Net Present Value. Since coming to IT, I have spent much time focused on the topic of business value.  This topic has dominated customer presentations and events, CIO forums, internal discussions several blog posts and even a few twitter discussions that I've been having.  Whether an IT organization is attempting to justify investment to support a new project or communicating the benefit of an existing one, being able to communicate, demonstrate and deliver the value of those projects is critical.

What I have learned is that there are many different ways to communicate the savings or value created by a project.  Matt Beckert, Intel IT finance, and I have spent several hours discussing this topic.  Let me provide the cliff notes (simplified version) and why Intel IT is moving to a standard methodology focused on Net Present Value.

Many times you will hear individuals talk about how much they saved by doing something.  Example, yesterday I saved 10% by using a coupon buying a coffee at Starbucks.  I saved $0.35 on my $3.50 latte. So while I avoided spending $0.35, did I create value for myself – not really.

Value is often a collection of costs that include what I had to spend (my capital outlay), cost avoidance (what I didn’t have to spend), operational cost savings (how my daily costs are affected), additional revenue generated (what I earned), productivity gained (greater output for equal or less input) and several other variables.  Intel IT looks at a variety of business value metrics for our project portfolio.

In the terms of IT projects, the business must invest in something to achieve a goal.  The collective measure of money spent vs. benefit received is a Net benefit.  If I buy 100 t-shirts to sell for a charity and each t shirt costs me $5 and then I sell those t-shirts for $15 each, then the net benefit to my charity of that project is $1,000 (100 x $15 minus 100 x $5).

Expanding on my example further.  What if I did not sell those shirts immediately but I held on to them for five years.  In this case, my net benefit would still be $1,000 from the project but because of inflation, the value of that earnings is worth less to me than if I sold them immediately.  If inflation was 10% per year, then the $1,500 that I earned from sales would [when discounted back with inflation $1,500 / ((1+inflation rate) ^(# years))] would only be worth about $931 in today’s dollars today.  So taking into account the time-value of money, now this t-shirt project was only worth $431 to me in today’s currency or Present Value.

(Readers Aid.  If you anything like me, this topic makes my head spin, Matt helped me build a cheat sheet table that shows the time value of money depending on how long it is held and the annual inflation rate or discount rate applied over that period of time.  See the table at the end of this blog.)

It is possible that I could have earned more than $431 by doing another project or by maybe investing my original capital of $500 in the financial market and getting a better ROI (often called the “hurdle rate” for financial planning).  With many IT projects affecting a many types of cash flows over different time horizons, it is critically important from a financial perspective to compare apples to apples when looking at projects. 

This is why a Net Present Value is so important – it allows business leaders to compare the net value (return on capital) in present value (accounting for time value of money) across many projects, thus prioritizing the most important ones with an eye on the bottom line.

I have to admit, while communicating savings in terms of NPV is a lot more confusing and often less interesting (the numbers are lower than gross undiscounted multiple year savings numbers), it does enable a more level playing field and better articulates the actual impact projects are having on an organization.  For example, in the recent data center paper published by Intel IT, our gross benefit is estimated at $1B, while our NPV is estimated at up to $650 Million - depending on when we make the investments and how quickly we realize the benefits.  Either way you look at it, you can draw one common conclusion: our eight year Data Center IT strategy is creating a lot of business value for Intel.

Read Matt’s perspective on our Data Center Strategy.

Chris, follow me on twitter

NPV Table. The net present value of receiving $1,500 cash five (5) years from today assuming a 10% annual rate of inflation is $931.

No.  Just the people who use them.

Passwords of reasonable strength (8 characters or more consisting of upper/lower case and special keys) coupled with timely expiration, are secure.  Passphrases with comparable measures are equally secure.  The systems and users are currently the weakest links in the security chain. 

The interfaces and tools which we input the passwords may be vulnerable.  This includes but is not limited to key-loggers, sniffers, input redirections, etc.  But it is the user, where the most significant weakness exists.  They can be duped into divulging their passwords (phone, web, chat, email, etc.) and in many cases make them available in other ways (sticky note under the keyboard).

A recent Newsweek article covered the topic of building a better password:

"...a short but hard-to-remember string like "J4fS<2" can be broken by what is called a brute-force attack (in which a computer attempts "a," then "ab," then "abc," and so on) in 219 years, while a long but easy-to-remember phrase like "du-bi-du-bi-dub" will stand for 531,855,448,467 years. (Two hundred nineteen years is actually very good, but the lesson remains: simpler can be stronger.) The idea of passphrases isn't new. But no one has ever told you about it, because over the years, complexity-mandating a mix of letters, numbers, and punctuation that AT&T researcher William Cheswick derides as "eye-of-newt, witches'-brew password fascism"-somehow became the sole determinant of password strength."

The difference between passwords which can be cracked in two-hundred versus a billion years is immaterial if users are forced to change passwords every few months.   The bad guys just don’t have the time to crack the password before it is changed or the data is sufficiently aged to not be of value. 

To undermine cracking attempts, we force users to use 'strong' passwords so that dictionary attacks are fruitless and threat agents must resort to a laborious brute force attack, trying massive numbers of combinations in order to be successful.  All passwords can be cracked via brute force, but it takes time.   It becomes an exercise in how many attempts can be made over a given period.  The faster the process the more combinations can be tried and therefore the shorter the time to discover the one which works.  The length and possible characters determines the number of combinations.

Undermining the strength of a password is not the biggest concern.  It is far more likely for a password to be sniffed on the network, captured on a system, or duped from a user, rather than be cracked.

The most significant vulnerability is with the user and systems where passwords are entered and stored.  There is no practical benefit to further abuse users with new diabolical password schemes.  We should pay less attention to stronger and better password formats and instead invest in better behavioral controls, user education, and the strengthening of system and interfaces.

Watch Diane Bryant, Intel CIO, talks about the cash machines in data centers in this press breifing. Haven't heard about the amazing cash machines for your data centers yet?! Better check it out now: Installing Cash Machines in your Data Center

Yesterday I wrote a blog titled “Submarines, Stealth Fighters and Evolving Needs of Information Security” in the Server Room where I discuss some new server technologies aimed at better securing data from hackers, viruses and new malware called rootkits.

After writing that blog, I began to think about the variety of levels by which information security is delivered.  To truly manage risk and provide information security for a business, you need many levels of controls and defenses. In fact, I learned that Intel IT has a Defense in Depth strategy for information security

Within Intel IT, every strategic discussion I have witnessed from implementing cloud architectures, deploying server virtualization and client virtualization, evaluating Windows 7  (more coming soon on our plans here), developing business intelligence and social media collaboration solutions, designing for security is a paramount factor.  Every IT solution must take into account aspects of information security – the risks of not considering it are too great.  There is a rich set on content dedicated to Intel IT’s approach to security solutions.

Of course the question for IT is how much is enough. Is meeting the minimum regulatory requirements sufficient – or should we strive for a higher level of protection – at what cost.  There is no formula here.  It is a delicate balance to match risk, investment costs and ROI to deliver sufficient information security protection.  Over-invest in security and you could be constraining business growth or restricting process improvement … under-invest and you risk exposure to information loss could be too high; or (worst of all) don’t innovate business processes because of worries concerning security exposure

It was only after taking our required annual IT security training mandated for all Intel employees last week did it really hit me that PEOPLE are our primary defense against information theft.  Within the Intel IT organization, I have found a huge focus on the value of our people – our subject matter experts.  From the engineers, architects and IT strategists to the training of all employees on the principles, expectations and tools we all need to use to maximize the effectiveness of what IT has put in place.  This was reinforced by a recent Gartner call I attended where the speaker proposed that people are our most agile and important asset.  I agree.

The bottom line: IT’s job is simultaneously deliver business value through innovation aimed at enabling growth, boosting productivity, maximizing efficiency and maintaining continuity.  This is what makes PEOPLE so critical because the balancing act is a question of IT governance – the formal means to evaluate, benchmark and decide how to balance these critical questions – in close collaboration with partner business units, HR, legal and senior management.

Technology can’t do it alone – we have to deploy technology with intelligence, purpose and controls.  That is only possible by enabling people to be trained, educated and empowered with the ability, tools and support to be successful. 

Do you agree?

Chris Peters

@Chris_P_Intel (twitter)