Securing Cyberspace-the Government vs. the private sector

There were 2 conferences yesterday addressing cybersecurity. One was the National Cyber Security Summit in Santa Clara and the other was a smaller event in DC. While I was not in attendance, I did speak with a couple of people who participated in the events. The takeaway is that 85% of the critical infrastructure in the US is owned and controlled by the private sector. The other 15% is the government. While security has gotten better over the last few years, there are still some major holes in the system. There is a classic standoff right now as the government wants the private sector to take control of securing their networks and data while the private sector says why bother when the government’s infrastructure is not even secure. For example, if cyber terrorists took down critical DNS systems, whether or not the private sector secures its infrastructure is moot as the Internet will have massive troubles. Some in the private sector also alluded to the fact that Chief Security Officers do not have enough control as most are only VPs who report to CIOs who sometimes report to CFOs. If CSOs have no real control over budget, then how can they really effectuate change? The government, on the other hand, is threatening to take action and impose mandates for securing private infrastructure. The government wanted to give the private sector the chance to organize itself and develop its own best practices before it is forced to do so through legislative mandate. To hammer the point home, one official apparently said that the next terrorist attack could be on the information systems of a large financial services institution causing serious economic damage. Despite the warnings, it does not sound like the 2 sides made much progress yesterday. At the end of the day, companies in the private sector are driven by dollars. If these companies feel secure enough already, they are not going to rush out to spend more money for the sake of national cybersecurity. 
Therefore, my feeling is that Ridge and his team will not get what they want until the private sector feels pain on their bottom line in the form of stiff economic sanctions. That being said, the government has to live up to its end of the bargain and drive security in its 15% of the infrastructure as well, because as Ridge says, all it takes is one hole to compromise national security.

Hand-held device security

Hackers like to go where they can cause the most pain. As 3G rolls out in the US, you can bet that hackers will go there as well. There was a great article last Friday in the New York Times about viruses and other security issues on cellphone and hand-held devices in Japan (free site but registration required). It is clear that we should look at how Japan is dealing with this issue as their wireless infrastructure is much more advanced than ours at this point. At the same time, it seems that not many people in the US are dealing with the issue now. Having suffered attacks in the past, NTT DoCoMo has gotten proactive and not only put security software on its servers but also on its handsets. We should learn from this and prepare our infrastructure accordingly. Spam is not the major problem on these devices; think viruses that can jam the 911 emergency response system or denial of service attacks that can bring a wireless network down. What happens when we live in an even more embedded world where chips in cars, appliances, etc. begin talking to a wireless network and become infected with a virus?

Many of the companies that I have seen that focus on wireless security are looking at the client or handheld device level. This is the approach that companies like Network Associates and Symantec are taking with handhelds. While I applaud the effort to protect our devices, I do not believe that putting antivirus software on every handheld device is the right solution:

1. Installing antivirus software on every device is not an easy-to-manage task;
2. While it is much easier to constantly update virus definitions on connected devices, this will increasingly eat up precious memory and computing cycles on your device.

What is needed is smart security on the edge. This will require software that can sit on the network/server layer and in real-time inspect every message being sent from one device to another. It is not easy to sit inline and inspect every message without creating latency. In addition, the software will have to be able to prevent unknown attacks through behavioral analysis and not rely solely on signatures to prevent nefarious activity. This will lessen the need to constantly update every handheld, chew up precious memory and power, and give users an easy way to use their connected devices without headaches.

The Economy and IT Spending

It looks like the economy in Q3 grew even faster than we initially thought, 8.2% annual rate versus 7.2%. It was not too long ago that the Department of Commerce released numbers showing 7.2% annualized GDP growth for Q3. If you take a closer look, “equipment and software” spending was at a 15.4% annualized rate. I obviously have concerns about the revised 8.2% GDP growth and certainly do not believe that is sustainable due to one-time factors like tax cuts and mortgage refinancings. While it is nice to see a 15.4% annualized growth rate in “equipment and software” for Q3, let’s not assume that this is the beginning of a huge ramp-up in IT Spending. To bolster my thinking, I like to look at a number of data points. For one, Goldman Sachs recently issued its October IT Spending Survey. Its latest survey calls for an increase of 2% spending for 2003 versus a December 2002 survey which forecasted a decline of 1.1% for 2003 spending. So it is nice to see that the trend reversed in terms of IT spending, and that it looks like there is a small rebound happening. That being said, the October 2003 survey forecasts spending growth of only 1.3% for 2004, down from an August 2003 spending survey forecast of 2.3% growth for 2004. That is a negative trend and does not promise earth-shattering returns to IT Spending in the bubble years. As Goldman Sachs mentions, hopefully there is just a lag in terms of how the economy performs and where each company is in its budgeting process. If this is the case, we should keep an eye out for data from future surveys.

Another data point that I look at is how the fund’s 30+ portfolio companies are performing. We have a number of companies in the Enterprise IT space selling security, storage, network management, wireless, and other related software. Some companies are performing extraordinarily well and others are close to budget. The fact that most of my companies are close to budget is a far cry from 2001 and 2002, years plagued by numerous reforecasts of revenue and expense projections. In general, sales pipelines are building momentum giving better visibility for the next two quarters. While I cannot say that all of the fund’s portfolio companies are growing like wildfire, in general the sentiment across the board is positive. As you can see, I am more in the Goldman camp of IT growth than what the GDP numbers reflect. The conclusion I draw is that even with 2% expected growth in IT Spending next year, as always, there will continue to be pockets of huge opportunity like security, business intelligence, and systems management allowing companies to protect their mission critical assets, report in real-time (or near real-time), and better manage the IT assets they already possess and do more with less. Call me a moderate optimist, if you will.

Capital Efficient Business Models

Yesterday I participated on a panel at the Mid Atlantic Venture Conference on the current venture capital market and how to raise capital. While this was a plain-vanilla panel about venture investing, there was one theme that was echoed by a number of my fellow panelists from Rho Ventures, New Venture Partners, Edison Ventures, and Cross Atlantic-today’s world requires software companies to have a capital-efficient business model. What is a capital-efficient business model and why does it make sense? From my perspective, a capital-efficient model is one that allows a company to use as little cash as possible to generate significant growth and become self-sustaining and profitable. Growth at all costs without profitability does not get you there and neither does profitability with no growth. Finding the right balance is important. Given this backdrop, the real question is how does today’s VC generate a 10x return? Yes, that is easier said than done, but let me walk you through why it is imperative for VC investors today. During the bubble years, a $500mm to $1b exit for a software company was not uncommon. A bad deal for a VC was a $100mm sale. However, many of the software companies during the bubble years required $50mm or more to create meaningful exit value, and in many cases the companies were still not profitable. Today and into the future, I believe we will return to a sense of normalcy where a great exit for a venture investor will mean $100-200mm of value. If it takes $50mm or more to get there you are talking about a 2-4x multiple for a GREAT deal. That is not terribly exciting. A capital efficient software model should only require $20-25mm to get to profitability. With those numbers a VC could earn 4-10x their investment, even at today’s reduced values. Given my perspective on what ultimate exit values will be, it will serve the entrepreneur and venture investor well to do as much as they can with as little capital.
This is doable-looking at history, Peoplesoft only raised $10mm of venture funding, Documentum raised $13.5, and Veritas raised $6mm. This does not mean skimping on growth, but it requires companies to:

1. Focus on getting product into the hands of its customers earlier rather than later-do not build the perfect product (see an earlier post);
2. Grow carefully-do not ramp personnel too far in advance of revenue;
3. Leverage offshore resources where appropriate;
4. Leverage reseller and OEM relationships (direct sales is way too expensive).

Each bullet point above deserves its own lengthy discussion, and I hope to address some of these in future postings. The impact this will have on the industry will mean that venture capitalists will need less capital for each company resulting in smaller funds and a better ability to generate multiples of invested cash for its investors. For today’s entrepreneurs, it will mean that they rethink their go-to-market strategy and remember to balance growth with getting to profitability sooner.

Chuck Prince, CEO of Citigroup

I was at the TIE Tri-State annual event in New York yesterday and participated on a venture capital panel helping young companies refine their pitches and business strategies. There were some interesting software and BPO (Business Process Outsourcing) companies that presented. On the BPO side, it was quite fascinating to hear about the types of services that companies were willing to outsource-for example, in the finance sector, basic credit analysis and research, analytics, and even some financial modeling. In today’s NY Times (free site but need to register), there is an article about teleradiology-X-ray and M.R.I. analysis being outsourced to India.

For those of you that do not know, TIE (The Indus Entrepreneurs) is a wonderful group and stands for the Indus Entrepreneurs signifying the ethnic South Asian or Indus roots of the founders. TiE stands for Talent, Ideas and Enterprise. From speaking with some of the members, it was clear that there was a lot more buzz and energy this year versus last year, especially due to the pickup in the economy. Speaking of economy, TIE was able to bring Chuck Prince, CEO of Citigroup, as a keynote speaker. Chuck did a great job as he was quite funny (he had the room in laughter a number of times) and also had some interesting things to say about the economy and entrepreneurship. Here are some relevant notes I took from his keynote discussion:

*Chuck outlined his bio in more detail and fleshed out how he came to be CEO of Citigroup. Basically, he ended up as General Counsel of Commercial Credit Corporation which was about to run out of money in 1986 when Sandy Weill swooped in and bought a large stake in the company and took it public. What Chuck learned about people over the years is that the great ones have intensity, passion, and a desire to win. He said that luck helps and even played a role in his career progression.

*Chuck has no doubt that the economy will perform well for the next 18 months. However, he strongly believes that the economy is susceptible to the election cycle. No existing President wants a recession in year 3 of a 4 year term as they are gearing up for a re-election. Of course, his big concern is what happens in January of 2005 when the President is faced with how to handle the budget deficit. If the economy does not pick up in a self-generating way, we could be faced with policy that could slow the liquidity-driven growth we are now experiencing.

*Longer-term, Chuck believes the world economies will segment into 3 distinct buckets of growth:

1. Dynamic growth characterized by young populations in India and China;
2. No growth characterized by homogeneous economies such as in Western Europe that are not open to immigration with aging populations, low growth rates, and a sagging economy;
3. Balanced growth economies like the US which is open to immigration and heterogeneous from a population perspective.

Unless Western Europe rethinks its immigration policies, it will not be able to sufficiently replace its aging population with young workers to drive growth. This could result in huge problems down the road.

*On offshore outsourcing, Chuck believes that is something that is just going to happen. Who would have guessed years ago that Toyota could make better cars in Japan and ship them to the US to put the auto industry at a competitive disadvantage? It happened. The same thing will happen in the service sector. Chuck believes it is inexorable. Therefore, companies should focus on services/products that need to be done locally, those that require a physical presence. Everything else that can be done offshore will be done offshore. Please see an earlier post if you want to read more about my thoughts on using offshore resources.

*If Chuck could give a young CEO advice (business related other than focus on family and ethics), he would tell that person that execution capability is the most important trait that a CEO can possess. One needs to move the ball and get things done. He has seen thousands of people who were smart, loyal, and dedicated but could not execute or get things done on a timely basis-they were all UNSUCCESSFUL. His advice is to write your issues down and check them off. Move the ball. I couldn’t agree more with Chuck on making sure you execute.

*As an aside, he also encouraged us to read Robert Rubin’s new book titled “In an Uncertain World.” He said that Bob is a fascinating man, and that he enjoys working with him at Citigroup.

Strategic Investors-the Good, the Bad, and the Ugly

I had the opportunity to speak on a panel today at the Corporate Venture Capital Summit. There was an interesting crew of speakers representing corporate-related venture activities for companies such as Hitachi, Intel, Nokia, Panasonic, Siemens, and Kodak. While one moderator cited numbers showing that the amount of corporate venture investing in terms of dollars is down 50% from 2000, in my mind, that does not seem that different from the change in the general VC market. While there are fewer corporate investors today, there are also fewer VCs. From the 3 panels today, it was very clear that the nature of corporate investing, if I can lump all the different players in one bucket, has changed. Like today’s VC, they are doing fewer deals. However, the deals that they are doing need to be more strategic and less opportunistic. This means that someone in a product group needs to somehow get behind the company and act as an internal sponsor. This does not mean that a company looking for funding will get a strategic partnership before a financing.

One of the questions I was asked today was how an early stage company can make a strategic investment successful. Here is what I had to say:

1. Show me the revenue-I would rather have an OEM or reseller deal than a strategic investment. Strategic investments do not mean anything if you are not going to generate revenue for your company and for your partner. In addition, when you sign a reseller or OEM contract it means that the hard work has yet to begin-an early stage company has to throw resources behind a partner to make things happen.

2. Go in with your eyes wide open-what is strategic for you may be tactical for your partner. In addition, beware of deal terms that may limit your ability to be flexible. These include rights of first refusal, exclusivity, and other non-standard VC terms.

3. A strategic investment is not an exit strategy-in many cases, it could actually limit your exit opportunities as other competitors to the strategic investor may not want to partner with you.

4. Do your due diligence-how successful has your strategic investor been in setting up relationships for other companies, how much juice does the strategic investor have to make things happen?

5. Manage expectations-constant communication between both sides is key to maintain a healthy relationship.

I could go on and on here but I just wanted to highlight a few of my top of mind thoughts. Suffice it to say that looking at the 30+ companies we have funded, partnering with strategics has been a mixed bag. There have been some that have worked out well and others that have not. However, if done right, I do believe that both sides could substantially benefit from a relationship as long as there are real dollars being generated.

Thoughts on Offshore Outsourcing

A number of my portfolio companies outsource development to India and other locales. When offshoring it is important to think about what can and cannot be offshored, whether management can handle it, and whether or not you open your own office with your own infrastructure or outsource completely. Given that an increasing number of companies that I come across either currently utilize offshore resources or plan on using offshore resources, I thought it would be beneficial to share some of my thoughts and experience related to this matter. Most of us end up using offshore development to work on non-core technology. For example, if you are going to offshore development for management software you may want to have maintenance of agents developed externally or a port from one operating system to another outsourced. When it comes to core architecture and design you are going to want to keep that in headquarters. Some companies make the mistake of trying to own it all and build their own team and own infrastructure from the start-if not done with the right personnel, this could be a disaster. Generally speaking, you may be able to outsource more than non-core development. In addition, for most companies, I recommend that you initially hire offshore development firms rather than build your own in-house staff to develop product. If it works well, you should have an option to eventually buy your partner out and turn your consultants into employees. If it does not work out, you can always end the relationship without incurring any upfront cost.

When accounting for the total cost, you want to make sure that you have your offshore development managed appropriately. Make sure you have the right project lead offshore, preferably one that your management team has worked with before. In addition, make sure your onshore management team can stay on top of the process as well. This will mean someone in headquarters whose prime responsibility is managing the offshore project. Offshore outsourcing will also require some face-to-face time every quarter. The big difference in doing it yourself versus using offshore consultants comes down to managing risks, speed to market and upfront costs. Doing it yourself will take more time and requires an upfront investment to set up an offshore subsidiary, open an office, hire talent, pay for infrastructure and equipment like computers, phones and T1 lines, and pay for benefits. While the monthly difference for making the upfront capital commitment is about $2k per employee (a big difference when you are talking about $1.8-2k in-house vs. $3-3.5k with partners), most companies cannot properly build their own offshore team. In the cases that I have seen work, my fund’s companies ended up sending over a core team of developers that wanted to move back to India. This gave us instant critical mass and the all important transfer of corporate DNA and culture. In general, I am not in favor of having an early stage company open their own offshore office without a number of existing employees making the move or without significant experience from the team in managing offshore relationships. Over time, as you build experience and successfully develop product with your offshore partner, you can think about moving this personnel in-house. Even if you do not have your own offshore resources, make sure that your offshore partner spends significant time at company headquarters (usually a couple of months) to gel with your team and understand your business, technology, and culture.

While the logical resource to offshore is either non-core technology or customer support, some of my fund’s companies have begun to experiment with offshoring pre-sales and back office finance. During the last 3 years, I have had the opportunity to watch one of the fund’s portfolio company’s headcount go from 100% US to 70% India/30% US. In addition, I have been able to watch higher value added functions get outsourced. For example, when it comes down to presales, it does not matter where you are if you understand the product and can articulate the need for it. At $6-8k a person versus $40-50k a person here, you can drive substantially more call volume and qualified leads offshore than you can onshore. It may not make sense if the offshore team is not your own as one of the big problems facing companies in India is employee churn. The more educated and higher quality resources that can speak excellent English are also the ones that are most hirable to other companies.

These are just my two cents and will continue to get refined over the next few years. I am curious to hear your thoughts about offshore outsourcing and whether or not you are offshoring more than customer service and technology or if you have any unique model for this process. In the end, it is very clear to me that venture-backed companies that can properly leverage and manage offshore resources will have an incredible advantage moving forward. As more companies take advantage of offshore development over time, this competitive edge will diminish and simply become a necessary way of doing business.

Novell in Microsoft’s crosshairs?

Novell to buy Suse

“This is not about competing with Microsoft. This is about addressing the impediments holding Linux back,” says Chris Stone, Novell’s Vice Chairman in the office of the CEO. What a great quote! I have worked with Chris in the past having invested in his prior company, Tilion. Chris is a smart guy and thinks big. Who in their right mind will tell Microsoft that they are competing directly with them? But let’s face it, Novell’s strategy is to ride the Linux wave by offering a complete enterprise stack which includes server, messaging, access control and eventually desktop. Yes, their desktop products acquired from Ximian and SuSE are immature and resemble a server trying to become a desktop OS. However, with time, I do believe that Novell’s ultimate goal is to get on the desktop of corporations. As for IBM’s $50mm investment in the company, who knows, but that could be a stepping stone for a possible acquisition if Novell is able to pull off its ambitious plans. At Tilion, Chris tried to revolutionize the supply chain industry by creating an on-demand view of the supply chain leveraging new technologies like XML. Backing Tilion’s vision in a December 2000 article from Internet.com, Eric Schmidt, now CEO of Google, commented, “Tilion finally allows large enterprises and exchanges to go beyond the simple enablement or automation of B2B transactions. Tilion allows you see into systems which were designed to be closed. This kind of net service will be what justifies the huge investments in B2B infrastructures and technologies such as XML.” We did not get very far with that vision as the supply chain market dissolved along with the rest of the software industry in 2001. It will be interesting to watch Novell during the next couple of years because we all know that it is about execution, and if Chris and Novell pull it off, it will be a big play. Of course the odds are stacked against them.