From Defects to Dollars - A Practical Guide to Connecting Application Security to Value Assurance.

4 min read
(April 3, 2023)

More than a decade ago, Malcolm Harkins explained that the cybersecurity leader must navigate two (2) battlefields concurrently.  More recently, the lexicon for this paradigm has shifted (see Run Security / Do Security for Value Assurance), but the concept is the same.  We need to build resilience in our organizations by understanding them as complex systems and communicating the value of the programs we build.  That value must resonate with the larger organizational mission. 

Indeed, navigating the Internal Battlefield (Run Security) successfully helps you defend against the External threat (Do Security).  To succeed on the Internal Battlefield, you must excel in two vital areas - economics and psychology.

In Part I: Foundational Business Knowledge, from our book The CISO Evolution: Business Knowledge for Cybersecurity Executives, I established a prescriptive roadmap detailing how to systematically develop the vital skills necessary to thrive on the Internal Battlefield.  Specifically, after grounding ourselves in financial principles, we dive into business strategy tools, business decisions, value creation, and finally, articulating the business case.

Through these concepts, we demonstrate how to establish a cyber-value agenda that serves key stakeholders (value stories that promote value assurance).

In this multi-part series, we’ll briefly review the learnings from The CISO Evolution and then apply them in a case study.  To complement the reader’s journey, we present several free downloadable digital tools on our website and refer the reader to other authoritative and often free sources.

As you read this series, here’s what you can expect:

First, we’ll provide a primer on Value Creation using a simple but effective framework - 5Ws + H.  That is to say, we will review the who, what, where, when, why, and how of value.  

Next, we’ll examine business decisions from a variety of angles.  We’ll start with the scientific method and then build in a touch of reality by examining the use of leading decision-making frameworks that can enhance our decision-making and help us over-determine decisions others make through choice architecture and influence strategies.

Then, we’ll decompose helpful elements to improve your skills when building and articulating a business case.  In particular, we will review stakeholder analysis, the business model, and the emerging use of cyber risk quantification.

Finally, using a case study, we’ll highlight how to tailor your value storytelling to link investments in application security directly to revenue, operating costs, and enterprise value.

Value Creation

To examine value in more detail, it is helpful to examine the following questions:

  • Who determines value?
  • What delivers value to investors?
  • Where is value created?
  • When is value created?
  • Why is value so important?
  • How is value determined?

WHO - It turns out that value varies by audience.  That is to say, in business, the things that a customer values might be dramatically different from the things an employee or investor values.  For example, the lowest price for a customer might come at the expense of lower retained earnings or dividends paid to an investor, and lower wages for an employee.  The important thing to note here is that when we talk about value, our perspective needs to focus on the investor's perspective of value.

WHAT - There are three basic ways investors get a return on their investment:

  1. Dividends
  2. Redemptions
  3. Capital appreciation

Dividends are regular distributions of profits to shareholders, typically yearly or quarterly. Next, consider the instruments of debt and equity used to raise capital: redemptions are essentially a loan for a business. Usually, they include regular interest payments (cash or payment-in-kind), voluntary or involuntary prepayments, conversions, or redemption at maturity. Finally, capital appreciation occurs when the equity an investor holds appreciates in value.

Remember that value varies by context. Your board of directors may appreciate a well-formed metrics program with a transparent methodology for risk management and capital allocation. Indeed, a robust cybersecurity program can help an individual board director limit her liability and fulfill her fiduciary duties to shareholders. But be careful to avoid confusion when mere appreciation diverges from enterprise value.

WHERE - For now, it suffices to say that investors assign value to a company typically with some objective metric. “When pricing companies, it is not your place or mine to determine what investors should be using to price companies, but what they actually are using. Thus, if the metric investors focus on when pricing social media companies is the number of users these companies have, you should focus on that metric in pricing your company.”

WHEN - The maximum valuation (or, in reality, range of values) at a point in time is a function of numerous factors, including:

  • Conditions in the stock market
  • The level of interest rates and the availability of financing
  • Conditions in the relevant economic markets (national, regional, local)
  • Industry conditions
  • Current interest of competing strategic buyers in similar businesses
  • Availability of investment funds in private equity funds focused on similar businesses
  • When irrational buyers abound
  • The level of earnings and conditions in the business being sold

Notice that a company's owners and management directly control only the last item, the level of earnings and conditions in the business being sold. As a business matures, the value levers tend to shift too. Early on, a company will focus on revenue growth, later on operating margins, and once in decline, cash flow becomes the determining value lever. This evolution of maturity is termed the company life cycle.

WHY - The decisions you make about structuring your team, the controls you implement, the architectures you choose, and the partners you leverage must be congruent with your company's value agenda. The things you prioritize and protect, the risks you accept, and the stories you tell must also align with the value agenda.

It doesn't matter if the value agenda comprises evolving your business model, streamlining your operating costs, heavy M&A activity, or maximizing an EBITDA multiple. Cybersecurity leaders need to be aware of the value agenda and be able to design programs that support and accelerate it. In short, cybersecurity operations that impede the value agenda are doomed.

HOW - In The CISO Evolution, we reviewed three methods to determine value: asset-based, market-based, and discounted cash flow (DCF). Market-based (multiple) valuations are more common, but DCF is still genuinely relevant.  To perform a relative valuation using a multiple, select a set of comparable companies and decide upon a metric. Then examine each asset's characteristics and decide whether the differences justify the variation in value relative to one another. The sector you operate in will determine the metric you use, and with good reason: these multiples correlate more highly with the value engines that power the sector or business model.

Now that we share a common understanding of value, the remaining posts in this series will explore BUSINESS DECISIONS (Post 2), ARTICULATING THE BUSINESS CASE (Post 3), and APPLICATION SECURITY VALUE ASSURANCE CASE STUDY (Post 4).

To ensure you don't miss this exciting series, plus additional expert insight and the latest developments, subscribe to Cyber Security Tribe today