ESG Blog: Carbonite Buys Webroot – Why You Should Care
The devil is always in the details...

Feb 08, 2019
Steve Duplessie   ESG Blog: Carbonite Buys Webroot – Why You Should Care
Author: Steve Duplessie

 

GettyImages-713782297Cloud data protection player Carbonite just agreed to acquire cloud endpoint security player Webroot for $618M in cash.

My first immediate concern is that I’ve seen this before. Symantec bought Veritas – same logic: marry endpoint security with data protection – because that makes sense – except it didn’t work. It failed spectacularly.

Having said that, times are different, so I won’t immediately write it off. But I do have big concerns.

Here are some pros:

  • The cybersecurity point tool fatigue that plagues all organizations is especially problematic for smaller organizations who not only have less resources but lack cybersecurity skills. Being able to combine endpoint security with data protection seamlessly (theoretically, of course) would remove a big headache in the midmarket.

  • The above point is evidenced in the 53% of orgs in ESG’s annual Technology spending intentions study reporting a problematic shortage of cybersecurity skills. This isn’t getting any better.

  • Something needs to give and that something will include convergence into integrated platforms, ideally delivered as-a-service with the option of it being managed by a third-party services provider – this stuff is hard.

  • At the same time, organizations continue to be barraged with ransomware. In fact, just this week McAfee announced the discovery of Anatova, which bring some new and old features to the game, including destroying volume shadow copies. Fun stuff.

  • Fundamental to protecting against a ransomware attack as part of an incident response plan is assuring all data assets are not only backed up but are not accessible by ransomware malware. If malware eats your backup, you are screwed.

  • This play is an “as a service” play, with a go to market via MSPs to the SMB market – which is fundamentally different than what Symantec/Veritas did. If the channel lines up, and the two products can be seamlessly leveraged – this has a much better chance of working. There are still more questions than answers here but assuming Carbonite has the brains (and money) to not try to smash these two companies/channels/go-to-markets/and technologies together without doing their homework, I can definitely see a market ready for such an offering.

The Risks:

Carbonite generated $50M in free cash last year – but they just spent $618M. They have very little room for error. This is a massively expensive play for a company that made just $7M. I don’t know the financing details yet, but unless someone’s rich uncle just decided to give them a half a billion dollars, this a huge leverage play. No matter the synergies, they will not be able to rip out huge costs to offset the risk. They have to nail this.

  • Separate buying centers / budgets – less in the midmarket BUT in most organizations, security and data protection are different animals. On one hand that could be good – another person to sell to – but on the other hand, a data protection sales guy who doesn’t know jack about endpoint security won’t get very far with that buyer.

  • Different go-to-market motions – this is critical. If they can’t get their GTM aligned, they will confuse (at best) or alienate the market and we all know how fickle the market is now. You get one chance.

  • Culture clash – this is always a massive issue when an arranged marriage takes place.

  • Lack of account plans with respect to which offering takes the lead position and which team acts as an overlay. Egos dictate field operations. With unclear or interpretive corporate mandates, egos also completely screw up what might have been a perfectly good concept.

  • Inability to integrate at both the agent layer and the cloud services. I don’t know if this is an issue yet or not, but this story is a cloud play ultimately.

  • Lack of interest from the channel – i.e., MSPs – in a converged DP-endpoint security solution. Again, at face value this seems like it would be attractive to the channel but without a crisp, cohesive program that addresses the direct needs of the MSP/Channel, this will blow up quickly. There are other ways to solve this problem – maybe not better ways – but the channel has different desires than the end-user.

The Bigger Truth

I can get my head around the synergies. I get the market opportunity and I get that the buying climate is essentially perfect right now. This stuff is hard, the stakes are always getting higher, and making life easier is the key to success in IT these days. Being able to mitigate risk while simplifying management and deployment of two critical operational elements (endpoint security and data protection) seems like a no brainer. But alas, the devil is always in the details.


Post a comment