Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hello, everyone. Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, the Chief Security and Compliance Architect here at Input Output, and really excited to have you here with us.
This is our very, very first episode. Cash in the Cyber Sheets has been an idea in the back of my brain here for quite a while. Finally decided to get over the pain of hearing my own voice, get past the perfectionism, and just start getting episodes out there.
So very, very happy you're here with me. It's my first time, be gentle. So today, since it's our first episode, I figured that starting, we should start in the same place with every risk management review, with every business, and this is going to dive into really how to better understand the business, which is going to help us on the risk management side.
But what's really crazy is that even though these metrics, we'll go over here in just a minute, are fairly easy to identify, most businesses completely miss them, and not just on security compliance risk management side, but the business as well, and whatever business you're in. Understanding these metrics is going to help you understand the business, drive productivity, drive profit, help you make decisions. It's almost, it's a wonder, it's a wonder pill.
So also, I just wanted to take a few seconds here to explain how the future shows will go, what those will look like, besides just hearing about me, talking about all of my experience, and diving into the topics, and what I'm seeing with clients, and what's working, what's not. We're also going to have a lot of business owners on, to get their perspective as far as what's working in their business, what are they having trouble with, where have they skinned their knees, where have they failed, and how they work through that. Also, have access to a lot of really great industry experts in a lot of different fields, security side, business side, development, you name it.
We've got a lot of different experts that we're going to have in future episodes to get their insight, which is very, very good. And also, as the show develops a little bit, as we get the full website, everything up and running, I want to provide a lot of tools that I use, that clients have used, things that can help spark the right conversations you should be having, and also just hopefully make things easier for you each day. So, again, real happy you're here, eventually we will have the full website up, I'm not going to spend time going into myself, if you want to read about me, about Input Output, you're more than welcome to go to www.inputoutput.com, we also have some of that in the description, but I don't want to bore you with that today.
Long story short, I've been doing it a long time, seen a lot of stuff, I'm going to share it with you. Before going any further, I don't want to forget, please, please, please click that subscribe button on whatever platform you're listening to, Apple Podcasts, Google Play, whatever, hit that subscribe, and please leave some comments, love to hear from you, that also helps us get in front of a lot more listeners, so it's really appreciated. So without any further ado, I want to dive into the topics, our primary focus, and like I said before, this is where it's typically completely overlooked, but it's where every business, every risk manager, every really security and compliance practitioner needs to start.
We need to understand the business, and what we're going to go through are some of the key metrics that are fairly easy to identify, but that are going to pay dividends in how they're going to help us create our plans, drive the profit of the company, and generally interact with everybody else in the company, especially leadership. So I'm not trying to do clickbait here, the five metrics we're going to talk about are going to be number of leads that the company has, how many leads opportunities do we have to make a sale, how many of those do we have coming in every month. We're also going to want to identify our conversion percentage.
How many of those leads, of those prospects, of those opportunities are we actually turning into paying clients. The next one we'll look at, these kind of go, the next two kind of go hand in hand, is average lifetime value, which is how much we're going to make over the course of our relationship with a client, and then average lifetime of the client, typically looked at in years. So once we convert them, how long is that client going to stay with us until, for whatever reason, they go somewhere else or stop being our client.
The final one, which surprisingly is overlooked by a lot of companies, is simply expenses. How much are we spending to provide all of our services, our capabilities, manage our operations, really just what's our total expenses. So what I want to do is dive into each of these a little bit and show, one, what it means, how that's going to help us on the risk side, and then how that's also going to help us relate more to the business, and also start laying the foundation, start planting those seeds for us to move away from just risk management, but over to opportunity management, where we're not just identifying what could go wrong, how things could go sideways, but we're actually going to start identifying new revenue streams, new opportunities for the business.
So it seems very, very simple. A lot of people overlook it, and I can't stress enough. I've been doing it for a long time.
Don't overlook identifying each of these and tying them to everything that you do. So the first one we have is leads. That really just comes down to, again, how many opportunities do we have coming in to make a sale? Is that on our website? Is that on our phone system? Wherever it's at, we just want to get that number, and just like with a lot of our other metrics we're going to talk about here, once we identify that number, we want to identify all the supporting systems.
What are the inputs? What are the outputs that allow us to get those leads? Is that, say, something like MailChimp or Constant Contact? Is that our phone system where they're coming in? Is that our marketing platform or our outside sales agents? Whatever that is, identify all of those different inputs where everything is coming in to bring us our leads. Here's where we can start to really leverage this. One, if we're looking at it from just a risk management perspective, now we've identified all the different inputs, all the different supporting systems that bring us our leads.
These are critical to the business, so we've quickly identified critical supporting systems. What we can also do is identify if one of these goes down, how many leads are we going to not receive? How many opportunities are we going to lose? As we go a little bit farther down the line and identify average lifetime value and our conversion rate, we can even quickly see what that's going to mean for our business. Easy numbers.
If we have 100 leads coming in from one channel and we convert 10 of those, if that channel goes down, we've now lost 10 customers. Maybe we can get them back in another way, but easy math, this can let us start to identify what these systems going offline, what that availability part of the CIA triad, what that availability really means for us at the business. As we identify these though, sometimes when we look at especially the leads, we may have leads coming in from so many different sources that if one, two, three, a few of those sources go down, it doesn't matter too much.
We're always filtering more in. Sometimes however, especially with smaller businesses, we only have one or two revenue streams, sometimes only one. Especially with startup companies, a lot of the leads are coming in as a referral base.
So if something happens, whatever that something is, something happens to stop those referrals, that's a major impact to the company. So where we can start identifying opportunities is a quick scenario, quick brain exercise of what happens if we take that input away? What happens if we take that lead channel away? We don't need to go right now into all the different ways that can happen, how likely it is, how unlikely it is. Just let's assume, let's say we're a restaurant.
Let's assume people can't come into our restaurant anymore. Now back in 2017, 2018, that would seem like a pretty ridiculous statement. Around 2020, not so ridiculous.
So if we're looking at this as far as what could cause that, or if that went away, what would happen to the business, well that would be catastrophic. We can ask ourselves, are we just going to shut our doors if that happens, or are we going to try and figure out a way to manage it? And here we can start identifying different things that we could do if we were to lose that source. So the restaurant, let's say people can't come in, we can start creating all these contingencies, business continuity plans.
How are we going to continue to operate if things go sideways here? Well perhaps what we could do is start delivering food to people. Perhaps we could sell packets of pre-sliced meats, steaks, ribs. Some restaurants did that.
Perhaps we could create meal plans. There's a lot of different things, there's a lot of what-ifs, but we can identify all the different ways that we could continue to operate the business. What's really powerful about doing this here though is that some of those continuity solutions might actually be viable solutions right now.
But maybe it wouldn't cost us a whole lot of money to start selling pre-packaged cases of sliced meat. Maybe we could do that when people are sitting in our restaurant. Hey, you like our steak, would you like to take a few home, they're pre-cut, and start now identifying new revenue streams before things ever go sideways.
And that's how, just looking at this very first metric, we can start shifting our risk management, our security, our compliance focus, that whole program, away from just a doom and gloom, a FUD, fear, uncertainty, and doubt, and like an expense department, and turn it into a company asset that can start identifying new revenue streams, new profit, and new ways of operating the business. So a lot to unpack there with leads, a lot to go into it. But moving on to conversion percentage, that just comes down to, again, how many of those leads do we have coming in, those opportunities, that we're actually turning into a paying client.
Whatever that percentage is, that's fine, we can identify that. And what the conversion rate can show us is, what are all the supporting systems that we need to be able to convert? That can be like our CRM, that could be our payment portal, that could be our phone system, that could be a particular department, maybe a particular physical location. There's a lot of what ifs there, a lot of different things that can support this, and we want to identify all of them.
And just like with the leads, we can have that conversation as far as, what would happen if one of these went offline, or if multiple of these went offline? How's that going to impact us? Sometimes, not that much. Maybe our email's delayed for a while, that's fine, we can call the customer, it's not going to make a big difference. Sometimes it's extreme.
In one case that we had, supporting a call center, they had a massive amount of leads coming in. They were an absolute marketing engine, absolutely incredible, but tons of leads coming in. And they were generating roughly about $100,000 a week in revenue from all of their conversions.
When they implemented a new texting system, they would send out SMSes, the lead would come in, the system would automatically send a text, say, hey, we got your information, we're excited to talk to you, here's who's going to be calling you, we'll reach out to you soon. When they started doing that, getting that initial contact in that kind of golden hour, when they put that in place, the revenue went from $100,000 a week to a million dollars a week. That's a major difference, and incredible, that's awesome.
What it also shows, if we're doing this exercise, we can show that, say in their case, our conversion rate went from 20% to 50%. If that's all based on that texting platform, if that texting platform goes offline, not even that, if we lose the ability to send text, and that could be for whatever reason, we're not going to focus on those reasons now because they're too numerous to count, and we're honestly going to miss some, there's things we could never even think of, but we can make it simple by saying, what happens if we lose this functionality? What are we going to do then? That's where we can start to, again, identify, in this case, maybe there's not another technical solution, perhaps there is, perhaps there's another way that we can reach out and touch these clients. Perhaps we identify a whole other way of business operations, this may not be a new technical control, it may not be some new system, or making sure that we do updates, it might be a new business process to help make sure that when we have an impact, it's not causing such a major impact to the company, that we can survive it a lot better.
And again, this is where we start moving into opportunity management by being able to see what can we do right now to restructure how we're doing business, still get the results we want, we're better, obviously we're okay with better results, but what can we do to get those, and then later, we can discuss in other chats, but later on the risk side, we'll look at the vulnerabilities, what are the ways that it could go sideways, and then how can we help prevent that, reduce the likelihood, or reduce the total impact from those specifics, but before even getting there, just that business perspective, we can start identifying where it is that we need to put our focus, what do we need to look at. The next two that are going to tie into these is our average lifetime value of a client, how much we make from a client relationship, and the average lifetime of the client. Typically in years, you could look at it in months, days, whatever you want to look at it is fine, but identify those two metrics, so for example, if we sell a client and over their lifetime of three years, we make $30,000 off of them, the average lifetime value is $30,000, their average lifetime is three years, and then we can do a lot of different things with that number to say, on average, we're making about $10,000 per year per client, and there's a lot of different things that we can do with these numbers.
One, we can identify what the impacts to our lead supporting systems, what happens if our leads get reduced, well, that's going to trickle right down to less customers, so if, say, from our first example, we lose those 10 customers, well, that's potentially $300,000 in lifetime revenue, $300,000 over the next three years that we're not going to have. And same thing with our conversion rate, if something happens to reduce our conversion rate, we can easily see roughly how many customers we're now not going to get and what that's going to mean for our bottom line, how that's going to impact us. It also allows us to see what our acquisition cost is, so we can look at all of the different expenses, all of the different tools and time, everything that goes into getting to that client and compare that to what their average lifetime value is.
So now we can identify different areas of what systems, what processes should we focus on to try and tighten up, to help reduce those expenses, which helps that final metric. The average lifetime value and lifetime can also help us identify if we have a data breach and we're going to use, say, data from the IBM data breach report that companies that lose business lose 20% or more, we can look at that as far as our lifetime value. So let's say we're making hypotheticals, we're wanting to put actual hard numbers, we have a data breach, each client, we could say we're going to lose about $6,000 in lifetime value.
Or we could look at it from the perspective of we're going to lose 20% of our clients or whatever number we want to put there, and here's what that would mean for our bottom line. However you want to structure that is okay. And again, future discussions to really dive into it.
But what this will do is allow us to identify, again, where we need to focus and what actual impacts could be and help us to start moving away from the high, medium, and low scales and into a more quantitative, actual dollar amount, actual business impact. The final one right here doesn't need a whole lot of explanation is expenses. How much money is going out to support everything that we're doing? This is important to know because as we go and have those budget discussions, as we make requests, if we know these other numbers, we can tie them all together to show here's what it's going to mean for the bottom line, here's why I'm asking for this money, here's why it makes sense.
Interestingly, sometimes we look at it and say this doesn't make sense at all. I'm not even going to bring this up. So not too much to go into expenses just today, but overall, and I think we've touched on it, but the reason it's so important is, again, all of these start pulling us away from that typical high, medium, and low review of risk, the rating of risk, and starts moving us to where we can give hard dollar values, actual impacts, and really put that together to see would we be able to weather this type of impact or do we need to figure out something else to do before this happens and puts us out of business.
What it also does is it allows us on the risk security compliance side to start speaking the same language as senior management, as business owners, as the business itself, because typically where we talk about risk, where we talk about the different impacts and security issues, a lot of times that's left up to the business owners, to the business leadership to put the pieces together as far as what that means ultimately for the business. When we know these metrics, when we tie these to what it is we're doing, not only do we have very clear KPIs, which allow us to create SMART goals and easy milestones for if we're implementing a new solution, what this should mean, we want this to increase our conversion rate by 5%, or we want this to increase our lead generation by 10%. It allows us to tie what it is that we're wanting to put in place, what we're suggesting, directly to the business bottom line and what that means for the business.
And for those at the top levels that want to get deeper, we'll have all that data. But those that don't will be able to just have that very easy conversation. Here's what we're recommending to preserve this amount of revenue, or here's what we're doing and recommending to generate or to potentially capture new revenue.
So again, this is really the foundation. This is where you should start with any risk management program, with any security and compliance program. And as I said, most completely overlook this.
I can't stress enough. Don't overlook it. And I promise if you dive into it, if you identify these things, your budget request, your interactions, your conversations, everything that you have with the different business departments with business leadership will be considerably better.
I guarantee you'll notice the difference. So there's a lot of opportunity with these, a lot of stuff to talk about. We'll stop here for today.
I think this all plants a very good seed for, one, definitely future conversations, where you should take your risk approach, but also should hopefully give a decent flavor for what Cash in the Cyber Sheets is going to be about. This is really where we're going to bring all of that real-world experience, what we're seeing, what's happening, and tie that more to the business, what that actually means for the business. So if you like today and want to hear more, please, please, please click that subscribe button.
And I can't wait to see you here next Thursday at 10. We're here every Thursday, 10 a.m. Thank you so much for listening to Cash in the Cyber Sheets, and I look forward to seeing you next week.