Attn: Warren Buffet
CEO, Berkshire Hathaway
Re: The future of cybersecurity and potential investment opportunities.
Dear Mr. Buffet:
You had mentioned during our board meeting earlier today that you were interested in potential investment opportunities for Berkshire Hathaway within cybersecurity companies and emerging technologies in the cybersecurity space. Before we get into the investment options, I would like to give you a brief overview of what the current cybersecurity environment is like, along with what the future holds within this field.
Currently, there lies a sharp dichotomy between security and functionality. That is, the more security a system or network may have, the less functional it will be for the users in terms of access and efficiency. The desire for high security is then often placed second to the desire for an efficient, user-friendly system. One path the evolution of cybersecurity hopes to achieve is to minimize the disparity between these two variables, making a system both highly secure and highly functional.
Many owners of small and medium-sized businesses today may acknowledge that a cyber-threat may exist; however, they often feel that given the relative size and value of their companies, cybersecurity is not a top priority for them. Unfortunately, this type of mindset is not only wrong, but also extremely dangerous. When more and more technologies become interconnected, think “internet of things,” the threat of an attack along any channel within a network or system is vulnerable. As more companies realize this, the need for ramping up cybersecurity will increase, along with the demand for the services of companies that offer cybersecurity or related technologies.
The future of cybersecurity then lies in an increasing demand for such services by all companies but may be constrained by the limited resources available to smaller companies. Currently, it is the larger multinational corporations that can afford an in-house security team, with full access to the network, to monitor and control threats actively. This team is responsible for the security of all sensitive information within the company, and the prevention of any cyber-related attack. As more and more companies become targets of cyber-attacks, the need for a cost-effective solution will increase.
In business, as you know, price is determined by the variance between supply and demand. I don’t need to explain the economics to you, but just to conceptualize: as more and more businesses desire a comprehensive cybersecurity solution, and the companies who offer such services are limited, the pricing structure would still limit a large percentage of businesses who need a complete solution. Naturally, companies offering competitive offers on such solutions will emerge to capture the market of smaller sized businesses.
For investors who may not be up to date on the nuances of cyber-related threats, it may seem unlikely that behaviors on a large scale would change in such a way to increase demand for such services. To counter such an assumption, I want to conceptualize a scenario of what the future may look like:
Imagine a medium-sized company XYZ, which manufactures vacuum cleaners. This company is an expert at manufacturing high-end vacuums for large scale distribution and sale. It has contracts with regional retailers, along with a moderate distribution network within the southwestern U.S. Additionally, the company has a few retail kiosks within the region’s malls to sell directly to consumers. Perhaps the last thing on this companies mind is the risk of a cyber-attack. When internal discussions within the company discuss the relative threats and potential targets to its customer’s information, along with sensitive information of its distributors and retailers, the senior managers acknowledge the concern. It is true; they store confidential information such as customer credit card numbers, addresses, and distributor accounts. The company even has some access to its mass retailers’ systems for monitoring supply. All these channels provide an attractive opportunity for an attacker who may want information either for direct monetary gain, or sensitive information he or she could sell to a competitor.
While management acknowledges the need for a cybersecurity plan, the company is just not in the business of security. The employees do not know the first thing about cybersecurity; they sell vacuum cleaners. Additionally, hiring a team of cyber experts to monitor its internal systems could be very costly. For these kinds of companies, a cost-effective method for comprehensive cybersecurity lies in the offshoring of such services to a third party, I.E. a cybersecurity company, who has the knowledge and expertise to provide such companies with these services at a low cost.
These services tend to be cheaper than an in-house team, mainly since cybersecurity companies can spread costs over a wider number of customers. That is all they do: cybersecurity. These firms do not sell vacuum cleaners or cotton candy; they sell cybersecurity services. As such, the staff is exceptional in handling all classes of threats, a limiting factor when dealing with an in-house team, mainly due to the higher demand and limited population of such experts.
The use of cybersecurity companies is beneficial because these companies have a larger pool of customers. Because of this, they come across a larger pool of threats on a day to day basis and develop action plans to mitigate such risks. In turn, all of the customers are now protected from those threats. With an in-house team, these kinds of advantages are not always available.
In the future, all companies will be cybersecurity firms. To clarify, I was recently invited to partake in a tabletop exercise that simulated a cyber-attack on a company. The end remarks suggested that all companies are primarily cyber companies in addition to what they do. A pharmaceutical firm is a cybersecurity company that sells drugs. A vacuum cleaner manufacture is a cybersecurity company that sells vacuums. It may sound ridiculous to some degree, but the driving fact is that all companies now and in the future will become more and more reliant on networking and offshoring of critical data and system functions within. Thus the threat of a cyber-attack on any channel increases the more and more interconnected things are, as I have alluded to earlier. In turn, each company will need to place a higher degree of concern on its cyber-related technology and the protection of the sensitive information it holds. Offshoring these services then allow a company to focus on what is essential: its core competencies, not cybersecurity.
However, there is one thing I have neglected to mention. That is, I have, to some degree, criticized the need of having an in-house team; however, my criticisms are not to be taken seriously in this regard. To clarify, while a full in-house team may be costly, they do offer a unique advantage. To shamelessly use an evolutionary biology reference, think of natural selection in terms of diversified genetic immunities to certain diseases. If a more significant subset of a population has the same vulnerability (I.E. an identical genetic makeup), and a smaller subset has a different genetic structure, a disease which affects the broader population may not necessarily harm the smaller. Think of the large cybersecurity firms, chiefly its customers, as the larger population. Now think of another firm that has a small in-house team. If a vulnerability is found within the population of those who only use the cybersecurity company (the larger population), the smaller firm is then, to some degree, protected from that exploit, while the larger population is not.
The point of this scenario was not to minimize the benefits of offshoring cybersecurity, in fact, far from it. I use the analogy to propose an additional market opportunity for cyber-related technologies, which may, to some extent, diversify the population and thus mitigate the global effect of cyber-related threats.
While an in-house team of security experts can be costly, having a set of semi-comprehensive in-house technologies to monitor and prevent cyber-related attacks in addition to offshoring to a cybersecurity company, could create a higher degree of security within all companies. The effects of a cyber-attack on any company could be massive. In addition to lost revenue, the brand image of a company could be marred entirely in the event of a cyber-attack, portraying the message that said the company cares little for the privacy of its clients and partners. Additionally, many smaller companies go out of business following a cyber-attack. This is due in part to legal disputes, halted operations, and lost trust from stakeholders.
The bottom line is that all companies are vulnerable to some extent of being a victim of a cyber-attack. Every company has some form of information that may hold some form of value to a potential attacker. While the consequences of such a breach are relatively easy to conceptualize, the types and methods of these attacks can vary significantly, from simple phishing attacks (manipulating employees to click on a malicious link) to zero-day vulnerability found within the operating system of a company’s network (which would give a hacker a novel loophole to exploit a company’s network infrastructure). Because of the breadth and complexity of these attacks, and the nuances in how to prevent them, more and more companies will turn to third-party experts who can safely monitor these things on a larger scale.
Now that we have a better understanding of the future need for comprehensive cybersecurity, I want to discuss the potential market opportunities for Berkshire Hathaway. The demand for such services and technologies continues to rise, particularly with the realization of smaller companies to invest in cybersecurity solutions. Companies are becoming more and more aware of the maladaptive consequences of failing to invest in a cybersecurity plan properly. As such, these companies are looking for cost-effective ways to solve this problem.
Currently, many cybersecurity firms such as FireEye see significant increases in revenue year after year. Berkshire Hathaway is in an excellent position to take advantage of this market. With its diversified portfolio of investments, adding a cyber-branch could provide an attractive return to shareholders. If B.H. acquires a few cybersecurity companies and injects a massive amount of capital post-acquisition for growth, we could capture an untapped market of small to medium-sized companies who require such services at a competitive price.
Furthermore, B.H. could capture the relatively untapped market of semi-comprehensive in-house security technologies. Acquisition of companies in the early stages of developing these solutions could offer B.H. a first-mover advantage into this space, further increasing shareholder return. The demand for cybersecurity products and services will continue to grow, and real-time threat analysis by a group of collective experts is not only recommended but also necessary. The acquisition of companies investing in security-related technologies then offers the two-pronged approach needed, where firms offshore large scale cybersecurity needs to third party firms, and adopt cost-effective in-house measures of user-friendly technologies to monitor and mitigate threats at the local level. To clarify, these smaller-scale technologies could include software (think antivirus, security information, and event management), hardware (such as secure servers with unique encryption methods), or training programs (educating employees on common threats and prevention).
Because every company has a varying need for cybersecurity services and technologies, giving them the option to pick and choose the technologies and services they require allows for a significantly larger pool of customers. The diversification of products and services offered, particularly in this space, is what drives the future demand for cybersecurity companies and related technologies. To visualize, let’s look at the stock price of HACK, the PureFunds ISE Cyber Security ETF, a collective portfolio of investments in various cybersecurity companies. Over the past six months, the stock price of HACK has continued to rise. While six months may not be a long enough timeframe to forecast future returns of a portfolio, when we consider the rising demand for such services, paired with the constant evolution of threats and necessary mitigation efforts, it is clear the nuances offered with these services will continuously increase.
A business does not want the threat of a cyber-attack to hinder its operating profit. After numerous attacks in recent history, companies are keener on the effects such attacks can have on the financial bottom line and thus are looking for more comprehensive methods of prevention. Berkshire Hathaway is in an advantageous position because it has a large amount of disposable cash to acquire such companies, in parts or as a whole. The acquisition of a number of these companies, along with significant investments in emerging cybersecurity technologies could allow us to secure a higher percentage of the market than any standalone company. In turn, with our (B.H.’s) financial backing, we (as these companies) can offer price competitive cybersecurity solutions to all types of companies given the economies of scale we could achieve.
My advice Mr. Buffet is to do a comprehensive valuation on a handful of cybersecurity companies currently operating. Once the valuation is complete, we can look into acquiring a number of these firms (whole or in part), chiefly those which show the most promise in terms of market positioning. Additionally, several smaller firms are investing in cyber-related technology that may not have the necessary cash flow to accelerate research and development. Providing a generous cash influx to such firms in return for equity would also put B.H. at an advantage, primarily as the first mover into an emerging technology or technologies. The latter suggestion would require the use of a few experts to forecast the demand for specific technologies and evaluate current R&D of said firms to establish which technology would create the most value.
My concluding remarks, Mr. Buffet, are
- Cybersecurity is a growing field, and the demand for these services through a third party will only increase, and
- Many emerging technologies offer nuanced protection but do not have the appropriate financial backing.
As such, this allows Berkshire Hathaway a path into an attractive opportunity for investment, and the sooner we take advantage of this market, the higher the future returns will be for B.H. and its shareholders.
Thank you,
– Sherafgan Khan