Astaro / Sophos merger – my personal view on that

Prelude:

I wanted to blog more in my native language, but this blog post will be written in English. Inconsequent? Rather audience-oriented ;) Also, I almost never blog about things that have to do with my job, but since this is a rather big thing and there are a few voices out there claiming that this was a bad thing happening to Astaro employees, I wanted to give an insight perspective (+ a view from somebody who has also worked for a system integrator in the past).

So, what happened? Well, Friday was a big day for everybody involved in the Astaro microcosmos (partners, resellers and the like) and medium-important day for the whole IT Security industry. At that day, Sophos and Astaro announced publicly that Sophos is planning to acquire Astaro in the very near future. Bottomline: Astaro as a company will not officially exist anymore, but everybody working for Astaro today will turn into a Sophos employee and also every asset in the company will turn into Sophos property.

This at first might be a bit frightening, but if you have had a bit more time to think about it (we Astaronians had a small heads-up), this seems to be a good thing. So, nobody who has heard about this should be frightened or feel somewhat sorry for me / us. Rather the opposite is true.

Astaro has been the 4th largest vendor – by sellout – in our space (UTM, basically a “Firewall + many other cool things”), privately owned, has ~ 220 employees and has been profitable since a couple of years.

So, it is nice to work for this rather small and cozy company. You could feel that we didn’t realize only a 0,3% – 1% profit from the money that we earned (such as my former employer did) and the overall feeling was very relaxed. Many people have been with the company since the very beginning, many people in key positions haven’t had another job before. The company is still rather young (11 years old) and we’ve recently moved to new, shiny offices in Karlsruhe.

It feels like your word and your opinions are valued, the founders know everybody working for them by name and greet them on the floors and there is an overall open door / everybody talks to everybody mentality that I didn’t feel in larger organization.

And suddenly, the acquisition was announced.

This was rather a shock for people outside of Astaro; they fear that the product will be let down, that support will suffer and that this will have some negative consequences.

I don’t think that those people are right. There are a few good reasons why I personally do believe strongly in the merger and those I’d like to share with you (and also do calm down my friends and family and convince them that I’ll be alright):

In fact, I wished to be bought by Sophos if that had to happen one day. I personally like them technologically very much and I think that their way of doing business is very similar to ours.

  • No direct competitor:
    Sophos is not a direct competitor to Astaro. They are not the No.1 UTM vendor out there and they don’t have similar products. So they don’t buy Astaro just to get rid of competition, letting the product and the people involved with it die afterwards. This is not only good for our customers and partners that can be sure that the product line will continue to be developed and sold, but also for us, since our jobs are pretty safe.
  • European company, focussed on the professional market:
    Just as Astaro, Sophos is a European company. This reflects I think on their way of doing business, on their view on the world, on their ethics and ideas about how to do business. And most importantly: The network division of Sophos (which Astaro will turn into) will not be far away in another continent, having little influence on the overall company.
  • Great products
    The Sophos guys have built clever products and are in my opinion close to McAfee when it comes to cool Endpoint security products. If you’ve followed my bio a bit, you will know that I have good reason to call myself an expert in that field, and I think that they are No. 2 worldwide when it comes to technology (unfortunately not yet sellout).
  • Astaro complements their portfolio:
    The product range that Astaro stands for (Gateway security products) is something that Sophos lacked over the last years. Rumor has it that they also launched their own Mail- and Web Gateways, but they are not industry-widely known for these kind of products. So, similar to what McAfee did with the Secure Computing acquisition they seemed to have checked the market for a solution that fits and stumbled upon Astaro. Fortunate for everybody!
  • Expertise that is unique within Sophos:
    Given the fact that Sophos has little to no knowledge in this particular security area, our expertise and our understanding in how to sell and run the gateway business is needed by them. They saw that the business is done a bit differently and are planning to let Astaro as a sub division act rather  than integrating them directly.
  • No direct changes
    This will also result in business not changing directly. The Astaro partner model, the margins, the criteria to classify as an Astaro partner will remain unchanged. There won’t be 100s of new partners overnight that will kill our established partners’ business.
  • Higher visibility
    Mid-term however, the visibility and status that Sophos has will bring a completely new group of partners and customers to us. Very large system integrators who have focussed on bigger companies will be interested in looking at us and consider to include us actively in their portfolio rather than just sell us if the customer explicitly asks for it.
  • We’re No.1 UTM now
    No need to explain who Astaro is anymore. The brand name “Sophos” will give our business a huge boost outside the German-speaking regions. Sophos is known in the IT industry, Astaro is still somewhat unknown as a brand. So, doors will open for us that wouldn’t have opened before. And immediately we are one of the big 10 players in Security. Cisco, Symantec, Juniper, Mc Afee, Check Point, Trend Micro and F5 (probably a few more) are bigger than the merged Sophos/Astaro team, but the joint company is bigger than better known players such as Fortinet (largest UTM-only vendor in regards to sell out) or Kaspersky.
  • Focus on Network Security
    Astaro or the new Network Security division of Sophos or however you’ll call us now, can focus on Network Security again. We have presented this great Security Wall vision a couple of months ago that basically covers all security aspects out there. But, we don’t have to build everything on our own anymore. We don’t have to deliver an endpoint security product, there already exists one in the company (and a pretty good one, BTW). Whether we will continue these product lines or not however is something that I’m not aware of. And some other aspects of the product that we were lacking are now covered as well.
  • Cool OEM components to integrate in our product
    Astaro has always either built (own technology), borrowed (open source technology to which we actively commit code to drive it further) or bought (OEM components) technology for our product. Now that Sophos e.g. offers some great Antivirus components that run under Linux and has some offerings when it comes to Threat or Spam databases, the number of OEM components that we have to license from 3rd parties will be reduced in mid-term. This means that we’ll have better control over the product and will be able to fix bugs even faster than before.
  • Being back in known waters
    Last but not least: I’ve worked in the endpoint security part of the IT Security industry for 5 years before I joined Astaro. So, for me this merger is perfect: I’ll still continue to work in the Network branch of Sophos, but the knowledge about the other side of the company and their products will hopefully be beneficial in many ways.
  • Many new trips and challenges
    Though nothing will change immediately the additional sales personnel within Sophos and the existing Sophos channel will probably bring some boost to the things I have to do: give trainings, give Pre-Sales presentations, teach the Sophos colleagues about our products.
  • Strong presence in Germany
    I love working in a multinational company. But I also love communicating in German, as it speeds up things. And luckily, Sophos has a very large presence in Germany now + many product parts are developed here (the SafeGuard product line done by Ex-Utimaco and also our network security products). So I’ll be able to communicate with many new and old German colleagues.

So now that I predicted the Sophos thingy properly 2 weeks before at InfoSec, it’s time to have a look into my crystal ball once again and predict what products Sophos is going to buy next. If you compare the McAfee offering, including Vulnerability Management and Patch solutions and maybe what Symantec has (managed Mail filtering), some SaaS providers and something in the VM / patch management space sound like a good fit.

Qualys fits perfectly from its size into the company, Secunia might also be an option. For the SaaS part, Webroot would be a nice addition. And, just to mess with McAfee’s mind, Bit9 would be nice to have in the portfolio….

For all of you security geeks out there: what do you think about the acquisition? And, more importantly, which company do you think will / should be bought by Sophos next?