Milestone Group Quarterly: October 2003
Articles
CEO Hot Seat:
Phil Dunkelberger, CEO, PGP
CEO of PGP Corporation (www.pgp.com), Phil "Dunk" Dunkelberger has a 20-year background successfully selling technology in executive roles at Symantec, Vantive, Embark and PGP. Now in the hot security space, Dunk shares some of his candid thoughts with Milestone Group.
Milestone: You sold PGP to Network Associates 1997, then in 2002 raised capital to buy it back and take it private again - nice round trip. What did you see that Network Associates didn't?
Dunk: We saw a void in the marketplace that existing desktop and gateway encryption solutions weren’t solving. We saw the chance for a start-up to innovate, taking the view that existing encryption solutions would never be widely used because of their deployment and usability problems. We could use the PGP technology and brand to produce products that would allow very large customers that want to use encryption to do so, not just in pockets, but also throughout the enterprise. We saw a very robust set of tools to build security software with, and the strong PGP brand.
Milestone: Is overall spending in the security sector still strong? Which sectors of software security are toast?
Dunk: I just read an article this morning that said that security spending is dramatically up based on interviews with about 7500 IT executives. Mainly the issues around corporate governance are driving it. Those things are all driving people to be more aware of security and to spend money on it. These issues are definitely driving security spending up and it looks like expenditures are going to stay up. I’ve seen other, corroborating evidence of that. The areas that seem to be hot are areas of intrusion detection and prevention, anti-virus and malicious code, steady state environments where if there’s a change of state, it suggests that someone has come in and changed something. One of the big areas that we see is the whole area of communications, and specifically secure communications. We’ve had several robust quarters of increased revenue in a row, every quarter that we’ve had the product line. And there’s a tremendous amount of interest from people in securing both e-mail and instant messaging. The areas that we see that have been flat are firewall and scanning technologies that essentially show people have been in and done something but you don’t know what. One of the areas that tends to get a lot of attention but not a lot of sales is the area of building reporting tools into their own consoles for security. There are so many security consoles out there now, and lots of people trying to build new ones, from the big vendors to start-ups.
Milestone: Selling security software seems to be like selling insurance - hard unless there is an event. How are your prospects and customers currently weighing up risk vs. cost?
Dunk: I think with the aforementioned governance cases, people don’t have a choice. They are going to have to be sure that the solution they implement digitally signs and stores all of the information in a secure manner. California’s Senate Bill 1386 requires that information about your customers has to be secured, so there is legislative impetus for people to do it. From an ROI standpoint, though, and from a risk management standpoint, we’ve seen people that have developed very sophisticated internal security mechanisms for risk assessment for things like intellectual property, or transmission of M&A or financial data. Those things are pretty well recorded, so that if they are breached it is catastrophic to both the ROI and TCO. It doesn’t matter what you paid for a solution because the price you are going to pay in the market place in brand damage, and opening yourself to litigation, is dramatic. A lot of people have been aware of these issues for quite some time and have done a lot with perimeter defense and security, but they are now starting to look at all of the inbound and outbound communication pieces. That’s where we see the big opportunity, and that’s where we are being told is one of the big holes in people’s security strategies. Approximately 50 or 60% of a corporation’s core data winds up in e-mail at some point; it moves around internally and externally, which opens up the door to liabilities.
Milestone: Where is the security market heading? What is the best strategy for start-ups competing against big incumbents like Symantec and Network Associates?
Dunk: First, you’ve got to build products that are standards-based and compatible with what already exists. There’ve been a number of companies that recently have come out and said, "Hey, we’re brash and new, try this!" and if you don’t have an integration strategy, if you don’t work with what’s already deployed, people do not have time for those completely brand new products. In fact, the amount of money being spent on completely new projects vs. maintenance money is down dramatically. Second, people are tired of trying to round up all the different rabbits that make up their security environment. Third, you should raise money from any source that you can get but be sure the source has very deep pockets, This is a long-term play, people are not making or changing security decisions capriciously, so you have to have staying power if you are raising money from people. If you are going to put any money in the security space you must have enough money. Fourth, you have to have third party validation of your products, you can’t just validate with your own customer base, it’s other vendors that have to validate you, and it’s other security specialists that follow the industry that have to give you their blessing. Companies cannot afford trial and error with security products.
Milestone: There is a lot of industry buzz about how the software industry is destined to undergo fundamental changes--slowing growth, increasing consolidation, etc. How do you see things evolving?
Dunk: I think that has been the pattern over a large number of years, excluding the bubble years. The software industry always has growth spurts and consolidation and as new operating systems and new environments come out you essentially have to reinvent yourself for those platforms, which opens up new opportunities. So the advice I would give to anybody is that you’ve got to innovate. I think Peter Drucker said it best, that large companies fail because of lack of entrepreneurial spirit, and small companies fail because of lack of management. I think the consolidations you see are many times driven by people with great technology that don’t have either the staying power or the business plan to make it work, and I think you see some of the bigger companies experiencing slower growth because they haven‘t been innovative or inventive enough to keep their market leading position.
Milestone: You seem to be a BIG fan of channel sales; don't they take too long to build?
Dunk: I think that channel sales do take a long time to build if you do not have a good value proposition for channels. There was a mantra when we built the Symantec channels from a two tier distribution to add the VAR channel, the systems integrator, and various verticals like education - all of those were built when we were able to show that when the channel profited, we profited as did the entire channel food chain. You develop products, you don’t compete with your channels, you don’t keep making exceptions, and last but not least you understand the fundamental margins of your product. If you do not have $100,000 plus type of orders that your sales force is driving, it is very hard to justify a direct sales model in this day and age.
Milestone: So when does building a big direct sales force work best?
Dunk: When you have a very large, complex sale that drives a lot of margin rich revenue to your company. In the enterprise phase, people have found that delivering two or three million dollars worth of software requires five to ten million dollars in additional services. Those are the people who are seeing slow growth. What people want today is rapid deployment, out of the box low TCO and high ROI, and they want the products to integrate with what’s already in place. If you build a product that does these things you can sell them through various channels that originally installed the systems that you are integrating with. At the end of the day, you need to drive a margin-rich sale and it must be product revenue, not just services.
Milestone: You spent a while as a VC entrepreneur in residence, anything surprise you about the deals your firm was continually pitched?
Dunk: I probably looked at over a hundred deals in the eight months I was with Doll Capital Management. There were a couple of surprising things that I saw in the deals that we were continually pitched. One, many of the people did not consider their go-to-market strategy. They were all about early-stage products, so they really didn’t consider the surrounding market, the channels they would use, whether to go direct or indirect, or the type of brand needed. Two, was an inability to understand the customer base. Many people had not really done their own due diligence, the most impressive people that came in were the people who had done large-scale due diligence with their customer base and really understood that the negative feedback they were getting was the best type of feedback for their business plan. When you are trying to build something new from scratch, every knock really is a boost. That’s how you learn, and I was surprised at the number of people who would ignore some very good advice from their customers and other people who were very familiar with their market. Three, I was amazed at how people were still holding on to the old maxim that you didn’t have to be in it for seven to ten years to build a software business. In many cases, in 2002, when I was employed at Doll, many people still hadn’t thought through years three, four, and five of their business. Not that their numbers had to be correct, but what was going to happen to them over time. They had not considered what transitions they would need to make as a business.
Milestone: We have all learned some lessons from the bubble and this swell economy. What do you think tech companies still need to learn?
Dunk: They need to manage expectations, they need to be extremely honest with themselves and their investors and their customers, I think they need to dig in and be in it for the long haul. I think as long as they are innovating and providing value there is a bright future for tech companies, but only the tech companies that heed that advice. You really need to understand it’s all about deployment and customers. The proximity to your customers is where you are really going to win over a long period of time. |
