As we increasingly move to a connected world where all of our devices and products have embedded chips in them communicating with a wireless network to share information and data, we will become more susceptible to privacy and security issues. The New York Times has a great article (must log on but free to join) on automobiles and how products like Onstar from GM, EZPass, and even tires from Michelin can share data about you and where you have been. Obviously, there are a plethora of benefits from services like the above and a potential invasion of privacy is the tradeoff that we need to live with in order to have more convenience. However, there is one aspect of living in a more connected world that I worry about and that is security. In an earlier posting, I commented on potential security breaches in mobile phones and other devices. Currently Onstar can remotely unlock your doors and turn on lights and horns. What if a hacker found ways to control other functions in your automobile via Onstar? As new technologies emerge and proliferate into the market, you can bet that hackers will find a hole to exploit. When taking advantage of new technology and designing new products, companies must carefully balance the tradeoff between convenience/simplicity and security.
Besides taking a brief time out to celebrate the Expertcity deal, I have spent a fair amount of time interviewing VP candidates for one of my portfolio companies. As with any smart executive who cares about the value of equity, the question I am often asked is, “What is your exit strategy?” My answer is quite simple: every company we invest in must have IPO potential (IPO potential as defined by non-bubble metrics) but along the way if someone makes an offer for the company because it is an attractive, rapid growth business, we can evaluate it appropriately. What we will not do is invest for the sole purpose of having a company acquired. That is a losing proposition. The ultimate way to create value is to have a real business with real cash flow and a strong balance sheet where you can show your potential acquirer that you do not need any other sources of funding besides self-sustaining growth. VMware certainly used this approach when it decided to sell to EMC. You have to be able to show your potential acquirer that they are not the only way to create liquidity for your business.
Companies are bought and not sold. What I mean by that is good exits usually happen when someone tries to buy your company rather than you trying to sell your company. In other words, these good exits usually happen when your company is approached by a potential buyer, i.e., you are seen as desirable in someone else’s eyes rather than you telling someone how pretty you are. Typically, these types of exits result from already existing, revenue-generating business relationships. It is not that big of a leap for an acquirer to make an acquisition offer on the higher end of a valuation range knowing how its partner does business, how the management teams work together, and how the product sells through to its customers. Other times it can happen when your company consistently beats out a competitor in the market and is seen as a thorn in the side. In either case, your company is a known quantity and the potential acquirer has seen you perform in the market.
What does this all mean? My advice to entrepreneurs and management is quite simple: if you focus on what you can control (growing and managing your business), then the external factors (exit strategy) will take care of themselves. However, if you try to force it and shop your company, that shows a sign of weakness and more often than not will result in a fire sale. Remember, companies are bought and not sold. If you do not get the price you want, it will not matter since you have a business built for the long-term. For a strong, well-managed company, opportunities will always present themselves.
Congratulations to Expertcity and Andreas, John, and Klaus. It has been great to work with you from a board level over the last 4 1/2 years. When the transaction closes, I look forward to writing a little more about how you were able to persevere through some tough times, launch new product, stay focused on leveraging the core screen sharing technology, and build a high growth business in a completely new market. Not only were you an early player in remote access, but you also were one of the first ASPs out there.
Expertcity is not the only ASP making headlines today. Salesforce.com filed to go public and raise $115mm. As I mentioned in an earlier posting about Google and IPOs, pre-bubble, it took companies 4-6 years from their first round of funding to IPO/acquisition. During the bubble it took 1-2 years. While I am excited about today’s announcements and other recent deals like VMware (bought by EMC) and Zone Labs (bought by Checkpoint), it is obvious that we have returned to a pre-bubble mentality and the companies that will be significantly rewarded are the ones that embody the philosophy of building real businesses with real revenue and cash flow. Well, isn’t that just business 101? Yes, and this is great news as it is something we can all understand.
So Checkpoint is going to buy Zone Labs for $205mm. Here are my thoughts on the deal. Zone is expected to do around $28mm of revenue in 2003 and $42mm in 2004. The revenue multiple is 7x for 2003 and 5x for 2004. That is pretty much in line with existing security multiples of 6-8x revenue. The more significant point is that Checkpoint made its first, meaningful acquisition. So for all of you security companies out there, add Checkpoint as another potential acquirer. Some future deals could include an SSL VPN player or network intrusion prevention provider. It seems that concerns over their revenue growth have finally hit management, and they are trying to find ways to accelerate the top line. However, I am not too sure that acquiring a desktop firewall product and competing against established competition like Microsoft, Symantec and NAI is the way to do it.
Om Malik (ex-senior writer for Red Herring) has been writing about the commoditization of hardware. In a recent article in Business 2.0 titled “The Rise of the Instant Company,” Om talks about how hardware has become commoditized to the point where hardware expense as a cost of goods sold is de minimis. In other words, companies can now cobble together off-the-shelf hardware with proprietary software to create companies that can quickly and cost-effectively go after large incumbents. This is a great point and what it comes down to is that software companies can now “package” themselves as hardware plays and successfully leverage the hardware channel from a sales perspective. This is quite attractive from a VC perspective because now we get the opportunity to invest in businesses that can grow rapidly like a hardware play at software-like gross margins (depending on price point 65-85%).
Given this backdrop, I believe that we will see 3 types of software companies in the future. The first will be companies selling expensive applications which will rely on extensive professional services to install and customize. This is the market dominated and characterized by large companies like SAP, Siebel, PeopleSoft and their ancillary professional services partners like Accenture, IBM Global Services, and other consulting companies. The second will be companies that will sell their software as a service (ASP model). These are companies like Salesforce.com, LivePerson, and Expertcity (LPSN and Expertcity are both fund investments) which took the above market segment and made it really easy for customers to buy, in effect removing the complexity of managing and installing the software. Finally, there will be software companies that have a componentized product that is easy to install which can and may be packaged into an appliance to leverage the channel sales model. This could mean that companies are selling their own appliance or OEMing their software to hardware vendors who in turn sell an appliance. Companies like Neoteris and Network Appliance fit this model. From a venture perspective, the software companies that are most interesting to me are the ones with ASP and appliance offerings. In this posting, I would like to focus on software packaged as an appliance.
While the average selling prices for companies that leverage the channel are much lower than pure, direct enterprise sales, I like the fact that these types of companies can utilize a seed and harvest model. In the seed and harvest model, companies that have lower price points can seed a number of customers with a low, entry price product and go back to them later to harvest accounts to sell multiple instances of the product. While the initial sale may not be $1mm upfront, you may be able to get $1mm in the life of a deal. The benefit for the software company is hopefully a shorter sales cycle (it is easier to get sign off for $50k vs. $500k) and the ability to leverage other people’s feet to sell your product.
From a VC perspective, I like to see companies which can leverage other people’s sales forces to grow. Yes, your company will give up some points in margin and also lose some control over customer relationships, but will hopefully make up for it in terms of more volume. For early stage companies, it is already quite difficult and expensive to sell into Fortune 1000 accounts. Many of the companies under the first model (pure enterprise license sales) need expensive direct sales forces which sell high-priced products which have long sales cycles. If the price point of your product is not high enough, then there is little likelihood of you ever building a real, profitable software company from direct sales alone. In addition, if you want to get the excitement and interest of service providers like IBM Global Services and Accenture, you better be able to drive tens of millions of dollars of service revenue.
Just to be clear, I am not saying that software companies do not need direct sales forces as it is incredibly important in a company’s early phase of development to own the customer relationship and gain valuable feedback about its product. In fact, no matter what kind of software company you aim to be, you need to have customers to get channel partners, know what it is like to sell to an end customer, and successfully manage an end customer in order to train your channel and OEM partners. Therefore, most companies will require some form of direct sales force to begin with, but over time, I like to see the mix of revenue moving towards greater than 50% into the channel and OEM model. What this means, at least for me, is that selling $1mm software licenses with 3-6 month installation processes is not interesting and has gone the way of the dinosaur from an attractiveness perspective in terms of funding. The fact that hardware has become commoditized has really opened up new ways of selling software and building companies, ways that can be quite attractive for both entrepreneurs and venture capitalists.
Jeff Nolan from SAP Ventures has some interesting insights on building sales teams. One other I would add is pay commissions when you get paid.
There were 2 conferences yesterday addressing cybersecurity. One was the National Cyber Security Summit in Santa Clara and the other was a smaller event in DC. While I was not in attendance, I did speak with a couple of people who participated in the events. The takeaway is that 85% of the critical infrastructure in the US is owned and controlled by the private sector. The other 15% is the government. While security has gotten better over the last few years, there are still some major holes in the system. There is a classic standoff right now as the government wants the private sector to take control of securing their networks and data while the private sector says why bother when the government’s infrastructure is not even secure. For example, if cyber terrorists took down critical DNS systems, whether or not the private sector secures its infrastructure is moot as the Internet will have massive troubles. Some in the private sector also alluded to the fact that Chief Security Officers do not have enough control as most are only VPs who report to CIOs who sometimes report to CFOs. If CSOs have no real control over budget, then how can they really effectuate change? The government, on the other hand, is threatening to take action and impose mandates for securing private infrastructure. The government wanted to give the private sector the chance to organize itself and develop its own best practices before it is forced to do so through legislative mandate. To hammer the point home, one official apparently said that the next terrorist attack could be on the information systems of a large financial services institution causing serious economic damage. Despite the warnings, it does not sound like the 2 sides made much progress yesterday. At the end of the day, companies in the private sector are driven by dollars. If these companies feel secure enough already, they are not going to rush out to spend more money for the sake of national cybersecurity. 
Therefore, my feeling is that Ridge and his team will not get what they want until the private sector feels pain on their bottom line in the form of stiff economic sanctions. That being said, the government has to live up to its end of the bargain and drive security in its 15% of the infrastructure as well, because as Ridge says, all it takes is one hole to compromise national security.
Hackers like to go where they can cause the most pain. As 3G rolls out in the US, you can bet that hackers will go there as well. There was a great article last Friday in the New York Times about viruses and other security issues on cellphones and hand-held devices in Japan (free site but registration required). It is clear that we should look at how Japan is dealing with this issue as their wireless infrastructure is much more advanced than ours at this point. At the same time, it seems that not many people in the US are dealing with the issue now. Having suffered attacks in the past, NTT DoCoMo has gotten proactive and not only put security software on its servers but also on its handsets. We should learn from this and prepare our infrastructure accordingly. Spam is not the major problem on these devices; think viruses that can jam the 911 emergency response system or denial of service attacks that can bring a wireless network down. What happens when we live in an even more embedded world where chips in cars, appliances, etc. begin talking to a wireless network and become infected with a virus?
Many of the companies that I have seen that focus on wireless security are looking at the client or handheld device level. This is the approach that companies like Network Associates and Symantec are taking with handhelds. While I applaud the effort to protect our devices, I do not believe that putting antivirus software on every handheld device is the right solution:
1. Installing antivirus software on every device is not an easy-to-manage task;
2. While it is much easier to constantly update virus definitions on connected devices, this will increasingly eat up precious memory and computing cycles on your device.
What is needed is smart security on the edge. This will require software that can sit on the network/server layer and in real-time inspect every message being sent from one device to another. It is not easy to sit inline and inspect every message without creating latency. In addition, the software will have to be able to prevent unknown attacks through behavioral analysis and not rely solely on signatures to prevent nefarious activity. This will lessen the need to constantly update every handheld, chew up precious memory and power, and give users an easy way to use their connected devices without headaches.