Margin of Safety or Speculation? Measuring Security Book Value
The measure of success is not whether you have a tough problem to deal with, but whether it is the same problem you had last year. —John Foster Dulles
In the stock market, financial institutions that are considered to be well run sell at a premium: their stock price is greater than their tangible book value, the price/book ratio. What is that book value? A simple number that is easy to acquire and understand, book value is the asset's dollar value carried on your balance sheet. Applying book value to IT, what cost did you incur to develop, deploy, and operate your system? That's its book value.
Why would anyone pay more than book value for a bank's assets? Because some banks make higher quality loans and take less risk. Investors deem Wells Fargo and US Bank to be well run: Wells Fargo trades at 1.5x book value and US Bank trades at 2.0x book value. Conversely, banks that are thought to be less well run sell below book value: Citigroup has traded at near half its book value since 2008. The stock market's premium for Wells Fargo and US Bank and its discount for Citigroup may or may not prove to be well founded, but what those price ratios tell you is the value that investors place on the quality of the assets and the risk management of those companies.
In this spirit, we propose using a Margin of Safety calculation to compare the book value of a company's IT assets (software, servers, development, and so on) to the book value of the security controls and services used to defend those assets. We suggest that the difference between these two numbers assesses the level of safety for assets in your enterprise. If the assets' book value is well covered by the book value of the security controls, then you are making minimal assumptions as to the efficacy of your security systems. If the gap is wider, you may be asking for heroic efforts—too much—from your security services and team. In investing, paying less than $1 for $1 of assets is an example of a Margin of Safety.
What we seek to show here is where the line between safety and speculation occurs in information security systems. A disclaimer: we make no attempt here to address a number of important concepts. We consider the basic book value to be a …