Security owes part of its DNA to finance.
Financial management decisions are all about risk management.
This makes logical sense: we must consume time, money, and raw resources to create a product or service of value. That is inherently risky, because the final product may turn out to be worth less than the sum of its parts. Finance manages these risks. Regardless of any one investment’s success or failure, finance manages the equitable collection and spending of resources on behalf of a group of investors. This includes prioritizing returns to this group, which gives them some certainty in the face of that risk.
Information spread governs market equilibrium, and the market must always be in equilibrium or the math falls apart. Get-rich-quick schemes rely on a shared secret that is hidden from common market knowledge. Financial statements distribute information to interested parties equitably. Exactly what goes into these statements has shifted over time, largely thanks to high-profile incidents like “Ponzi” or “Enron”. Interpreting these statements is also a subject of wild debate; I’m not sure the finance world has fully recovered from the GameStop incident.
A fun new element in these statements is measuring cybersecurity risk.
The basic equation is: Assets = Liabilities + Equity. Anything that has positive value for the business — land, equipment, cash — must equal the amount invested into those assets either by debt or investment. Financial metrics get into the weeds of interpreting this equation for specific stakeholder concerns. If a debt-holder wants to collect easily on a debt, they will want to separate easy-access assets like cash from those assets harder to convert to cash, like land. Internally, assets are taxed at different rates. Investors focus more on the total asset value and how that shakes out to value-per-share.
Much fanfare accompanies the quarterly balance sheet and income statement publications, since most of the information required to lower an investment risk lives on those two documents. However, cash is king, making the cash flow statements just as important. The other statements subtract out items like depreciation of equipment — important for tax, but not something that actually changes the amount of cash on-hand. Big investments like equipment or land will show up in the cash flows before they show up on the income statement. An inability of the incoming cash to cover debt payments is a key sign of financial distress, even if the balance sheet and income statement look just fine.
Given the sheer amount of information in these statements, it’s no wonder fraud is so easy to commit.
A second basic-but-key concept is that time is money. Stick $100 in a savings account, wait a year, and that $100 magically turns into $105. Given a stable interest rate, we can move money forward and backward in time fairly accurately. At any given time, the net present value of an organization is the present value of money coming in minus the present value of money going out. The hard part is accounting for compounding interest over an unknown period of time. Calculus lets us make this calculation in one step, saving the effort of calculating each time period (usually a year) by hand. However, for particularly complicated money-related time travel (or just to check your work), calculating period by period is always an option.
Of course, I don’t really mean “by hand” with an abacus and a pencil. This math usually calls for a spreadsheet. (Or not. This is a judgement-free zone.)
This brings us to how to choose which projects are worth investment. Specifically, what makes a security project worth investing in?
An organization usually has an expected rate of return for any investment. If the calculations show an investment won’t meet a minimum standard, then it’s not worth investing the limited resources of the organization into that project. A common “minimum standard” is that the project’s future revenue exceeds the cash needed to run it today.
Security projects rarely bring in future revenue. We’re a cost center; we spend money.
That doesn’t mean we don’t provide real value. We need to show quantitatively how much we reduce the organizational risk, to give an organization options to hedge that risk. That means, yes, we need to do the hard work of switching from the qualitative assessments of tidy traffic-light dashboards to hard, raw quantitative numbers.
Hard asset value is easier to get as a data point than we think: it is on the balance sheets! Data value is a little trickier, sure, but finance puts a currency value on nebulous concepts like “brand reputation” or “intellectual property” all the time. Incident clean-up is another underutilized data point. The costs of an incident only get fuzzy beyond the hard costs of replacing hardware, rebuild time, and investigation resources. We can build from that.
The security industry is collecting real historical data to help drive likelihood predictions. We have threat intelligence reports. We will continue to collect this information and build out these databases, which is fantastic for continuing to refine our guesses.
The historical data is also bullshit. We have 100 years of financial market data that informs investment decisions but ultimately cannot predict the future. We can throw all the math on it we want to make reasonable, data-driven educated forecasts — and it is all just vibes in the end.
To answer the question: A security project is worth investment if it has a provable positive investment value. That could be because the project has a return higher than its costs, the project is over some defined minimum, or even that it pays for itself over some defined time period.
Of course, once this data is collected, every project the organization can do has to be racked and stacked against each other. Not everything is about security! It is about optimizing value for the organization across the total set of projects with the resources.
Another helpful question in prioritizing projects is looking at the impact on the cash flows. Budgets are built and crumble around cash flows. At a high level, budgets start with the gross profits. Interest, taxes, depreciation, and fixed costs come off the top to leave net profits. The math juggles around how the non-cash depreciation affects the cash-based corporate taxes. Practically, the security department just gets a total budget number handed down from the C-suite. This is where discussions about capital expenditures and operational expenditures happen. We buy a tool; we need capital money; it comes out of that final budget number. That tool has ongoing license costs; that’s part of those pesky fixed costs that come out of the gross profits. Increase those operational costs too much, and there’s nothing left over for new capital projects.
A good security project will spend money now to prevent spending more money later. The problem with that is that dollars now and dollars later can be two very different numbers. Interest rates bridge the gap between “now” and “later”. A basic law of finance states that a thing has only one value at any given time. If something is worth 5 of today’s dollars, that value does not change if it is measured in either yesterday’s or tomorrow’s dollars. If no one can agree on what the value is — if this One Price Law does not hold — we cannot make any useful comparisons with other items. Everything must be evaluated at the market price.
Great. So how do you get a value that’s useful in a comparison? A majority of the math depends on a baseline “risk-free” rate. What is a risk-free investment, you ask? Great question. Bonds, specifically the US 10-year treasury bonds, are a popular baseline. There are others. Bonds can be traded on the open market, so the value of a bond depends on the time left on the bond and the interest rate. Another way to look at it is that the bond value now is the present value of all of its later cash flows. It is considered “risk-free” because it is still unthinkable that the US government would ever, ever, default on the bonds. If this risk-free assumption ever fails, we are all in much bigger trouble.
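To make the arithmetic of the last few paragraphs concrete, here is an added example (mine, not the post’s) that scores a constructed security project against the three tests named above: positive net present value, a return above the organization’s minimum rate, and payback within a set period. The hurdle rate, the project figures and the `SecurityProject` class are all assumptions for illustration; the hurdle rate stands in for the risk-free baseline plus whatever premium the organization demands.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

def present_value(amount: float, rate: float, year: int) -> float:
    # Discount a cash flow that lands `year` years out back to today's dollars.
    return amount / (1.0 + rate) ** year

@dataclass
class SecurityProject:
    capex: float                # tool purchase, paid today (year 0)
    annual_opex: float          # licence and staffing, paid every year after
    annual_loss_avoided: float  # expected loss reduction = likelihood x impact, per year
    years: int                  # how long the control is expected to stay useful

    def net_cash_flows(self) -> List[float]:
        # Year 0 is the capital spend; each later year is avoided loss minus opex.
        return [-self.capex] + [self.annual_loss_avoided - self.annual_opex] * self.years

    def npv(self, rate: float) -> float:
        # Net present value: PV of money saved minus PV of money spent.
        return sum(present_value(cf, rate, t) for t, cf in enumerate(self.net_cash_flows()))

    def discounted_payback_year(self, rate: float) -> Optional[int]:
        # First year in which the project has paid for itself in today's dollars.
        cumulative = 0.0
        for t, cf in enumerate(self.net_cash_flows()):
            cumulative += present_value(cf, rate, t)
            if t > 0 and cumulative >= 0:
                return t
        return None

    def irr(self, lo: float = 0.0, hi: float = 1.0, steps: int = 60) -> float:
        # Rate at which NPV is zero, by bisection; assumes NPV falls as the rate rises.
        for _ in range(steps):
            mid = (lo + hi) / 2
            lo, hi = (mid, hi) if self.npv(mid) > 0 else (lo, mid)
        return (lo + hi) / 2

def worth_funding(p: SecurityProject, hurdle_rate: float, max_payback_years: int) -> Dict[str, bool]:
    # The three tests from the text: positive NPV, return above the minimum, pays back in time.
    payback = p.discounted_payback_year(hurdle_rate)
    return {
        "positive_npv": p.npv(hurdle_rate) > 0,
        "beats_hurdle": p.irr() > hurdle_rate,
        "pays_back_in_time": payback is not None and payback <= max_payback_years,
    }

# Constructed project: $200k tool, $40k/yr to run, avoids $120k/yr of expected loss, 5 years.
EDR_ROLLOUT = SecurityProject(capex=200_000, annual_opex=40_000, annual_loss_avoided=120_000, years=5)
print(worth_funding(EDR_ROLLOUT, hurdle_rate=0.08, max_payback_years=3))
```

Raising the hurdle rate or shortening the allowed payback is how the same project can pass one organization’s screen and fail another’s.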
The lesson here is that while we cannot eliminate all security risk, we can establish an agreed minimum baseline, then measure risk from there.
A quick note on credit ratings: governments and corporations have credit scores just like us. And just like us, the lower the rating, the riskier these bonds are for investors. These credit ratings are granted based on an independent third-party auditor’s risk assessment. Almost like … showing compliance with a security framework of choice.
Stock valuation shares the same concept as bond valuation: The value now is the sum of all later dividends and eventual sale of the stock. This carries some level of risk over and above the risk-free rate for which an investor expects compensation. If a stock pays dividends — not all do — the dividends can fluctuate over time with things like inflation rate and organizational growth rate. Various stock valuation models account for this fluctuation, and no one model is optimal. We are trying to predict the future, after all.
Of course, more than dividend manipulation affects stock price. Wall Street is skittish; investors like predictability. Anything that threatens that predictability means a fluctuation in the stock price. Political or economic changes in the force? Erratic and/or scandalous C-suite behavior? Hype train gone wild? All drive up the risk that either a) no one will buy the stock, effectively rendering it worthless or b) dividends will never be paid, also effectively rendering it worthless.
High-profile security incidents do not do the stock price any favours. CrowdStrike took a hit after their outage, as did SolarWinds after their incident. Time will tell how filing a Form 8-K with the SEC will affect the stock price.
How do we put a price on risk?
One method is to look at the historical data — as the future data is rudely not available — and apply some statistics. What did the stock actually do? What is the statistical margin of error in that evaluation? Importantly, we can break this risk into two components: the amount the market itself moves and the amount an individual stock moves in relation to the market. This whole-market fluctuation affects all organizations relatively equally; this risk cannot be diversified away. No one could have predicted how COVID-19 would affect the economy, so it is a market risk. The likelihood of any single organization experiencing a security incident is a market risk.
Meanwhile, individual stock fluctuation is a risk that good portfolio management can handle with diversification. The beta value of a stock measures its overall investor risk relative to the current market. Beta is calculated by dividing the covariance between the stock and the market by the overall market variance. If we measure the impact of security disclosures on the stock price and on the organizational cash flows, we will see the effect of these disclosures on the stock beta, and put a price on security risk.
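As an added illustration (not from the original post) of the two risk components just described, this code computes beta exactly as defined above, cov(stock, market) / var(market), and goes one step further by splitting the stock’s variance into the part explained by the market (beta squared times market variance) and the stock-specific remainder. The return series are constructed, including a final day on which the market is flat and the stock drops 8% on a breach disclosure.

```python
from typing import List, Tuple

def mean(xs: List[float]) -> float:
    return sum(xs) / len(xs)

def covariance(xs: List[float], ys: List[float]) -> float:
    # Population covariance; the variance of a series is its covariance with itself.
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)

def beta(stock: List[float], market: List[float]) -> float:
    # Beta = cov(stock, market) / var(market), as in the text.
    return covariance(stock, market) / covariance(market, market)

def risk_split(stock: List[float], market: List[float]) -> Tuple[float, float, float]:
    # Returns (beta, market_var, specific_var) such that
    # var(stock) = beta**2 * var(market) + specific_var.
    b = beta(stock, market)
    market_part = b ** 2 * covariance(market, market)
    specific_part = covariance(stock, stock) - market_part
    return b, market_part, specific_part

# Constructed daily returns: the stock moves 1.2x the market plus a little noise.
MARKET = [0.02, -0.02, 0.01, -0.01]
STOCK = [0.025, -0.023, 0.011, -0.013]

# Same series plus one more day: market flat, stock down 8% on a breach disclosure.
MARKET_WITH_DISCLOSURE = MARKET + [0.0]
STOCK_WITH_DISCLOSURE = STOCK + [-0.08]

if __name__ == "__main__":
    for label, s, m in (("baseline", STOCK, MARKET),
                        ("after disclosure", STOCK_WITH_DISCLOSURE, MARKET_WITH_DISCLOSURE)):
        b, mkt, spec = risk_split(s, m)
        print(f"{label}: beta={b:.3f} market_var={mkt:.2e} specific_var={spec:.2e}")
```

With a flat market on the disclosure day, the drop lands entirely in the stock-specific component and beta is unchanged here; beta only shifts when disclosures change how the stock co-moves with the market across many observations, so a single event is better read in the residual term.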
All of this math assumes investors are perfectly rational. This is a bad assumption, because investors are anything but rational. Everyone is always after the next big hype machine. The real investment advice is to diversify your portfolio and hold. Trading stocks constantly creates volatility in the stock, which disrupts the desired predictability of the stock. That’s it, that’s the advice: Diversify and hold.
Let us return to the idea that the dividends can be manipulated to pay for projects. This is called the equity cost of capital, as opposed to the debt cost of capital. Corporate debt is not bad; the interest payments can create a tax shield for the organization by deducting interest paid from taxes owed. Together, the equity and debt costs of capital represent the weighted average cost of capital for the organization.
If funded security projects reduce the organization’s security risk, and we have a price for that risk, the stock price becomes more predictable, which lowers the equity cost of capital. This is a good thing! The cheaper it is to execute projects that increase the value of the organization, the more projects can be done, which optimizes organizational growth.
If we evaluate security risk like the financial risk it is, we can improve our risk management practices by truly working with the business.