Cost of Security

Well, I survived my only Accounting class. I received a phone call prior to the class, warning me that this class might require more than the advertised 20 hours of work a week. I would say I spent about 15 hours of time per week, but math is a strong area for me.

Since we all have to buy the “Connect” access to do homework, some textbooks have also switched to rolling updates rather than static editions.

The first week was all about the concepts of cost management. The textbook primarily focused on manufacturing organizations but talked about service and non-profit organizations as well. Cost management is all about – like it says on the tin – controlling costs. If you keep your costs down, you can set the sale price lower to reach more of your target audience, or keep it higher to increase profits. It’s all a management balancing act between the two, with both options relying on making the thing as cheap as possible without sacrificing quality.

The textbook waited until page 7 to mention Toyota. It also mentioned the power of AI, the blockchain, and the internet as Tools That Will Save Us All. Cost management is all about gathering and analyzing more data as fast as possible.

For what it’s worth, there was significant attention paid to the “balanced scorecard”, which basically means management should pay attention to non-financial factors as critical success factors. Financial indicators still matter, obviously, but so do customer factors (service and quality), internal processes (productivity and safety), and learning/growth (morale and innovation).

Naturally, we have to know what the costs ARE in order to manage them properly. It’s easy when you’re making a THING, since you can track that you need 8 pieces of lumber and 14 hours to build the THING. It’s less easy when you have a giant factory and build half a dozen THINGS. Ideally, you split up overhead costs like utilities, administrative costs, and security amongst the various THINGS. The easy way is to make it an even split – divide the electric bill by the number of THINGS you make, call it a day. Using a concept called Activity-Based Costing, you might look at the number of production lines each THING needs. If you have 12 lines, and THING 1 uses 1 line, it gets 1/12th of the overhead. If THING 2 uses 3 lines, it gets 3/12ths of the overhead. The metric used to divvy up costs proportionally is dealer’s choice.

The concept is straightforward enough but the math to track it and apply it properly is fiddly and tedious.

Once we know how much the THING costs to make, we can start making a budget. Want to sell 1000 THINGS? It should cost XYZ for materials, labor, and overhead. Want to scale that to 2000 THINGS? Some of those costs will fluctuate (materials), some won’t (overhead). Here’s where you can start analyzing for the break-even point, operating budget, and cost-volume-profit ratios. Model estimates will show how many THINGS you need to make to get the desired amount of profit.

Of course, this isn’t a unicorn-and-puppy-dog paradise, and resources are not infinite. Workers need breaks. Machines need maintenance. You can only make so many THINGS in a specified amount of time, so the trick is figuring out what mix of THINGS will get you the most profit. The answer isn’t always to drop the THING that is losing money on paper: dropping a product line moves its share of the overhead onto the other THINGS that survive. If you did the cost math wrong, the math for these business decisions will be wrong. Same idea if you want to make a NEW THING; it’s important to determine the impact of the NEW THING on the OLD THINGS. The trick is determining which costs are relevant for the choice at hand. Sunk costs aren’t relevant.

For security, I think a good analysis would be the cost of implementing security controls versus the cost of a security incident. My gut tells me implementing security controls is cheaper than an incident, but I don’t have the math to back that up. This is important information to show management to justify a request to bring in the shiny new security tool. We have to look at the risk the tool would address and be able to put some kind of quantitative measure on that risk. Let’s take endpoint security tools as an example. They have a license cost per seat, require administrative support to install and manage an agent, and require security support to monitor reports and investigate weirdness. In return, the tools reduce the risk of malware. Determining whether the tool is worth the investment means looking at the likelihood and impact of what malware could do – what are the access controls around the user account for that machine, what other machines could be a target of lateral movement, what are the network controls around large outbound traffic? If you have a robust set of security controls already in place, that shiny new tool seems less shiny.

I am not saying to get rid of endpoint security; I am saying security has better odds to keep and get budget if we go in with math and data, and can show a comprehensive risk analysis.

The next part was all about budgets. How many THINGS do we expect to sell? How much do we have to spend to make that many THINGS? What will the cash flow look like as we collect money from sales and spend it on materials, labor, and overhead? This is also where “What-If” analysis can be done. What if we offer a discount if people pay within 10 days? What if we want to have a sale price of $100? What if customers default on payments? What if we have a security incident that stops production for a week?

Budgets are all about estimates and forecasting. Maybe purchasing secured a discount on the raw materials. Maybe that’s a bigger bulk order than usual, so now we have to pay to store the materials. Maybe it accidentally took twice as long to make. At the end of the period, take stock of what ACTUALLY happened and compare it to what you THOUGHT would happen. Use that to make the next budget more accurate. Repeat until death, or a world-wide pandemic completely upends your business model.

Finally, we covered the all-important return on investment and rewarding managers for good behavior. If managers get rewarded for hitting a certain metric (reducing costs), then, naturally, managers will work toward that metric. However, if a department can shift costs around – fewer fluctuating costs, more stable costs – costs will appear reduced on paper. The managers get rewarded for hitting the metric of “reduce costs”, but the organization ends up in either the same or a worse position. The trick here is to align the reward metrics with the organizational goals.

As always, where security falls in this world depends on the question. IoT device security should have the cost of securing the product built into the sale price of the product. Security of the enterprise or production line is more of a stable cost … which is going to be calculated as production overhead. As practitioners, we have a responsibility to keep the costs down and get a great return-on-investment for the business. 

If you take any certification that covers risk analysis (CISSP), you learn about quantitative and qualitative risk analysis. Either way, you end up with the pretty-colored risk analysis matrix that combines likelihood and impact. I’ve seen a lot of qualitative analysis and not a lot of quantitative, or even semi-quantitative, analysis. If we put numbers on our gut feelings, our budget discussions will probably go a lot smoother.

I think a good starting point for any organization is a cost analysis of a breach. That’s something that could be built into the incident response plans we already make. (We make those, right?) What’s the lost revenue? What’s the labor cost of rebuilding machines and restoring from backup? What’s the material cost of buying new machines? Those are all resources redirected from working on other critical tasks.

Is this an educated guess? Yes, yes it is, because recovery costs are difficult to predict. That’s fine; most of accounting is just vibes, anyway. The only “real” numbers are when you compare the estimate to the actual costs at the end of the period.

For lesser risks, we can still run a cost analysis of the risk coming to pass and establish proportional controls. Business wants to run an out-of-date operating system – what’s the cost of that process or data being unavailable or disclosed? Compare that to the project cost of just upgrading the system, and to the cost of extra monitoring and administration.
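To put numbers on the endpoint-tool question above and on the out-of-date operating system comparison, here is an added example (not from the original post) using the textbook quantitative risk formulas: SLE = asset value × exposure factor, ALE = SLE × ARO, and a control is worth its annual cost only if the ALE it removes exceeds that cost. Every dollar figure, seat count, hourly rate and occurrence rate below is a constructed assumption, not data from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """Quantitative risk: SLE = asset_value * exposure_factor, ALE = SLE * ARO."""
    asset_value: float      # what the affected asset or process is worth (revenue, rebuild cost)
    exposure_factor: float  # fraction of asset_value lost in one incident, 0..1
    aro: float              # annualized rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual: Risk  # the risk that remains once the control is in place


def net_benefit(baseline: Risk, control: Control) -> float:
    """Annual value of a control: ALE avoided minus what the control costs per year."""
    return baseline.ale - control.residual.ale - control.annual_cost


def rank_controls(baseline: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Sort the options by net benefit, best first; 'do nothing' is the benchmark at 0."""
    rows = [(c.name, net_benefit(baseline, c)) for c in controls] + [("do nothing", 0.0)]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def endpoint_tool_cost(seats, license_per_seat, admin_hours, sec_hours, hourly_rate):
    """Per-seat licence plus admin effort to run the agent plus analyst effort on alerts."""
    return seats * license_per_seat + (admin_hours + sec_hours) * hourly_rate


# Constructed figures for the two scenarios discussed in the post.
MALWARE = Risk(asset_value=2_000_000, exposure_factor=0.25, aro=0.5)   # a bad outbreak every 2 years
EDR_COST = endpoint_tool_cost(seats=500, license_per_seat=60, admin_hours=200, sec_hours=400, hourly_rate=75)
EDR = Control("endpoint security tool", EDR_COST, Risk(2_000_000, 0.25, 0.1))  # assumed residual ARO

LEGACY_OS = Risk(asset_value=300_000, exposure_factor=1.0, aro=0.3)    # process fully unavailable
UPGRADE = Control("upgrade OS (project cost over 3 years)", 90_000 / 3, Risk(300_000, 1.0, 0.05))
MONITOR = Control("extra monitoring and admin", 40_000, Risk(300_000, 1.0, 0.15))

if __name__ == "__main__":
    print(f"endpoint tool net benefit per year: ${net_benefit(MALWARE, EDR):,.0f}")
    for name, value in rank_controls(LEGACY_OS, [UPGRADE, MONITOR]):
        print(f"{name:45s} ${value:>10,.0f}")
```

Change the assumed ARO or exposure factor and the ranking flips; that sensitivity is the point to bring to the budget discussion, and the figures get replaced by actuals at the end of the period.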

Armed with the costs of good, bad, and worst-case scenarios, we can make actual data-driven, risk-based choices. We can direct security resources effectively and drive up the overall security of the organization.

We won’t always “win” budget discussions, but we can give ourselves a fighting chance against the rest of the business priorities.
