Yesterday, Symantec CEO Greg Clark flexed his M&A biceps, saying that Splunk could be an attractive target at a $9+ billion valuation.
Clark definitely plans to go whale hunting to regain Symantec’s long-lost security position. Symantec expects to grow 3 percent to 5 percent in 2018. Compare that to Splunk, which projects to grow upwards of 20 percent this year and generate $1.2 billion revenues, up from $950 million last year, and it’s not hard to see why Clark is interested.
In the second quarter 2017 results, Splunk’s revenues grew by 30 percent quarter on quarter. Analysts gushed with “congratulations on a great quarter,” as Doug Merritt, CEO and David Conte, CFO fielded the calls, digging into Splunk’s security opportunities and trends. Splunk has handily kicked the backsides of all the legacy security players — Symantec, Cisco, IBM and HP, each of which were mired in their own corporate challenges. CEO transitions, acquisitions and divestitures kept them distracted. IBM’s security revenues are growing at 5 percent. Cisco’s security business grew 9 percent in FY 2017. HPE’s software revenues have been dropping by 8 percent to 11 percent in the first two quarters of 2017.
While they are eating dust, Splunk has continued to grab security market share at an enviable pace. By some estimates, Splunk will pull in upwards of $400 million from its security division this year — which is more than 40 percent of its annual revenues. Splunk is rapidly becoming the de facto SIEM replacement product, causing heartache for HP-ArcSight as well as IBM. But Splunk never started out to be a security company. How did it even get here?
Let’s do something — like cure cancer, or… aggregate machine data
While hunting for ideas for his third startup, Erik Swan, co-founder of Splunk, started to think big: cure cancer. He most probably googled “how to cure cancer” and even confessed that he bookmarked web pages on genomics research. After all, curing cancer has so much cachet to it. But a week later, reality set in. Instead of cancer, he decided to solve a problem that’s aligned more closely to his universe.
He found that IT operations teams struggled with troubleshooting — gathering and analyzing relevant data to get to the bottom of the issues was nearly impossible. Erik and his co-founder, Rob Das, polled more than 50 potential users over a period of nine months and found this to be a pressing problem. People were writing all kinds of scripts.
To access data, the database administrator would often get involved. No one person had access to all the data. Each corporate silo — IT, BizDev, Ops — was doing their own thing. Analytics was another growing nightmare. And so they started to build an engine that gobbled up machine data. Spelunking, or exploring caves is a hobby for some. IT teams were used to digging into the caves of data to identify patterns. For the two founders, the vision was simple — all machine data within any enterprise could be gathered, stored, searched and analyzed. Every user they polled said they need, and they’d pay for, something like this. It sure sounded like a Google appliance for machine data.
As it got off the ground, the company raised around $5 million at a pre-money of $5.7 million. David Hornik of August Capital invested in the first round. Fourteen years later, he still serves on the board of the company. “As the longest-standing member of the Spunk team, I recall the pitch as ‘search engine for log files’ — whatever that meant,” he says. “But this was one of the first few teams to to hit the nail on the head on several fronts — they understood the importance of gathering ever-burgeoning machine data well in advance of anyone else. The ability to store this data easily and then conduct arbitrary searches on top of it blended together into a compelling opportunity.” And Splunk did not know back then that the security team would love such a central repository of all data. The company consumed less than $50 million in venture capital and completed its IPO eight years later.
For the modern-day unicorn, this is an interesting challenge — can you get to an IPO on less than $50 million?
First the culture, then the people
Merritt joined the company when it was pulling in $348 million in revenues and worked his way up to become its CEO in 2015. His mantra for growth is simple — freedom and accountability, with a healthy dose of humility. In a day and age when CEOs often exude an air of invincibility, complete with chest-thumping braggadocios, Merritt is quite the opposite. While he establishes the overarching guidelines and framework, he often tells his team, “I am dependent on you. Please guide the way.”
Splunk’s cultural DNA — “low on politics and high on accountability” — combined with intellectual rigor and humility, has become Splunk’s strong suite. Its team stays nimble, innovative and keeps an ear close to the customer. These characteristics allow the ship to move into unchartered waters. Splunk never started off to build a security platform, but rather, it evolved into one of the leading solutions of the day.
The technology stack was evolving rapidly. At one one end of the spectrum, the perimeter dissolved in cloud and mobility wave. Data storage became cheaper, unstructured data sources grew and Hadoop clusters were being evangelized. Words like Big Data popped up everywhere, but very few knew what it exactly meant, or what would anyone do with all this data.
Merritt recalls, “With processing power, new schema and ability to rapidly query, the nightmarish days of data warehouse, data lakes and swamps could come to an end. Data sets and pairings can be made very rapidly to draw conclusions.” Splunk soon became one of the first companies to help make sense out of the big data madness.
David Hornik of August Capital says, “There were a lot of ways Splunk could grow — the team was savvy. Even though they did not have the magic key, they studied the user engagement closely. The security use-case was a natural extension of debugging and traffic analysis/compliance became the drivers.”
Security revenue growth has sextupled in three years
As customers gathered data, security teams started to poke around to analyze patterns and trends. The best part — everyone was working off the same repository. There were no multiple silos, hidden copies and master copies. Everyone was looking at the same data set, yet from different angles.
By 2014, as much as 20 percent of Splunk’s revenues, or upwards of $50 million, were coming from security markets. Splunk soon formed a Security Market Group to dig deeper. Haiyan Song came on board as SVP of Security Markets. Previously, she had spent nine years at ArcSight, driving the product strategy of its security event and information management (SIEM) product line.
Legacy SIEMs were unable to adapt to market changes and the shift from ArcSight to Splunk was a well-calculated move. Between 2014 and 2017, Splunk started to pull in as much as 40 percent of its revenues, or close to $350 million from security markets. That’s a 6X ~ 8X growth in three years. While there is no easy way to measure innovation, a 6X revenue growth speaks to the culture, hunger and drive of Splunk’s security team.
Show me the ROI
DJ Goldsworthy, director of Security Operations and Threat Management at AFLAC, has more than 100 team members in his infosec department. He says, “I heard about Splunk when I was trying to build a similar internal system using .net code. I tried it and in 10 minutes, I could do everything I needed. I got buy-in very quickly to replace our legacy systems. Today, I can gather my security metrics and offer them to our board of directors in record time. We can manage and measure our security posture and protect our clients.”
A chief information security officer (CISO) of a publicly traded company who uses Splunk SIEM in the cloud says, “We monitor 12 billion events and before Splunk, we had all these data silos, time-consuming reporting and manual troubleshooting. After Splunk, my dashboard has 12 billion events reduced to 140 actionable alerts. I have a great ‘helicopter’ view and much efficient use of my team’s time.”
One security executive told me that “thanks to the false positives, our Intrusion Detection Systems (IDS) had become somewhat of an internal joke, so we started using Splunk. Our data had an interesting pattern. The operations and applications data clocked at 20 percent each, while security data was as high as 50 percent of the volume and our application / SaaS data was only 5 percent. Splunk is now our de facto security platform.”
Despite that, its largest customers are indexing less than 25 percent of their total data. While the average selling price is around $75,000, most people I spoke with were clear of the ROI they see. Security analysts were moving up the productivity chain. They were doing bigger and better things. Morale and team dynamics were up and customers continue to pump in more data. One customer pumps in 10X more data from when they started five years ago. Yet some large customers struggled with costs, which increase with volume of data ingested. The company has now developed an array of pricing options, away from volume of data, even though AWS is its largest expense.
Competition from Sumo Logic (which aims for an IPO), Loggly for cloud native offerings and Log Rhythm is heating up. Open source offerings like Elk stack (Elastic Search, Kibana, Logstash) are a growing threat. Elastic (backed by Benchmark, Index, NEA) acquired Prelert for its machine learning and Opbeat for application performance. And then there is adjacent pressure from the likes of New Relic / AppDynamics (now Cisco). All of these impact Splunk’s growth rate. For those who think Amazon will eat up Splunk, it’s unlikely to happen as long as customers’ data floats on-prem or the hybrid cloud.
Accel, Greylock, Sequoia, Sapphire
Access Ventures, Adams Street, Grotech
Trinity Ventures, Data Collective, Cisco, True Ventures
(IPO in 2012)
August Capital, Ignition Partners
Dr. Anton Chuvakin, Research VP & Distinguished Analyst for Security and Risk Management at Gartner ,says, “Splunk’s growth is driven by its ability to aggregate data that can be used by Network, Systems and Security teams. Other platforms can impact one or possibly two of these teams.”
Basically, Splunk has a license to print money all day, because competitors have bits and pieces of the offering — not all of it. Splunk continues to focus on building more value with more than 1,500 apps in its ecosystem. Its partnership with AWS, Microsoft and Azure aims to bolster its hybrid cloud offerings.
By 2020, Merritt aims for $2 billion top-line revenues and 75 percent shift to the cloud. It adds 500 new customers each quarter. To bolster its sales, the company is strengthening its cloud offerings, developing a plan for small and medium businesses and strengthening its EU sales leadership. Splunk’s Americas revenues are strong but international revenues are 25 percent, which is less than average of most mature software companies.
Merritt intends to get that to 50 percent over time. Splunk snagged a chief marketing officer from Salesforce to increase demand generation. “By bringing in automation, apps and industry-specific tools in the coming years, we can drive even higher gross margins,“ says CFO David Conte, speaking at Bank of America Merrill Lynch Global Technology Conference.
From big data to analytics to AI
Splunk can grow in many directions — AI can certainly drive more value across its platform. DJ Goldsworthy of AFLAC says, “Changes bring new opportunities to help us grow. Spotting anomalies has become a mathematical issue. Splunk automatically pushes the detective and preventative controls by self-immunizing our systems. I wish I could tell the hackers, ‘Thank you for sending me a malware,’ because it is making our overall systems smarter.”
Song says Splunk has the potential to become the enterprise “nerve” center — like a human brain. Clearly, as the AI wars heat up, those who have the data will have a winning edge. And Splunk is better suited to ride the AI wave better than most big data players. As the IoT markets evolve and machine to machine (M2M) communication grows, the volume of data will rise. Long Beach Container Terminal plans to use Splunk to monitor system performance, automated cranes and flow of cargo.
Splunk is instrumented for visibility and has successfully broken down silos inside companies where sharing data is the new norm. It drives an esprit de corps within the IT, operations and security teams. Unfortunately, Wall Street cannot measure the soft, yet critical aspects of culture and customer delight.
Maintaining its nimble and humble culture, and attracting talent while growing rapidly, can become a challenge. But its biggest challenge lies in breaking silos across sectors. Merritt says, “In thinking through AI, we have to consider what data can be exposed versus locked down.”
If customers own the data, can Splunk build a federated universe where customers share their data for the collective good? Espousing his worldview, Merritt says, “Our evolution in society depends on better decisions. To distort, hoard or hide data is detrimental to society. If we aim for openness and expansion of thought based on data, we move towards enlightenment.”
If Symantec steps up to buy Splunk, it will be its largest acquisition. Most likely Cisco may jump in to compete, as it has a bigger market cap. And then there is IBM — the sleepy big blue giant.
No matter which way the wind blows, Splunk is sitting in a pretty good spot right now. As we approach the machine learning age, data is the new currency. It’s the foundation that will drive analytics and artificial intelligence. And no other company is geared to take advantage of this wave better than Splunk.