For Infosec Pros: How Firms Create Value

Tuesday, August 16, 2011

Nick Owen


This is the first in (hopefully) a series of blog posts. My goal is to provide information security professionals with a basis for discussing risks with business professionals and to dispel some myths.

The first myth is that information security needs to contribute to the top line or to reduce costs to create value for an enterprise.

This myth is based on the assumption that firms create value solely by increasing revenue or decreasing expenses. 

In particular, I'm picking on my friend Rafal Los at HP for his post on "Business Relevant Security - The Top and Bottom Lines" in which he states:

When you're working for a business only 2 things matter... the top line and bottom line.  Translated into normal speak that means you need to contribute to the business in one of two ways:

  • Help the business make money (adding to the top line)
  • Help the business save money (managing the bottom line)

If you're not working to one of those two goals, you're wasting company resources.  Nothing revolutionary here, right?

Not right: there is a third way. Firms that reduce their cost of capital increase their value. (I'm still simplifying here a bit and will clarify in later posts.)

Let's take a very simple example.  Consider this stream of income:

[Image: income stream]

The net operating profit after taxes is $21 and, at 10%, the net present value is $79.61.  Now, let's say we are on the second year of the same payment stream.

Everything is looking great with this project and we feel a lot more confident that the five payments will be made, so we reduce the cost of capital to 9%.  What is the effect?

[Image: the same income stream at a 9% cost of capital]

So a 1% reduction in cost of capital resulted in a 5.4% increase in value.

These are very clean, made-up numbers. Obviously real life is more complex, with a lot more variance, but the math stands.

So, how do firms create value?  "Increasing revenues" does not in itself create value.  What if the revenues were increased by the same amount as the expenses? No additional cash flow is created.  (Granted, being bigger might reduce risk.)

What if the net income is increased by investing in a project where the cost of capital offsets any increase in net income?  Another wash. 

So, let's revisit our 'ways that firms create value' list:

1.  Increase the return on the existing base of capital: by increasing revenues without increasing expenses, decreasing expenses without decreasing revenues, or decreasing risk.

2.  Invest where the return is greater than the firm's cost of capital.

3.  Divest where the return is less than the firm's cost of capital.

For information security pros, the goal should be to reduce the risks of cash flow streams so that the cost of capital for projects is less than the firm's weighted average cost of capital.

Cross-posted from Wikid Systems
