and understand how they operate. This clarity can be vital to your project's success.

There are three primary considerations when you construct an influence map:

1. The importance or weight of a stakeholder's overall influence (represented by the size of the circle representing that stakeholder)

2. The relationships between stakeholders (represented by the presence of lines or arrows between them)

3. The influence stakeholders have on others (represented by the heaviness of the lines drawn between them)

Your completed influence map shows the stakeholders with the most influence as individuals with the most prominent circles. Lines (arrows) drawn to other stakeholders show the presence and strength of influence.6

FIGURE 5.4 Hypothetical Influence Map

Source: MindTools Content Team, “Influence Maps: Uncovering Where the Power Lies in Your Projects.” Used with permission.

SCI-PAB® THINKING & MESSAGING TOOL

You need to build a concise message that considers all the information you have gathered in your Stakeholder Analysis and Influence Mapping exercises. Note that creating these resources once allows you to complete this type of analysis efficiently or even intuitively for future projects.

WHAT IS SCI-PAB® [SIGH-PAB]?

SITUATION→COMPLICATION→IMPLICATION→POSITION→ ACTION→ BENEFIT®7

With amazingly little time needed, this thinking tool helps business communicators to:

· Think efficiently and insightfully about the content they want to communicate from the perspective of their listeners' unique interests, needs, wants, and priorities.

· Use critical thinking to select the most meaningful (“the critical few”) listener-centric elements of their possible content to keep their listeners engaged and open

· Structure the communicators' content (information, ideas, and data) into the most efficient, logical, and understandable flow for their listeners' style and setting

· Organize their content flow into story form

· Move their listeners to the desired outcome

HOW DOES IT WORK?

It's straightforward; just write a sentence or two for each of the following items:

· Situation – State what you know about your listener's circumstances that is relevant to the discussion (e.g. the current state of business, technology, industry, plans). The facts in the Situation shouldn't be controversial or new to listeners. This is always the first sentence in your SCI-PAB®.

· Complication – Identify the critical issues (changes, pressures, demands, etc.) that are impacting the Situation and creating problems or opportunities. Often, the most effective Complication statement provides new, thought-provoking information.

· Implication – Show the personal or business consequences of not acting on the problems or opportunities described in the Complication. The Implication provides a logical transition and adds urgency to your recommendations.

· Position – State clearly and confidently your opinion about what needs to be done to solve your listener's problem. Communicate this at a high level; this isn't the tactical Action step that follows, but rather a strategic statement about your point of view on the issue(s). Keep it short.

· Action – Help your listener understand the role you want them to play or the questions you'd like them to consider during your presentation or conversation. Use action words like consider, discuss, explore, and understand.

· Benefit – Describe how your recommended Position/Action will address listeners' needs. State the results clearly and quantifiably. The benefits you describe should differentiate you and be meaningful to your listeners.8

Now that you know all the stakeholders and influencers and you have tailored a meaningful message to help them frame a discussion topic, let's round out your skills by delving into the Financial Analysis tooling that will support any business case presentation.

Business Case Financial Analysis

In this section, we will review both Cost-Benefit Analysis and Net Present Value. In both types of financial analysis, you outline the benefits a project will deliver, how, at what cost, and how long it will take. Each approach has limitations, and we'll review those, too.

COST-BENEFIT ANALYSIS

Traditional cost-benefit analysis (CBA) is a process where you consider all the costs of executing a project and then examine the benefits. CBA, at first, feels a lot like the Pros vs. Cons analysis that Benjamin Franklin did so many years ago. When conducting a cost-benefit analysis, it makes sense to assign a monetary value to everything you can. Because the CBA is often used to make quick and simple decisions, it is suited for most cybersecurity decisions.

Follow these steps to perform Cost-Benefit Analysis:9

1. Brainstorm Costs and Benefits

2. Assign a Monetary Value to the Costs

3. Assign a Monetary Value to Benefits

4. Compare Costs and Benefits

BRAINSTORM COSTS AND BENEFITS

First, take time to brainstorm all the costs associated with the project and list them. Then, do the same for all the benefits of the project. You should be particularly diligent in exploring unexpected costs. Also, don't be afraid to capture any benefits that you may not have initially anticipated. Remember from Chapter 3 – Business Decisions, we need to work hard to overcome the pitfalls of confirmation bias.

The School of Thought offers several great resources, such as a Creative Thinking Cards Deck (https://thethinkingshop.org/collections/products/products/creative-thinking-cards-deck), that are worthwhile investments. There are a series of cards for each category below that contemplate unique approaches for stimulating your creative prowess:

· Perspective Shifts

· Idea Generation

· Provocation

· Other Mental Models that can be useful at this stage

ASSIGN A MONETARY VALUE TO THE COSTS

Costs include the costs of physical resources needed and the cost of software and labor involved in all phases of a project. Costs are often relatively easy to estimate (compared with revenues). Remember to consider both the impact on your department and the impact on other departments or business units.

When you develop a list of costs, think about the lifetime of the project. Adding a temporal dimension to your thinking will help you consider maintenance costs, tech debt, renewal licensing, incremental staffing, and perhaps control friction. Don't forget about training, context switching, and lost productivity. Also, remember to include opportunity costs in this list.

Ideally, the project will optimize the business and not just your departmental operation. Remember, from the Phoenix Project and the Theory of Constraints, you mustn't introduce a new system-level constraint. Again, a slower process doesn't necessarily produce a lower overall output for a system. Lean tools designed to Exploit the Constraint like Andon, Standardized Work, and Kaizen are excellent indicators of how impactful a change is to the overall system. Further, applying lean tools like Kaizen can be helpful to Subordinate to the Constraint if that scenario arises.10

ASSIGN A MONETARY VALUE TO BENEFITS

Usually, the list of benefits is far more subjective and intangible or “soft.” Revenue forecasting is challenging and often not a core competency of cybersecurity professionals. Further, things like the value of reduced risk or meeting regulatory compliance are difficult to quantify. That's also true of other investments in a business. For example, it is easy to measure the cost of offering a $500/employee stipend for home office equipment during a global pandemic, but what are the benefits? Morale, productivity, loyalty, etc., are all difficult to quantify and likely to be met with skepticism when presenting a business case.

COMPARE COSTS AND BENEFITS

As a final step, compare costs and benefits and decide upon the best course of action. At this stage, it's essential to consider the payback time to find out how long it will take for you to reach the breakeven point or the point in time at which the benefits have just repaid the costs.

For simple examples where the same benefits are received each period, you can calculate the payback period by dividing the projected total cost of the project by the projected total revenues:

equation

FLAWS OF COST-BENEFIT ANALYSIS

For all its advantages, CBA has several limitations. The most relevant limitations for cybersecurity leaders to consider include:

· Revenue forecasts and the value of intangible benefits are very subjective.

· CBA does not gracefully handle a project that has positive cash flow over time, especially when those cash flows vary (which is true in most cases).

· Often the framing of CBA leads to whether-or-not decisions that we learned to be wary of in Chapter 3 – Business Decisions.

Note that the time value of money can make quite a difference in deciding to go ahead with a proposed project. In these cases, consider Net Present Value (NPV) and Internal Rate of Return (IRR) calculations as an alternative to CBA. We'll look at these analysis methods more closely in the following section.

NET PRESENT VALUE (AND IRR)

First, let's examine Net Present Value. Then we can progress to the concept of IRR. You can quickly decompose NPV into two separate concepts:

1. The time value of money.

2. The final gain or loss.

PRESENT VALUE

Here's how I think about this:

EXAMPLE 5.1

If you were offered $100K today, or $100K in 10 years, which would you prefer? You'd likely take the money now even if you weren't going to spend it. Why? Because if you have the money today, you can put it in an interest-bearing account and make a few extra dollars between now and the 10-year time horizon. In contrast, if the money didn't grow, but the overall economy experienced inflation, you would end up with less buying power in the future than you have today.

But what exactly is the difference in value? Selecting a discount rate can be subjective. However, in this example, we'll use 6% each year. Personally, that's a conservative assumption for how I expect my investment portfolio to grow on average over an extended period.

So,

equation

In other words, the present value of $100K in 10 years assuming a 6% portfolio return (discount rate) is worth less today because you wouldn't get the benefit of that interest over 10 years:

equation

I know no one would prefer to receive $56K over $100K today, but this type of thinking is common in our industry.

Present Value of a Multi-Year Project

EXAMPLE 5.2

To secure a contract with a new customer, you must implement additional security tooling to secure the cloud management plane in your SaaS offering. You would otherwise never do such a thing.

Suppose you had to invest an incremental:

· $20K cloud security posture management software

· $25K consulting costs to implement

· $10K internal resources

Then in years 2 and 3, you had to:

· Renew software maintenance at $2K/year

· Invest $5K internal labor to operate and respond to the software each year

Additionally, your prospective customer is at the end of the year, and they would like to spend some cash to retain their budget for next year. So, they ask to pay for the entire contract now.

You want to offer a fair price for the entire expense required to implement and maintain this solution over the contract term. Because it's a competitive bid, you want to keep your costs on this undifferentiated obligation as aggressive as possible without losing margin on the overall deal.

What is the most aggressive price you can offer while maintaining a 30% margin for the engagement, assuming a 15% discount rate?

In this case,

equation

equation

equation

equation

Now add 30%:

equation

Compare this to simply adding the costs and then augmenting that with a 30% margin:

equation

The difference is $3.4K or 4% when comparing these different approaches. At this scale, the differences are most likely inconsequential. However, as the term of the contract extends, the discount rate grows, or the size of the investment scales – these subtle differences can become material (see Table 5.1).

TABLE 5.1 Impact of Variations by Term & Discount Rate

Term      Discount Rate   Difference   Percent Difference
3 Years   15%             $3.4K        4%
3 Years   30%             $5.8K        7%
5 Years   15%             $10.4K       11%
5 Years   30%             $16.7K       18%

It can be helpful to keep the impact of these variables in mind when negotiating multi-year contracts for outsourced operations or software renewals.

FUTURE VALUE

Let's go back to our example of $100K now vs. in ten years. Let's look at it from the perspective of Future Value.

EXAMPLE 5.3

Suppose you invest $100K today and receive 6% interest each year for 10 years. What would you receive in 10 years?

equation

equation

equation

Again, everyone would rather have $179K as compared to $100K in 10 years.

NET

Now that you understand Present Value, we need to add the concept of Net before we arrive at our final destination: Net Present Value.

So how do we “net it out”? Simple. Subtract expenses from the present value of the project. Let's review with an example.

EXAMPLE 5.4

Suppose that to receive $100K in 10 years, you'd have to spend $60K in software and labor today.

Recall,

equation

So,

equation

Here we see that this is a terrible investment. You would actually lose money. It is generally not wise to make a decision that produces a negative NPV. Naturally, you want to favor projects that deliver the highest NPV. Note how important the discount rate is in this calculation.

EXAMPLE 5.5

Integrate the concept of opportunity cost by considering the Best Alternative to a Negotiated Agreement (BATNA). We can now easily calculate that $60K invested today with a 6% growth rate will produce $107,450.86 in 10 years.

So, we could reasonably conclude that any investment of $60K today certainly needs to produce a positive NPV, and the Future Value (in 10 years) had better exceed our BATNA ($107,450.86).

As we saw in Chapter 2 – Business Strategy, you should seek to optimize the return of an investment relative to its risk. In this example, you can put the money in a traditional diversified investment portfolio and avoid liquidity risks we might otherwise incur.

INTERNAL RATE OF RETURN (IRR)

Another way to think about opportunity cost is by utilizing the Internal Rate of Return (IRR). To find the IRR, identify solutions for the discount rate where NPV = $0.

EXAMPLE 5.6

Weighted Average Cost of Capital (WACC) is the average rate a company pays to finance its assets. Consider a business that has a WACC and hurdle rate of 20%. For this example, the finance team requires all significant investments to exceed this rate of return.

NOTE: You can ask your finance department for this figure if you are interested. It also wouldn't hurt to inquire if they set the hurdle rate at or above WACC.

You propose spending $60K today to receive $200K in three years. Does this project get approved?

Set NPV = $0,

equation

Substitute the formula for Present Value,

equation

Plug in values,

equation

Solve for the rate,

equation

equation

equation

equation

equation

Certainly, 49.38% exceeds the hurdle rate of 20%. So, the project is eligible to be contrasted with other opportunities that may be more beneficial.

In practice, you are unlikely to perform these calculations yourself. Recognizing the concepts and understanding the terms can still help you navigate the internal battlefield. What is far more likely is that security costs get added at the end of a project, and the project's actual gain or loss changes as a result.

Suppose a project was close to the hurdle rate without security costs involved. In that case, the project sponsor may propose the effort, obtain approval, and then add security after the fact. Many corporate leaders are willing to ask for forgiveness rather than waiting for permission, especially in a consensus-driven culture.

EXAMPLE 5.7

If security requirements slow the delivery of a project, the timeline to realize benefits can be affected. What is the impact on your rate if you add six months to the project above?

equation

Solve for the rate,

equation

Just the time cost of money pulls roughly 8 percentage points off the rate of return. Imagine if the delays also result in additional labor (six months of team coordination and status updates, added executive visibility and mind share, etc.).

You can see why being the department of “No” is career limiting. It destroys value.
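The NPV, future value and IRR calculations in Examples 5.4 through 5.7 all reduce to one discounting formula, so here is an added Python example (not from the book) that implements them over dated cash flows and solves for IRR by bisection. Representing each flow as a (years from now, amount) pair means the six-month delay of Example 5.7 is just a change to the timing of the inflow; the figures ($60K out, $100K or $200K in, 6% and 20% rates) are the examples' own.

```python
# Added example: NPV, future value and IRR for dated cash flows (Examples 5.4 to 5.7).
# Cash flows are (years_from_now, amount) pairs so that a six-month delay (Example 5.7)
# is just a change in the timing column. Negative amounts are outlays.

def npv(rate, flows):
    """Net present value of dated cash flows at a given annual discount rate."""
    return sum(amount / (1 + rate) ** years for years, amount in flows)

def future_value(amount, rate, years):
    """What a sum grows to if it compounds at `rate` for `years` (Examples 5.3 and 5.5)."""
    return amount * (1 + rate) ** years

def irr(flows, lo=-0.99, hi=10.0, tol=1e-9):
    """Discount rate at which NPV is zero, found by bisection.

    Works for the usual case of one sign change (outlay now, inflow later).
    Raises if NPV does not change sign across [lo, hi]."""
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not cross zero in the search interval")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        f_mid = npv(mid, flows)
        if f_lo * f_mid <= 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2

def clears_hurdle(flows, hurdle_rate):
    """Finance's test: IRR above the hurdle rate, which is the same as NPV > 0 at that rate."""
    return npv(hurdle_rate, flows) > 0

def delay_benefits(flows, years):
    """Push every inflow out by `years`; outlays keep their timing (the delay adds time, not cost)."""
    return [(t + years if amount > 0 else t, amount) for t, amount in flows]

if __name__ == "__main__":
    # Example 5.4: spend $60K today to receive $100K in 10 years, 6% discount rate
    print(f"Example 5.4 NPV: {npv(0.06, [(0, -60_000), (10, 100_000)]):,.2f}")
    # Example 5.5: BATNA, $60K compounding at 6% for 10 years
    print(f"Example 5.5 BATNA: {future_value(60_000, 0.06, 10):,.2f}")
    # Example 5.6: $60K today for $200K in 3 years against a 20% hurdle
    project = [(0, -60_000), (3, 200_000)]
    print(f"Example 5.6 IRR: {irr(project):.2%}, clears 20% hurdle: {clears_hurdle(project, 0.20)}")
    # Example 5.7: the same project with its benefit delayed six months
    delayed = delay_benefits(project, 0.5)
    print(f"Example 5.7 IRR: {irr(delayed):.2%} "
          f"(drop of {(irr(project) - irr(delayed)) * 100:.2f} points)")
```

Bisection is used rather than a closed form because it also handles the multi-year schedules that a real business case has; for a single inflow it lands on the 49.38% of Example 5.6. Note that `clears_hurdle` checks the sign of NPV at the hurdle rate, which is the equivalent test finance teams usually apply, and it does not require solving for IRR at all.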

Application

This section will use two scenarios from my experience to highlight concepts featured in the chapter. First, we will use the SCI-PAB® Thinking & Messaging Tool to introduce a Password Management business case presentation. Then I will apply CBA to present a business case for Password Management. Finally, I will present the business case utilized for Threat Stack, Inc. that applies Monte Carlo analysis to NPV for the project. Put on your safety belt, this gets pretty advanced.

Case Study 1 – SCI-PAB® to Present a Business Case for Password Management

When I started at the company, I performed a gap analysis. For expedience, my information came almost exclusively from interviews. As a result, my assessment suffered from selection bias and, in hindsight, was undoubtedly optimistic.

As the first CISO, I was naturally working to establish a positive presence in the business. I wanted to dispel the false narrative that security is always inconvenient. I was also working to highlight the difference between security-driven culture and compliance-driven culture.

As I conducted interviews, what became apparent is that there were many strong security-related practices. Still, the underlying beliefs that grounded why and how my colleagues performed these activities were often only partially correct.

Most companies leverage compensating controls and feature deviations from standard best practices. Here too, there were architectural limitations that hinted at excessive privilege and shared accounts. As an auditor, I frequently found that people store passwords on sticky notes. As I toured the office in my new company after hours, I eventually found pockets of this behavior. Luckily, all the passwords were for noncritical systems.

I was starting to think about quick wins and some of the longer, more challenging projects required to burn down the risks present in the environment. About that time, I saw the post in Figure 5.5 on LinkedIn:

Schematic illustration of Social Media Post from Industry Thought Leader

FIGURE 5.5 Social Media Post from Industry Thought Leader

Source: Mike Johnson.

As a new CISO, often nothing you want in the first year is budgeted. So, the need for a business case was born.

I decided to follow the sage advice and extend the benefits of a Password Manager to my colleagues. My gap analysis revealed that there was a lot of work to be done, and I wasn't going to be able to address single sign-on or privileged access management immediately. However, a password manager seemed like a great starting point. This is what I presented to our Executive Leadership Team (ELT):

· Situation – Everyone in the business is actively managing dozens of passwords.

· Complication – As we scale the business, we will add new SaaS platforms to satisfy unforeseen business requirements. We will increase the volume of staff, which will, in turn, necessitate more complex networks of collaboration and communication. We will add the complexity of supporting additional public cloud platforms. That will require more complex authentication and authorization schemes. And we will need to separate Administrative and Standard user accounts to satisfy the evolution of our compliance obligations.

· Implication – All of this will require exponential growth in the number of passwords each employee will have to manage. And suppose we fail to solve this problem. In that case, our revenues and employee morale will dip, competitors will encroach, and we'll face audit findings or adverse audit opinions that can deter prospective clients from joining our platform.

· Position – We must act now to ensure our colleagues can continue to perform their jobs with ease and enjoyment. We must ensure that our revenues continue up and to the right. We must not distract our engineers with the burden of clumsy password management.

· We can solve these problems with a small investment in software and a dedicated project team to mobilize rapid adoption. There are already several employees taking advantage of free software that solves this problem. I believe we can do better, and we should.

· Action – With your permission, I'd like to organize a small team of senior engineers, purchase the software, and make it available to everyone by the end of this year.

· Benefits – With your support, we can simplify every employee's experience and ensure the growing complexity and quantity of accounts doesn't expose us to lost revenue, plummeting morale, or qualified audit reports.

I was successful in obtaining funding and initially received approval from the leadership team to proceed with the purchase and implementation. Note that I was successful in adapting the SCI-PAB® framework from Mandel Communications. While they have permitted me to present their communication tool above, they do not endorse its use in the example. Nonetheless, it served in capturing approval and funding for the project.

Case Study 2 – Cost-Benefit Analysis

The previous section establishes early messaging for this business case. Now, let's begin to examine the supporting data and presentation that complemented the introductory content. Note that this process gathered all the information that produced the messaging above. It wasn't the reverse.

Summary of Costs and Benefits

Below we consider quantitative and qualitative costs and benefits of implementing a password manager. As with most cybersecurity business cases, it's the storytelling that secures funding. Keep an eye open for the presence of incremental and opportunity costs.

We wanted something likely to achieve high user adoption and very compatible with DevOps and Site Reliability Engineering best practices. Specifically, we needed to ensure any solution we selected would extend itself to enhanced automation opportunities in the future. We had a stated preference for a SaaS solution, and we wanted to ensure at least feature parity with our existing solution.

First, we conducted a competitive analysis of eight solutions available on the market. Figure 5.6 presents the first level of diligence performed by our DevOps team in narrowing the list of solutions that might be suitable:

From there we reduced the number of vendors considered to just two finalists. Armed with a shortlist, we brainstormed the costs and benefits and assigned a monetary value to each. Table 5.2 gives a summary of the primary expenses of the two finalist solutions:

Then we summarized the benefits for our favored solution as shown in Table 5.3:

Schematic illustration of Password Management Solution Comparison

FIGURE 5.6 Password Management Solution Comparison

TABLE 5.2 Summary of Costs

Software
  Details: There is a licensing cost for the software or subscription fee for the hosted SaaS platform.
  LastPass Year 1 Cost: $7.2K (incremental)
  Competitor Year 1 Cost: $100.3K (incremental)

Internal Labor – Implementation
  Details: We will require a Project Manager, DevOps engineer, and Sr. Engineer familiar with the existing solution. PM – 40 hours; DevOps – 40 hours; Eng – 40 hours; 120 hours @ $120/hour.
  LastPass Year 1 Cost: $14.4K
  Competitor Year 1 Cost: $14.4K

Professional Services
  Details: Consulting services to support the implementation.
  LastPass Year 1 Cost: $0
  Competitor Year 1 Cost: $15K (incremental)

Training
  Details: Training preparation – 8 hours; deliver training to 150 employees – 1 hour each = 150 hours; 158 hours @ $100/hour.
  LastPass Year 1 Cost: $15.8K
  Competitor Year 1 Cost: $15.8K

Internal Labor – Ongoing Maintenance
  Details: Password resets, answering questions, configuration, audit support, etc. SaaS vs. on-prem differences: patching, etc., is required for on-prem only.
    Corporate IT – 50 hours: LastPass $5K; Competitor $5K
    Corporate IT – Monthly Application Software Updates and Testing – 24 hours: LastPass $0; Competitor $2.4K
    NOC – Monthly Patching (OS) – 24 hours: LastPass $0; Competitor $2.4K
    NOC – Hardening and Vulnerability Management – 24 hours: LastPass $0; Competitor $2.4K

INCREMENTAL COST
  LastPass: $7.2K
  Competitor: $115.3K

TOTAL COST
  LastPass: $42.4K
  Competitor: $157.7K

TABLE 5.3 Summary of Benefits

More efficient operations – estimate saving 6 mins/day/engineer: 6 mins/day × 80 engineers × 260 working days = savings of 2,080 hours/year, or 1 FTE.
  Benefit Type: Reduced Operating Expense
  Benefit Within 12 Months: ~$200K

Hours saved by moving to a SaaS solution – 72 hours.
  Benefit Type: Reduced Operating Expense
  Benefit Within 12 Months: $7.2K

Without a tool like LastPass, the inherent risk of data loss and destructive attack is HIGH. Adding a tool to our operations reduces risk significantly.
  Benefit Type: Reduced Risk
  Benefit Within 12 Months: (not quantified)

Without a Password Manager that integrates into browsers, users are likely to continue to utilize sticky notes and other cleartext storage methods that may lead to a data breach or audit findings.
  Benefit Type: Improved Audit Performance
  Benefit Within 12 Months: (not quantified)

As we increase the volume of platforms, identities, and passwords, people are likely to get frustrated and may choose alternative employment.
  Benefit Type: Improved Morale + Employee Retention
  Benefit Within 12 Months: (not quantified)

Keeping engineers focused on their primary value activities will help ensure that we maintain our differentiation in the market.
  Benefit Type: Sustained Competitive Advantage
  Benefit Within 12 Months: (not quantified)

TOTAL BENEFIT: ~$207.2K

The cost benefit analysis summary concludes that even 25% of the benefits (25% * $207.2K = $51.8K savings vs. $42.4K costs) will leave the business better off than before.

Assumptions and Risks

With every business case, you are likely to identify other essential topics. In this case, several of the key discussion points included:

· Revenue Impact: We should carefully consider the potential impact on sales and customer retention. We may have obligations for disclosures, or the use of such a tool may surface in security diligence, influencing renewal decisions and customer acquisition rates.

· Adjacent Market Pursuit Limitations: Utilizing LastPass will exclude us from achieving FedRAMP certification in the immediate future.

· Legal Liability: Using such a solution does not relieve us of the inherent liabilities.

· History: Hackers have compromised both LastPass and OneLogin/Team Viewer previously. All solutions of this nature will remain high on the target list for foreign adversaries and organized crime.

Case Study 3 – Net Present Value

In some business models, a CISO can participate in revenue generation. When that is true, the use of NPV and IRR are applicable. One typical pattern that is likely to emerge is SaaS-based providers that charge a base fee for their services and offer an up-charge for additional security services surrounding their infrastructure or applications.

In this case, Logicworks was in a long-standing partnership with a Managed Security Services Provider (MSSP) that offered host-based intrusion detection, log aggregation, and log review services. Over time, the technology and services became less competitive and no longer met the needs of our changing target market segments. Although the MSSP continued to innovate, migrating to its new platform was just as labor intensive as moving to a different vendor altogether. So, we decided to explore alternatives in the market, hoping to identify an easier-to-manage solution that offered improved security outcomes, a more competitive licensing model, and a more attractive price.

Because these add-on security features complemented our Managed Cloud Operations offerings, it was easy to identify many of the costs associated with operating and upgrading the existing features. As a business, our FP&A team had established a revenue forecast and targets for new customer acquisition. Using descriptive statistics features in Excel, we were able to identify our mean instance count per customer, as well as the standard deviation. This provided us a range of potential costs and established with high confidence that the actual outcome would land in a favorable range.

We were also able to garner information from sales like the average deal term and information from our operations team, including customer growth and churn rates. Further, as container adoption increases, the growth of compute instances will slow, and we were able to capture these assumptions in a financial model. This information was important because we were working to identify a marginal cost/instance utilizing an incremental cost curve like the one featured earlier in the chapter.

In the end, we carved out our cost categories as shown in Table 5.4 (note that a nondisclosure agreement prevents us from disclosing bulk pricing information).

Without revealing the core assumptions and actual calculations, we offer a summary of the final business case in Table 5.5.

After a fair bit of discussion, it was clear to all that there was an entire range of potential outcomes that any number of factors could alter. We wanted to dispel any concern that these variables could produce a result different enough to change the decision to proceed with a new partnership. We used Monte Carlo analysis, a simulation model that generates many scenarios, to help us gain confidence in our decision. Note that this topic will come up again in Chapter 7 – Translating Cyber Risk into Business Risk.

First, we constructed an NPV calculator and replaced each static input with a range of values, from very aggressive to very conservative assumptions, to reflect the many factors in play (see Table 5.6).

TABLE 5.4 Summary of Costs

Licensing
  More competitive licensing terms and economies of scale will play a role in pricing the total cost to operate.

Efficiency Savings – Incident Investigation Time
  The information, enrichment, user interface, and customer support influence the amount of time it takes to triage, root cause, and respond or escalate to a customer.

Transition – Migration Costs
  There will need to be a comprehensive customer transition plan that includes:
  • Customer Outreach
  • Customer outage coordination
  • New legal efforts, which may include development of Service Orders & Contracts
  • Customer education on a new platform
  • Updates to Professional Services onboarding checklists, project plans, etc.
  • Removal of the old solution
  • Installation of the new solution
  • Testing to ensure the new solution doesn't interfere with customer applications

Transition – Training Costs
  The entire organization has training needs. For example:
  • We must educate sales and marketing on the industry and market landscape
  • Technical sales needs to understand the detection and alerting mechanisms and limitations
  • Sales and financial operations teams must connect SKUs, terms of service, and other elements to profitability models, forecasts, revenue reports, etc.
  • We must partner with finance to determine how to calculate and generate invoices
  • Technical teams need to understand how to implement and troubleshoot the technology
  • Cloud operations teams need to build runbooks and understand how to communicate with customers
  • Customer service teams need to know how to provide meaningful summaries of the monthly outcomes achieved

Incremental Margin Contribution
  The new vendor is more proactive in the sales cycle and can help bring us leads in our target market.

TABLE 5.5 Summary of Costs and Benefits

                                                Year 1          Year 2          Year 3          Total 3-Year
Licensing                                       $277,848.00     $326,005.02     $334,916.39     $938,769.41
Efficiency Savings                              $155,664.00     $155,664.00     $155,664.00     $466,992.00
Transition Costs                                $(73,090.00)    0               0               $(73,090.00)
Incremental Margin Contribution (New Security)  $57,204.00      $141,048.60     $219,773.40     $418,026.00
Net Savings/(Cost)                              $417,626.00     $622,717.62     $710,353.79     $1,750,697.41

Finally, we decided to eliminate Incremental Margin from our business case so we are not dependent upon customer growth assumptions (something we cannot control). Instead, we wanted to show only outcomes that are wholly in our control.

Using a pseudo-random number generator, we were able to execute 5,000 simulations for the NPV of the model. Figure 5.7 shows a histogram of resulting values from our simulation.

In the figure, you can see that our NPV is positive and ranges from ~½ million to ~1.3 million. Even though the NPV is positive, other opportunity costs in the business outweighed this investment initially. Nonetheless, I'm happy to say that we did establish a partnership and continue to grow joint revenues as of the date of this writing.

TABLE 5.6 Net Present Value Calculator

Trial ID: 10 (spreadsheet note: enter the formula for an inverse uniform in the Random Sample column)

Input Variables               Random Sample   Min.         Max.         Variable ID   Time ID
Licensing – Year 1            $286,566        $277,848     $327,186     1             1
Licensing – Year 2            $341,682        $337,813     $422,762     1             2
Licensing – Year 3            $461,112        $368,098     $473,809     1             3
Efficiency Savings – Year 1   $(30,575)       $(95,880)    $191,760     2             1
Efficiency Savings – Year 2   $82,736         $(95,880)    $191,760     2             2
Efficiency Savings – Year 3   $(30,135)       $(95,880)    $191,760     2             3
Transition Costs – Year 1     $156,539        $73,090      $181,470     3             1
Transition Costs – Year 2     $-                                        3             2
Transition Costs – Year 3     $-                                        3             3
Incremental Margin            $0              $0           $0           4
WACC                          9.52%           5.00%        15.00%       5

Cash Flow                     2020            2021         2022
Total costs                   $156,539        0            0
Total benefits                $255,991        $424,418     $430,977
Net benefit                   $99,452         $424,418     $430,977

Results
Net Present Value             $772,669

Schematic illustration of NPV Simulation Histogram

FIGURE 5.7 Summary of Costs and Benefits
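The simulation behind Table 5.6 and Figure 5.7 is straightforward to rebuild, so here is an added Python example (not the author's spreadsheet) that does it. It draws every input uniformly between the Min. and Max. columns of Table 5.6 (the spreadsheet's "inverse uniform" cell), discounts the three years of net benefit at the sampled WACC, and repeats the trial 5,000 times. Two assumptions are mine: Incremental Margin is held at zero as the text describes, and the NPV follows the Excel NPV() convention of discounting every year including the first, because that convention reproduces the table's $772,669 for trial 10 while treating year 1 as undiscounted does not. The random seed is arbitrary, so the histogram will not match Figure 5.7 draw for draw.

```python
# Added example: Monte Carlo simulation of the NPV calculator in Table 5.6.
# Each input is drawn uniformly between the table's Min. and Max. (the spreadsheet's
# "inverse uniform"), the three yearly net benefits are discounted at the sampled
# WACC, and the run is repeated 5,000 times. Excel's NPV() convention is assumed
# because it reproduces the table's $772,669: every year, including year 1, is
# discounted (flow i lands at the end of year i + 1). Incremental Margin is fixed at 0.
import random
import statistics

# (min, max) per year from Table 5.6; benefits positive, costs negative
RANGES = {
    "licensing":  [(277_848, 327_186), (337_813, 422_762), (368_098, 473_809)],
    "efficiency": [(-95_880, 191_760), (-95_880, 191_760), (-95_880, 191_760)],
    "transition": [(-181_470, -73_090), (0, 0), (0, 0)],
}
WACC_RANGE = (0.05, 0.15)

def inverse_uniform(u, lo, hi):
    """Map a uniform draw u in [0, 1) onto [lo, hi]: the spreadsheet's inverse-uniform cell."""
    return lo + u * (hi - lo)

def npv_end_of_period(rate, flows):
    """Excel-style NPV: flows[i] is received at the end of year i + 1."""
    return sum(cf / (1 + rate) ** (i + 1) for i, cf in enumerate(flows))

def table_trial_check():
    """Trial 10 from Table 5.6: net benefits $99,452 / $424,418 / $430,977 at 9.52%."""
    return npv_end_of_period(0.0952, [99_452, 424_418, 430_977])

def one_trial(rng):
    """Sample every input once and return the trial's NPV."""
    wacc = inverse_uniform(rng.random(), *WACC_RANGE)
    net_by_year = []
    for year in range(3):
        net = 0.0
        for ranges in RANGES.values():
            net += inverse_uniform(rng.random(), *ranges[year])
        net_by_year.append(net)
    return npv_end_of_period(wacc, net_by_year)

def simulate(trials=5_000, seed=10):
    """Run the simulation with a fixed seed so results are reproducible."""
    rng = random.Random(seed)
    return [one_trial(rng) for _ in range(trials)]

def summarize(results, bucket=100_000):
    """Range, mean, 5th/95th percentiles and a $100K-bucket histogram (Figure 5.7 in text form)."""
    cuts = statistics.quantiles(results, n=20)   # 19 cut points: cuts[0] is P5, cuts[-1] is P95
    hist = {}
    for v in results:
        start = int(v // bucket) * bucket
        hist[start] = hist.get(start, 0) + 1
    return {
        "min": min(results), "max": max(results), "mean": statistics.fmean(results),
        "p5": cuts[0], "p95": cuts[-1],
        "share_positive": sum(v > 0 for v in results) / len(results),
        "histogram": sorted(hist.items()),
    }

if __name__ == "__main__":
    print(f"Table 5.6 trial 10 NPV check: ${table_trial_check():,.0f}")
    summary = summarize(simulate())
    print(f"NPV range ${summary['min']:,.0f} to ${summary['max']:,.0f}, "
          f"mean ${summary['mean']:,.0f}, P5 ${summary['p5']:,.0f}, P95 ${summary['p95']:,.0f}")
    for start, count in summary["histogram"]:
        print(f"${start:>10,}  {'#' * (count // 50)}")
```

Because the worst case of every input (minimum licensing savings, negative efficiency savings, maximum transition cost, 15% WACC) still leaves a positive NPV, `share_positive` comes out at 100% for any seed. That is the point the author wanted the leadership team to see: the variables move the size of the outcome, not its sign. Swapping the uniform draws for triangular or normal distributions, or correlating the three years of licensing, only requires changing `one_trial`.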

Key Insights

· Familiarity with incremental, opportunity, and sunk cost concepts is critical in presenting business cases.

· Empathy with your audience is essential when presenting business cases. You can leverage Stakeholder Analysis and Influence Maps to gain a more intimate understanding of the people who will be critical to your success.

· Utilize Cost Benefit Analysis, Net Present Value, and Internal Rates of Return in order to support the business value of proposed investments.

· Cost Benefit Analysis can be used to establish a business case for most cybersecurity investments.

· When positive cash flows result from your initiative, consider utilizing Net Present Value or Internal Rate of Return calculations to support your investment requests. This may not apply in all business models.

· Monte Carlo analysis can help when you must consider a wide range of possible inputs and establish the range of associated potential outcomes.

· Finally, once you have an awareness of your audience, and a solid foundation of the financial parameters that affect a business case, you can utilize the SCI-PAB® Thinking & Messaging Tool to build a tight introduction to your business case presentation.

Notes

1. Sheridan, K., “Security Through an Economics Lens: A Guide for CISOs,” Dark Reading, September 14, 2020. https://www.darkreading.com/risk/security-through-an-economics-lens-a-guide-for-cisos.

2. Laping, C., “If Opportunity Doesn't Knock, Build a Door,” National CIO Review, 2021. https://www.nationalcioreview.com/leadership/build-a-door/.

3. Harkins, M.W., Managing Risk and Information Security: Protect to Enable, Apress, 2016.

4. Schmidt, M., “How to Legitimize Avoided Cost and Opportunity in the Business Case.” https://www.business-case-analysis.com/avoided-cost.html.

5. MindTools Content Team, “Stakeholder Analysis: Winning Support for Your Projects,” MindTools, 2021. Accessed May 22, 2021. https://www.mindtools.com/pages/article/newPPM_07.htm.

6. MindTools Content Team, “Influence Maps: Uncovering Where the Power Lies in Your Projects,” MindTools, 2021. Accessed May 22, 2021. https://www.mindtools.com/pages/article/newPPM_83.htm.

7. Mandel Communications, “The SCI-PAB® Thinking & Messaging Tool.” https://www.mandel.com/landing-pages/scipab-prompt.

8. Mandel Communications, “The SCI-PAB® Thinking & Messaging Tool.”

9. MindTools Content Team, “Cost Benefit Analysis: Deciding, Quantitatively, Whether to Go Ahead,” MindTools, 2021. Accessed May 22, 2021. https://www.mindtools.com/pages/article/newTED_08.htm.

10. Lean Production, “Focus Improvement on the Manufacturing Constraint.” Accessed May 22, 2021. https://www.leanproduction.com/theory-of-constraints.html.
