1 Raindrop

Gunnar Peterson's loosely coupled thoughts on distributed systems, security, and software that runs on them.


Berkshire Hathaway Annual Meeting 2013 Notes

 

I attended the Berkshire Hathaway annual meeting along with Adrian Lane and 40,000 or so other shareholders. Adrian commented on something that is near and dear to my heart:

I am hooked, but not because I want investment ideas – instead I am fascinated by an incredibly simple investment philosophy, that involves an incredibly complex set of rational models, that forms the foundation of their decision process. Both men are contrarians – they choose to invest in a method that for decades people thought was a fluke. Berkshire has been called a 6-sigma outlier. They have been derided for not investing in tech companies during the tech boom – a profound critique when you consider Apple, Google, and Microsoft are some of the fastest-growing and 3 out of 5 of the largest companies in the world. They have been mocked in the press as being “out of touch” when the market was going crazy during the whole mortgage/CDO fiasco. But they have stayed the course, despite fickle and fashionable trends, on their way to become the most successful investors in history. Berkshire is now one of the top 5 companies in the world, but ultimately their approach to decisions is what fascinates me.

That captures the essence of what I spoke about last year at the SIRA conference on how related the investing and security mindsets are. People are wired to get excited and rush into things (whether it's trying to guess the next Google or cram new features into an app), but a rational decision-making process should consider the downside, not just the upside. Buffett's teacher, Ben Graham, pioneered the approach where you first look at the downside and then only consider the upside potential for those that pass the downside test. This is the exact opposite of how most people invest, or how most people build and deploy software for that matter. But the permutation matters: the discipline of analyzing the downside first leads to a more robust process.

To me, the practice of information security can be improved by learning from the defensive, value-oriented approach to investing - investors should first make sure the Balance Sheet is safe and not over leveraged before looking at projected future earnings; security people should review the Threat Model before looking at the benefits of the new features the business wants to roll out.

As to the rest of the meeting, there sure is not much technology. Buffett and Munger are pretty technophobic, neither has a computer on their desk, neither runs a computer screen for stocks, Buffett does not even have a calculator on his desk, he does the math in his head.

There was a question on Twitter, and Munger replied that he is avoiding it like the plague, adding that when he observes his grandkids doing social media they are multitasking, and most jobs done as multitasks are done poorly. There was a question on bitcoin; Buffett disclosed "Of our $49 billion, we haven't moved any of it to Bitcoin."

This year was the first year (and I assume first shareholder meeting ever) that had a bear who was short the stock asking questions. This was a great idea because it showed Buffett and Munger's willingness to challenge their own ideas rather than talk a PR game, which is how most every annual meeting operates. Instead they invited a bear, gave him a seat on the panel and a mic, and let him poke holes in the company, live in front of 40,000 people.

Berkshire owns Business Wire, which is a source for public companies making announcements. There was a question about the future of Business Wire with the SEC now allowing for disclosure via Twitter, Facebook et al. Buffett's response was "The key to disclosure is accuracy and simultaneity. If I'm buying Wells Fargo, for example, I do not want to have to keep hitting their web page and hoping I'm not ten seconds behind somebody else." Personally, I was kind of surprised the SEC acted so quickly in letting social media serve as a place to distribute official releases. It will be interesting to see what, if any, impact this has on Business Wire's business.

Munger was asked to sum up Berkshire's competitive advantage in a way the questioner's 13-year-old daughter could understand. He said "We've always tried to stay sane when other people like to go crazy. That's a competitive advantage."

There were some mentions of banking practices. Munger continues to be worried by the derivatives used at some financial institutions: "The more bankers want to be more like investment bankers and less like bankers, the worse I like it."

Five years ago, Buffett bet a hedge fund called Protege Partners $1M that a plain vanilla S&P index fund would outperform a group of hedge funds. As of now, the S&P is +8.69% vs the group of hedge funds +0.13%. As Jack Bogle says - hedge funds provide an excellent hedge against getting capital gains! You can track the bet through longbets. The other lesson is that the seductive details of a hedge fund's complex, proprietary models do not necessarily lead to better returns than anyone else can get through a boring index fund, though they certainly lead to higher fees!

On Sunday, we attended another highlight of the weekend - the Markel annual shareholder breakfast. They are a so-called baby Berkshire, a small insurance company that follows a similar approach: conservatively investing insurance float. Markel writes niche insurance policies. They eschew property, casualty and other areas where big name insurers play. Tom Gayner (Markel's CIO) describes their business this way:

Cocktail party definition of Markel if someone asks about Markel, it's an insurance company that they've never heard of. Well an easy way to think about that is if you have an insurance policy that you can get easily and quickly, well we wouldn't do that. We do the sorts of insurance where people go 'Oh no. We've got a problem or we've got a situation'. This isn't to disparage the other insurance companies, we all have a role in life. What GEICO says yes to is not going to be the same thing that Markel says yes to. What Markel says yes to isn't going to be the same thing that GEICO says yes to. It's a different organization and orientation.


We do 100 different forms of insurance - everything from children's summer camps that are out in the middle of nowhere, that have teenagers supervising teenagers and no fire departments nearby, kids jumping on trampolines and being out in canoes, all the sorts of exposures that go with that

An ongoing challenge in these arenas is that, unlike life insurance where the statistics are "disturbingly known", Markel has to piece together a hodgepodge of sources to make decisions on how to write policies. And coming full circle on the theme of this post, when Steve Markel was asked for an example of this challenge of managing risk absent optimal data, the example he gave was one of Markel's products - Cybersecurity and Data breach insurance.

May 10, 2013 in Investing, Security

Price is What You Pay, Value is What You Get

The analyst firm RedMonk in general and Stephen O'Grady in particular do a lot of great analysis on software, open source and other tech issues. A recent post on the Microsoft Surface has some good examples of the firm's push-the-envelope thinking: in a nutshell, software is waning and hardware is waxing.

However, the data framework used to justify the core point (however valid it is or not, we'll see) does not stand the test. Price reflects what investors are willing to pay, but value reflects the earnings and quality of the company. This point is important enough that it bears repeating; for one thing, conflating price and value is a big part of what led to the 2008 horror show.

Stephen leads off with: "On December 24th, 1999 Microsoft was trading at $58.719 a share. In the decade plus since, it has generally traded for approximately half that valuation. As I write this, a single share of MSFT can be had for $30.90." 

That sounds pretty bad, but let's go inside the numbers. Think back to 1999. Pets.com raised $82.5 million for its IPO, never mind that a) pet food is mostly sold at a loss by stores who want you to come in to visit their stores and buy other stuff and b) it's pretty heavy and hard to move around, with shipping costs unlike, say, books. Their shares went up to $14 and oh by the way, the next year they were bankrupt. Mr. Market was at his manic-depressive best; the valuations in 1999 were certifiably insane.

But, please don't take it from me, listen to Scott McNealy talking about his own company's ludicrously priced stock during the dotcom era:

"But two years ago we were selling at 10 times revenues when we were at $64. At 10 times revenues, to give you a 10-year payback, I have to pay you 100% of revenues for 10 straight years in dividends. That assumes I can get that by my shareholders. That assumes I have zero cost of goods sold, which is very hard for a computer company. That assumes zero expenses, which is really hard with 39,000 employees. That assumes I pay no taxes, which is very hard. And that assumes you pay no taxes on your dividends, which is kind of illegal. And that assumes that with zero R&D for the next 10 years, I can maintain the current revenue run rate. Now, having done that, would any of you like to buy my stock at $64? Do you realize how ridiculous those basic assumptions are? You don't need any transparency. You don't need any footnotes. What were you thinking?"

Anyone buying Sun for $64 or Microsoft for $58 was making a "well maybe these trees really can grow to the sky" bet. So the starting point metric of $58/share for Microsoft is flawed; we all know what happened, dotcoms dotbombed. But Microsoft, unlike dear departed Sun, survived and, as we will see, its business thrived.

What about now? Well, these days many stocks are pretty darn cheap. The simplest metric to show cheapness is the Price/Earnings ratio (P/E), and using this metric we find that large blue chips like Walmart, Johnson and Johnson, Procter and Gamble and yes, Microsoft, are quite cheap.

                    P/E   Dividend
Procter & Gamble    18    3.8%
Johnson & Johnson   18    3.7%
Walmart             15    2.4%
Microsoft           11    2.6%
S&P 500             15    2.1%

Compared to the S&P 500 market average, none of these global franchises require paying a premium price, and they all pay a higher dividend than the market average. So analyzing a company's prospects based on stock price does not say much about the company, it just tells you what investors are willing to pay. In 2008, the flawed use of the Value at Risk metric (among others) conspired to bring down many large financial institutions because they assumed that price and value were the same thing. However, we can see that Microsoft (and Sun and Pets.com for that matter) all experienced irrational pricing on the upside in 1999, and you can look at the table above and ask - is Microsoft irrationally priced on the downside today?

It's selling at a big discount to the market - 11 P/E versus 15 P/E, so to buy $1 worth of Microsoft's future earnings, you are getting a double digit discount over buying $1 worth of the market's earnings. Also, this is not just a paper gains exercise, Microsoft is returning cash to its shareholders.

Microsoft began paying a dividend (and probably led the way for Cisco, Apple and others); their dividend is currently 2.6%, ~30% higher than the market average. They've returned over $3.25B in cash to their shareholders via dividend, and raised it every year since inception in 2003. The 2003 dividend was $0.08/share, it's now $0.72/share - a 9x increase through all the bubbles and turbulence - that's not fake growth, that's a sign of a healthy business. And dividends matter way more than people think; in fact they are responsible for the majority of returns to the long term shareholder.

What we have really seen with Microsoft and other blue chips is P/E compression. Microsoft's P/E was 50(!) in 1999 and today it is 11; the price reflects investor sentiment, not reality (remember these are the same people who put the "rational price" of hundreds of millions on Pets.com).

In 2002, MSFT had $28B in top line revenue, this year they are on track for $73B - that's real growth. ~3x growth through two downturns while retaining earnings quality. The core metrics show Microsoft with a very healthy core business - the key measures of quality are knock the cover off the ball great: current Net Profit Margins at 31%, Return on Equity at 40%, and these have held up to high standards over this whole period whilst the price fluctuates up and down based on Mr. Market's manic depressive swings. This does not debunk the Innovator's Dilemma/Disruptive Innovation parts of Stephen O'Grady's analysis, but it does show that once you look inside the numbers, currently the core engine is thriving across the board.


So in a nutshell, you can look at Microsoft's stock as overvalued in 1999 and undervalued today; this does not tell us anything about the strength of Microsoft's business, it only tells us about investors' emotions and sentiment.

Why might this happen? Who knows. Markets overreact on the upside and the downside, sometimes they are even right, but only modeling academics believe in Efficient Market Theory. The old joke rings true - two Wall Street economists are walking down the street. One sees a $20 bill on the ground. The other says - don't bother picking it up, if it was a real $20 bill someone would have picked it up by now. Dotcom stocks were clearly overvalued in 1999; whether Microsoft is undervalued and a $20 bill waiting to be picked up today is an exercise left to the reader.

In the late 90s dotcom stocks as a group were overvalued, today blue chip companies as a group are undervalued. Microsoft is one of the few to be a member of both groups. But there is one other to have made the leap, Oracle. In the dotcom era, Oracle traded as high as $45/share, today it's $27; is that a failed business? Much like Microsoft, the earnings show that they are successful. In 2002 Oracle's P/E was over 29 and today it's 14. Like Microsoft they started paying a dividend, like Microsoft they have strong Return on Equity (24%) and margins (24%), and their revenue has more than tripled over the decade from $9.6B in 2002 to $35B today.

So this P/E compression is less about the specific businesses and more about Wall Street fashion trends; though the academics tell us otherwise, Wall Street mainly operates on greed and fear. Fixating on price as an indicator is to miss the point. In Buffett's words - markets are there to serve us, not guide us. It's the earnings that count.

Finally, the main point of Stephen O'Grady's article and his points on hardware waxing and software waning are very interesting. I don't have a strong opinion on this right now, but as with most of his analysis it's pretty compelling, and btw you can even use the HIGH quality core business earnings numbers from Microsoft to specifically make the disruptive innovation point.

June 26, 2012 in Investing

I am a better Security Pro because I am an Investor & I am a better Investor Because I am a Security Pro

Why investing is important, and why Security Pros are uniquely suited to it

Society of Information Risk Analysts Conference

By Gunnar Peterson

May 7, 2012

Thanks to Jay Jacobs for allowing me to speak on this topic. I am going to take you a little off track but I hope the journey will be worthwhile from a personal and professional development standpoint; we will return in due time to infosec topics.

Effective information security and investing require similar skills - risk management is the obvious one but it goes way deeper than that.

First, good investors foster a defensive mindset - they know they are playing a losers game and act accordingly.

Next, investors deal with data (but only to a point) - investors have great historical data and next to nothing about the future risks - sound familiar?

Last, "Hacking the system" mentality pays off - good investors find obscure features nobody cares to see and figure out how to exploit them.

What I really want to talk about is the shared mindset of successful investors and what infosec can learn from it. I would like to offer my thoughts on this and leave plenty of time for Q&A and open discussion.

Learning about and practicing investing offers security pros concrete benefits. On a personal level there is protecting money (always welcome), but really we're used to thinking in terms of retirement pensions and this is no longer the case. Most everyone will need to manage their own retirement, so start now. Finally, there is a professional benefit in the sense that once you understand the capital dynamics, certain business decisions that formerly made zero sense become crystal clear with a capital allocation hat on.

Part 1. Why You Should Care

What's one of the most common complaints in infosec? Managers, developers, execs don't understand the threats, the state of the vulnerabilities and the assets in play. In short, they don't understand the risks they are taking; they simply stick with the status quo, kicking the can down the road.

However, it turns out that in our own lives most infosec people do the exact same thing with their own family balance sheet.

Most of the people in this room are probably not saving enough for their own retirement. There are good reasons for why this is happening: people never learned to save and invest. America's track record on saving is awful. And in the old days investing did not matter so much, and so it was not a skill passed down the generational tree. For one thing, people would rely on their company to take care of them; they used to have pensions. Anyone here have a pension they are counting on? Hands? Bueller?

So we cannot rely on pensions. What's next? Well, there is the government and Social Security, Medicare, Medicaid and so on; however, we saw in 2008 as well as last year in the debt ceiling showdown precisely how little value add the "management" in DC brings to the table in protecting your assets. I am sure we are all somewhere on the priority list but there is a long line of lobbyists and lawyers ahead of us.

It turns out that financial planning has the same problem to solve as infosec, getting people to envision their future self and act accordingly.

The Wall St Journal reported on a set of studies to see if people would turn from spenders to savers if they looked through VR at their older self. What would your older self want you to do? Buy that humungous TV or put some money away for a rainy day?

For some perspective, China's saving rate is close to 50%, while the US hovers close to zero percent. This study showed that people's willingness to save increased when looking at their future selves. Jim Rogers has a great practice on saving - when you think of buying something today, simply multiply its cost by twenty to see how much it will be worth down the road when you are retired. A dinner out is "only" $75, but would you still go out to eat if you figured the cost at $1,500? Warren Buffett pithily sums this up as - do I really need a $300,000 haircut?

A shocking number of professional people have said to me over the years, I know you are into investing but I don't have time and/or interest to do that. Hello? To that I would quote Deming - you may not be interested in the future, but the future is most certainly interested in you. Whenever you decide to allocate a percentage of your income to your 401k, IRA or whatever versus spending versus debt like home and student loans, you already are making these decisions today. The only question is, are you making them consciously or are you kicking the can down the road like so many middle managers we all deal with from 9-5 M-F who fob off the hard decisions until a tomorrow that (they think) never comes. Hope is not a strategy.

To be clear, when I say I am going to talk about investment, I am not talking about short term trading. When I talk about investing I mean 3-5 year time horizons or more. This context is important because the financial world is filled with short term thinkers where close of business this Friday is considered long term.

In terms of investment strategy, most people save too little and what they save they put into a mutual fund. Again, this common practice sets you up for future failure. First consider that 80% of mutual funds underperform the S&P 500 index, and that is before fees. Gains in the stock market are temporary but fees are forever. Charlie Munger said on Saturday, if you are reviewing an investment and the fees are too high, don't even read the prospectus - run. Fees are a tapeworm that eats your returns (if you are lucky enough to have any in the first place). Paying a management fee of 2% over 20 years in a mutual fund is identical to paying a 33% upfront load. You would never think about doing the latter, so you should avoid the former. Individuals should defend against fees and regularly review the cost structure.

Instead, we're lucky that Jack Bogle at Vanguard [1] in the 1970s invented the low cost index fund to solve precisely this problem for individual investors. If you are like many people I have talked with over the years and don't want to spend time and don't care much about investing, then low cost index funds that allow you to "buy the whole market return" at a very low cost are where you should focus. Still I hope you will stay for the rest of this talk.

Part 2. Defensive Mindset

Now that we've looked at why you should care, let's consider some of the advantages a career in infosec may give you over the general population. Part two of this talk is on the defensive mindset which is of course a requirement on some level for everyone in infosec.

In infosec, we are constantly bombarded by people wanting to ship risky products and we're faced with daily challenges as to what, where and how to both assess the risk and figure out how to protect our companies' assets.

In investment, every single day there is a barrage of information on CNBC and the like about hot new companies that will manage your Facebook followers, keep your social media up to date, check you in for your flight and cure cancer all at the same time. Now wouldn't you want to pay $500 a share for that?

The question in both cases is not can I believe these claims, but rather must I believe these claims that I am being presented with?

Asking these questions in infosec is why infosec people are not the most popular in their companies. It's reminiscent of what Warren Buffett described as the role of the chairman of the Federal Reserve, which is to take away the punch bowl right when the party gets started. Everyone thinks that they can stop dancing right at 11:59 pm, but at midnight someone is still dancing and it all goes to pumpkins and mice.

Despite not winning popularity contests, infosec people should take heart from the great value investor Jean Marie Eveillard. He famously refused to buy tech stocks during the dotcom heyday saying - I would rather lose half my clients than half my clients' money.

In infosec, we won't be the most popular across the organization but we're paid to find ways to protect assets not win beauty pageants.

Steven Sears [2] in his great new book The Indomitable Investor says bad investors try to make money, good investors try to think of ways not to lose money. 

Like good investors, Infosec people should recognize we're playing a loser's game.

Charley Ellis looked at studies of professional tennis which pointed out that professional tennis is a “winner’s game,” in which the match goes to the player who’s able to hit the most winners: fast-paced, well-placed shots that his opponent can’t return. But the tennis the rest of us play is a “loser’s game,” with the match going to the player who hits the fewest losers. The winner just keeps the ball in play until the loser hits it into the net or off the court. In other words, in amateur tennis, points aren’t won; they’re lost. A loss-avoidance strategy suits the version of tennis amateurs try to play.

Howard Marks [3] applied this idea to investments. "on market efficiency and the high cost of trading led him to conclude that the pursuit of winners is unlikely to pay off. Instead, you should try to avoid hitting losers. I found this view of investing absolutely compelling. I can’t remember saying, “Eureka; that’s the approach for me,” but the developments over the last three decades certainly suggest his article was an important source of my inspiration.

Because of his conviction that markets are efficient, Charley recommended passive investing as the best way to end up the winner – let others try the tough shots and fail. Our view is a little different. Although we believe in the existence of inefficient markets as well as efficient ones, we still view the avoidance of losers as a wonderful foundation for investment success. Thus we diversify our portfolios, limit the fundamental risk we’ll take, try to buy things that provide downside protection, and emphasize senior securities. We, too, try to win by not losing."

So the defensive mindset pays off in investing and in infosec. Protect the downside. The question for infosec people is what and where should we defend. Our systems are so complex that this question matters a lot.

In infosec a good game to play is: if you have $100 to spend, where should you spend it? Unfortunately today, probably $40 goes to firewalls, $30 to antivirus and a chunk of the rest goes to so-called risk assessments that tell you whether or not spending 70% of your budget on legacy technology is a good idea.

If we can focus on efficacy not legacy, where should we invest our mythical $100, what should we defend? Lots of people say it's threats, threats, and more threats. And they say, give me $120 to do it. These people will always get some funding because they have great stories, and people love stories for the same reason people would pay $300/share for nonsense companies like pets.com during the dotcom phase. Dotcom was a great story in 1999 and cyberwar or cybersecurity anything is a great story today; however, this does not mean that throwing money at threats is the best use of your time, capital and resources.

We'll always have threats. Yes, we need to focus on them, but not solely; if you have something someone else wants, threats are never going to zero. It's better to focus on the thing you have that someone else wants and where you should have a knowledge advantage - your assets.

What matters in investing and what matters in infosec is building margins of safety. Assume failure. This is in stark contrast to how the rest of your business operates, and it's a valuable service that infosec provides when it's done constructively.

When we're faced with such complex IT systems and increasingly complicated business structures and supply chains, where should infosec people focus their time and energy? And further, what's the main thing to protect? Is it financial or intellectual property or the transactional backbone or the supply chain? It varies on an industry by industry basis. So much in infosec is driven by the financial industry that if a Martian visited earth, they would think the entire information security reason for being is to protect credit card numbers.

Certainly, for companies in that industry it is job one, but other companies have vastly different concerns. Financial data is not the sum total of information security. A better way to model this in my view is to look at competitive advantage. A financial fraud isn't necessarily a game changer for financial institutions because those domains have fraud hard wired into their models. If it gets above a certain level then it's a problem. But in the case of events that eat into a firm's long term competitive advantage it's a different story: stealing intellectual property and locking your company out of a market, so you can't sell your products there against a local entity that uses your designs which they stole. For some companies it's not financial data or IP that is their biggest competitive advantage, though. There's not a universal model, the same way measuring financial fraud isn't applicable to a biotech; there are only domain models.

So our job in infosec is to figure out what we should defend. The investment world has some answers for us here.

Buffett says “The key to investing is ...” As an aside, any time one of the world's greatest investors starts out with 'the key to investing is' you really want to hang around for the end of the sentence.

“The key to investing is ...” Buffett says, is “determining the competitive advantage of any given company and, above all, the durability of that advantage.”

Probably the best work on this is done by Morningstar [4], which pioneered the concept called moats (patterned on Michael Porter's work on competitive advantage).

Morningstar identified five kinds of moats:

1. Low Cost Producer: better profit margins through lower cost, example Walmart

2. High Switching Costs: disincentive for a customer to switch to a competitor leads to customer retention and pricing power, example banks or proprietary software

3. Network Effect: virtuous cycle where the network gets more valuable the more people use it, example Google

4. Intangible Assets: brands, IP, trademarks, patents, government agreements

5. Efficient Scale: a limited market served by a small number of vendors, example Lockheed Martin - you only need one nextgen strike fighter supplier

When I teach secure coding to developers, most of the examples we use to show how SQL injection works involve stealing credit cards. So I joke that stealing credit cards is the "Hello World" of computer security: I stole the cards out of the database so now I know how SQL Injection works. But of course this is not the end of the story, just like Hello World isn't everything you need to know to write Python.

Businesses that have one of the above types of moats have widely different assets that they require to ensure their moats endure. The old school notion of breach does not pertain directly to most of their competitive advantage, but it's more than just IP; that's only one type of moat and most businesses don't have IP moats. So the campaigns to be concerned about are the ones targeted at your business' moat, and for us to begin to value those requires at least five different models to analyze across industries.

This is a core lesson - defenders who try to defend everywhere defend nowhere. You have to pick your spots. The two most important things in infosec are Identifying what kind of moat your business has and then defending that moat.

From identifying the oat type the lesson for infosec is clear: Making the moat around the castle wider, deeper and filling it with alligators. Defend the moat.

Be defensive - remember Howard Marks - there are old investors and there are bold investors, but there are no old, bold investors.

Part 3. Dealing with Data

One of the most fun things in life is to steal models out of one knowledge silo and adapt them for use in another. Steal models, but please steal ones that at least work in their own domain before trying to apply them in infosec.

People in general have a hard time admitting that they don't know something; however, this is at least as important as recognizing what you think you know.

Howard Marks calls this the "I know" school versus the "I don't know" school:

"One thing each market participant has to decide is whether he (or she) does or does not believe in the ability to see into the future: the “I know” school versus the “I don’t know” school. The ramifications of this decision are enormous.

If you know what lies ahead, you’ll feel free to invest aggressively, to concentrate positions in the assets you think will do best, and to actively time the market, moving in and out of asset classes as your opinion of their prospects waxes and wanes. If you feel the future isn’t knowable, on the other hand, you’ll invest defensively, acting to avoid losses rather than maximize gains, diversifying more thoroughly, and eschewing efforts at adroit timing.

Of course, I feel strongly that the latter course is the right one. I don’t think many people know more than the consensus about the future of economies and markets. I don’t think markets will ever cease to surprise, or thus that they can be timed. And I think avoiding losses is much more important than pursuing major gains if one is to achieve the absolute prerequisite for investment success: survival."

For infosec, the different mindset required for survivability is clear from Howard Lipson's 3 R's of Survivability [5]: Resistance, the ability of a system to repel attacks; Recognition, the ability to recognize attacks and the extent of the damage; and Recovery, the ability to restore essential services during attack and recover full services after attack.

The notion of risk is certainly at the heart of this. Pat Dorsey [6] recently wrote an insightful piece on this point; he wrote that risk means different things to different people:

"a little bit like discussing the existence of God with a theologian. An academic says risk is volatility--the more an asset bounces around in price, the riskier it is.

A mutual fund manager might say it's career risk. If he lags his benchmark for too long, he gets fired.

An individual might frame it as pain. Of course, we feel losses much more than we value gains. So just seeing your portfolio go down is a lot of risk.

And of course Warren Buffett would just define it as permanent capital impairment--the odds that an asset's value will go down and never recover.

Those are pretty different notions."

In my view, these varying definitions of risk are at the heart of what we saw in 2008. In particular, academic models of risk as volatility were hard wired into trading algorithms, and then further juiced by leverage (up to 30x-40x leverage!). The risk as volatility assumption by itself would have just led to dumb trades and losses. But the extra weight and status of the false precision that academic models can provide gave large institutions the courage to lever up 40 to 1, and this turned bad trades into catastrophes and meltdowns. It was overconfidence in what one could count, while ignoring what one couldn't model.

In the late 1990s, Long Term Capital Management (an early hedge fund) almost blew up the financial system a la the 2008 crisis. This fund was run by a small cadre of the smartest people in the business, who had most of their own money in the fund. The staff included two Nobel prize winners (Merton and Scholes) whose work is at the center of modern financial and risk theory, and they went bankrupt very quickly. This fascinating story is recounted in Roger Lowenstein's "When Genius Failed", and it's essential reading to understand the limitations of models: exactly how the way models are used, and the false confidence they create, leads to failure. The counterweight to any model is embedding it inside a rigid process to enforce sane behavior and limit risk taking.

From Howard Marks in The Most Important Thing:

"According to the academicians who developed capital market theory, risk equals volatility, because volatility indicates the unreliability of an investment. I take great issue with this definition of risk.

It’s my view that — knowingly or unknowingly — academicians settled on volatility as the proxy for risk as a matter of convenience. They needed a number for their calculations that was objective and could be ascertained historically and extrapolated into the future. Volatility fits the bill, and most of the other types of risk do not. The problem with all of this, however, is that I just don’t think volatility is the risk most investors care about.

There are many kinds of risk. . . . But volatility may be the least relevant of them all. Theory says investors demand more return from investments that are more volatile. But for the market to set the prices for investments such that more volatile investments will appear likely to produce higher returns, there have to be people demanding that relationship, and I haven’t met them yet. I’ve never heard anyone at Oaktree — or anywhere else, for that matter — say, “I won’t buy it, because its price might show big fluctuations,” or “I won’t buy it, because it might have a down quarter.” Thus, it’s hard for me to believe volatility is the risk investors factor in when setting prices and prospective returns.

Rather than volatility, I think people decline to make investments primarily because they’re worried about a loss of capital or an unacceptably low return. To me, “I need more upside potential because I’m afraid I could lose money” makes an awful lot more sense than “I need more upside potential because I’m afraid the price may fluctuate.” No, I’m sure “risk” is — first and foremost — the likelihood of losing money."

In obsessing over volatility and price movements, the Value at Risk and Efficient Market Theory models missed human behavior in markets (driven by fear and greed), the safety of an asset, the liquidity of an asset in the face of certain events, and an overall conservative approach to investing: try to buy dollars for 50 cents, and don't lever up 40 to 1 to buy many $100 bills for $99.95 each. This, of course, goes to the heart of risk management, namely building a wide margin of safety as a hedge against your own ignorance, instead of overconfidence in flawed models.

Hedging against your ignorance up front (usually by paying a cheap price) means that you have more time and resources to spend on constructing a margin of safety to protect assets and ensure they are there when you need them. It also means you live to play another day. Ill-placed confidence in risk models like Value at Risk (VaR) instead of conservative process led people to ignore these virtues. When events began to unwind, the dominoes fell quickly because there were no buffers and no foundation, just algorithms gone wild running atop a mountain of leverage. As Buffett says, you don't know who is swimming naked until the tide goes out.

The lesson here from Howard Marks is that you can't predict with models, but you can prepare by limiting your downside and planning for failure.

Although risk models don't help us much and have only limited utility, fortunately we have checklists.

Checklists are essential for both infosec and investing. Checklists are vital in complex domains where failure is governed not by what we don't know but by what we know but don't apply.

Jean Marie Eveillard said that sometimes what matters is not the probability of something happening but the impact if it did. We all know that attacks in the DMZ are more likely than "inside the firewall", but what about impact? The resources that infosec throws at high probability but rather low impact attacks on the DMZ dwarf the attention given to inside the firewall systems. Does anyone run unauthenticated web apps on the Internet? Yet there are many enterprise messaging systems where all you need to know is the address and you have a trail right to the keys to the kingdom.

It's not that we don't know that authentication is important. It's not that we don't know that our mainframes, ESBs, and databases are critical to the business; it's that we don't apply what we already know.

A checklist is also vital as part of a process to check for failure in behavior and protect against biases and unchecked emotion. Every day there are events that trigger greed, fear, and anxiety and radically change people's willingness to take risk. Investors should always have a checklist, or more formally an Investment Policy Statement, that spells out precisely the purpose of their portfolio, its goals, time horizons, asset class mix, and other factors. The Investment Policy Statement should include a set of "We Will Never..." statements to check against bad behavior such as use of margin and leverage.

In 2008, the models missed the most important part: safety. Howard Marks describes how a six foot tall person can easily drown in a river that is on average 5 feet deep.

Although we're limited in what infosec can learn from financial models, I am optimistic that infosec can do better than finance in models; we will just need to rely mainly on models from other fields like biology, transportation safety and other domains that account better for behavior.

Part 4. Hacking the system - Reverse engineering for fun and profit

In part 2 we talked about the defensive mindset, but this would not be an infosec discussion without looking at the breaker side in addition to the builder side. Wall Street is a rigged game; it's rigged against me and you, individual investors. Luckily there are some structural weaknesses that we can exploit if we know where to look.

I would bet a lot of money that I can beat both Garry Kasparov and Michael Jordan in a game. The way I would do this of course is to play Kasparov at basketball and Jordan at chess.

Buffett noticed long ago that Wall Street observed that markets are mostly efficient and immediately leapt to thinking (through lots of Nobel winning mathematics) that they are always efficient. The difference here is night and day and that's the area that individual investors can readily exploit.

The first, as I mentioned early on, is the importance of time horizon. Looking out three to five years as an individual automatically gives you two big advantages over Wall Street. For one thing, you can wait for a thesis to play out. You invest money you don't need for three years or more, so who cares if it goes down next week? Whereas Wall St shops are just like any other big company: short time horizons, forced closing out of unprofitable trades, long term may be next Friday. The other advantage is efficient taxes. If you are paying 15% long term cap gains you have an immense head start over someone paying 30%, even if their before tax return trumps yours.

The long term orientation means that you can buy at the point of maximum pessimism. John Templeton said that "bull markets are born on pessimism, they grow on skepticism, and they die on euphoria."

If you can decouple price and value, somewhere around the first two stages is when to buy, and stage three, when everyone thinks the future will be perfect forever, is when to sell. Again, infosec is no stranger to contrarian behavior and going against the crowd; this trait is very helpful in investing.

The high priests of the Efficient Market Hypothesis tell us that assets are priced perfectly, reflecting all the available information. The standard retort to this is the one about two Wall St economists walking down the street: one spots a $20 bill on the ground, and the other says don't bother stopping to pick it up, if it were real someone else already would have.

The market overreacts on the upside and the downside; finding these opportunities is the job of the investor.

To demonstrate the myth of EMH in action, we do not need to go back any further in time than this past Friday. Let's consider the (not so) curious case of Arcos Dorados.

Arcos Dorados has the license to operate McDonald's in Latin America. McDonald's stock has done quite well over the years, and emerging markets are one of the major investing trends of the decade. The franchise is solid with plenty of room to grow.

The US has 14,000 McDonald's for 300M people vs Latam/Arcos with 1,800 McDonald's for 500M people. Arcos just opened 86 restaurants in the last 12 months, so this is a pretty nice combination. They even pay a dividend approaching ~1.4% with plenty of room to grow. The market average is ~1.8% so for a startup with a ton of runway ahead of it, and dividends matter way more than people think.

If you were an Arcos Dorados investor on Thursday night this is what you were buying: a solid franchise and a great management team in a region with lots of room to grow. What happened on Friday? All hell broke loose. Why? Arcos reported quarterly earnings in which net income rose 9% (not bad), same store sales rose (good), they opened 86 new restaurants (know anyone doing this in the US? or the EU for that matter?), and, oh, they chose to do some accounting in the Brazilian real, not the dollar. And the real hit a low on the exchange rate versus the dollar. That shaved $600 million off their market cap (22%) in the time it takes you to eat a Big Mac. While this was certainly fast, was this "efficient"? On Thursday night you went to bed thinking that the solid franchise and management team were important. The Latam region is important for global diversification, and yet one of the reasons for the dramatic one day move had zero to do with business fundamentals; it was a currency reaction.

Who knows if Arcos will be a good or a bad investment; only time will tell. Maybe kids in Latin America will prove to hate French fries, but one thing seems sure: a 22% move in one day over a currency issue is not tied to the value proposition of hamburgers and fries. Things like fluctuations in the real are short term noise in my view, but it's noise that individuals can exploit.

Just as we do vulnerability assessments in infosec (as the pentesters say, we don't break standards, we break implementations), individuals should look beyond Wall Street theory, find Wall Street's blind spots, biases, and structural weaknesses, and use them to their advantage.

I'd like to thank Ivan Arce for suggesting the idea for section 4, and thank you all for your time.

References

1. “Little Book of Common Sense Investing” by John Bogle

2. “The Indomitable Investor: Why a Few Succeed in the Stock Market When Everyone Else Fails” by Steven Sears

3. “The Most Important Thing” by Howard Marks

4. “The Five Rules for Successful Stock Investing: Morningstar's Guide to Building Wealth and Winning in the Market” by Pat Dorsey

5. Howard Lipson on Survivability, http://1raindrop.typepad.com/1_raindrop/2005/11/howard_lipson_o.html

6. "High Ticket Price on Flight to Safety" by Pat Dorsey, http://www.morningstar.com/cover/videocenter.aspx?id=532937

May 08, 2012 in Investing, Security

Making a *Gasp* Tech Dividend Growth Fund

Well, it took til 2012, but Apple is paying a dividend (not quite, actually: they had paid one previously, all the way back in 1995). But in honor of this latest entrant in the dividend paying companies, let's look at the possibility of building a dividend index out of, can you believe it, a set of tech companies. Ten years ago tech companies were mocked as bogus and lumped under the heading of Pets.com style flameouts, and the *real* companies, financial services, were all the rage as "adult" investments for the sober investor. What a difference a decade makes.

Who was really the risky bet in 2002? The likes of Apple and Microsoft or the likes of Lehman and company? As we sit here the large tech companies are sitting on pristine balance sheets with tens of billions in cash, and the financials still standing are happy to be, well, still standing, and high fiving that they passed the stress tests after some governmental CPR.

What do companies do when they have a war chest of cash? Well, they can reinvest it in the business, but many tech companies operate on a pretty asset light model. The only really large expenses come when they buy other companies, and this often works out poorly. The second thing they can do is buy back shares, which may provide a boost to share price. And the third thing they can do is to pay a dividend to shareholders.

It used to be the case that the chances of a tech company paying a dividend were slim and none. Dividend paying companies are a pretty dowdy lot, and so dividend investors needed to look at utilities and the like as options for income. But as tech companies grew, and the options for how to deploy cash were exhausted, paying dividends is now trendy.

The S&P Index yields around 2%, and it's possible now to pick a basket of tech stocks that pay a better current dividend yield with arguably more attractive growth possibilities.

The yield is in part a function of price. IBM shares have been on a tear and even though the company has raised its dividend from $0.59/share in 2002 to $2.90/share (almost 5x growth over the decade) the yield works out to only 1.5%. Other companies like SAP (0.9%) and Oracle (0.8%) pay only a token yield. Cisco recently joined other big techs and now pays a 1.6% dividend.

So with a goal of beating the S&P's ~2% yield with tech companies, here is a basket of four companies to do just that:

  • Apple: 1.8% dividend yield
  • Applied Materials: 2.9%
  • Intel: 3.0%
  • Microsoft: 2.5%

There are three questions to ask when examining dividends. The first and easiest to answer is current yield. An equally weighted basket of the above companies equates to a current yield over 2.5%, which beats the S&P by around 25%.

The next question is how safe is the dividend? Each of these four companies has billions of cash on its balance sheet; AMAT has the least at $6 billion. Probably enough to weather a storm or two.

At this point you might ask, besides the fact that it's a hot topic this week, why include Apple on the list? After all, they pay less than the market average dividend yield. This brings us to the third topic in dividend investing: dividend growth. Remember the IBM example of 5x dividend growth over the past ten years? Who knows if Apple can pull this off or not, but if so this would mean a vurry, vurry tasty 9% dividend yield in 10 years. Microsoft began paying a dividend in 2003 when it paid $0.08/share; today its dividend has grown 8x to $0.68/share. Intel paid a $0.08/share dividend in 2002, and today doles out $0.78/share. AMAT initiated a $0.06/share dividend in 2005, which it has grown to $0.31/share today.

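Dividend per share ($):

| Year | AMAT | INTC | MSFT |
|------|------|------|------|
| 2002 |      | 0.08 |      |
| 2003 |      | 0.08 | 0.08 |
| 2004 |      | 0.16 | 0.16 |
| 2005 | 0.06 | 0.32 | 0.32 |
| 2006 | 0.16 | 0.40 | 0.34 |
| 2007 | 0.22 | 0.45 | 0.39 |
| 2008 | 0.24 | 0.55 | 0.43 |
| 2009 | 0.24 | 0.56 | 0.50 |
| 2010 | 0.26 | 0.63 | 0.52 |
| 2011 | 0.30 | 0.78 | 0.61 |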

2.5% by itself isn't that much to get excited about, but at the same time it's way better than what your cash pays you (nothing). Bonds may have a little better current yield, but as Buffett says today, "bonds should come with a warning label", meaning they will not fare well in an inflationary environment. Plus bonds can't grow their yield, and certainly not at the level of growth Intel, Microsoft and Applied Materials managed.

Without getting into the specific business dynamics, the four companies mentioned all exhibit desirable characteristics for a dividend investor - above average current yield, safety ensured by robust cash flows and strong balance sheets, and with a decent chance to grow their yield over time.

As an historical note, one of the things that has worked best in investing is to find firms with higher than average yields with low payout ratios. Google is the last behemoth tech to not participate in the tech dividend revolution, let's hope they get on board soon.

As always, this is not investment advice, just ideas; you need to do your own research. What I find interesting is that it's possible to find companies, tech companies, where the stocks offer both higher returns and a safer return than cash and bonds.

March 22, 2012 in Investing

Global Market Dynamics in the Small and Short

Markets have interesting dynamics and network connectivity via globalization makes it interesting to watch.

It's still early days in the Chinese markets; you can think of them like the pioneer days in the US. But many large companies are not afraid to go in and do the hard work to integrate into those emerging markets. Today, Walmart announced that they will start selling online in China, for example. Walmart has around 300 stores in China already and booked $7.5 billion in revenue there last year.

There are lots of stories about how worried we're supposed to be about buying stock in Chinese companies, but what about the impacts of open US markets on China companies? Turns out there is a whole cottage industry in the US of short sellers talking BS about China companies to drive their share prices down.

A recent example of this is a short attack on China Agritech that drove the share price from $15 to $6, because the shorts claimed the company was a scam with no real operations. But a large shareholder is fighting back:

“It would be easy to walk away at this point,” said Glickenhaus, whose family company has $1.3 billion under management. “It’s not nothing, but it’s not a big deal for us financially. The real reason we’re fighting is because we believe someone blatantly lied to short the stock.”

And as it turns out, there are collaborators working on ideas to publish hit pieces to hammer other small China companies; shorts "throw some stink" on the companies (as Mark Cuban was alleged to on CFSG) to drive share prices down. A number of these collaborators' messages are available here and talk about ways to get creative on ideas that will bash the stock and make a fast, easy profit for the shorts, while the company's price gets hammered and the investors suffer.

Smaller Chinese companies are easy targets: they lack a Big Four auditor and PR savvy execs. Plus, as the penny stock fraudsters know, it's much easier to manipulate the shares of a $50M China Ag firm than those of a couple hundred billion China telco. It will be interesting to watch if the large shareholders and/or any SEC actions begin to curb this dynamic.

May 13, 2011 in Investing

Google and Baidu

Last January, Google announced it had a new approach to China and eventually moved its servers to a Hong Kong address. The main destination for the search consumers that Google left behind has been Baidu. In fact, Baidu is now aiming for 79% market share (I guess they don't understand the 80/20 rule yet in China).

| Search Engine | Q1 2010 | Q4 2009 |
|---------------|---------|---------|
| Baidu         | 64%     | 58.4%   |
| Google        | 30.9%   | 35.6%   |
| Sogou         | 0.7%    | 1%      |
| Soso          | 0.4%    | 0.7%    |
| Others        | 4%      | 4.3%    |

This growth translated into a great quarter for Baidu:
Revenue climbed 60% to $189.6 million. Earnings soared 165% to $2.02 a share. Analysts figured that the company would earn just $1.50 a share on $180.1 million in revenue.

Better yet, the company is targeting $268.1 million to $274 million in revenue for the current quarter -- 67% to 70% ahead of last year's showing. Now that's accelerating sales growth! Analysts figured that revenue would only grow at a 49% clip, to $240.1 million, for the next quarter.

Definitely seems like the Chinese search space is a good place to do business.


Now, five months is not that long a time in the stock market, but I thought it would be worth checking the shares of Google and Baidu since Google's announcement of their new approach to China. So I compared BIDU (up about 80%) and GOOG (down around 20% (hey, maybe they do get the 80/20 rule in China!)). Since they trade on different markets I included both the S&P 500 index for the US and the Hang Seng Index for China. They are both down slightly for the year (then again we knew that), but GOOG is actually underperforming both indices as well.

[Chart: BIDU and GOOG share performance compared with the S&P 500 and Hang Seng indices]

Not sure how much of this is attributable to Google's China policies, but it is interesting. Granted, Baidu has more room to grow with a $23B market cap compared to Google's battleship-like $150B market cap, but still, look at the above chart: those are starkly different (albeit short term) results for two competing companies.

What to do

I am not sure you can call Google's stock cheap by most metrics, but the current P/E is only 21 (Salesforce.com is 144(!), Rackspace is 62, Amazon is 51) and the forward P/E is under 15. That is not super pricey for a company with $6B in free cash flow and, I think we'd agree, a pretty good moat outside of China. In addition to China, one other reason Google is cheap relative to its sector is that they have a history of mistreating shareholders. They have used dark arts like repricing options and other shenanigans. But still, when you line them up next to Salesforce, Rackspace, Amazon, and others, they look to be selling at a good price.

Did I miss anything? Any other comparative companies that should be included? How much of the underperformance against the index is due to China? Will that be a long term drag on earnings? Do they have any other rabbits that they can pull out of their hat?

June 09, 2010 in Investing

On Risk

It's funny how the human mind deals with risk. Last year at this time, no one, but no one, wanted to invest in stocks. You had supposed gurus saying put all your money in a mattress, and if you brought up stocks or investing at a party the person you were talking to would flee.

Here is the thing: you didn't need to be Bruce Berkowitz to see that stocks were cheap, you just needed to be objective and analytical. If all you did was buy the S&P index fund a year ago, then you have over 30% gains by today. If you bought individual stocks you probably did even better.

Now the market is up, and if you go to parties people actively talk about investing and "getting back in". Why start now? Why buy once the prices have risen so much, using dollars that were sold on the cheap in the crisis? Where is the logic? People are clearly more comfortable buying things once they have risen in price, but if you get an Ivy League MBA you are taught the fairy tale that markets are rational.

Of course, it's not logical, and neither is how we deal with risk. Your required reading for today is the great Jason Zweig's Your Money and Your Brain. This is a book about neuroeconomics, but it's really about risk.

This all brings us to Jeremy Grantham's Q4 letter, which contains good news (Volckerization) - wait, wise regulation is helpful? Bad news - corporations are now people - wtf?!? Does this mean APT is identity theft? And then a decade review that includes the following:

Education and training are the keys to increasing wealth on a sustainable basis and the U.S. is in danger of losing its once large edge here.
I am sad to report that I see nothing to refute this. It's one thing to run large fiscal deficits, it's another thing to run trade deficits on top of that, but to compound that by not investing the money in something that will pay back over time - for example education - makes no sense.

When FDR dug us out of Depression 1.0, he ran crazy deficits but built up a ton of infrastructure that we're still leveraging today.

Today we are again running deficits to dig out of a financial hole - but where is the payback coming from? Where is the education stimulus? I work on projects all the time that are primarily built outside the US, and I have no problem with this. I realize the world is flat and the US is not gonna win all the bids, but here is the thing - I am not sure that based on current trends the US will even compete. Why not sponsor a High Tech High School in every state or every major city? There are big honking problems to work on in robotics, biotech, fabs and nanotech. There's tons of engineering to be done in computers. Do you want to send that all outside the US? What do we have to do to move the conversation towards investing for the future rather than spending in the present?

In many ways this is an easier problem to solve than FDR's. He had to invest in expensive infrastructure projects; he was in the industrial age. We are in the information age, we need knowledge workers, and all we need to do is invest in people - how hard is that?

So coming full circle back to the beginning of this post, just like the financial nuclear winter of 2009 was a great time to buy stocks and the relatively fat and happy winter of 2010 is less so, isn't the time when you are paying for (but not necessarily sourcing/delivering) big tech projects the time to invest to make sure you pay/source/deliver those same big projects in the future?

January 29, 2010 in Investing

Munger Interview with Stanford Law

One more Berkshire note, here is an excerpt from a must read interview with Charlie Munger from Stanford Law.


Grundfest: As we look at the current situation, how much of the responsibility would you lay at the feet of the accounting profession? 

Munger: I would argue that a majority of the horrors we face would not have happened if the accounting profession developed and enforced better accounting. They are way too liberal in providing the kind of accounting the financial promoters want. They’ve sold out, and they do not even realize that they’ve sold out. 

Grundfest: Would you give an example of a particular accounting practice you find problematic? 

Munger: Take derivative trading with mark-to-market accounting, which degenerates into mark-to-model. Two firms make a big derivative trade and the accountants on both sides show a large profit from the same trade. 

Grundfest: And they can’t both be right. But both of them are following the rules. 

Munger: Yes, and nobody is even bothered by the folly. It violates the most elemental principles of common sense. And the reasons they do it are: (1) there’s a demand for it from the financial promoters, (2) fixing the system is hard work, and (3) they are afraid that a sensible fix might create new responsibilities that cause new litigation risks for accountants.  


This situation is very comparable to what happens when auditors interview infosec. The auditor asks, "Do you have a firewall?" Infosec says yes. Check.

It's too bad, but assumptions of yesteryear lead to building things on shaky foundations.

May 14, 2009 in Investing, Security

Omaha recap

For the second year in a row I attended the Berkshire Hathaway (NYSE:BRK.A) annual meeting, aka Woodstock for Capitalists. This year the group included John Steven, Richard Bejtlich and Andre Durand. You can read Richard's "False Precision" and Andre's "Buffet the Anti-Trump" notes. Here are some of mine:


* First off Warren Buffett and Charlie Munger answered questions for six hours and only presented one slide. (The slide as you might expect was pretty interesting it showed a T bill they purchased in Dec 08 that paid out a *negative* yield in April 09)

* One theme throughout was simplicity. If you need a computer to figure it out, then just put it in the "too hard" pile; there is plenty of money to be made with lower risk doing things you can understand. (One quote I keep on my security checklists is from Buffett - "the sign above the players' entrance to the field at Notre Dame reads 'Play Like a Champion Today.' I sometimes joke that the sign at Nebraska reads 'Remember Your Helmet.' Charlie and I are 'Remember Your Helmet' kind of guys. We like to keep it simple.")

* Munger said a lot of the new regulations wouldn't be needed if accountants had simply done their job

* Buffett said if he ran a business school there would be two courses 1) how to value a business 2) how to think about markets. You can get most of this from Ben Graham's Intelligent Investor. Instead MBAs are trained on fairy tales like efficient market theory which leads to madness like excess leverage, derivatives and all the rest. As Buffett said "I would have to have to teach efficient market theory. You stand up in class the first day facing all these eager fresh young minds, and you say 'well everything is priced perfectly', what do you do the rest of the semester?"

After the big meeting on Saturday, I spent Sunday morning listening to Tom Gayner and Steve Markel from Markel; I wrote up the notes here. One thing I neglected in the earlier post was Gayner's comments on being careful about bi-modal outcomes. He gave the example of several financial companies and said, well, they are trading in single digits now, and there is tremendous upside if they come out OK. But you don't know what will happen, and there is a bi-modal outcome problem where they could be worth $50/share and you could make 8-10x your money, or they could be worth zero. It struck me that many of our security architectures have bi-modal outcomes: either things work perfectly or they break wide open. Instead we should strive for defense in depth.

May 13, 2009 in Investing, Security

Got an IQ of 155? Sell 30 points

Got back yesterday from the Omaha trip to the Berkshire Hathaway annual meeting, aka Woodstock for Capitalists. There were many takeaways; I am going to blog here about the last event we attended and will fill in other details in future posts.


The last event we did was Sunday morning, a breakfast hosted by Markel (NYSE:MKL). Markel is a Richmond, VA based specialty insurance company; they actually offer data breach protection now, among many other things. Anyway, they follow the Berkshire model: write conservative policies, and invest the float. We got to see their CEO and CIO answer questions for two hours on all manner of investing questions. They have been compounding book value at ~20%/year going back to the 80s by following simple processes. I was struck by how often simplicity came up throughout the weekend. Buffett said on Saturday "if you are an investor with an IQ of 155 then sell 30 points to someone else, you don't need them."

The most interesting part of the Markel breakfast for me was hearing firsthand what their CIO Tom Gayner had to say about investing. He has four basic rules of investing:

1. Invest in businesses that are profitable and earn good returns on total capital (w/o excessive leverage!). This seems basic, but it's important to remind yourself of its primacy (simplicity in action... also recall that avoiding leverage is important not just in the business you are investing in but also in its customers).

2. People running the company must have talent *and* integrity. One without the other does you no good.

3. Reinvestment dynamics - best business in the world is one that makes good return on capital and can reinvest it to make the same or better rate - that's a compounding machine.

4. Fair price - a business that meets the first 3 criteria, where you as an outside shareholder earn the same sort of return the business would. Be on the same side of the table as management.

Finally there was this: "I hope you notice the elements we describe didn't talk much about geopolitics, interest rates, the economy, commodity, oil, gold prices, etc." All important, but you have no control over them (just like threats vs vulnerabilities).

This approach has led Gayner and Markel to a very successful decade-plus track record. It's also led them to "boring" companies like Pepsi and Diageo. However, I also noticed that SAP (NYSE:SAP) was in their portfolio. They have 0.8% invested in tech; I didn't do the math, but I guess SAP is the bulk of that. I have always been struck that despite SAP being the 2nd or 3rd largest software company in the world, you never hear about people investing in it, and yet here it is in a value investor's portfolio next to the usual dowdy brands that value people love.

I got the chance to talk to Mr Gayner at the end and said "I am a software guy and was surprised to see SAP in your portfolio, we always joke that it stands for Shut up And Pay. Once you get it in it runs your business and you can't get it out. Can you comment on why you selected a tech company?"

Gayner said "I think you just answered your own question."

He had heard a bunch of people at companies complaining about their SAP implementations, when he asked them what they were going to do about it, the answer was - send another check to Germany. So he jumped in. Value investing is pretty simple.

Good video of a similar talk by Markel and Gayner here.

May 04, 2009 in Investing
