“Our biggest problem is what to do first,” claims Art Coviello, president of EMC’s RSA security division. Rik Turner reports on the progress of EMC’s largest acquisition to date.
Art Coviello, EMC’s RSA security division president
When EMC announced it was buying RSA in June last year, there was much discussion among IT's chattering classes of the fact that, at $2,1bn, it was the storage heavyweight's largest acquisition to date.
If it was somewhat surprising that there were not more raised eyebrows at the fact that a storage company was buying a security developer, that could be put down, at least in part, to the result of EMC's track record this decade.
There had been more head scratching in October 2003, when the company spent $1,7bn to acquire document management vendor Documentum, at which point a lot of people asked whether it was a bridge too far into applications for what, until then, had been a company from the systems side of the industry.
EMC carried off that acquisition, however, marrying Documentum and the Legato storage software business it had bought for $1,3bn three months earlier to become the ultimate evangelist of information lifecycle management.
ILM is all about putting information in the right place, from the cradle to the grave, which means from the initial save onto high-end, highly available disk to its deletion from long-term tape archival. As such, EMC buying a company in the identity and access management (I&AM), as well as the encryption space, was less of a surprise to seasoned EMC watchers.
After all, since it is already storing its customers' data on the most appropriate medium in accordance with cost, policy and compliance, why not offer them the ability to control who can get at what information for compliance purposes?
To mark the additional dimension that RSA has added to its overall proposition, EMC has also come up with a new concept/mantra. Beyond ILM, it is now a purveyor of what it calls 'information infrastructure'.
Art Coviello, the former CEO of RSA and now president of EMC's RSA security division, recalls how, when EMC bought Documentum in 2003, "I figured they were desperate, coming out of the dot-com boom, the logic being that if they had no strategy to become more important to their customers, they risked getting commoditised.”
He adds that, with hindsight, “I was not wrong: they were a $5bn company then and now they are nearer $13bn, having embarked on an aggressive plan to be more than just a storage company.” Furthermore, “they are now more relevant and valuable to their customers, delivering more integrated solutions to their hideously complex environments.”
Added M&A; clout
For Coviello, the sale of RSA to EMC meant a change in job title, from CEO of a company that posted $410m in revenue in 2006 to president of an EMC division. If that looks like a step down the corporate ladder, he points out that RSA had $300m in the bank for M&As, while EMC has $6bn, “although I have promised [EMC CEO] Joe Tucci not to spend all of it.”
Not that he is in an intensely acquisitive phase right now anyway. “With our existing components, we can build a $1bn security franchise over the next several years,” he says, defining that time frame as “more than two and less than 10 years.” However, “the market opportunity for data protection and I&AM; is exploding, so there may be more tuck-in acquisitions to speed us to that $1bn.”
Indeed, there already has been one such example, with EMC announcing the acquisition of incident and event monitoring vendor Network Intelligence on the same day that it closed the purchase of RSA.
There is, in fact, plenty to do even without further acquisition. Coviello declares himself pleased with the progress made in RSA’s first four months as EMC’s security division.
“We have integrated back-end systems, purchasing, facilities and travel, and IT is progressing,” he says.
RSA has simplified its sales organisation to enable a one-to-one relationship with its counterpart at EMC. Coviello acknowledges that this is causing some job cuts at RSA. “We had 1400 people at acquisition and by the end of this year we will have cut around 150 jobs.” Those are all in areas of admin, such as HR, and other overlapping functions. “After you have been acquired you do not need a CFO or corporate counsel,” he argues.
On the other hand, net employment at the security division will be up at about 2000 by the end of the year, partly thanks to the addition of network intelligence but mainly through recruitment of more sales, post-sales, engineering and support staff. “We are also developing a professional services organisation for risk assessment, which is something we could not have done alone,” Coviello adds.“We will leverage their [EMC’s] PS infrastructure.”
Aside from the physical integration of RSA into EMC, there are also technical integration plans, which are “either completed, under development or under study,” says Coviello. The ideas are manifold, and Coviello makes it clear there are multiple synergies between the businesses.
“We will build encryption into their storage systems and do key management for access to databases and end-user apps,” he says. “We will also do access control for document management and provide security around EMC’s Symmetrix [storage array] management. We will add a virtual security layer to [EMC’s server virtualisation subsidiary] VMware and leverage VMware to deliver security to companies with virtual architectures. Our biggest problem is what to do first.”
The net result of this integration of EMC and RSA technology at the product level is that, whereas this year EMC Security Division’s sales will be 90% standalone RSA and 10% blended with EMC’s, “that will change to 60/40 in three years’ time.”
Coviello bemoans the fact that EMC “has gotten scant credit on Wall Street,” where it has come in for criticism as overly acquisitive, when it could be paying higher dividends or initiating share buybacks. Considering this view a manifestation of “today’s instant gratification society,” Coviello argues that EMC takes “the long view [on M&As], not smashing them together. They have developed a distinct competence in acquisitions, and they are not screwing them up.”
One reason for the criticism is that, as a result of its 25 acquisitions this decade, EMC’s operating margins are contracting. However, Coviello argues, “at some point the degradation in margins on storage hardware will be offset by the increase in revenue from software, at which point it will reverse the trend.” The recent decision by EMC to carry out a partial IPO of VMware will, he adds, “force Wall Street to look at [the group’s] intrinsic values and recognise that the sum of its parts is not reflected in its valuation.”
Like EMC itself, RSA faces the challenge that its core business is undergoing commoditisation: in EMC’s case it is storage hardware, in RSA’s it is SecurID authentication tokens. RSA’s competitors such as VeriSign and Vasco have been dropping token prices as a way to gain market share, and RSA responded in kind.
“We had embarked on commoditisation before we were acquired,” Coviello says. “Our average selling prices on SecurID have gone down consistently over the last year, but we are doing more SMB business to mitigate the commoditisation in major accounts, so SecurID revenue was still 15% up in 2006.” Still, RSA’s expansion from authentication tokens into the broader arena of I&AM, as well as into encryption and key management, means that, as a contributor to total revenue, SecurID went from 70% three years ago to 50% now.
Coviello says he expects the data protection side of the RSA business, which is currently growing at about 20% per annum, to accelerate over the next few years, thanks to “an increasing need for encryption and the growing adoption of key management.”
The latter field in particular looks promising. It is still an emerging business, so much so that RSA’s sole competitor in the space is a small UK start-up called nCipher. US encryption specialist SafeNet tried to buy nCipher last year but failed due to regulatory concern on the part of the British monopolies regulator.
The rationale for the growth in demand for key management is simple: as encryption becomes more widespread in the corporate world and companies go from issuing tens to hundreds and even thousands of keys, the need for central management tends to grow exponentially. Coviello knows nCipher quite well, RSA having been a shareholder in its early days.
He clearly fancies his odds against the UK minnow now that he has the clout of EMC, not to mention the upsell potential of the latter’s storage hardware and ILM software, behind his efforts to sell encryption and key management. A more serious challenge is likely to emerge from larger companies entering the ring, with natural contenders being systems management vendors such as IBM, CA or HP, any of whom might acquire nCipher to speed their entry.
Of course, another reason the market was less taken aback by EMC-RSA than it had been by the Documentum deal was that security heavyweight Symantec had spent $13,5bn in December 2004 to acquire Veritas, the storage security vendor EMC has moved into competition with by acquiring Legato the previous year. Indeed, Symantec was also rumoured to have been sniffing around RSA prior to EMC’s move.
Coviello argues that the synergies between EMC and RSA are far greater than those between Symantec’s edge security (anti-malware, anti-spam and IDS/IPS) and Veritas, whose main claim to fame was in back-up and recovery software. “In fact it would have made more sense to integrate RSA and Veritas, as I&AM; and encryption have more to do with storage than anti-virus has to do with back-up, restore and archive,” he ponders, adding swiftly that such a deal was never on the cards.
“That is not to say [Symantec CEO] John Thompson’s strategy is necessarily a bad one,” Coviello adds. “He just needs to fill in more blanks. EMC has more of the pieces in the puzzle already.”
Not surprisingly for the head of a company that has just been absorbed by a systems vendor, Coviello predicts “the standalone security industry is going away, though not necessarily the standalone applications.”
His rationale is that “we must put more security into the information infrastructure from companies like EMC and IBM,” the difference between these two being that “IBM does not have a security division, they are more like a patchwork quilt put together by buying tier-two companies, then making up for it by throwing service at the problem.” He acknowledges that at least in one case, however, IBM has landed a market leader: “ISS was the first good thing they have done.”
As for other competitors, Coviello acknowledges Vasco and Entrust “in point products” and Secure Computing “in places,” while Cisco, Juniper and Check Point he considers partners. Oracle, like IBM, has no security division, even though it has some security assets. Microsoft is “mainly a partner.”
It is still very early days for EMC’s security division, but so far the signs are good. The fact that the first marriage of EMC and RSA technology involved the storage giant’s flagship Symmetrix DMX-3 disk array is indicative of the value EMC places on its record acquisition. It is perhaps not surprising that Wall Street has some doubts about the strategy given the number and diversity of acquisitions EMC has made so far this century, but this is one that appears to be heading in the right direction towards proving any doubters wrong.