💡 13.18-Part 1: (Step 2) Business Value Analysis - Featuring Jason Dion in Cyber Coffee Hour!

Lecture Notes

📈 Step 2: Business value analysis



Even up to a couple years ago everyone always looked at cyber as a cost center: it was something that cost our business money; it wasn't something that enabled business functionality that made us money.

Jason Dion


https://a.co/d/8d9I8cj

Speed of Trust Key Principles

Trust leads to speed and lower costs

In a high-trust environment, people collaborate more effectively, and decisions are made faster, with less bureaucracy. Conversely, in a low-trust environment, processes slow down, and costs increase due to inefficiencies, misunderstandings, and undue friction (e.g. from the cybersecurity team).

The economics of trust

Covey emphasizes the "trust tax" and "trust dividend" concepts. A low-trust environment incurs a "tax" in the form of inefficiencies, whereas a high-trust environment yields a "dividend" through improved relationships, reduced friction, and faster execution.

13 specific ways you can build and sustain trust

  • Talk straight
  • Demonstrate respect
  • Create transparency
  • Right wrongs
  • Show loyalty
  • Deliver results
  • Get better (continuous improvement)
  • Confront reality
  • Clarify expectations
  • Practice accountability
  • Listen first
  • Keep commitments
  • Extend trust (while balancing with appropriate caution)


Transcript

When we say in the cybersecurity department that we want to protect and enable the business, it's not just about avoiding undue friction to end users so they can get their work done. It's not just about aligning your cybersecurity strategy to business objectives so you can enable those. It's also about being perceived not just as a cost center, but as one that is directly tied to adding business value. So let's watch a quick clip here from Jason Dion about how times are changing, how this perception is shifting, and how we want to help drive that. And then we'll come on back and get into business value analysis, which is part of CR-MAP process step two.

If you could have any superpower to help you in cybersecurity, what would it be and why? That's a good question. Any superpower in cybersecurity. I think it would be to be able to convince people to do the thing that I tell them they need to do. And the reason I say that is if you've ever worked as a cybersecurity consultant or as a director or whatever, even if you're a CSO or a CIO, you always have a boss. There's always somebody else controlling the purse strings. So even if you're the CSO of a large organization, you've got multimillion-dollar budgets, you've got all the people working for you, and you know the right answer of what to do. But guess what? You still got to go to the CFO, the chief financial officer, the CRO, the chief risk officer, the COO, the chief operating officer, and the CEO, the chief executive officer, to get their buy-in and approval for whatever big plan you need.

I can build the most secure network in the world, but if I can't get the money or the resources or the people behind it, I can't do anything. I have lots of great ideas, but if I don't get funding for them, they'll never happen. That's why I said it's all about the language of risk, money, and business. If you can understand that, you'll be better off. And so if I had a superpower, it would be like I would like to be able to do the little "I Dream of Jeannie" nose wiggle, and all of a sudden, Joseph goes, "Yes, Jason, whatever you need, I will write that blank check." I agree. And depending on your organization, you may get to the point where you almost have that superpower. I've been in a couple of places where I've had that superpower because I've been there for two or three or four years. And within the first three or four months, I go, "Oh, Jason does know what he's talking about. And I don't know cyber, but Jason does. I should listen to Jason."

I've had some of those bosses over the years, those C-suite executives who go, "Yes, they implicitly trust what I tell them, and they will give me the funds to do it." I've had other places where I have to basically fight for months and months to convince them that this is the right thing to do because, again, everything is a competition inside the business. If our business budget is $10 million this year for operations, and we have to split that up between operations and manpower and recruiting and software and everything else, and I say, "I need $1 million to protect this," that's 1/10 of the budget. Good freaking luck, right? Not going to happen. But being able to go, if I could have the magic wand to get whatever I want, that'd be great. But we can't. And so generally, we have to figure out-- when I come up with a proposal, I usually come up with three proposals to my bosses.

"OK, here is my low, my mid, and my high. If you give me all the money and time and resources in the world, this is what I would do, and this would perfectly protect your network." And they go, "Well, that's too expensive." I said, "OK. Then I have number two. This is kind of the mid-grade solution. I can do this much, but you're giving up this, this, and here's your risks. And here's number one. This is the minimum you need to do. This minimum is based on regulatory legal requirements. We must do at least this. But here's all the risk you're going to be taking." And then they can make their decision. Because at the end of the day, the CEO and the COO, they're the ones who have to fund this, and they are the ones who have to live with the decisions they make. Because this is a business decision unless you're working in an IT company.

And most of us aren't working in an IT or cyber company. We are working as IT or cyber in a different business. I have a friend who works for an airline. He does cyber, and he does a great job at it. But guess what? They don't really care about cyber, except in the fact that it helps them continue to fly planes and make money. I have another friend, and she works in manufacturing. She only cares about cyber inasmuch as it means the machines are still running, and that toilet paper is coming off so we can sell it in the store because that's their business, right? It's not like we're working in an MSP or cybersecurity consulting firm where what we do is cyber. It's really easy when you work in those organizations because they understand cyber, right? And now you can be a technical expert.

I suppose you're trying to convince the business why they need you. To give some context to what Jason's saying about being perceived as a cost center and not something that's enabling business functionality to make us money, let's take a look at an income statement. These are also called a profit and loss statement, a P&L. And those costs we identified for gap-closing activities are going to hit these yellow lines here. So that labor cost we calculated is going to hit management and office salaries, benefits, and incentive pay. And so it's more than just a salary, right? A fully loaded line item here would include also benefits, and if there's a variable incentive pay bonus during the year.

We needed people's time to develop and socialize and communicate policies, to introduce contract language with the legal team, or more broadly, just run GRC functions, security operations, and IT functions. So that salaries, benefits, and incentive pay line is under SG&A, selling general and administrative expenses. Another word for that is overhead. And that is not a cost of sales. It is not directly tied to revenue. And SG&A, as you can see, reduces net income, which is our bottom line. Other general and administrative expenses from our gap-closing actions would include software licenses and maintenance fees for the centralized identity management system with single sign-on and MFA and the email gateway. And you might have some consulting fees if you bring in an outside expert to implement these tools, to run your security awareness training, or do the tabletop exercise as an example.

Maybe outside legal counsel needs to be brought in as a consultant to review the contract language that you're introducing. If we look at other expenses our cyber resilience investments are competing with, it includes advertising and marketing, bad debts, which is people not paying their bills, office rent and professional fees for non-security things, like accounting, and insurance, repair, maintenance, and utilities. So starting with a fully allocated budget, if you want to get an investment in security, it can be a hard question to answer of, which of these things should we cut to make room for that?

So Jason notes that the language of business we need to speak in this conversation is money and risk. So do any of these security investments reduce expenses? That could be possible if you're consolidating technologies. Are any of them enabling revenue? So it's possible that you have a contract with a customer who has a condition of doing business with you that requires a third-party audit or requires a certain security control that you contractually agreed to perform, and they might ask you to self-attest to. You can make an argument probably more so for the security certification side or attestation report side that that could be a cost of sales.

But probably the most impactful approach you can take here to speak the language of business is to talk risk, right? So this investment in labor, software, and consulting helps us reliably achieve that revenue because we'll be resilient and we can keep operating when cyberattacks happen. And also look at the big costs in fines and downtime to our peers in the industry and even just the general business headlines. Those are material dollars, and so we're buying down the risk that a scenario like that could happen to us. Our textbook gives us a picture and some terminology around this concept, calling it business value analysis. It's centered on trust and it's about four things-- financial returns, technical risk mitigation, legal risk mitigation, and increased reliability of operations.

To understand the importance of trust in establishing business value, there's a great read that I recommend. It was recommended to me by a mentor, and I'll pass it on to you. It's called Speed of Trust by Stephen Covey Jr., who's the son of the guy with the same name who wrote Seven Habits of Highly Effective People. Stephen Covey, you've heard of that one. The powerful lesson in this book Speed of Trust is that to help a business, when you establish trust, it leads to higher speed and lower cost because in a high trust environment, people collaborate more effectively, decisions are made faster, and there's less bureaucracy.

If you contrast that with a low trust environment, where processes slow down, costs increase, there's inefficiencies, misunderstandings, undue friction-- that's not good. You don't want to be in that scenario. So the economics here are that high trust pays dividends, and low trust costs you a tax. There are 13 specific ways you can build and sustain trust, according to this book. Talk straight, demonstrate respect, create transparency, right wrongs, show loyalty, deliver results, get better, confront reality, clarify expectations, practice accountability, listen first, keep commitments, and extend trust while balancing with appropriate caution.

There is a ton of wisdom distilled into that bullet list from many successes and failures of others over decades. Learn it, live it, breathe it, it'll serve you well. And applying these principles is going to guide you to making the right decisions in the workforce and the right decisions in case studies on your ACCRP exam.
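The income-statement walkthrough above (fully loaded labor, software licenses and maintenance, consulting fees, all landing under SG&A) and Jason's low/mid/high proposal pattern can be put into one small model that states the case in the language of money and risk. The following is an added example written for these notes; it is not code from the course, the textbook or the CR-MAP process, and it is not the textbook's business value analysis method. Every dollar figure, probability, benefits/incentive load and risk-reduction fraction is a constructed assumption for illustration, and the way reductions compound (each action removes a fraction of the loss that remains after the previous ones) is a modeling assumption, not something the lecture specifies.

```python
"""Three-tier security business case in the language of money and risk.

Added example (not code from the course, the textbook or CR-MAP). It maps each
gap-closing action's cost to the SG&A lines the lecture names (fully loaded
salaries, software licenses and maintenance, consulting fees), then compares a
minimum / mid / high proposal by cost, residual expected loss for one
constructed breach scenario, and the sum of the two. Every figure below is a
constructed assumption for illustration, not data from the page.
"""
from dataclasses import dataclass

BENEFITS_LOAD = 0.30    # assumption: benefits add 30% on top of salary
INCENTIVE_LOAD = 0.10   # assumption: variable incentive pay adds 10%


@dataclass(frozen=True)
class Action:
    name: str
    labor_hours: float = 0.0
    hourly_salary: float = 0.0    # base salary rate, before benefits/incentive
    software: float = 0.0         # licenses and maintenance fees
    consulting: float = 0.0       # outside experts, trainers, counsel
    risk_reduction: float = 0.0   # assumed fraction of remaining expected loss removed


def fully_loaded_labor(hours, hourly_salary,
                       benefits=BENEFITS_LOAD, incentive=INCENTIVE_LOAD):
    """Labor cost as it hits the P&L: salary plus benefits plus incentive pay."""
    return hours * hourly_salary * (1.0 + benefits + incentive)


def pnl_lines(actions):
    """Allocate action costs to the three SG&A lines discussed in the lecture.
    All of these are overhead, not cost of sales, so each dollar reduces net income."""
    lines = {"salaries_benefits_incentive": 0.0,
             "software_licenses_maintenance": 0.0,
             "consulting_fees": 0.0}
    for a in actions:
        lines["salaries_benefits_incentive"] += fully_loaded_labor(a.labor_hours, a.hourly_salary)
        lines["software_licenses_maintenance"] += a.software
        lines["consulting_fees"] += a.consulting
    return lines


def expected_annual_loss(probability, impact):
    """Expected loss for one scenario: annual probability times cost (fines plus downtime)."""
    return probability * impact


def residual_expected_loss(actions, baseline_loss):
    """Modeling assumption: each action removes its fraction of whatever loss remains
    after the previous actions, so reductions compound rather than add."""
    remaining = baseline_loss
    for a in actions:
        remaining *= 1.0 - a.risk_reduction
    return remaining


def compare_proposals(proposals, baseline_loss):
    """For each tier: SG&A increase, residual expected loss, and their sum.
    The 'residual' column is the 'here's the risk you're taking' part of the pitch."""
    result = {}
    for tier, actions in proposals.items():
        cost = sum(pnl_lines(actions).values())
        residual = residual_expected_loss(actions, baseline_loss)
        result[tier] = {"sga_increase": cost,
                        "residual_expected_loss": residual,
                        "total_exposure": cost + residual}
    return result


# Constructed gap-closing actions, mirroring the kinds the lecture lists.
POLICY_WORK = Action("policy and contract language", labor_hours=200,
                     hourly_salary=75, risk_reduction=0.10)
TABLETOP = Action("tabletop exercise (outside facilitator)",
                  consulting=15_000, risk_reduction=0.05)
SSO_MFA = Action("central identity with SSO and MFA", labor_hours=120,
                 hourly_salary=90, software=60_000, risk_reduction=0.40)
EMAIL_GATEWAY = Action("email gateway", labor_hours=40, hourly_salary=90,
                       software=30_000, risk_reduction=0.25)
OUTSIDE_COUNSEL = Action("outside counsel contract review",
                         consulting=8_000)  # legal risk, not part of this scenario

PROPOSALS = {
    "minimum": [POLICY_WORK, TABLETOP],
    "mid": [POLICY_WORK, TABLETOP, SSO_MFA],
    "high": [POLICY_WORK, TABLETOP, SSO_MFA, EMAIL_GATEWAY, OUTSIDE_COUNSEL],
}

# Constructed scenario: a 20% annual chance of an outage-plus-fines event costing $3M.
BASELINE_LOSS = expected_annual_loss(0.20, 3_000_000)   # 600,000


def business_case():
    return compare_proposals(PROPOSALS, BASELINE_LOSS)


if __name__ == "__main__":
    for tier, r in business_case().items():
        print(f"{tier:8} SG&A +${r['sga_increase']:>9,.0f}  "
              f"residual risk ${r['residual_expected_loss']:>9,.0f}  "
              f"total ${r['total_exposure']:>9,.0f}")
```

With these constructed inputs the minimum tier is the cheapest line on the income statement but leaves the most expected loss on the table, and the high tier has the lowest combined exposure, which is the comparison a CFO can act on. The weakest inputs are the scenario probability and the per-action risk reductions; ground them in the peer fines, downtime figures and headlines the lecture points to rather than in intuition, and present them explicitly as assumptions so the executives own the decision, as Jason describes.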
