• Ming Zhao, Co-Founder, CTO

An investment banker walks into a control room

Updated: Aug 14

Maybe he thought it was a bar?

Just kidding, he knew it was the control room. Those giant electrical transformers 100 meters away were pretty hard to miss. And nobody else here was even wearing a suit.

But forgetting such trivialities, everything else felt right at home. The red and green lights dancing on the walls looked just like those Bloomberg terminals that lined the trading floors. The L1 analyst sitting in the back corner looked just as sleep deprived as his counterpart back in Manhattan.

“All these tools look really impressive,” the banker points around the room and turns to the CISO. “So how much money have they saved your company from losing?”

--

Three years ago that investment banker was me. My first big shock after joining the Blue team was the massive gap that existed between how risk management was done on Wall Street and how risk mis-management was done in cybersecurity.

The former had fancy Black-Scholes and Markov chains to predict price uncertainty over time and learn from past information; while the latter had IDS/IPS/EDR invoices stacking up faster than Justin Bieber’s TikTok followers with virtually no due diligence performed on the costs vs. benefits to actual enterprise risk.

Why is this the case? Isn’t cyber risk just a subset of financial risk? After all, isn’t a dollar lost to ransomware equal to a dollar deducted from net profits? And where were the data and modeling to translate from red-yellow-green SOC terminals to solvency threats of cyber-physical incidents?

When we set out to form DeNexus, we talked to numerous CISOs and CFOs about their cyber defense strategies, their spending trends, and what kept them up at night. We realized everyone was missing answers to the same burning questions:

  • My team has limited resources, people, and time. Are we investing enough (or too much) in certain controls?

  • How do I measure returns on my cyber defenses?

  • How do I maximize risk management performance when it comes to cyber, and prove this to the Board?

Let’s say you walked up to your financial advisor one day and demanded to know your last month’s returns. “No problem,” he’d say, “It was 12%! God bless Jerome Powell!!” He’d then plop a big fat performance report in your lap, detailing the daily ETF movements and how thanks to his ingenious asset allocation decisions, you managed to beat the equity benchmark by 300 bps!

Now what if instead of all that, your advisor simply looked across the table, shrugged, and said, “Sorry, my friend, but that’s the million-dollar question! I don’t know how to quantify your returns relative to your risk!”

Would you ever let him touch your money again? It sounds ludicrous but unfortunately that’s exactly the kind of response we security vendors have been giving to CISOs today…

Yeah, F-. Not only is that response not helpful, but it’s also not true: cyber risk can be and should be quantified, and our risk management performance can and should be tracked.

Fortunately, the fact that we’ve already solved risk management for stocks and bonds means we definitely can for cybersecurity as well. We can start by bootstrapping a few principles from the banking world into the infosec world.

In banking, a tried-and-true way to calculate the intrinsic value of a firm’s expected future cash flows is called DCF, or Discounted Cash Flow analysis. This is one simple example of where cyber risk management can borrow from investment management. Put into real-world context:

The first step in DCF analysis is to forecast short term cash flows on a chosen time interval.

  • e.g. Bob’s Fish N’ Chips will make $50k this year, $52k next year, $53.5k in two years, and grow at 2% YoY thereafter in the long run.

  • Switching over to cyber risk world…

  • e.g. Roberta’s Clean Energy is considering purchasing an ICS threat detection tool. After negotiating a 20% new customer discount, the tool will cost $80k per year for a 3-year contract plus a one-time $15k installation fee. Roberta expects the vendor to remove the discount in year 4 upon renewal and to raise prices 5% every 3-year term thereafter (~1.7% per year for simplicity). So, annual cash outflows should look like $95k, $80k, $80k, $100k, $100k, $100k, $101.7k, $103.4k, etc.

The second step is to infer the time-value and opportunity cost of capital, also called the “discount rate”— i.e. what else could one do with that money for how much expected returns?

  • e.g. For every dollar Bob invests into his Fish N’ Chips business, he could instead leave it with his financial advisor to grow at the market risk premium (assume on average 8%).

  • Switching over to cyber risk world…

  • e.g. For the $255k+ total contract cost of the threat detection tool, Roberta could instead invest each dollar toward building out more solar panels, at a historical operating margin of 9%.

The third step is to use the previously estimated growth rate and discount rate to calculate “terminal value,” i.e. the sum total of all post-forecast period cash inflows (or outflows, in Roberta’s case) into perpetuity.


Terminal Value = (Last Projected Cash Flow * (1 + growth)) / (discount – growth)

  • e.g. Bob’s Fish N’ Chips: TV = (53.5k * (1+ 2%))/(8% - 2%) = $910k

  • Switching over to cyber risk world…

  • e.g. Roberta’s Clean Energy: TV = (100k * (1+ 1.7%))/(9% - 1.7%) = $1.4 M

The fourth and final* step is to discount each near-term cash flow from the forecast interval to a net present value and sum everything up. The end result is the “today’s value” of an enterprise – or “today’s cost” of a cybersecurity tool.

  • e.g. Bob’s Fish N’ Chips: EV = $50k/(1+8%)^1 + $52k/(1+8%)^2 + $53.5k/(1+8%)^3 + TV/(1+8%)^3 = $130k + $720k = $850k

  • Switching over to cyber risk world…

  • e.g. Roberta’s Clean Energy: EV = $95k/(1+9%)^1 + $80k/(1+9%)^2 + $80k/(1+9%)^3 + $100k/(1+9%)^4 + $100k/(1+9%)^5 + $100k/(1+9%)^6 + TV/(1+9%)^6 = $412k + $835k = $1.25M
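The four steps above carried through in code, as an added example that is not part of the original post and not DeNexus code. It uses the post’s own figures for Bob’s Fish N’ Chips and Roberta’s Clean Energy (all amounts in thousands of dollars); the cash-flow schedule helper, the function names, and the refusal to produce a terminal value when the discount rate does not exceed the growth rate are my own choices.

```python
from typing import Dict, List, Sequence


def terminal_value(last_cash_flow: float, growth: float, discount: float) -> float:
    """Step 3: perpetuity value of all post-forecast cash flows.

    TV = CF_last * (1 + g) / (r - g).  The formula only makes sense when
    r > g; otherwise the perpetuity diverges, so refuse rather than return
    a negative or infinite 'value'.
    """
    if discount <= growth:
        raise ValueError("discount rate must exceed growth rate for a finite terminal value")
    return last_cash_flow * (1 + growth) / (discount - growth)


def dcf(cash_flows: Sequence[float], discount: float, growth: float) -> Dict[str, float]:
    """Steps 3 and 4: discount each forecast-year cash flow, add the discounted
    terminal value, and report the pieces the post quotes separately.

    Cash flow for year t (1-based) is discounted by (1 + r) ** t; the terminal
    value sits at the end of the last forecast year, so it is discounted by
    (1 + r) ** n, exactly as in the post's worked examples.
    """
    if not cash_flows:
        raise ValueError("need at least one forecast-year cash flow")
    n = len(cash_flows)
    pv_forecast = sum(cf / (1 + discount) ** t for t, cf in enumerate(cash_flows, start=1))
    tv = terminal_value(cash_flows[-1], growth, discount)
    pv_terminal = tv / (1 + discount) ** n
    return {
        "pv_forecast": pv_forecast,
        "terminal_value": tv,
        "pv_terminal": pv_terminal,
        "total": pv_forecast + pv_terminal,
    }


def tool_cash_outflows(discounted_fee: float, install_fee: float,
                       discount_years: int, list_fee: float,
                       forecast_years: int) -> List[float]:
    """Step 1 for a security tool: build the annual outflow schedule.

    Year 1 carries the one-time installation fee; the discounted fee applies
    for the initial term, after which the vendor charges list price.
    (Helper written for this example; the post only states the schedule.)
    """
    flows = []
    for year in range(1, forecast_years + 1):
        fee = discounted_fee if year <= discount_years else list_fee
        if year == 1:
            fee += install_fee
        flows.append(fee)
    return flows


def bobs_fish_n_chips() -> Dict[str, float]:
    """The post's cash-flow example: $50k, $52k, $53.5k, then 2% growth, 8% discount."""
    return dcf([50.0, 52.0, 53.5], discount=0.08, growth=0.02)


def robertas_clean_energy() -> Dict[str, float]:
    """The post's cyber example: $80k/yr discounted (list $100k), $15k install,
    3-year discounted term, six forecast years, then ~1.7% growth, 9% discount."""
    flows = tool_cash_outflows(discounted_fee=80.0, install_fee=15.0,
                               discount_years=3, list_fee=100.0, forecast_years=6)
    return dcf(flows, discount=0.09, growth=0.017)


if __name__ == "__main__":
    for name, result in (("Bob's Fish N' Chips", bobs_fish_n_chips()),
                         ("Roberta's Clean Energy", robertas_clean_energy())):
        print(f"{name}: PV(forecast) = {result['pv_forecast']:.1f}k, "
              f"TV = {result['terminal_value']:.1f}k, "
              f"PV(TV) = {result['pv_terminal']:.1f}k, "
              f"total = {result['total']:.1f}k")
```

Running it reproduces the post’s figures before rounding: Bob’s business comes out at roughly $855k in today’s dollars and Roberta’s tool at roughly $1.24M of lifetime cost, the same number the post rounds to $1.25M. The `terminal_value` guard matters in practice: if a vendor’s price escalation ever outpaced the discount rate, a naive spreadsheet would quietly return a negative “cost” instead of flagging that the perpetuity assumption has broken down.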

So, in plain English, if Roberta were to purchase the ICS detection tool today and continually renew her contract, the expected lifetime cost of the tool in today’s terms would be $1.25M. If she were to then estimate the expected lifetime value of the tool (an exercise for the next post!) and arrive at an amount much greater than $1.25M, she would have a very compelling argument to convince her Board to invest in this tool. Otherwise, if lifetime value came up short below lifetime cost, Roberta could confidently tell the vendor to lower its prices or forget it!

Now Roberta’s Clean Energy is obviously a fake company, but real-world management teams face similar decisions around cyber investments every quarter. The issue is that (1) these decisions usually lack a systematic economic process—what led to turning down one class of security products versus procuring another versus ultimately turning everything down?—and (2) even with a systematic economic process in place, what’s the point if there’s no feedback loop to tie the cybersecurity outcomes back to prior investment decisions— i.e. no way to learn from and adjust our risk management process accordingly?

Not measuring which cyber investments have been accretive versus which have been dilutive, not measuring which security controls matter versus which are overkill—has led the entire cyber industry down this risk mismanagement rabbit hole where traffic lights have replaced statistics and CISOs go to sleep holding their pagers.

On the other hand, imagine a system where all breaches and almost-breaches are programmatically quantified then mapped to specific network gaps and controls, a system where actual and expected losses are continuously collated and attributed back to specific investment or non-investment choices made. Technical leaders would be empowered to assess the real costs and benefits from the sea of security product offerings. They would be able to track the performance of their cyber risk stack just as wealth managers today track the performance of their index funds. They could dump an underperforming security practice the way investors dump an underperforming stock.

When cyber risk is appropriately measured and managed, organizations and their leaders become empowered to maximize limited resources and focus attention back from reactive to proactive. And we would all get better sleep at night.

* disregard debt considerations for simplicity of this exercise

