Austin is well known as a hub for technology and innovation – and SolarWinds is one Texan company making a stir in the security landscape, as Mike Hine discovered when he met Mav Turner
SolarWinds is a fairly recent arrival to the security vendor scene. Its acquisition of TriGeo in 2011 kick-started the company’s move into the field, as it sought to branch out beyond its core business of network and systems/application management.
Infosecurity caught up with the Texan company’s director of product marketing and business strategy, Mav Turner, on an icy February morning in London. He explained that, while SolarWinds’ foray into security happened more recently, the real story begins at the turn of the millennium.
“In 1999, two brothers basically built a bunch of tools for their friends. They were very single-purpose. But in 2001, some venture capitalists got involved and said ‘let’s take this and scale out.’”
The timing was fortuitous, coming “right before the big tech bubble burst,” when investors were taking a lot of interest in tech start-ups. As to whether North America or Europe has a stronger culture of investment in technology, Turner believes that conditions in the US make it particularly favorable for entrepreneurs: “A lot of it has to do with the regulations in the country. In America if you take on a big risk and you take on a lot of debt and there’s a problem, the bankruptcy laws are more lenient, allowing you to take those risks.”
However, the “highly compressed boom-bust cycle” within the tech industry does mean that a lot of businesses have a short lifespan, Turner argues. “The exit strategy for a lot of companies is going public and getting acquired by a larger company. And it is a viable strategy. You look at valuations for a lot of start-ups and they’re ridiculous. Within tech it’s even acceptable not to make any profit as long as you’re building your revenue base.”
The plan for SolarWinds, however, has always been more long-term: “For us it’s important to be profitable and not just to build revenue, because we want to actually build a sustainable business that we can scale.”
That focus on the bottom line does create restrictions, Turner suggests, but these restrictions “allow us to grow in a smart way rather than just blowing up, then getting bought out, and then some company kills us off.”
That’s not to suggest that SolarWinds hasn’t benefited from the buoyant M&A landscape within security. The Texan company has a string of acquisitions to its name, most recently Librato and Pingdom. Nonetheless, Turner says, SolarWinds isn’t just buying up companies for the sake of it.
“We’re certainly not at the scale of an IBM or an HP, but we’re also not the little guy either. We benefit from a lot of those small companies, we can add those technologies, but I think one of our advantages is being able to use those technologies.”
While a $500m acquisition might get “lost in the sea” of a giant corporation’s wider interests and ventures, Turner argues that for SolarWinds “any of these acquisitions is a big deal, and it’s important that it’s successful and we get a return, as opposed to just buying something and shelving it.”
The high volume of information security acquisitions must generate a lot of competition within the sector. Asked whether it can be a ruthless environment, Turner suggests “not in the sense of cut-throat.” He continues: “Everybody’s trying to work a good deal but everyone understands that a lot of these companies get acquired. It’s competitive, but everybody knows they’re going to see each other around, especially in smaller communities.”
With all this talk about the vendor community’s vibrancy, it’s easy to forget that the wider industry is supposedly facing a major dearth of skilled personnel. Turner agrees that, while the rise of new business ventures shows no sign of abating, actual security staff in IT departments are in short supply.
“The need is growing so fast. People who make the best security professionals have worked in other roles. You’re securing all these systems, so you need a good strong technical background. Typically [infosec pros] are more senior and that’s why [hiring] is a little bit more difficult.”
However, there are more problems facing IT departments than a short supply of candidates for security roles. There are still a lot of basic mistakes being made, Turner suggests, that damage cybersecurity efforts across many sectors: “A lot of times people purchase software to meet compliance regulations, but then they don’t really use those solutions to their full extent.”
This problem is intrinsically bound up with a lack of manpower in security departments, Turner says: “There are so many customers I talk to both on the security side and with network monitoring, and you see their inbox and it is just overflowing with alerts.”
Typically, we expect vendors to advocate their own products above all. Turner, however, is more sanguine: “I would love to say that the new technology is great and we should focus on that, but what typically happens is that everyone gets excited about the newer stuff and just fails to secure their existing environment.”
The flashy capabilities of new software are easy to talk up to management, but IT departments need to ensure that they are communicating the importance of basic security measures properly: “The way that IT goes about justifying security purchases is not the most business savvy. I think they really go after it from a technical perspective – but really once you’re talking at C-level, it should be more about risk management.”
Getting executives to consider security risk in the same breath as financial or competitor risk is an important step. But while education at board level is crucial, the wider workforce must not be forgotten. Leveraging the potential of security-savvy staff can greatly assist in bolstering security.
Turner explains: “One of the things about training users is you’re never going to get 100% coverage, just like you’re never going to get 100% protection on your perimeter. But with the combination of defensive technologies as well as training, you can hope to cover as much as possible.”
The need for effective training is particularly acute at the moment, given that IT departments are increasingly tasked with enabling a more flexible working environment for employees. Reconciling the disparate technology this involves with a strong security policy is a big challenge, and one that Turner feels is fundamental to his role as a vendor.
“The question is, how can we make it so it’s not extra work, not a burden, so it’s seamless? It’s a hard problem to solve and that’s something we’re always thinking about.”