Cisco's Cybersecurity Shopping Spree (Part 2)

What the Alaska Purchase and Seward's Folly can teach us about the strategy and upside for Cisco's acquisition of Splunk.
Cisco's Cybersecurity Shopping Spree (Part 2)

Note: This article is Part 2 of a brief series on Cisco's cybersecurity strategy. You can read Part 1 here. It's not required reading for this article.


People thought the best land purchase of all time was the worst land purchase of all time for more than 20 years.

The United States, led by Secretary of State William Seward, bought Alaska from Russia for $7.2 million in 1867. Adjusted for inflation, the acquisition price was about $725 million in today's dollars. That's a steal. Nobody cared in 1867.

Both the media and the public mocked the acquisition. The New York Herald called Alaska a "sucked orange," meaning Russia had sucked the value from the land and sold the U.S. a frozen wasteland. The deal was nicknamed "Seward's Folly," a personal criticism against William Seward for leading what everyone thought was a foolish purchase.

William Seward passed away in 1872. Seward's Folly followed him to the grave. He never knew about the gold discovered at Juneau in 1880. He never knew about the oil discovered at Prudhoe Bay in 1968. He certainly didn't know his now legendary foresight was vindicated by economic benefits of a trillion dollars and counting.

What can the Alaska Purchase teach us about the strategy and upside for Cisco's acquisition of Splunk? A lot more than you'd think.

Let me tell you how Russia sold a literal gold mine

Motives for selling: fur trading and SIEM are unprofitable businesses

Russia wanted to get rid of Alaska because the land was a pain to maintain and defend from the expanding British Empire. They were also broke and needed the money.

The fur trade was paying the bills. It was an okay business, but it cost them tons of money and military resources to operate. Alaska seemed like a giant, frozen, bottomless drain of cash.

The near-term pain of making their Alaska problem go away motivated Russia to sell. The deal with the United States checked too many strategic boxes to refuse. Decent cash infusion? Check. Stop fending off the British Empire? Check. Sell off a marginally profitable fur business? Check.

Is this story starting to sound familiar? It should.

Back in 2016, SIEM looked like a good market for Splunk. Here's the Gartner Magic Quadrant for SIEM from 2016:

Gartner Magic Quadrant for SIEM (2016)

Splunk's position in the "Leaders" quadrant was a cozy spot on the couch in front of the fireplace at a mansion in Vail. Splunk and LogRhythm were the up-and-comers, just out there chilling in the house enterprise tech players built. IBM, HPE, and Intel owned the mansion, but there was plenty of room for everyone.

Then, things got crowded. Microsoft entered the picture. Seven other startups raised $2.4 billion in capital.² Splunk and LogRhythm weren't the only up-and-comers anymore.

The three most recent Gartner Magic Quadrants for SIEM look a whole lot different than 2016:

Gartner Magic Quadrants for SIEM (2020-2022)

Competition arrived, and the SIEM market became a pain to maintain and defend. Financially, the Splunk of the 2020s was a wildly unprofitable business. This chart compares Splunk's revenue and profitability (net income) over its entire time as a public company:

Splunk revenue and net income comparison.
Source: Seeking Alpha

It tells you everything you need to know. Splunk has never (yep, never) had a profitable quarter. In January 2022, they spent $4 billion to earn $2.67 billion. Put differently, they had to spend $1.50 to earn $1. You don't need an MBA to know that spells trouble, capital T.

Cisco kicked off the beginning of the end with a failed $20 billion plus acquisition offer in February 2022.

Private equity entered the room shortly after. Silver Lake invested $1 billion in June 2022, "...eager to work with [Splunk CEO Doug Merritt] and his team to support Splunk’s next phase of growth."

Doug Merritt resigned five months later.

Pile on even more competition and the makings of a paradigm shift from SIEM towards security data lakes, and Splunk's situation starts looking a lot like the frozen wasteland of Alaska in 1867.

Could Splunk have waited things out and kept competing? Sure. This wasn't a fire sale. But, like Russia³ and Alaska, the deal with Cisco checked too many strategic boxes to refuse. Decent return for shareholders? Check. Stop fending off well-capitalized competitors? Check. Sell off a marginally profitable SIEM business? Check.

Alleviating near-term pain often motivates action more than the drudgery of waiting things out for long-term benefits that may never come. This is true in territorial expansion, in cybersecurity, and in your own life.

Russia was happy to sell 665,384 frozen square miles of land and an unprofitable fur trading business for $7.2 million. Splunk was happy to sell $4.1 billion of ARR and an unprofitable SIEM business for $28 billion. They both just needed to make the pain go away.

Next, let me tell you how a directionally correct strategy and an insatiable hunger for expansion led the United States to make the purchase.

Motives for buying: American expansionism and predictable revenue growth

The United States didn't know it was buying a literal gold mine, either. William Seward had a directionally correct hunch about resources (hand-wavey gesture... somewhere). More importantly, he had an obsession with the idea of American expansionism.

By 1867, the United States was already a prolific dealmaker. The Alaska Purchase was the country's seventh major territorial expansion. Back then, America valued expansionism like many of today's investors value growth — more is always better.

If you look at expansionism as the main strategic driver, the Alaska Purchase had very little downside risk for the United States. More land, same continent, decent price, and maybe some resources other than fur. A true "All Weather" strategy. Ray Dalio sure would be proud.

The acquisition of Splunk by Cisco and CEO Chuck Robbins is a similar story. The news was initially met with shock about the price tag, questions about Cisco's ability to execute, and mixed reviews about its potential.

Cisco has been widely criticized for years about low growth and declining innovation. The accusation of "The destructive and illogical ideology that...a company should be run to 'maximize shareholder value' continues to cripple the United States..." is an uppercut to the jaw of Cisco's leadership team.

Splunk was a solid acquisition for Cisco based on financial metrics alone. The $28 billion acquisition price was a relatively pedestrian 7x multiple on Splunk's projected revenue. Buy-side investment bankers everywhere smiled with joy.

Leaders from both companies projected the deal to be cash-flow positive in the first year. They wasted no time making good on that promise. Splunk laid off 7% of its workforce a month after the acquisition was announced.

Most importantly for Cisco, Splunk adds $4 billion of smooth, buttery, and predictable ARR to its security business. When you're a 38-year-old company with $57 billion of revenue, boring ol' predictable growth is a central part of your strategy. Nobody is calling this "Robbins' Folly."

But wait. Predictable revenue growth surely isn't what the life of a big company is all about, right?

Here's how new technology can turn an average investment into an iconic one.

Sometimes, you get lucky: gold, oil, and artificial intelligence

The potential upside of a deal isn't always obvious right away. This story has repeated itself throughout the history of tech.

Microsoft and Forethought had no clue its Project Odyssey would turn into Excel, the app that never dies.

Google and YouTube had no clue that traditional media was on the brink of The Great Unbundling.

Sequoia and WhatsApp had no clue the app was going to become the de facto SMS protocol for billions of international users.

Likewise, Russia and the United States had no clue about the gold and oil buried beneath the frozen tundra in Alaska.

So the important question is: what changed?

Technology.

Technologies for finding and extracting gold and oil were basically non-existent when the Alaska Purchase happened. Russia didn't know they were selling a gold mine because they couldn't find it. Simple as that.

The discovery of oil at Prudhoe Bay happened because of major advancements in tech. It took 100 years and a slew of breakthroughs in geological surveying, seismic testing, exploratory drilling to finally discover one of the largest oil fields in North America. On top of all that, it took an 800-mile pipeline to actually use it.

You can rag on Russia all you want for selling a gold mine. The reality is there's no way they could have found it in 1867. The technology just wasn't there yet.

Splunk could be the Alaska Purchase of tech acquisitions. Why?

Artificial intelligence. Specifically, how artificial intelligence gets applied to the security problems we've been struggling with for a long time.

Security Operations makes up a giant subset of the problems. It's one of cybersecurity's largest estates. The company that develops the best AI and ends problems like alert fatigue, SOC analyst burnout, long MTTD/MTTR cycles, and (just maybe) the holy grail of reducing breaches is going to get paid.

Palo Alto Networks and others are working towards this audacious future. But Cisco's acquisition of Splunk might be the savviest strategic move yet.

When you’re building AI models, one of the only factors that matters is how much high-quality data you can run through the algorithm to train it. Training AI to solve security problems for you is a whole different ballgame than building products and storing security logs for customers to analyze themselves.

In the context of AI, Splunk is uniquely valuable. They have access to more operational security data than just about anybody, with 790 enterprise customers paying over $1 million in annual subscription fees.⁴ Customers add petabytes of data to Splunk every year. The total amount of data stored on their platform is probably into the exabytes. Let's just bluntly summarize by saying Splunk has a $%&#-load of data.

AI completely reframes Splunk’s unprofitable business model because its upside is so high. Charging a pile of money to store SIEM data was expensive for customers and unprofitable for Splunk. Taking a loss on the cost of storage and using the data to train AI models looks like a bargain for Cisco.

Buying access to exabytes of security data is like discovering oil at Prudhoe Bay. If Cisco's hunch about Splunk’s value to AI is right, it completely validates the purchase and changes the trajectory of the company forever.

Like William Seward and the Alaska Purchase, we may not know the real outcome of Cisco and Splunk for many years. Part of Cisco’s strategy is being able to wait long enough to find out. Sometimes, you get lucky.


Footnotes

¹Technically, Russia sold a gold mine and an oil field, but this is a metaphor!

²According to Crunchbase data. This stat only includes startups listed on Gartner's Magic Quadrant. Total investments in SIEM companies who didn't make the quadrant raises the amount even higher.

³Saying this out loud so there is no ambiguity: I categorically condemn the current Russian administration's attacks on Ukraine and its behavior towards the rest of the world. Using the Alaska Purchase and the Russia of 1867 as a metaphor for this story is not meant to make or imply a connection or parallel between Splunk and Russia today.

⁴As of its Q4 2023 earnings report.

Mergers and Acquisitions
You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Strategy of Security.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.