Innovate or Die?

Credit to Author: William “Bill” Malik (CISA VP Infrastructure Strategies)| Date: Fri, 16 Aug 2019 15:13:14 +0000

The recent series of IT acquisitions and IPOs highlight a simple economic fact: companies that fail to keep up with the fast-paced innovation of technology can easily become targets for acquisition.

Mark Twain put it this way: History doesn’t repeat itself, but it rhymes. As a former Gartner analyst, I find it irresistible to comment when our industry versifies.

During the 1970s and 1980s, Computer Associates executed a sound business model. They acquired mainframe software companies following a careful economic analysis. When a potential target company achieved more than half its revenues from maintenance contracts, when its stock price dropped as investors felt that long-term growth was slowing, and when the company had a significant cash hoard, CA would make its bid. Usually the acquisition would succeed. Following the takeover, CA would use the cash to repay the loan used to fund the acquisition. They would liquidate assets and cut expenses in research and development, sales, support, training, administration, marketing, and channel support. The resulting shell would improve the unit’s financial performance. The maintenance revenue stream would fund the next round of acquisitions.

During my time with Gartner, I worked with financial analysts at our sister company, Soundview Associates. They developed a spreadsheet incorporating the CA model, and used it to spot potential acquisitions. The same model guided Oracle during its acquisitions in the 1990s and 2000s. Now, a similar pattern seems to be guiding Broadcom.

Information security is a highly dynamic industry sector. As a non-functional strategy, information security typically gains less focus and resources than core new product functionality. As new capabilities enter the market, they introduce new attack surfaces and invite new attack vectors. Any viable information security vendor must sustain relevance in this volatile technology landscape. Without extensible products, a vendor cannot maintain a leadership position in the field. While start-ups proliferate, these offer a solitary point product to address a specific new vulnerability. This leaves the enterprise customer with an unpleasant set of options.

Most enterprise customers already have dozens of information security products in their portfolio. The option of adding yet another solution to the mix is unappealing. A clever start-up may have an insightful approach to tackling a novel vulnerability. Most prospective customers also weigh the additional complexity in their operations, the burden of training scarce staff on another product, the additional stream of alerts into their SEIM or SOC, and the discipline of managing a small vendor with problematic financial viability.

A second option is to wait for a larger information security vendor to acquire a start-up, and integrate the new technology into their existing portfolio. Integrating new products into an existing portfolio is vastly more complex than most customers appreciate. Typically, the process takes these steps. First, the new tool gets a new name. Then, its alerts flow into whichever SEIM or SOC the existing suite exploits. Next, the product’s agents (if any) are built into any pre-existing agents, minimizing the customer’s installation complexity. Later, product engineering merges the new back-end data store into the suite’s data store, possibly driving a re-engineering of that back-end store to handle the new information’s structure and analytical tools. Finally, the product engineering team has to bring the combined capabilities to par for both on-site installed customers and cloud-based SaaS customers. That step must include appropriate APIs for integration to MSPs, as most enterprise customers do not want to run complex SOCs and prefer to outsource specialists for diagnosis, support, and remediation.

Note that this stream of investment takes years. It draws down cash as the vendor invests in the “plumbing.” The financially successful strategy of “acquire – strip cost – monetize maintenance” discussed above prohibits costly investment in that plumbing, meaning most acquisitions never achieve much more than re-branding.

Consider mainframe job schedulers acquired by CA over the decades: CA-7 (once UCC-7), CA-AutoSys (formerly Paragon Global Technology via Platinum Technologies), CA-Workload Control Center (formerly Cybermation), and other offerings from Boole and Babbage and Legent. None of these products were integrated beyond branding: the cost would have rendered the acquisition unprofitable. (See https://www.itjungle.com/2007/04/10/fhs041007-story04/ for background on CA’s integration strategy in 2007.) Firms chasing the financially driven acquisition model cannot make long-term investments in their acquisitions.

The third customer choice is to invest heavily in a start-up. This mitigates the financial viability question. The customer/partner will drive product development. This guarantees the vendor addresses the customer’s needs quickly, but it does potentially distract the customer’s IT team from their primary mission, which is not running a start-up but handling the customer’s business problems.

The final customer choice is to find a vendor what invests in product integration at a deep level, for the long term, and delivers on that strategy. This necessitates the vendor prioritize product enhancement over short-term financial results. This business strategy is not a flashy as others, but it is deliberate, measured, and generates durable results. The vendors in this camp acquire companies not for their maintenance revenue stream or their cash and real estate holdings, not for their customer list, not for their geographical presence, not to monopolize a market, thwart a deal, nullify a competitor, and not for their patent portfolio. These vendors acquire companies for their current and future technology. They focus on technical capabilities and cultural fit – if the people don’t stay, the future of the product is lost.

Please note that I am a technology analyst, not a financial analyst. But I am proud to work for a company like Trend Micro. This timeline shows our history of innovation and integration: www.trendmicro.com/en_us/about/history-vision-values.html?modal=s4a-btn-see-infographic-06c573

Let me know what you think! Either comment below or @WilliamMalikTM

The post Innovate or Die? appeared first on .

http://feeds.trendmicro.com/TrendMicroSimplySecurity