Posted by:
admin
13 years, 3 months ago
The first myth is that information security needs to contribute to the top line or to reduce costs to create value for an enterprise. This myth is based on the assumption that firms create value solely by increasing revenue or decreasing expenses. In particular, I'm picking on my friend Rafal Los at HP for his post on "Business Relevant Security - The Top and Bottom Lines" in which he states:
When you're working for a business only 2 things matter ...the top line and bottom line. Translated into normal speak that means you need to contribute to the business in one of two ways:
> help the business make money (adding to the top line)
> help the business save money (managing the bottom line)
If you're not working to one of those two goals, you're wasting company resources. Nothing revolutionary here, right?
Not right, there is third way: firms that reduce their cost of capital increase their value. (I'm still simplifying here a bit and will clarify in later posts.)
Let's take a very simple example. Consider this stream of income:
| Revenues | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Expenses | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 |
| Taxes | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 |
| NOPAT | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 |
| Cost of Capital | 10% | |||||||||||
| NPV | $149.17 |
The Net operating profit after taxes is $21 and at 10% the Net Present Value is $79.61. Now, let's say we are on the second year of the same payment stream. Everything is looking great with this project and we feel a lot more confident that the five payments will be made, so we reduce the cost of capital to 9%. What is the affect:
| Revenues | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Expenses | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 | 70 |
| Taxes | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 |
| NOPAT | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 | 21 |
| Cost of Capital | 9% | |||||||||||
| NPV | $157.22 |
So a 1% reduction in cost of capital resulted in a 5.4% increase in value.
These are very clean, made-up numbers. Obviously real life is more complex, with a lot more variance, but the math stands.
So, how do firms create value? "Increasing revenues" does not in itself create value. What if the revenues were increased by the same amount as the expenses? No additional cash flow is created. (Granted, being bigger might reduce risk.)
What if the net income is increased by investing in a project where the cost of capital offsets any increase in net income? Another wash.
So, let's revisit our 'ways that firms create value' list:
1. Increase the return on the existing base of capital: by increasing revenues without increasing expenses, decreasing expenses without decreasing revenues or decreasing risk.
2. Invest where the return is greater than the firm's cost of capital.
3. Divest where the return is less than the firm's cost of capital.
For information security pros, the goal should be to reduce the risks of cash flow streams so that the cost of capital for projects are less than the firms weighted-average cost-of-capital.
Share on Twitter Share on FacebookRecent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)