How Secure Is BB10 And Does It Matter?



Focusing solely on BlackBerry's niche market is not enough for the firm to grow.

BB7 is the security champion among older OS devices; however, BB10 faces strong competition from Windows Phone 8 and Android with Samsung Knox devices.

BlackBerry has a moderate economic moat in terms of security, but that moat is quickly decaying.

BlackBerry's (BBRY) competitive edge in the corporate mobile industry is eroding: the new partnership between Apple and IBM, Samsung's entry into mobile security, along with AirWatch, MobileIron, and Good Technology's rise in the Enterprise Mobile Management (EMM) industry are squeezing BlackBerry's future potential. Nevertheless, BlackBerry bulls are constantly pointing to the firm's top tier security offering as a guaranteed competitive advantage. But how good is "top tier" in terms of competitive advantage, and will it actually make a difference in terms of device sales, user growth, and stock price?

Who buys security?

It's easy to define a secure mobile phone: user activities are contained in a closed network and data cannot leave or enter this network without permission. However, the effectiveness of security is hard to measure. Like the TSA with terrorist prevention, the security breaches BlackBerry prevents cannot be measured, yet every breach calls into question BlackBerry's actual effectiveness. Thus, security is hard to sell, but it is the firm's best differentiating competitive advantage.

I believe that enterprise buyers of BlackBerry smartphones fall into two types: a niche buyer and a casual buyer. A niche customer truly values a phone's secure offerings more than its functionality, performance, aesthetics, etc., and will likely base their purchasing decision on a device's security specifications and security reputation, placing equal weight on both. Examples of niche customers would include government agencies, financial institutions, and legal services. These firms should value security above all else, because the type of information they seek to protect can be valuable enough to significantly endanger firm survival. It is well known that the POTUS cannot use any other phone due to security reasons and Angela Merkel is now doing the same.

However, I think the niche market is barely big enough to support BlackBerry's ambitions. If BlackBerry aims for 5% of global market share (3rd place), it would need to sell 47 million smartphones. I estimate the niche customer base as follows: the number of employees in legal services (1.1 million), accounting (0.87), financial activities (8.0), and federal, state, and local government (20.5) sum to only 30 million employees, which is roughly 9.7% of the US population (Employment situation report). Assuming this same ratio holds across all of BlackBerry's major markets, we get roughly 210 million customers, although this figure decreases to 90 million if we exclude India (BlackBerry's market share in India is less than 1%). Thus, the firm would have to retain at least 50% of customers in its niche industry. These percentages are certainly not unheard of, but they seem unreasonable, especially given the competitiveness of Apple (NASDAQ:AAPL) + IBM (NYSE:IBM) in developed markets and Nokia (NYSE:NOK) + Windows (NASDAQ:MSFT) in developing markets, along with the relaxed assumptions that everybody in these occupations needs a secure smartphone and that white-collar niche workers are 9.7% of the population in developing countries.

On the other hand, a casual enterprise customer should value security less than (or equal to) functionality, performance, etc., since data breaches, denial-of-service attacks, and other common security problems are nothing more than inconveniences. They might be expensive, but they cannot cripple the firm. The casual customer base is the largest customer base and includes verticals such as retail, healthcare, media, and just about everything else. These firms do not contain data that, if stolen, could permanently damage the firm's performance. A 2013 report by Deloitte showed that TMT organizations, which host and transfer a significant amount of the world's data, reported only 12% of breaches as high impact and 58% as medium impact. Their top three concerns were breaches at third parties, denial-of-service attacks, and employee error, all basic security concerns. Since most enterprises are much less data heavy than TMT companies, the frequency of high impact data breaches should be noticeably lower.

Whereas IT and security managers in niche enterprises would have the most purchasing power, IT managers for casual firms will likely have to balance employee demands with security needs. Most employee end users have little incentive to give up performance for security: using a lower-functionality device is a hindrance, whereas a data breach neither harms nor helps employees. Thus, casual IT managers will likely make device purchases based on a phone's security reputation and phone functionality rather than actual security specifications. Casual enterprise customers will be harder for BlackBerry to target because the differentiation value of its secure phones is a lot lower in this segment. However, Microsoft's Satya Nadella seems to understand the dynamic of this market and describes these enterprise customers as:

"Dual users - people who will use technology for their work or school and also deeply use it in their personal digital life. They strive to get stuff done with technology, demanding new cloud-powered applications, extensively using time and calendar management, advanced expression, collaboration, meeting, search and research services, all with better security and privacy control."

If BlackBerry is unable to provide its customer base with a robust range of productivity apps, PDA services, and other experiences rivaling those of its competitors, then its end users are unlikely to choose BlackBerry devices of their own volition. Selling devices to CIOs and implementing them by force due to security reasons is a poor long-term strategy in the age of Bring-Your-Own-Device.

Are BlackBerry devices technically differentiated by function?

A 2012 study by Trend Micro ranked OSes in terms of security functions as follows: BB7 @ 2.89, iOS 5 @ 1.70, WP7.5 @ 1.61, and Android 2.3 @ 1.37 with 5 as the maximum rating; thus BB7 is the security champ among older smartphones. As for BB10 devices, roughly 25% of the firm's 2013 unit sales, BlackBerry offers several new features such as secure password storage, workspace containerization, app permission management and anti-theft features preloaded on the device. Apple's iOS comes closest to matching these functions but relies on third party software to develop its capabilities; e.g., its containerization features rely on third party device management solutions. Rather than using another functional comparison of BB10 against the newest OSes from a security corporation promoting its products, I tried to measure OSes against criteria established by the Communications-Electronics Security Group (CESG). The point of this comparison is not to assess actual technical scores, but to see the magnitude of the differences among OSes:

The results are rather unclear for BB10. WP8.1, KNOX 1.0 and BB10 are too close to each other to determine the most technically secure offering; e.g., if I assign BlackBerry a 5 for event collection assuming the firm releases this feature, then BB10 becomes the best-in-class secure provider.

Nevertheless, all five iOS's are limited to accessing OFFICIAL level documents, below the SECRET and TOP SECRET levels. BlackBerry's encryption methods are reputed to be unbreakable; but CESG reported, "The device's native data encryption has not been independently assured to Foundation Grade, and does not support some of the mandatory requirements expected from assured full disk encryption products." Interestingly, Windows' BitLocker encryption, although not officially Foundation Grade certified, "is equivalent to Foundation Grade when configured as per [CESG] guidance." BlackBerry fanboys also point out that the firm's Network Operation Centers, secure messaging, and back-end servers give the firm a technical edge; but with the Apple + IBM and Android + KNOX combos, whatever remains of BlackBerry's technical security differentiation is in real danger, as its rivals have the resources to develop comparable facilities.

Are BlackBerry devices differentiated by reputation?

A way to measure BB10's security reputation is through government security certificates, as customers are generally impressed with strong government accreditations. Certification and accreditation is performed by DIACAP (Department of Defense Information Assurance Certification and Accreditation Process; DIACAP is actually being abandoned for NIST allowing a 3 year transition), which tests devices not only on a functional basis, but from a more comprehensive, system-wide perspective with regular performance reviews.

In May 2014, BlackBerry announced that BB10 devices connected to BES10 are the first and only mobile solution to receive Authority to Operate (ATO) and Full Operational Capability (FOC) certificates from the U.S. Defense Information Systems Agency (DISA). Analysts have noted that this is the "last" part of the authorization process, but what does "last" really mean? Is there any benefit to completing the "last" part? BlackBerry clarifies the terminology in an obscure blog post (emphases are mine):

"Security Technical Implementation Guide (STIG)

STIGs are configuration guides that users and administrators use to securely operate products within DoD. STIGs are developed by product vendors in conjunction with the Defense Information Systems Agency to satisfy a set of security requirements, and verified by DISA through conformance testing.

Authority To Operate

ATOs are granted for products with STIGs to be implemented in the DoD network for small deployment purposes. At this stage of deployment, products are further tested for any operation and integration issues with existing DoD infrastructure.

Initial Operation Capability (IOC)

IOC is the initial attainment of products to be operated by trained DoD personnel. At this point the products are deployed in the DoD network for production use.

Full Operation Capability (FOC)

In the FOC stage, products are fully deployed and in operation and support phase. This is the last and final step to product approval, acceptance and acquisition in the DoD."

In other words, when BlackBerry announced that they were approved by the DoD in May 2013, BB10 had already achieved its highest secure status. However, this same status is applicable to Android 4.4 with Samsung Knox (OTC:SSNLF), iOS 6, and iOS 7, all of which received STIGs and are approved for use on the defense network as listed on the Unified Capabilities Approved Product List. For further clarification, I called the UC Certification Office, and they explained it to me as: all UC APL products are secure enough to operate on DoD networks, and ATOs are obtained by individual DoD components to make sure localized implementation is possible.

However, BlackBerry's explanation of FOC is more confusing. The firm initially announced that FOC validation "completes DISA's certification process for BlackBerry 10 mobility management platform" in its press release. I think their blog post is more accurate in describing FOC as the end of BB10's acquisition process by DoD components; certification and accreditation was already completed last year when BlackBerry received its STIG. The DoD's official training program describes FOC as "attained when all units and/or organizations in the force structure scheduled to receive a system have received it and have the ability to employ and maintain it." A report by DARPA's Gary Hagan on DoD acquisition processes also supports FOC as a "completion" status rather than an "accreditation" status. In summary, ATO and FOC do not give BB10 devices higher security accreditation, but rather represent the beginning-to-end process of a purchase fulfillment.

With regard to performable operations on the DoD network, all STIG approved smartphones are "Use Case 2", which is still not "Use Case 3", the deepest level of DoD's network services including programs utilizing technologies such as VVoIP and XMPP. However, BlackBerry is slightly ahead in offering a more integrated and higher quality solution. Apple iOS 7 devices can only be deployed in the DoD with Mobile Device Management and Mobile Application Management servers and BES10 is currently the only approved device management back-end server. Samsung devices can be deployed with DoD apps functioning only in the KNOX container; however, the compliance memo warned against irremovable carrier bloatware and third party access to device data found on the firm's devices. I believe that the DoD is unlikely to replace BlackBerry phones with Samsungs as long as BlackBerry continues to provide cleaner phones, update BB10's productivity functions, and reinforce features with high switching costs DoD users are used to; e.g., BBM and keyboards, although the firm should lower prices to retain certain Pentagon customers.

We can also examine reputation differentiation by NATO authorization. BlackBerry Enterprise Server with BlackBerry 10 devices is the only smartphone solution with access to NATO Restricted level documents. This is positive, but is slightly misleading. NATO has six levels of security from lowest to highest: Unclassified, Restricted, Confidential, Mission Secret, NATO Secret, and Cosmic Top Secret. When put into context, "restricted" operating status seems less impressive. BlackBerry may be the only smartphone with this access, but 5 other feature phones and mobile device management solutions also operate on this level. Two more operate at the confidential level, and one more at Cosmic Top Secret.

Security differentiation as a competitive advantage

BB7 and BB10 devices are somewhat technically differentiated, much aided by its past-decade legacy, but the attacks on BB10's secure status as best-in-class are, in my opinion, well justified. I believe its security reputation will continue to erode. The firm may have the most security certifications and accreditations, but they do not seem to be too difficult to obtain. As other manufacturers apply for the same certificates, BlackBerry will need to update its brand differentiation strategy, most likely by pursuing stronger technical differentiation.

Will better security offerings alone translate into a higher stock price?

From this cursory examination, I think it is safe to assume that having secure service and hardware in and of itself will help the firm retain a small percentage of customers, although it is not sufficient to drive higher adoption rates of BlackBerry devices. BB10 phones are secure enough to warrant a moderate economic moat, although the moat is under attack, and the firm currently does not have enough resources to compete and out-innovate in this area. Being the most secure device or device solution is not enough for BlackBerry to grow.

The firm needs to win its niche customers back and then really go after the casual enterprise base. However, as John Chen has noted in his Q2 conference call, BlackBerry is currently trying to stop the outflow of enterprise customers and convert CIOs back from competitor solutions such as MobileIron and Good, rather than expanding into new territory. For the time being, BlackBerry will need to go up against Apple + IBM and Nokia + Windows in productivity solutions as well as maintain its technical and marketing security differentiation, until it can successfully monetize its BBM, QNX and Internet of Things connectivity strategy. Given its current strategic position and lukewarm probability of a successful transition to services, I believe the firm has an intrinsic value of around $8 to $12; although a higher value of $15 and perhaps even $20 is not too unrealistic, if John Chen capably executes his software strategy and brings back higher gross margins.

Disclosure: The author is long BBRY.

The author wrote this article themselves, and it expresses their own opinions. The author is not receiving compensation for it (other than from Seeking Alpha). The author has no business relationship with any company whose stock is mentioned in this article.

Additional disclosure: I bought shares of BBRY at $8.99.