SurfControl

Yesterday, after markets closed, Websense announced it's intent to acquire SurfControl for about $400 million (Websense press release). On the heels of a decent quarter from Websense, this is a strong move to consolidate the web filtering market and gain exposure to the large (and modestly growing) email security space. As an extra bone, Websense also puts a toe in the water on the content security managed services business (via SurfControl's Black Spider operations).

On the surface, this deal makes sense along a number of strategic fronts:

1. Channels - Websense has traditionally been enterprise focused via a direct model, SurfControl more on the mid-sized business via channels. There is little overlap, though it has been a strategic focus for Websense to go through distribution and more effectively target the mid-market. This obviously accelerates that effort.
   
   
2. Exposure to email security - SurfControl was the first of the web filtering companies to make a significant commitment to email security, and the combined offering (with some innovative packaging) has been modestly successful. The product is not robust enough to compete in the high end enterprise accounts, but for the mid-market it was good enough. This was a big hole in Websense's story that is now patched up.
   
   
3. Exposure to managed services - The trend in the mid-market is more towards managed services for content security. SurfControl bought a UK-based company (Black Spider) last year to go after that market. Their US presence has been minimal, but at least Websense will have an offering.
   
   
4. Geographies - Being a UK company (at least started in the UK), SurfControl has a decent presence in EMEA and that will help Websense further push their international objectives.
   
   
5. They are doing something - Websense was a company going nowhere fast and waiting for ankle biters (like Barracuda) and the high end folks to come and loot their installed base. They definitely had "CheckPoint-itis" for quite a while. So doing something is better than doing nothing, and though this is a big something - the alternative of waiting to become the walking dead didn't look too good either.

So, there is a good strategic rationale for doing this deal, but as always the devil is in the details. Here are some gotchas that jump out at me:

1. Product line overlap - It is not efficient to support to distinct, competitive, overlapping product sets. But to pacify fears on the part of SurfControl's customer base, Websense committed to support the existing product lines for 3 years. That is problematic when one of the key strategies behind the deal were to gain synergies in the market.
   
   
2. On the deal sidelines - Like Secure Computing's acquisition of CipherTrust, this deal is heavily leveraged. By pushing a cash deal, WebSense is killing their cash position (at about $50 million after the deal, it seems a bit low) and taking on debt. The Wall Street guys can comment on the economics, but it clearly will keep Websense out of the acquisition game for 2 years or so. So they are going to play the hand they are dealt and in a business that changes as fast as security - the inability to do deals can be problematic.
   
   
3. Customer retention - There are very low switching costs both on the web filtering and the email security product lines. So SurfControl customers can (and should) look at the market, as opposed to blindly renewing with the new regime. Websense customers should do that too, so there is a lot of risk that the so-called revenue synergies actually mean 1+1 = 1.6.
   
   
4. Channel conflict - Websense has made it a point to buddy up to the channel and those efforts are proceeding, but there is still a lot of acrimony based on past sins. SurfControl plays into a different channel, and reconciling the programs and providing consistency is going to be a challenge.
   
   
5. Lots of balls in the air - Websense has one, very small deal under their belt. Obviously Hodges and Co have done a lot of deals in their past lives, but culturally this is a lot different than PortAuthority. This changes the face of Websense and creates a lot of execution risk.
   
   
6. What about ProofPoint? - When you think about potential partners for Websense, SurfControl wasn't really on the list. For a lot less money (although with IronPort's valuation, all the email security vendors may have an overinflated sense of their own worth), they could have acquired ProofPoint to gain exposure to email security, outbound compliance/encryption, and a largely enterprise oriented customer base. Of course, if the price would have been roughly the same, then they did the right thing - but ProofPoint would have been a cleaner fit.

So you are a Websense and/or SurfControl customer, what do you do? As with anyone that uses web filtering or email security products, you should scan the market every year. This business changes rapidly and you need to make sure your current product reflects your current needs. If anything, this deal creates the impetus to go shopping again.

The channel needs to figure out what the new programs are going to look like, so it's business as usual until the deal closes (probably 4 months at least, since it's an international deal) and then resellers should be pinning down Websense to clearly codify what the new programs are going to look like.

Whether you are a customer or a reseller, understand content security is a VERY VERY VERY competitive business and you have options. If you don't like what you hear from Websense, then go find something else. There is a lot of stuff to pick from.

 

Following this M&A stuff is becoming a full time job. This morning, SurfControl acquired Black Spider (link here), which is a content security service provider that does email and web filtering. Postini, MessageLabs, and ScanSafe are their top competitors. I had decided not to do a separate piece, but then I heard from a friend of mine who is over in the UK and he mentioned how everyone over there was fired up about it. Sometimes I need to remember that we all live in a global village.

The specifics of the deal are pretty straight forward. SurfControl pays US$36 million and gains entrance into the managed service business. Black Spider gets an exit, and worldwide distribution given their real strength was in EMEA. As an added bonus, Surf Control can probably sell the blackspider.com domain name to Columbia Pictures for a pretty penny (if you've seen the Spider-Man3 trailer, you know what I'm talking about).

To be clear, Black Spider was small with about 1200 customers and doing less than $5 million in revenues, but that doesn't matter. They'll fit into SurfControl like a glove. If a customer wants a service option, SurfControl doesn't have to walk away from the deal (or the customer). It's a pretty compelling way to play into the inevitable trend that most customers will want to filter email and web traffic in the network (see Incite on Content Security here).

And as opposed to other deals announced this week, $36 million is very affordable for SurfControl.

Yet, there are always challenges every deal, and with this one comes the challenge of channel conflict. It needs to be very clear to the SurfControl field force when they should look to sell a service or an appliance. The worst case scenario is that they try to sell an appliance, and only when the client says a resolute NO do they move towards the service. By then, Postini or MessageLabs is in the house and will win the business.

You also will have a potential area of conflict around their VARs trying to get into the MSS business themselves. When I was in the business, I saw a lot of that and it's only been increasing. You know, a VAR buys 3 Barracuda's and bingo, they are in the email security business.

But for the most part, this deal makes perfect sense and is a precursor to maybe some bigger folks that offer appliances moving to take out the leading service providers. McAfee already sells Postini's stuff and IBM is very close to MessageLabs. So it wouldn't surprise me to see more deals in the space sooner rather than later.