October is Cybersecurity Awareness Month, an ideal time to thoroughly assess an organization’s cybersecurity policies and procedures.
A breach can cost a company an average of $9.44 million, according to Ponemon Institute and IBM Security’s 2022 Cost of a Data Breach report. More than 83 percent of organizations surveyed have had more than one data breach, according to the report. I’d add that cyberattacks often pull valuable resources away from other pressing concerns such as growing a business and taking care of employees, and that a breach can create major mistrust between an organization and its customers.
With cybersecurity in mind, I invite readers to attend the Michigan 2022 Cyber Summit. Deloitte is a sponsor of this annual event, scheduled for Thursday, October 27 at the Suburban Collection Showplace in Novi. State leaders as well as Jen Easterly, director of the state’s Cybersecurity & Infrastructure Security Agency, plus cybersecurity experts from other states and from business and industry will present at the conference. To register for the summit, click here.
There are many business reasons to attend the summit. You will have an opportunity to network with peers, hear from industry leaders on the latest happenings, and gain insight into the latest issues, threats, and innovations in cyber.
A recent report from Deloitte’s Center for Board Effectiveness DCBE highlights questions organizations can consider to better integrate their business and cyber strategy, Strengthen risk management and governance, and refresh incident management processes to keep up with the evolving regulatory landscape:
1. What is our organization’s holistic cyber risk policy?
Cyber risk policies should include what happens in the event of a ransomware attack, an assessment of the risk to operational technology in addition to information technology, risk mitigation for third parties and contractors, and cyber assessment processes for mergers and acquisitions. It also includes a review of the last assessment and revising it to accommodate any changes in the business (for instance, a new IT system).
2. Does our policy align with National Institute of Standards and Technology (NIST) cybersecurity framework guidelines?
NIST’s framework helps guide companies in assessing and improving their ability to prevent risks and respond to breaches. These frameworks set guidelines for identifying areas at risk; protecting critical infrastructure from attacks; detecting attacks when they do happen; responding to attacks; and recovering from them.
3. What role do management and the board play in implementing this policy?
It shouldn’t just be “the IT people” responsible for cybersecurity policy. The National Association of Corporate Directors suggests that boards approach cybersecurity as the organization-wide issue that it is.
4. Who on our board has cybersecurity experience?
As is the case with many reporting tasks, at least one board member should have deep expertise in cybersecurity.
Overall, then, two suggestions to commemorate Cybersecurity Awareness Month: Attend the Michigan conference to obtain a wealth of information and leading practices, and review Deloitte’s Center for Board Effectiveness report on board oversight of cybersecurity.
About the Center for Board Effectiveness
Deloitte’s Center for Board Effectiveness helps directors deliver value to the organizations they serve through a portfolio of high quality, innovative experiences throughout their tenure as board members. Whether an individual is aspiring to board participation or has extensive board experience, the Center’s programs enable them to contribute effectively and provide focus in the areas of governance and audit, strategy, risk, innovation, compensation, and succession.
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including nearly 90% of the Fortune 500® and more than 7,000 private companies. Our people come together for the greater good and work across the industry sectors that drive and shape today’s marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthier society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Building on more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte’s approximately 415,000 people worldwide connect for impact at www.deloitte.com.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by certain (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.
The world of cryptography moves at a very slow, but steady pace. New cryptography standards must be vetted over an extended period and therefore new threats to existing standards need to be judged by decades-long timelines because updating crypto standards is a multiyear journey. Quantum computing is an important threat looming on the horizon. Quantum computers can solve many equations simultaneously, and based on Shor’s Algorithm, crypto experts estimate that they will be able to crack asymmetric encryption. In addition, Grover’s algorithm provides a quadratic reduction in decryption time of symmetric encryption. And the question these same crypto experts try to answer is not if this will happen, but when.
Today’s crypto algorithms use mathematical problems such as factorization of large numbers to protect data. With fault-tolerant quantum computers, factorization can be solved in theory in just a few hours using Shor’s algorithm. This same capability also compromises cryptographic methods based on the difficulty of solving the discrete logarithm problems.
The term used to describe these new, sturdier crypto standards is “quantum safe.” The challenge is we don’t know exactly when fault-tolerant quantum computers will have the power to consistently break existing encryption standards, which are now in wide use. There’s also a concern that some parties could obtain and store encrypted data for decryption later, when suitably capable quantum computers are available. Even if the data is over ten years old, there still could be relevant confidential information in the stored data. Think state secrets, financial and securities records and transactions, health records, or even private or classified communications between public and/or government figures.
U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) believes it’s possible that RSA2048 encryption can be cracked by 2035. Other U.S. government agencies and other security-minded entities have similar timelines. Rather than wait for the last minute to upgrade security, NIST started a competition to develop quantum-safe encryption back in 2016. After several rounds of reviews, on July 5th of this year, NIST chose four algorithms for the final stages of review before setting the standard. IBM developed three of them, two of those are supported in IBM’s Z16 mainframe today.
The new IBM crypto algorithms are based on a family of math problems called structured lattices. Lattice problems have a unique characteristic that will make it reasonably difficult to solve with quantum computing. Structured lattice problems require solving for two unknowns – a multiplier array and an offset and is extremely difficult for quantum computing to solve the lattice problems. The shortest vector problem (SVP) and the closest vector problem (CVP) – upon which lattice cryptography is built – is considered extremely difficult to a quantum computer to solve. Each candidate crypto algorithm is evaluated not just for data security, but also for performance - the overhead cannot be too large for wide spread use.
The final selections are expected in 2024, but there’s still a chance there will be changes before the final standards are released.
IBM Supports Quantum Safe in New Z-Series Mainframes
IBM made a strategic bet before the final NIST selections. The recently released IBM Z16 Series computers already support two of the final four quantum safe crypto candidates: the CRYSTALS-Kyber public-key encryption and the CRYSTALS-Dilithium digital signature algorithms. IBM is set to work with the industry to substantiate these algorithms in production systems. Initially, IBM is using its tape drive storage systems as a test platform. Because tape is often used for cold storage, it's an excellent medium for long-term data protection. IBM is working with its client base to find the appropriate way to roll out quantum-safe encryption to the market. This must be approached as a life cycle transformation. And, in fact, IBM is working with its customers to create a crypto-agile solution, which allows the exact crypto algorithm to change at any point in time without disrupting the entire system. It’s not just a rip and replace process. With crypto-agility, the algorithm is abstracted from the system software stack so a new algorithms can be deployed seamlessly. IBM is developing tools making crypto status part of the overall observability with a suitable dashboard to see crypto events, etc.
These new algorithms must be deployable to existing computing platforms, even at the edge. However, it's not going to feasible to upgrade every system; it’s probably going to be an industry-by-industry effort and industry consortia will be required. For example, IBM, GSMA (Global System for Mobile Communication Association), and Vodafone recently announced they will work via a GSMA Task Force to identify a process to implement quantum-safe technologies across critical telecommunications infrastructure, including the networks underpinning internet access and public utility management. The telecommunication network carries financial data, health information, public-sector infrastructure systems, and sensitive business data which needs to be protected as it traverses global networks.
What’s Next for Quantum Safe Algorithms
Fault-tolerant quantum computing is coming. When it will be available is still a guessing game, but the people who most care about data security are targeting 2035 to have quantum-safe cryptographic algorithms in place to meet the threat. But that’s not good enough. We need to start protecting critical data and infrastructure sooner than that, considering the length of time systems are deployed in the field and data is stored. Systems such as satellites and power stations are not easy to update in the field.
And there’s data that must be stored securely for future retrieval, including HIPAA (for medical applications), tax records, toxic substance control act and clinical trial data, and others.
Even after the deployment of these new algorithms, this is not the end – there may still be developments that can break even the next generation quantum-safe algorithms. The struggle between those that want to keep systems and data safe and those that want to crack them continues and why companies should look to building in crypto agility into their security plans.
Tirias Research tracks and consults for companies throughout the electronics ecosystem from semiconductors to systems and sensors to the cloud. Members of the Tirias Research team have consulted for IBM and other companies throughout the Security, AI and Quantum ecosystems.
Cyber Security loves buzzwords, but they get over-exposed faster than Kevin Hart. Looking at you, Zero-Trust.
If you haven't heard about Attack Surface Management (ASM) yet, you will. But bear with me, because that's not a bad thing.
ASM is still on the 'shiny and new' slope of Gartner's hype cycle, but it's already real and out in the wild keeping organisations safer.
From cloud migrations to IoT integration and hybrid working, IT environments are changing fast – and that’s also true for their attack surfaces, leading to poor visibility of risk in real-time.
Q/ When is the best time to find weaknesses?
A/ Before an attack happens.
It’s a beautiful concept that may seem naïve when measured against the daily reality of a SOC. Cyber-nirvana is the goal but hard to get there if you’re stamping out fires all day.
And this is where we approach the paradox at the heart of cyber security today, having largely abandoned the concept of the completely defensible perimeter. Almost all the technologies in the SOC are designed to spot things after they happen; that is – after the threat actor is doing something we don’t want them to do inside our network. AI and machine learning driven uber-suites of clever code that spot, correlate and jump on those trails before they snowball into a full-blown cyber heist. I’m not suggesting that we don’t need all of that and a perimeter – because we do, but threat actors understand our defenses and are finding ways to slip under the radar of reactive security tooling in a never-ending game of cat and mouse.
There’s a lot of different numbers for the average dwell time of an attacker before an event like ransomware detonation – but broadly the numbers agree that it’s more than 100 and less than 300 days. That’s a long time to provide someone to figure out how your operation works.
Add to that that only about 1 in 5 enterprises can monitor their attack surfaces for changes in real time, or to put it another way, four fifths of the world’s enterprises can’t.
The old question of how you would break into your own home if you were locked out is useful here but falls short when describing the cyber-attack surface, because you’d need to talk about windows you didn’t know you had and prevent an attacker from getting in through a plughole.
The typical attacker has a laptop, some tools and an internet connection when they begin looking for a way in. But it’s best not to underestimate our adversary – marketing shows us a lot of people in hoodies hunched over laptops, but it would be scarier to show a 24x7 Ransomware-aaS operation in the C2C marketplace. This is organized and profitable crime, but regardless of the maturity of the organisation or individual attacking you, they begin on the outside of your environment. What they look for is internet facing services, IPs, domains, networks, hostnames and so on. In the process they will uncover your shadow IT, forgotten assets (like that test/dev environment everyone assumed someone else tore down), and other blind-spots and process failures, for example a brute-forceable and exposed login applet, or down-rev web server. Those are the chinks in the armour offering a route in, and because they face out into the internet, they are highly tempting. But (of course) they can’t be fixed until you know about them – which means that we need to wait for the lights to blink on the big reactive dashboard, and then you’ve got another fire to stamp out.
If we want to move to a proactive posture, using an Attack Surface Management tool like IBM Randori which scopes your attack surface like an attacker is a smart move. If we can see what they see when they look at us from the outside, then we have a prioritized inventory of attack risk.
That’s important because the last thing anyone needs is a report with an overwhelming list of to-do items on it, because we’re already putting out fires as it is. Having issues ranked by their ‘temptation score’ lets the SOC team focus on the urgent fixes, and then schedule work on the less urgent stuff. And because Randori only looks at your attack surface from the outside, it’s agentless and doesn’t need appliances.
Having a prioritized inventory of risk let’s you find those open windows and close them, which makes it harder for the attacker to get in.
Nobody wants to be over exposed, not even Kevin Hart.
IBM has acquired Randori, a leading Attack Surface Management provider and recently named a cool vendor by Gartner. Although ASM is an emerging technology IBM has never been afraid to be at the forefront of innovation. Find out more here https://www.randori.com/
Did you know that nominations are now open* for techUK’s Cyber Management Committee? We’re looking for senior representatives from cyber security companies across the UK to help lead the work of our Cyber Security Programme over the next two years. Find out more and how to nominate yourself/a colleagues here.
*Deadline to submit nomination forms is 17:00 on Tuesday 18 October.
On Thursday 3 November, techUK will host our fourth annual Cyber Innovation Den online. This year we’ll explore efforts being made to realised the ambition set out in the National Cyber Strategy, with speakers taking a look at the progress we’ve seen to date, including the foundation of the UK Cyber Security Council, the reinvigoration of the Cyber Growth Partnership and the continued growth in the value of the sector to the UK economy.
In November techUK will host the first ever Cyber Security Dinner. The dinner will be a fantastic networking opportunity, bringing together senior stakeholders from across industry and government for informal discussions around some of the key cyber security issues for 2022 and beyond.
All techUK's work is led by our members - keep in touch or get involved by joining one of the groups below.
Nearly nine out of 10 businesses (88%) consider themselves advanced in cloud adoption, with just 9% exploring cloud computing at a limited, measured pace and 3% keeping computing in house while evaluating the cloud option, KPMG found in a survey of 1,000 enterprise technology leaders.
Four out of five survey respondents consider their companies’ cloud adoption successful, with two out of three noting improvements in business strategy, KPMG said. At the same time, two out of three respondents say they have yet to see substantial ROI from cloud spending.
In order to increase ROI, “you need to look more holistically, not down at an individual department,” Hunter said.
A CFO should examine the steps between “generating an idea to getting revenue from that idea,” she said, or what she called the “value stream.”
For example, a major airline upgraded its app after identifying ways to Strengthen the experience of a passenger during the day of a flight, she said. It achieved savings, greater efficiency and higher customer satisfaction by streamlining check-in, baggage handling, re-booking and other contact with customers.
Also, a large bank used cloud computing to speed up new product development and approval, cutting costs and gaining an edge on its competitors, Hunter said. A company that focuses hybrid cloud on value streams can be “more elastic, enter new business spaces more quickly, shorten processes, introduce automation.”
At the same time, CFOs can measure ROI in more isolated projects, such as a “lift and shift” of entire applications to the cloud or by packaging software in “containers” that bundle application code with essentials such as configuration files and libraries.
“Containerization” speeds development, improves security and eases the portability of an application to another operating system. It can achieve ROI as high as 300%, Hunter said.
A CFO seeking to measure ROI of cloud migration can track the reduction in time from the conception of a new product to its launch, Hunter said. “That’s a really key metric that we often see as a core consideration because it points to how quickly the business can respond to changing market demands and to competitors.”
“We’ve seen organizations go from only being able to release new functionality every quarter to releasing functionality in days or weeks,” she said.
A CFO can also find ROI by assessing savings on security and compliance, Hunter said.
For example, a shift to the cloud often leads to elimination of “technical debt,” or software imperfections that were tolerated because of an emphasis on rapid deployment, Hunter said. “There’s a lot of technical debt that can be removed when you move to the cloud.”
President Biden spoke last Thursday at IBM in Poughkeepsie, New York, praising the companies that are investing in America, “because they see we’re coming back.” He doubled down on his view that Democrats are presiding over a hell of an economy. “Since I came to office, our economy has created 10 million jobs, 668,000 manufacturing jobs.” He reminded listeners that last month, he heralded the building of a semiconductor factory outside of “Columbus, Ohio, where Intel is investing $20 billion, 10,000 good paying jobs.”
Biden also reminded voters he’s gotten the unemployment rate lower than President Trump. “It’s more jobs created in the first term of a President than any time in American history.”
This rhetoric is sure to create new barriers for Democrats to get over, when their campaigns are contesting who is better at addressing the top issue in the election, the daunting cost of living.
Why are such statements about “ten million jobs” a red flag for working people?
More from Stanley B. Greenberg
I was instantly taken back to listening to focus groups with working people after the financial crisis crashed their lives. Millions lost their jobs at the start of the Great Recession, and millions more came back to work in lesser-paid and lesser-skilled jobs, while the top 1 percent, Wall Street financiers and CEOs got back on their obscene ascent. Working people fell into a deep hole that most didn’t get out of until the last year of President Obama’s second term.
They also watched the banks get bailed out, senior executives get their bonuses, and no executive held accountable for crashing their companies and the country. Anger about CEOs grew, as did the belief that politics was rigged.
I wrote in my book America Ascendant, “In the years after the financial crisis, few things have enraged people in our focus groups more than simply practicing a positive jobs report. One moderator was almost attacked after practicing a news report on the jobs gained in one month during the recovery. Voters in Ohio and Denver talked over each other as they disputed and qualified the news, rushing to dispel the conventional wisdom about the recovering economy.”
“[They] keep saying they created 225,000 jobs,” one non-college-educated man in Ohio said. “And what is the job doing, I mean, you can work for McDonald’s for $9 an hour to $11 an hour!” A non-college-educated woman in Ohio followed on: “What was the average salary of those jobs … That would be my first question.” Others asked: “Where are these jobs?” “What kind of jobs are they?” “Are these jobs that people can live on? Or are they jobs you take because you have to?”
I concluded from my research between 2010 and 2014 that two principles dominated the economic consciousness of the time. The first was that “jobs don’t pay enough to live on,” and the second, “people face an endemic cost-of-living crisis.” Fewer and fewer people were thinking about reaching for the “American dream” or even reaching the income level of their parents. Many talked about the middle class disappearing or being on life support.
“In the years after the financial crisis, few things have enraged people in our focus groups more than simply practicing a positive jobs report.”
Of course, that was just the midpoint of a two-decade period where wages, income, and wealth declined or stagnated.
It has been a long time since the country saw a decade like Bill Clinton’s term in office, when real median income rose sharply and inequality declined. Blacks totally shared in those gains. That was a decade where we approached full employment, but changes in tax law enacted by Democrats helped ensure there was a shared prosperity. Clinton greatly expanded the Earned Income Tax Credit, a new top tax rate of 39.6 percent, as well as a “millionaire’s surtax.” He raised the tax rate for capital gains so it was equal to the rate paid by workers. (Other changes in trade agreements and financial services would contribute to the problems in later decades.)
Real median household income reached $66,000 in 2000, fell sharply under George Bush, and got back to $65,000 before the financial crisis in 2008 when it crashed again. It was still at $60,000 in 2012 when President Obama ran for re-election. That is when so many in my focus groups responded so angrily to President Obama’s job reports.
In 2015 and 2016, income finally got back to the level of Clinton’s last year in office. Most Americans had seen 15 years of pay cuts. Median income rose to $73,000 under President Trump, but that hardly made up for the years of decline. Incomes fell with the pandemic, and spiking inflation has cut real incomes by 4.4 percent this year.
Black and Hispanic families experienced an even darker period. Median income for Blacks reached $49,000 in 2000, at the end of the Clinton decade. It fell sharply to $43,000 under Bush, and after the financial crash fell to a desperate $39,000 in 2011. Black income spiked in 2014 but stopped its ascent in 2016. The average Black household was earning $45,000. That was 8 percent below Clinton’s last year.
Black household income rose and finally got back to the Clinton level under Trump, but has stagnated since 2019. Black families had gained only $2,000 in annual income compared to the end of the Clinton decade.
Hispanic household income also rose sharply under Clinton, reaching $52,000 in 2000. Then, it fell and stagnated before crashing in 2007. And as with Blacks, household income hit a low of $46,000 in 2012. Then, incomes went up steadily until 2019, then stalling at $58,000 for two years. Hispanic households ended up only 12 percent above 2000 levels, more than two decades later.
Those stark results explain why 60 percent of Blacks and Hispanics—and a like number of millennials—say that “cost of living” is the top problem. If there is an emerging “enthusiasm problem” for these voters, it is because Democrats aren’t speaking to their economy and lives.
That is why our most impactful economic message includes the statement “working people haven’t seen a real pay raise in decades.” And our strongest overall message says, “Washington doesn’t get it.” To be honest, our elected leaders live in a different world and don’t feel what is happening to the great majority of Americans. They don’t feel their anger that the political game is rigged for the very richest, the big corporations and billionaires.
OBVIOUSLY, WE WANT A PRO-UNION PRESIDENT who is working to grow the number of jobs, building and modernizing America’s infrastructure, and shifting production of critical semiconductors, batteries, and electric vehicles produced at home. You want new trade agreements that are more American worker–centered, as the president has promised. I agree with President Biden when he says, “America is in a better place than any other country coming out of the pandemic to lead the future.”
But that doesn’t put food on the table or deal with rising gas prices, electric or oil bills, rents and mortgages, medical and drug costs. Those problems are just multiplying in this period of high inflation. People truly haven’t seen a pay raise in decades. They have been mostly living with pay cuts and lost wealth and declining security.
President Biden and Democratic leaders are able to say, authentically, that Americans haven’t seen a pay increase for years under both Republican and Democratic presidents and that is not OK. Biden used to say, “I know people are living paycheck to paycheck,” and that gave him an audience campaigning in the Rust Belt states.
People now expect government to provide new kinds of support to raise their family income and to deal with essential expenses. They are looking to the government to make work affordable.
The economic terms of the debate have moved to an entirely new place.
The passage of the Affordable Care Act changed the focus of the economic debate and what was possible to make work affordable. The ACA was initially unpopular with working people, for pretty good reasons. The insurance was expensive and had high deductibles that made it difficult to use. If you want to know what people are really looking for, see the broad support for expanding Medicaid, even in the most Republican states in the country. Working people want and expect the government to help with the high cost of health care.
When I listed to Trump voters in Macomb County, Michigan, during the congressional debate over whether to “repeal and replace” Obamacare, I found out the Trump voters took him seriously when he said he would provide “MUCH less expensive and MUCH better healthcare.” They wanted government-supported health care that dramatically reduced their family’s health care spending.
All working people—whether they voted for Trump or Clinton, Trump or Biden—now expect government to do more to make health care affordable.
With health care spending such a big proportion of household costs, health care has been one of the very top issues in 2016, 2018, 2020, and now in this midterm election. It is Democrats who have passed legislation to reduce health care premiums and the costs of prescription drugs and insulin. That is addressing the cost of living.
Another formative event, the pandemic, has educated people on how government can help their families deal with essential expenses.
The pandemic took unemployment back to double digits, a frightening scenario to those who have lived through two decades of falling or stagnant wages. But the government responded like almost no other time in our history. For the first time, unemployment benefits nearly replaced wages, and didn’t expire in six months. Just as important were the direct per-person payments to households, and limited paid sick leave for those with COVID. The direct payments were the same for each household, not linked to the household’s income level.
Democrats gained control of the Senate when the two Democratic candidates ran on continuing those direct payments. And with their majorities, Democrats passed the expanded Child Tax Credit that was paid in monthly payments to families with children. I wrote in The American Prospect, “Low-income recipients spent more than 90 percent of the added money for food, utilities, clothing, diapers, and education,” as well as child care.
That program captured the priorities Democrats must have if it they are to win the support of a majority of Americans who live with an endemic cost-of-living crisis. If Democrats had successfully enacted the huge expansion of help with child care, it no doubt would have been part of the new equation.
All these initiatives are very popular with white working-class voters under 50 years and disability families, as well as our base of Blacks, Hispanics, Asians, Gen Z, millennials, and unmarried women—all the groups Democrats need to run better with to get to a dependable majority.
Imagine how desperate all of those people are when post-pandemic supply chains, combined with the cutoff of Russian energy, produced today’s high inflation. They know what global events produced. And they are focused like a laser on what you are doing to help in the very short term, not what America’s economy will look like in the future.
Hearing that Democratic leaders get it will get their attention. And so will recognizing that they failed to get a raise under both Democratic and Republican presidents.
Hyperinflation imposes impossible costs on them, and we believe government must help make work affordable. We are urgently implementing legislation to cut your taxes, reduce health care premiums, prescription drug and energy costs. Republicans are just in the pockets of the big corporations, pharma, the NRA, monopolies and billionaires. That is the urgent choice in this election.
‘I want to increase the number of clients, also, not just wallet share,’ IBM CEO Arvind Krishna says at The Channel Company’s Best of Breed conference in Atlanta. ‘That means that we need your help. We are not going to go there directly at all.’
Under Arvind Krishna’s watch, IBM has decreased the number of direct customers from about 5,000 in 2020 to about 400, the CEO told a crowd Monday. And the tech giant plans to leave potential new clients to partners.
“I want to increase the number of clients, also, not just wallet share,” Krishna said. “That means that we need your help. We are not going to go there directly at all.”
The CEO of Armonk, N.Y.-based IBM discussed his company’s investment in partners, the integration of subsidiary Red Hat, encouraged partners to raise their prices given the inflationary economic environment and even weighed in on chipmaker Broadcom‘s pending acquisition of cloud vendor VMware at CRN parent The Channel Company’s 2022 XChange Best of Breed (BoB) conference in Atlanta.
Krishna was on stage responding to questions from The Channel Company Founding Partner Robert Faletra and CRN Executive Editor of News Steven Burke.
[RELATED: IBM Assimilates Red Hat Storage Technology Into Own Storage Business]
Mark Wyllie, CEO of Boca Raton, Fla.-based IBM partner Flagship Solutions Group, told CRN in an interview that he’s glad to hear IBM plans to continue integrating different parts of the Red Hat business.
Earlier this month, IBM announced that it had absorbed storage technology and teams from its Red Hat business to combine them with IBM’s own storage business unit as a way to help clients take advantage of the two without requiring extra integration or having to deal with multiple sales teams.
Wyllie wants to see IBM further integrate Red Hat services into its portfolio to help partners push the services out to existing IBM customers.
“I think that’d be a benefit to us and IBM,” Wyllie said.
Red Hat’s autonomy within IBM has been essential to its position as an open source software vendor. Krishna clarified Monday that the Red Hat brand will stay in areas where it has a stronger brand than IBM. For storage, “maybe we already have a storage channel, which Red Hat kind of didn’t,” Krishna said.
He said IBM gave Red Hat more security and management capabilities after its acquisition in 2019. Partners can expect more integration between Red Hat and IBM in areas involving Linux.
“So if you can take maybe 50,000 Linux servers and consolidate them using OpenShift on LinuxOne, maybe that‘s a play to be made,” Krishna said. “There’s a few clients who have woken up to that and are doing it right now. So I think that’s going to be a really big play you’re going to see.”
During his talk, Krishna encouraged partners to explore more opportunities in IBM’s artificial intelligence operations (AIOps) offerings, including Turbonomic, Watson AIOps and Instana.
Customers will continue to spend on automation tools, he said.
“The ability to go into an enterprise and tell them, ‘Look, we can do things a lot more automated. We can take some cost out. We can do monitoring, and eventually go closed loop on AI’ – which I don‘t think is happening yet,” Krishna said. “I think is a massive opportunity given the current labor market.”
IBM’s security offerings, as well as Red Hat and containerization offerings, are also areas for partners to invest in, Krishna said.
As for Broadcom and VMware, Krishna said that VMware remains an important partner for his company. And as long as VMware keeps investing in its products, it should remain “a strong franchise.”
“I think it’ll come down to what is going to happen in 2023 and 2024,” Krishna said. “As long as they keep innovating on the products, they keep giving more function back to their clients – it’s a strong franchise. That falls away, then that‘s a different question. But I think the virtualization world likes those products. Now it’s up to them to keep innovating.”
Krishna also told partners they should raise prices to cover the growing cost of labor with such high inflation in the U.S.
“From our conversations with clients, I would tell you that nobody loves it, but they all understand,” he said. “Because most of our clients are doing the same out to their clients. … Pricing power comes down to something simple. Is the product highly valuable and is it sticky? … In a world of fewer skills, if you have the skills, you can price those skills.”
I think IBM has had a good run, [and] not all companies last forever. There is a life cycle to a company. They are born [to] grow and then decline. They [IBM] have been in decline for 10 or 12 years...When you’re 75, you’d love to be 35 again, but you’re not going to...So that’s the way I think of aging companies. Trying to turn them around might be the most dangerous thing you can do. - Aswath Damodaran, July 22, 2017
I included the quote above in one of my prior IBM (NYSE:IBM) analyses back in early 2020 when I took an in-depth look at the firm’s newer (at the time) hybrid cloud and artificial intelligence (“AI”) strategy. It’s strong, if understandable logic. But, in the particular case of IBM, is it accurate?
With IBM’s earnings date set for next Wednesday, October 19 to report Q3 FY ‘22 results, investors might wonder if Dr. Damodaran is right. If we were only to consider the share price, his words might seem prescient since the stock was trading around ~$140/share at the time the article from which the quote was referenced was published; as compared to today’s close of $117.57. In fact, the stock has barely nudged above $140/share over the last 18 months.
Data as of market close October 12, 2022.
Yet, 2022 has proved to be a reasonably good year for IBM…so far.
As other Seeking Alpha authors have noted, the stock has held up fairly well, dropping “only” ~(14%) YTD as compared to ~(25%) YTD for the S&P 500.
Q2 FY ‘22 revenue of $15.5B reflected 16% growth versus the prior period in constant currency.
The revenue performance in Q2 FY ‘22 demonstrated strength across all geographies and the company’s key operating segments, namely software, infrastructure, and consulting.
The software, infrastructure, and consulting segments racked up sales of $6.2B, $4.2B, and $4.8B respectively during the quarter, reflecting growth of 12%, 25%, and 18% respectively versus the prior period in constant currency.
TTM hybrid cloud revenue stood at $21.7B at the end of the quarter, up 19% in constant currency.
YTD cash from operating activities was $4.6B at the end of Q2 FY ‘22, driving YTD free cash flow of $3.3B.
Management’s confidence exiting Q2 FY ‘22 allowed CEO Arvind Krishna to reaffirm full-year guidance noting that "[with] our first half results, we continue to expect full-year revenue growth at the high end of our mid-single digit model.” Free cash flow for the full-year is expected at $10B.
With the foregoing in mind, we might predict a strong Q3 FY ‘22 performance as well. But, recently lowered price targets by several analysts might hint that dark clouds may have already formed over IBM’s 2H FY ‘22.
To put IBM bulls at ease, recently lowered price targets by two analysts reflect a minor “trimming”, with both maintaining their buy ratings.
However, UBS Group, who had previously slashed their price target from $136/share to $124/share in early January, did so again dropping their price target to $112/share while maintaining a sell rating.
UBS analyst David Vogt had suggested early in the year that the firm was trading at “...an ‘elevated valuation’ [leaving] the shares ‘vulnerable’ over the next 12 months”.
The contrast between UBS and Morgan Stanley/Credit Suisse above could not be starker. Even without practicing their research notes, we might assume the Morgan Stanley and Credit Suisse analyst teams are pleased with the performance of the core business, even if they are dropping their price targets a bit. And, on that point, I think there are reasons to be bullish.
1. IBM Consulting demonstrating strength.
During the recent Goldman Sachs Communacopia and Technology Conference, John Granger, Senior Vice President of IBM Consulting, noted that “[IBM is] a big consulting player…[with] 150,000 professionals across the world. Revenue is approaching $20 billion. And within the IBM family, [consulting is] about a third of IBM’s revenue, but nearly two-thirds of IBM’s people.” As customers, particularly large enterprises, evolve existing legacy systems and/or digitize non-digital processes, they will draw upon such services as provided by IBM Consulting, including business transformation and technology consulting. These engagements are typically high-margin and high-value, often driving revenue in other parts of the business. Hence, as Mr. Granger also pointed out, the segment is extremely important with respect to IBM’s ongoing success.
There are not many companies that can do what IBM is capable of doing via its IBM Consulting segment. To reiterate the statistic that Mr. Granger mentioned, the organization reflects two-thirds of IBM’s entire employee headcount. The ability to put a large number of “feet-on the-ground” for a given project is somewhat unique to IBM, as it is for key consulting competitors like Accenture (ACN) and Cognizant (CTSH).
2. IBM has found its footing again in the APM and Observability space.
IBM’s acquisition of Instana in 2020 gave the company a boost in the large, multi-billion dollar application performance management (“APM”) market. Consider IBM’s position in Gartner’s APM Magic Quadrant from March 2019 versus their Magic Quadrant for June 2022 below.
As a leader, it is noteworthy to see IBM ranked higher, overall, than Cisco’s AppDynamics and Splunk, among others. Quoting myself from a prior article on Datadog (DDOG), “...the architecture of modern applications is radically different from even just 10 years ago – they are far more complex with many ‘moving parts’ that may reside in one or more clouds, and/or in on-premise environments.” This complexity – which is increasing in many ways – drives the need for APM solutions, and I theorized in the same article on DDOG that investors might see a certain resiliency within that market despite the economic slowdown. Time will tell if I am right about that. But, the point is that it is a large market, growing double-digits year-on-year by some estimates, and IBM is well-positioned to grow with it.
3. Management’s move deeper into security and automation technologies is a smart move.
During the Q2 FY ‘22 Earnings Call, Mr. Krishna noted that “[given] the importance of cybersecurity, in this past quarter, we also acquired Randori, a leading attack surface management, and offensive cybersecurity provider. This builds on the recent acquisition of ReaQta and the launch of QRadar XDR.” As the computing environments become more complex (see the prior point), security becomes that much more difficult. I think management shows good judgment pushing further into the security space as it is somewhat hard to imagine enterprises spending significantly less on security regardless of economic conditions. Automation is also front-of-mind for many organizations today as they attempt to streamline routine workflows and free-up employees to focus on more strategic work. Accordingly, Mr. Krishna explained that “[this] is one of the many reasons we are investing heavily in both AI and automation.” AI plays a key role in IT operations today, with Gartner inventing the term “AIOps” to refer to the combination of “artificial intelligence” and “IT operations”. On that basis, IBM would seem well positioned to capture a significant share of the fast-growing AIOps market via its tooling.
While we see the automation and security sub-segments only posting single-digit growth in Q2 FY ‘22 as per Figure 7, I would expect the growth rates of both businesses to increase moving forward due to the nature of those particular markets.
So, with reasons to think the core business still has some life left in it, is UBS too bearish with their call?
IBM’s revenue and EPS estimates are seen in the table below, along with the glaring marker of 13 downward revisions in the last 90 days.
With analysts clearly expecting a weaker performance, investors might keep a few other points in mind.
1. Q3 tends to be a weaker quarter for IBM.
As readers likely know, Q4 tends to be the strongest quarter for many technology companies. Such is the case with IBM as well; and thus history does not play in the company's favor heading into Q3 FY ‘22 results. Investors might also remember that the company missed its Q3 FY ‘21 estimates.
2. The Red Hat business is decelerating.
Red Hat sales growth in Q2 FY ‘22 declined to 12% versus the prior period which saw a growth rate of 20%. Although, both growth rates were identical at 17% adjusting for currency. Still, with a Red Hat growth rate of 21% in Q1 FY ‘22, this is not a trend that investors want to see considering that IBM bet the farm to a certain extent on Red Hat. Of course, it’s premature to declare that the business is in trouble. But, investors will certainly want to pay attention to the business’ results when Q3 FY ‘22 earnings are announced.
3. The hybrid cloud and AI strategy may be weaker than some investors think.
On the surface, IBM’s stated hybrid cloud and AI solutions strategy would seem to be gaining traction in the context of Q1 FY ‘22 and Q2 FY ‘22 results, with revenue growing 11% and 16% respectively versus the prior periods in constant currency. Mr. Krishna mentioned during the company’s Q2 FY ‘22 Earnings Call that the firm had more than 4,000 hybrid-cloud clients at the end of Q2 FY ‘22, including more than 250 added in the quarter itself. Of course, this is a bullish signal and it reinforces uptake of IBM’s architectural model centered on Red Hat Enterprise Linux, containers, and orchestration. However, we might also argue that 4,000 hybrid-cloud customers might seem a little low, especially as IBM has been talking about hybrid-cloud as far back as its Annual Report FY ‘11. I think this shows that while IBM correctly foresaw an evolution of the cloud into a “multi-cloud” as it pertains to how enterprises would deploy and run applications, there are any number of supporting technology stacks to support multi-cloud application environments, some of which might feature IBM technologies and some which feature none at all. There is a somewhat analogous story with respect to AI. The AI market is composed of innumerable players, many with specializations in particular sub-fields under the AI umbrella. Accordingly, it is an incredibly competitive space, sometimes characterized by a lack of compelling differentiation between competing solutions. While IBM is still regarded as a leader in AI by some, remember that their grand vision for IBM Watson never really came to fruition. This is all to say that IBM’s stated strategy may not be all that strong, especially in consideration of the prior point discussing the deceleration of the Red Hat business.
Having worked at IBM during my enterprise software career, I would lean toward the typical weakness seen in Q3 possibly driving a miss on both lines. Couple that with the possibility of emerging weakness in the firm’s strategy along with economic headwinds, and the outlook becomes somewhat gloomy. Maybe UBS was right.
As UBS lamented, IBM’s share price did not offer investors any kind of grand bargain early in the year; nor is it wildly cheap even after its YTD decline.
Data as of market close October 11, 2022.
Data from Polygon.io except P/S, P/B, and P/E data from Yahoo Finance; as well as ORCL and HPE gross margin data also from Yahoo Finance.
At the same time, it’s not wildly expensive either. As mentioned in the previous section, I do think Q3 FY ‘22 might be a bit rough, if only because it often is. But, with the idea that the “future” of the core business may be powered to a greater extent by IBM Consulting, and that IBM’s deeper push into APM, security, and automation may offset weakness elsewhere, I think it makes sense to hold the stock even with the threat of a weaker-than-expected Q3. Again, Q4 tends to be IBM's strongest quarter so if the stock dips following Q3 earnings, there’s a good chance it can recover following Q4.
I deliberately referred to IBM as a “service integrator”, rather than a “technology company”, in the title of this section because I tend to think of the firm more and more as a service integrator with technology, as opposed to a technology company with services. Services have been a core part of IBM’s business for decades; and I am betting services will drive a majority of revenues in the not too distant future. And, I actually think that’s a good thing because I personally think that’s where IBM excels. With Kyndryl (KD) spun out, I wouldn’t be surprised if IBM continues to slim itself down even more, perhaps with IBM Infrastructure the next to go.
Responding to the question I posed about Dr. Damodaran’s quote in the introduction: he’s probably right. But, that doesn’t necessarily mean investors can’t profit off an investment in the company. I think IBM’s core business will continue to throw off cash for a long time to come; and the stock likely will suit income investors just fine during that time.
Upcoming Q3 FY ‘22 results might leave investors wanting, but I think they owe themselves a longer-term perspective on the company’s forward prospects.
A shocking 90% of US small businesses have no cybersecurity in place to safeguard their data.
The cybersecurity landscape looks nothing like it did a decade ago. Once only the concern of large businesses, online threats now affect organizations regardless of size and industry. Comcast Business SecurityEdge™ helps companies mitigate threats to their business and protect themselves, their clients and their employees.
Fiction Tribe, a loyal Comcast Business customer, is a creative agency for many well-known brands. From product launches to demand generation, they develop multi-layered strategic marketing campaigns.
“Everyone’s at risk,” says James Rice, Owner, Fiction Tribe. “The traditional thinking when you’re a small company is, ‘I’m not Target or IBM, I’m 25 people in Portland, Oregon. I won’t get breached.’ But no one can think like that anymore.”
James Rice, Owner, Fiction Tribe
As Fiction Tribe evolved with the digital landscape, so did its client service agreements, adding more stringent cybersecurity requirements.
“Ten years ago, the cost to comply would’ve been outrageous for a business of my size,” Rice notes. “But today, Comcast Business is bringing those services under one delivery package. They’re protecting the same things that service contracts are requiring.”
“Cyber criminals just have to be right once, and cybersecurity companies have to be right all the time,” says Sukhjinder Singh, Product Manager for Comcast Business. “In addition to blocking known threats, Security solutions need to be equally effective in identifying and blocking emerging threats. SecurityEdge™ threat intelligence is updated every five minutes, blocking emerging threats in a constantly changing landscape.”
Rice and Singh both implore organizations to act now and put safeguards in place, which are possible without a large investment. When it comes to cybersecurity, a little can go a long way. For example, simply using multi-factor authentication can help safeguard a person’s digital identity and assets.
“Take a preventative approach,” Singh recommends. “It’s not a question of if but when. How will you respond?”
Comcast Business brings both prevention and mitigation expertise, protecting any internet connected devices across an organization’s footprint. On the backend, the system constantly updates its threat list, which has grown in recent years.
Fiction Tribe office
SecurityEdge™ is a leading cybersecurity solution tailored to meet the unique needs of small- to medium-sized companies. Even companies with a minimal budget that are looking for an affordable security solution can use this service as an added layer of defense for all internet connected devices.
“I don’t want to over-invest in this as a small business, but I need to make sure I’m not disregarding it,” Rice says. “I could have a massively compromised organization in the snap of a finger.”
For larger, more complex organizations, Comcast Business offers actively managed cybersecurity solutions tailored to specific needs, including distributed denial of service (DDoS) mitigation, advanced security solutions and software-defined networking (SD-WAN).
“We want to be a trusted solutions provider to businesses of all sizes. If you’re a small- to medium-sized business, we can get you something effective and affordable,” Singh says. “If you’re a larger business, we can offer advanced security solutions that are fully managed.”
Common attacks today include phishing and botnets. The initial phishing attempt infects the system and paves the way for the bot to enter and launch an attack, capturing keystrokes to steal login credentials or hold databases for ransom.
For companies like Fiction Tribe, this is potentially crippling to the business.
“How much disruption can a small business handle? We’re trying to get as much done in five eight-hour days as we can. We’re already at our limit,” Rice explains. “It’s not about my data being of national interest. It’s the fact that we’re avoiding disruption that could derail me for 30 plus days. It’s about my business and serving customers and building great creative work.”
As a longtime client of Comcast Business internet services, Rice turned to them to quickly implement a simple cybersecurity solution. The “installation” required no additional equipment and the service was quickly activated remotely, providing the Fiction Tribe management team with access to a dashboard for monitoring attempted attacks.
“We hear stories in the media about attacks on school districts or hospital systems, and those have become more frequent,” Singh explains. “More and more people are using internet based, digital technologies to operate their business. The surface area for potential cyberattacks has increased.”
Every Sunday night, Fiction Tribe receives an email compiling all the cyberattacks prevented that week. “I actually look forward to receiving that weekly report,” says Rice. “I get peace of mind from seeing all the cyberattacks we avoided.”
Comcast’s solutions will continuously evolve to address the current and future needs of its customers.
“In the old days, you would piece together 10 different providers to be compliant. Now, if a new requirement comes out, I’ll just call Comcast and ask if they can make it happen,” Rice says. “I have grown with them. They have matured their offering for me, and that has led me to where I’m at today.”
Brand stories are paid content articles that allow Oregon Business advertisers to share news about their organizations and engage with readers on business and public policy issues. The stories are produced in house by the Oregon Business marketing department. For more information, contact associate publisher Courtney Kutzman.
A four-year bachelor’s degree has long been the first rung to climbing America’s corporate ladder.
But the move to prioritize skills over a college education is sweeping through some of America’s largest companies, including Google, EY, Microsoft, and Apple. Strong proponents say the shift helps circumvent a needless barrier to workplace diversity.
“I really do believe an inclusive diverse workforce is better for your company, it’s good for the business,” Ginni Rometty, former IBM CEO, told Fortune Media CEO Alan Murray during a panel last month for Connect, Fortune’s executive education community. “That’s not just altruistic.”
Under Rometty’s leadership in 2016, tech giant IBM coined the term “new collar jobs” in reference to roles that require a specific set of skills rather than a four-year degree. It’s a personal commitment for Rometty, one that hits close to home for the 40-year IBM veteran.
When Rometty was 16, her father left the family, leaving her mother, who’d never worked outside the home, suddenly in the position to provide.
“She had four children and nothing past high school, and she had to get a job to…get us out of this downward spiral,” Rometty recalled to Murray. “What I saw in that was that my mother had aptitude; she wasn’t dumb, she just didn’t have access, and that forever stayed in my mind.”
When Rometty became CEO in 2012 following the Great Recession, the U.S. unemployment rate hovered around 8%. Despite the influx of applicants, she struggled to find employees who were trained in the particular cybersecurity area she was looking for.
“I realized I couldn’t hire them, so I had to start building them,” she said.
In 2011, IBM launched a corporate social responsibility effort called the Pathways in Technology Early College High School (P-TECH) in Brooklyn. It’s since expanded to 11 states in the U.S. and 28 countries.
Through P-TECH, Rometty visited “a very poor high school in a bad neighborhood” that received the company’s support, as well as a community college where IBM was offering help with a technology-based curriculum and internships.
“Voilà! These kids could do the work. I didn’t have [applicants with] college degrees, so I learned that propensity to learn is way more important than just having a degree,” Rometty said.
Realizing the students were fully capable of the tasks that IBM needed moved Rometty to return to the drawing board when it came to IBM’s own application process and whom it was reaching. She said that at the time, 95% of job openings at IBM required a four-year degree. As of January 2021, less than half do, and the company is continuously reevaluating its roles.
For the jobs that now no longer require degrees and instead rely on skills and willingness to learn, IBM had always hired Ph.D. holders from the very best Ivy League schools, Rometty told Murray. But data shows that the degree-less hires for the same jobs performed just as well. “They were more loyal, higher retention, and many went on to get college degrees,” she said.
Rometty has since become cochair of OneTen, a civic organization committed to hiring, promoting, and advancing 1 million Black individuals without four-year degrees within the next 10 years.
If college degrees no longer become compulsory for white-collar jobs, many other qualifications—skills that couldn’t be easily taught in a boot camp, apprenticeship program, or in the first month on the job—could die off, too, University of Virginia Darden School of Business professor Sean Martin told Fortune last year.
“The companies themselves miss out on people that research suggests…might be less entitled, more culturally savvy, more desirous of being there,” Martin said. Rather than pedigree, he added, hiring managers should look for motivation.
That’s certainly the case at IBM. Once the company widened its scope, Rometty said, the propensity to learn quickly became more of an important hiring factor than just a degree.
This story was originally featured on Fortune.com
More from Fortune:
A 2007 flashback: home flippers are in trouble again
Managing Gen Z is like working with people ‘from a different country’
The Renault Nissan empire once held together by fugitive Carlos Ghosn may slowly be unraveling
PayPal tells users it will fine them $2,500 for misinformation, then backtracks immediately
Investors this year increasingly turned away from dividend stocks in favor of the rising yields being offered on bonds. Given that investors can now earn a 4.3% return on a 2-year Treasury note, many prefer that guaranteed return to the risks of putting money into the stock market.
International Business Machines (IBM -1.44%) offers a dividend yield that exceeds that bond return. But with a bear market in progress, are investors better served to take a chance on the cloud stock or to take the 4.3% return at virtually zero risk?
IBM didn't participate in the bull market of the 2010s. The stock dropped as its tech businesses suffered a considerable growth slowdown. In an effort to change that, IBM pivoted into the cloud computing sector aggressively, in part via its $34 billion purchase of Red Hat in 2019. Grand View Research forecasts a compound annual growth rate of 16% through 2030 for the cloud industry. Growth like that could certainly help both IBM and its stock.
Also, IBM spun off its managed infrastructure business into a new public company, Kyndryl. This business was less of a fit with the parent company amid its pivot to the cloud. Separating it off should make it easier for IBM to grow its revenue.
Time will tell if these moves can help the stock price recover. Nonetheless, IBM currently pays its shareholders $1.65 per share every quarter, or $6.60 per share annually. At the current stock price, that adds up to a yield of 5.6% per year. Moreover, depending on your financial situation, the IRS may tax your dividends at a lower capital gains rate, which can offer an added advantage.
Additionally, IBM hiked its payout annually for 27 consecutive years, making it a Dividend Aristocrat. That status carries some importance as many income investors will be more inclined to buy and hold IBM stock because of this status. Also, since abandoning Dividend Aristocrat status tends to hurt a stock, management will probably prioritize maintaining it by continuing to raise those payouts.
Investors also can also reinvest their dividend payments into more IBM stock. However, such newly purchased shares will pay you the dividend yield at that time. The return will rise if the stock falls since investors can buy the exact cash return at a lower price. Conversely, cash yields will drop if the stock rises, but those investors still benefit since the stock has increased in value.
U.S. Treasury notes offer more stability than stocks such as IBM. Investors who purchase the 2-year Treasury note receive semiannual interest payments. At the current interest rate of 4.3%, investors will receive a 2.15% cash return on their invested amount in each of the subsequent three six-month periods. In the fourth period, when the note matures, investors receive the final 2.15% payment along with the return of their principal.
Investors should also be aware that bond values can fluctuate. If interest rates drop, the value of the bond will fall; the opposite will happen if rates rise. This affects investors if they decide to sell the bond early. Upon maturity, the note will return to its par (or nominal) value.
Additionally, bond interest payments are subject to federal income tax but exempt from state and local taxes. In some cases, this is higher than taxes on dividends. Still, bond issuers are obligated to make such payments. In contrast, IBM faces no legal obligation to continue its dividend.
Also, like with a stock, investors can reinvest their interest payments into more notes or other forms of Treasury bonds. However, those purchases will be subject to the prevailing interest rates at that time.
Investors who lack much risk tolerance should choose the Treasury note. Given its guaranteed return, they will not have to worry about volatility.
Nonetheless, for investors comfortable with buying stocks, IBM is a surprisingly strong buy. The cloud industry is in growth mode, which should propel IBM stock to a long-awaited turnaround. Moreover, IBM has repeatedly shown it wants to hold on to its Dividend Aristocrat status. This should provide its income investors returns that are not only larger than the bonds offer, but also likely to increase in size.