Where Are The Infosec Activists

Continuing our exploration of the world of corporate risk and the markets, we will take a look at the role of activist investors: who they are and what they want. Activists are becoming a prominent factor in how the Board and C-Suite address investor demands. Their activities affect all aspects of a company, and when they arrive your department may be in for the shock of its existence.

Who are the activists and what do they want?

According to Investopedia an activist investor is:

An individual or group that purchases large numbers of a public company’s shares and/or tries to obtain seats on the company’s board with the goal of effecting a major change in the company. A company can become a target for activist investors if it is mismanaged, has excessive costs, could be run more profitably as a private company or has another problem that the activist investor believes it can fix to make the company more valuable.

The most common type of activist investor believes they can improve a company’s value for the shareholders by attempting to direct divestitures, cost-cutting measures, the breakup of a big company, or a change in strategy. The less common type of activist investor may buy shares and attempt to control a company for the purpose of making an ethical change, such as environmentalism or removing child labor from the supply chain. Activist investors also fight among themselves, as Carl Icahn and Bill Ackman have been doing for years. Icahn likes Herbalife, while Ackman thinks it’s a scam (paraphrasing for him). Ackman even put up a site, Facts About Herbalife, along with a 300+ slide presentation as to why they’re a ripoff. Icahn keeps buying the stock while Ackman was the biggest short seller. When activists attack it will either make or break your company. These guys are serious about what they do. Starboard Value published a 294+ slide presentation on what needs to change at Darden Restaurants, especially at Olive Garden.

As you can guess, a lot of their activities are focused on cutting costs and increasing revenue. The latter is always great, but what happens to your Infosec or sustainability program when the Wall Street pole axe meets your budget? You should read what happened to Timken. No, seriously, you need to read it to understand what an activist takeover and breakup looks like. Bill George of Harvard Business School gives a hint:

“Activists think long term is 12 months and the first thing that goes is the stuff that pays off in five or 10 years,”

Let’s pretend you had an infosec program at Timken. This is what you would be dealing with (****emphasis mine****):

Buried in a November Timken investor presentation is a chart bound to please Wall Street. Titled “Yesterday and Tomorrow,” it sketches how capital was allocated before the split, and how it will be used now. Pension fund contributions drop from nearly a third of cash flow to near zero, ****while capital spending is roughly halved. And instead of using 12 percent of cash flow to buy back stock, share repurchases will consume nearly half of cash flow over the next 18 months. In other words, less cash is being invested in the business or earmarked for benefits to employees, and more money is going to investors.**** While TimkenSteel’s board has authorized a three million share buyback by the end of 2016, Timken has plans to repurchase 10 million shares by the end of next year.

For academic purposes let’s assume all budgets will be cut by 50%. Don’t think it won’t happen. I’ve been on the buying end where the acquirer says cut everything by half in 1 year and tells management they’ll need to figure out how to make things work with half. In terms of Infosec and Environmental programs, you look at what is required by law or regulation, then make a list of what isn’t a requirement and begin pricing out the synergies obtained by downsizing personnel and equipment. But on the bright side there will be a complete Compliance checkup as part of the Freddy Krueger cutting. Don’t think Symantec will protect you from Dokken.

But enough of the scary Halloween stories. Did activist investors have something to do with the Sony hack? When we look at the Q3 2014 Third Point Investor Letter on page 9 we find this bit of information (****emphasis mine****)

 

In May of 2013, Third Point announced a significant stake in Sony and suggested to the company’s CEO, Kazuo Hirai, that he should seriously consider spinning out 15‐20% of the company’s undervalued, American‐based Entertainment business. At the time, we explained that partially listing the Entertainment segment would have three positive effects: 1) highlighting its profitability; 2) increasing investor transparency, thereby allowing the market to properly benchmark the company against its global media peers; and ****3) incentivizing Entertainment’s management to run the company more efficiently by engaging in cost cutting and laying out clear earnings targets****

While, regrettably, the Company rejected our partial spin‐out suggestion, they made some changes that were consistent with our goals. ****In the Entertainment business in particular, Sony has cut costs, improved its dialogue with investors, and undertaken key management changes.**** In Electronics, Mr. Hirai’s team deserves credit for transitioning away from personal computers this year and improving television profitability in 2015. They have also improved investor transparency. Still, they have a long way to go and we continue to believe that more urgency will be necessary to definitively turn around the company’s fortunes.

A key tenet for us in making constructivist investments is our margin of safety. While we are most focused on the potential upside available to shareholders if management undertakes changes, we are unlikely to make a significant investment in a situation where constructivist‐driven change is the chief catalyst unless we see minimal downside. Sony was exactly the type of investment where the risk/reward ratio was skewed in our favor. Thanks to this investment principle, despite enduring profit warnings nearly every quarter we were invested, incurring worse news about Electronics than we expected, and suffering from market disappointment at the pace of Japanese macroeconomic reforms, we still managed to generate nearly a 20% return on this investment before exiting.

By the way, Third Point is the No. 3 most well-known activist firm according to the 2014 Activist Investing Annual Review.

If we read into the report we can see that Third Point wanted Sony to spin off its entertainment division. Sony didn’t go along with the plan. They did engage in cost cutting, but not to the level that Third Point wanted. Still, Third Point exited with a 20% gain. Now let’s step back and drink a dose of reality. We have heard terms such as clueless or incompetent used to describe the security program at Sony. There may have been some of that, but in reality they had an activist investor who was pressuring them into some serious cost cutting. We also have to stop and consider that management isn’t clueless either. They know exactly what they are being told to accomplish. Are the activists clueless MBAs who just “don’t get it” when it comes to Infosec? That’s an irrelevant question because they make a ton of money doing what they do. They don’t need to get Infosec at all. We won’t know how much Sony Entertainment’s Infosec program was cut, but don’t expect a well-funded Infosec program, or any program, if you have an activist in house. Based on Third Point’s opinion they didn’t cut their overall budget enough. I would have to agree with Third Point that management has a long way to go to make Sony an efficiently run shop.

Where are all the Infosec Activists?

If there are activist investors who attempt to stamp out child labor in shoe factories, or prevent the dumping of waste into rivers, then where are the activist investors who buy companies and make them spend more money on Infosec? Children working in sweatshops and oil-covered birds are things that matter to the public. Data breaches, not so much. As an industry, Infosec is still struggling to quantify what the ROI is on all that headcount and equipment. In order for an Infosec activist fund manager to make change, they would need to increase spending before a breach and demonstrate to the rest of the shareholders, with real numbers, that it was a good idea.

One thing Wall Street has figured out is that nothing bad will happen if you don’t spend money on a JPMorgan-sized Infosec program. While it’s likely every Infosec professional’s fantasy to force management to spend money on a better security program, it’s nothing but a fantasy, out of touch with the financial reality of our world. There’s no money in spending on security, the preventative benefits are dubious at best, and consumers just don’t care. There’s a lot of money in cutting expenses and carving companies up like a roast. The hackers may not get you, but the activists will. Better call Dokken.