Deploy Securely is all about ensuring that cybersecurity supports business and mission operations.
To support a function effectively you need to communicate clearly with it. And security professionals get a (sometimes justifiable) bad rep for using lots of acronyms and obscure terminology.
Unfortunately, people on the “business” side do the same thing and enjoy tossing around jargon themselves. That’s why, after a LinkedIn post on the topic a while back (which I reused a few months later) got a good response, I decided to put together this more detailed post on business terminology.
Below, I break down some of the key buzzwords you’ll hear thrown around in modern businesses. For all you finance nerds out there - and any of my business school classmates who may be reading - I acknowledge that most of the below descriptions are major simplifications. The point of this post is to give security professionals a place to start.
P&L
Profit and Loss Statement, AKA Income Statement
This can apply to an entire company or a subset thereof, e.g. a business unit. It is a financial document that summarizes the organization's revenues and expenses, and as you might guess, profits and losses.
To be said to “own” a P&L implies that an individual has accountability for the numbers that appear on it.
See this comment thread for more details on P&Ls.
Why you should care
P&L owners are often those who should be making - with the advice of the security team - cyber risk management decisions (mitigate, accept, transfer, avoid). This is due to their comprehensive knowledge of and accountability for an entire line of business.
ARR
Annual(ized) Recurring Revenue
Especially important for subscription software businesses. This metric is the annualized value of subscription revenue that is expected to recur each year indefinitely (although it can “churn” at renewal points if the customer decides they don't like the product anymore).
This is not the same as bookings (although all ARR must come from bookings), which represents the amount that a customer contractually agrees to pay. The difference comes from, among other things, the fact that not all items (professional services, physical hardware, etc.) represent recurring charges.
ARR is often referred to as the “top line” (of the P&L), although this isn't strictly accurate because the top line includes non-recurring revenue as well.
Why you should care
Knowing the ARR represented by a customer allows you to make quick decisions regarding their relative significance to your business.
EBITDA
Earnings Before Interest, Taxes, Depreciation, and Amortization
This roughly translates to “profit” or “earnings,” in financial terms. Although, as Warren Buffett put it, “treating EBITDA as equivalent to earnings is tantamount to saying that a business is the commercial equivalent of the pyramids – forever state-of-the-art, never needing to be replaced, improved, or refurbished.”
While you should probably leave these esoteric discussions to accounting professionals, know that EBITDA is sometimes used to refer to the “bottom line” of the P&L (also technically incorrectly).
Why you should care
Understand that this is different from cash flow, which is the lifeblood of a business. You may have positive EBITDA, but if you don’t have a clear trajectory toward positive cash flow before you run out of money, then you are “default dead.” This is especially a concern for startups and established small and medium-sized businesses.
Companies owned by private equity firms and publicly-traded ones, however, are generally very focused on EBITDA.
COGS
Cost of goods sold
In the physical world, COGS is relatively easy to calculate. If you are selling pies, then COGS would represent the flour, sugar, fruit, etc. that you combine to make the finished product. For software businesses, especially Software-as-a-Service (SaaS) ones, this gets a little more complicated.
In these cases, COGS generally represents things like infrastructure and security tool expenses. It generally does not include salaries (except those of customer support personnel), even though salaries are often the greatest single expense in a SaaS company.
Why you should care
Primarily because knowing COGS is a prerequisite for computing your gross margin.
Gross Margin
The revenue generated from sales minus COGS, usually expressed as a percentage of revenue. Since COGS for software companies is generally low, this number will be relatively high. Above 75% is something of an industry standard for SaaS businesses.
Why you should care
Software companies are attractive businesses because their gross margins are often high when compared to physical products. Thus, if you work at one, you should understand how your recommended actions or requests will impact the gross margin of your business. Expensive new security tools could potentially be counted as COGS, so understand why your colleagues in finance might wince when you suggest buying them.
M&A
Mergers and acquisitions
Mergers are when two companies join together to form a new entity and acquisitions are when one company takes over another. From a security (or practical) perspective, there isn’t much of a difference between the two.
Why you should care
Active M&A can be an especially risky period from a cybersecurity perspective. Attackers understand these to be periods in which they can exercise maximum leverage during a ransomware or other extortion attack. Furthermore, a merger or acquisition could even lead to “importing” malicious actors into what is now your network, as happened to Marriott when it bought Starwood.
Cost of Capital
An important concept which identifies how “expensive” money is. In frothy markets (e.g. 2021), funding in both the private and public markets is plentiful, and thus starting new companies or products is relatively easier. During market downturns (e.g. 2022), the opposite is true.
As a result, the return on an investment or project necessary to justify it will change over time. Purse strings may be loose during good times. But during leaner ones, organizations will clamp down on spending and focus only on the most clearly profitable endeavors.
Why you should care
When the cost of capital is high, companies will seek to cut things viewed as “nice to have.” Security is sometimes viewed through this lens (see the Patreon situation). This may or may not be an accurate perception, and it’s incumbent upon security professionals to be clear in describing cyber risks in quantitative terms. Otherwise, business leaders may start cutting the biggest security expenses first, without taking into account the return on investment they deliver.
TAM
Total addressable market
Frequently discussed in startup and venture capital (VC) circles, the TAM for a company or product represents, in dollar terms, how much money will be spent in a certain category in a certain geographic area (or globally). When someone says that “XYZ is a $5 billion market,” this is generally equivalent to them saying “the TAM for XYZ is 5 billion dollars per year globally,” the latter part being implied by the lack of any geographic limit.
Why you should care
If you are ever pitching to or interacting with VC investors, this is something they are going to want to know very early in the conversation. Due to the fact that only a few of their investments will make big returns - and these are the ones that make or break their fund’s performance - VCs are heavily focused on opportunities with large TAMs. Some entrepreneurs, however, view VC fixation on TAM as merely cover for other reasons not to invest.
CAC
Customer Acquisition Cost
How much you need to spend to acquire a single new customer. It is calculated by dividing the sum of sales and marketing costs by the number of new customers acquired over a given period of time. So if you spend $20,000 on ads, $20,000 on (pro rata) sales salaries, and $10,000 on sponsoring a conference booth to acquire five new customers, your CAC is $10,000.
Why you should care
Calculating and tracking CAC is almost an entire discipline in and of itself. On its own the number means little; it is usually judged against the lifetime value (LTV) of a customer, i.e. the gross profit you expect to earn from them before they churn. Generally, if your LTV-to-CAC ratio is:
1:1, your company is almost certainly losing money.
3:1, your company is generally considered to be viable.
5:1, your company is extremely efficient in acquiring new customers, and will generally be viewed as a good business.
Basis Points
Often called “bips”
Quantitatively equivalent to 1/100th of a percent, a basis point is an absolute change measured in percentage points rather than a relative change. Thus, when the Federal Reserve announced a 75 basis point hike in short-term target interest rates in November 2022, it meant that its target range went from 3.00-3.25% to 3.75-4.00%.
If one were instead calculating a relative increase of 0.75% (multiplying by 1.0075), the range would have gone from 3.00-3.25% to 3.0225-3.274375%.
Most importantly, because basis points are additive, an increase of 50 basis points in anything is exactly undone by a subsequent decrease of 50 basis points. This is not true for a “vanilla” relative increase of 0.50% followed by a relative decrease of 0.50%, because the second change is taken from a different base than the first.
For example, starting from 1000 (treating it as 1000 points on a percentage scale), an increase of 50 basis points takes you to 1000.5 and a decrease of 50 basis points puts you back at 1000. In the relative case, an increase of 0.50% takes you to 1005, but a subsequent decrease of 0.50% is 0.50% of 1005, not of 1000, and lands you at 999.975.
Why you should care
Basis points are generally used to describe changes in interest rates, but can be useful for describing other phenomena. For example, assume your intrusion detection system’s (IDS) sensitivity setting is measured on a 100-point scale and comes with a vendor preset of 50. You increase it to 60, but this begins triggering all sorts of false positive alerts that are causing productivity losses.
After you explain the situation to the owner of this business unit, he asks you for an analysis of what dropping the sensitivity “by 1000 bips” would do from a risk perspective. Having read this post, you know he means dropping the IDS sensitivity back to 50 (10 points on the scale) rather than to 54 (a relative drop of 10%).
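The distinction above is easy to get wrong when someone hands you a number in one vocabulary and you reason in the other. The following is an added illustration (not code from the original post) that applies both kinds of change and reports a given move both ways; the rate figures and the 100-point IDS sensitivity scale are taken from the post, and the helper names are my own.

```python
"""Absolute (basis-point) vs. relative (percentage) changes.

Added illustration for this post; the rate and IDS-sensitivity numbers
come from the post's own examples, everything else is constructed.
"""

BPS_PER_POINT = 100  # one percentage point (or one point on a 0-100 scale) is 100 bps


def apply_bps(value: float, bps: float) -> float:
    """Move `value` by an absolute number of basis points.

    `value` is in percentage points (a 3.25% rate) or on a 100-point scale
    (an IDS sensitivity of 60). Either way the change is additive and does
    not depend on where you started.
    """
    return value + bps / BPS_PER_POINT


def apply_relative(value: float, pct: float) -> float:
    """Move `value` by a relative percentage of itself (multiplicative)."""
    return value * (1 + pct / 100)


def round_trip(value: float, step: float, relative: bool) -> float:
    """Apply +step and then -step of the same kind.

    Additive (bps) steps return exactly to the start; relative steps do not,
    because the second step is measured against a different base.
    """
    move = apply_relative if relative else apply_bps
    return move(move(value, step), -step)


def describe_change(old: float, new: float) -> tuple[float, float]:
    """Express the move from `old` to `new` in both vocabularies.

    Returns (absolute change in bps, relative change in percent), so the
    same request can be read back to a business owner unambiguously.
    """
    bps = (new - old) * BPS_PER_POINT
    rel_pct = (new - old) / old * 100
    return bps, rel_pct


if __name__ == "__main__":
    # Fed example: +75 bps on a 3.00-3.25% target range.
    print(apply_bps(3.00, 75), apply_bps(3.25, 75))                # 3.75 4.0
    print(apply_relative(3.00, 0.75), apply_relative(3.25, 0.75))  # 3.0225 3.274375
    # The post's round trip from 1000, treated as 1000 points on a percent scale.
    print(round_trip(1000, 50, relative=False))   # 1000.0
    print(round_trip(1000, 0.5, relative=True))   # ~999.975
    # IDS sensitivity: "drop it by 1000 bips" from 60 means 50, not 54.
    print(apply_bps(60, -1000), apply_relative(60, -10))  # 50.0 54.0
    print(describe_change(60, 50))  # (-1000.0, -16.67): 1000 bps is a 16.7% relative cut
```

`describe_change` is the one worth keeping around: when a request arrives as “cut it by 10%”, running it on the before and after values tells you whether the speaker meant 10 points (1000 bps) or 10% of the current setting, and the two can differ materially once the number is plugged into a risk model.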
Conclusion
In both the military and cybersecurity communities, I have often been bewildered by the flurry of acronyms that people use on a daily basis. Upon asking what certain terms mean, I have often been even more astounded to find the user of the phrase himself is unable to spell out the acronym and only has some general idea of its usage.
Thus, I thought it made sense to help readers make sense of some of the frequently used terms on the “business” side of things. While you should never be afraid to ask what something means, you will now be better equipped to understand these terms. And, if you sense some confusion on the part of your counterparty, you can dig more deeply to find out what they really mean.
Finally, thanks to everyone who commented on either post - it gave me some great ideas for how to draft this article.