RSA Security – Four Distinct Businesses & their Positioning & Performance

How has RSA Security evolved over the years? Clearly, the company has had multiple owners and arguably different operating structures. In June 2022 it stated, “While identity has always been central to RSA’s mission, the company has also been involved in adjacent cyber modalities. No longer. Going forward, those organisations focused on integrated risk management, threat detection and response and omnichannel fraud prevention will grow as independent companies with their own brands.” I thought that was noteworthy, perhaps not wholly surprising. What do you think is most important about RSA?

RSA announced a sale of the RSA Conference business in March 2022. Originally, EMC bought RSA in 2006, then about 10 years later Dell bought EMC along with RSA, as you indicated. All the while, it seems RSA has been dealing with ownership, organisational and structural challenges. The company has also been trying to run its businesses so they’re successful, either independently or together. It seems a lot of what the potential and possibilities consisted of weren’t really executed upon. Why do you think that was? You mentioned conflicts within Dell, because Dell had some of its own cybersecurity solutions and there was some confusion around how to go to market and compete with a business or product set owned by the parent company. Could you discuss some of the missed opportunities? Do you think RSA, with the simplified ownership structure, could deliver on its past promises?

You highlighted that legacy RSA consisted of five businesses. It sounds like some of those focused on cybersecurity and there wasn’t as much integration and cross-selling as expected. The RSA Conference business has been divested. RSA will focus on identity and access management and its businesses – SecurID and Archer, which is a GRC [governance, risk and compliance] offering. It also has NetWitness, which is threat detection and response and SIEM [security information and event management] business. Then it has Outseer, which is omnichannel fraud prevention. What are the revenue contributions of those businesses to legacy RSA?

If we assume the structure of the RSA business and constituent operating businesses doesn’t change in three years, where would those businesses be?

I’ve seen indications of a major pandemic-related pull-forward in sales and revenues. I think RSA’s revenues fell by around 17% in FY22, so obviously the company will try to recover from past issues. Regarding separating the businesses, I think many people wonder if any material or even notable cross-selling was taking place. All the businesses have elements of cybersecurity and cyber safety, but there doesn’t seem to have been much integration, collaboration or cross-selling. I imagine that separating out these operations means RSA would benefit less from that, but perhaps not much was happening anyway. Is that correct?

You highlighted the lack of product R&D, which I think is super important. You called out the new RSA business in identity and access management. What do you think about ID Plus, the newly announced cloud-based identity security offering? It’s probably designed to make new RSA more of a hybrid solution, enabling it to compete with many companies in this category such as Okta, Ping and ForgeRock. Do you think it’s too little too late for ID Plus, or might new RSA still have a pretty significant user and revenue base and could gain some market share as a result of the cloud solution ID Plus?

For the identity and access management business, it sounds like a status quo, so clients will continue to use it and remain on-prem. I imagine there are differing views on whether the current macro backdrop will cause companies to pause or accelerate their transition to the cloud and digital transformation efforts. When existing legacy customers do transition to the cloud, what do you think are the chances they go with ID Plus vs Okta or many of the other solutions?

Who are the top competitors for the new RSA business? We mentioned a couple of companies and I imagine it starts with Okta.

You mentioned the Archer GRC software business has been doing relatively well and noted the competition with ServiceNow, which is obviously a giant and has been moving into many areas. How do you assess Archer’s positioning and performance? You touched on your growth expectations, but what are some competitive issues, especially with ServiceNow?

Is anyone else in the GRC software category potentially taking market share alongside ServiceNow, or is it just ServiceNow with its install base, SaaS solution and perhaps its appealing pricing constructs?

NetWitness is a lot easier to think about as just a SIEM. You mentioned Splunk but there are others in this category. You highlighted that NetWitness, of the four companies we’ve discussed, seems to have experienced the most operational and performance challenges. Could this business be separated, perhaps to garner some more investment with a different owner? Alternatively, do you think it’s too little too late? How do you assess the technology and the prospects if it received a lot of new investment and new leadership perhaps focused on product development and sales?

How do you see the Outseer business positioned in its competitive landscape? You referenced it being somewhat unique with a unique solution set. Multiple companies do similar things, such as Riskified, Signifyd and Sift. Kount is more focused on the e-commerce side and is a business owned by Equifax.

What do you see happening around ownership for RSA’s businesses, excepting the identity business? You mentioned NetWitness and its future, or lack thereof. PE bought legacy RSA almost two years ago, which many found surprising. You noted there’s been a lot of investment, arguably even pre-acquisition, in separating out the businesses and architecting them separately, but it’s been two years. Outseer might be the most appealing business, particularly from an acquisition perspective, given its market, positioning, unique technology and leadership. What might happen with Outseer?

Riskified went public in 2021 and was growing revenues 30-35% in 2020 and 2021. The company’s 2022 growth expectation is around 10% and will bounce back to 20-30%, so your expectations for Outseer aren’t that different than those for Riskified. Do you see any strategic acquirers being interested? There has been some consolidation in this category and obviously going public means there’s market demand for this kind of solution from an investor perspective.

You’ve mentioned scale a couple of times and I think Riskified’s revenue base is almost double what you touched on earlier. What about NetWitness? That seems to have a lot of challenges. There’s been a lot of consolidation in and around cybersecurity proper and I would put SIEM in that area. Could a bigger player such as Palo Alto Networks – which I don’t think has a really built-out, dedicated SIEM offering – take NetWitness over and input its own investment and people to try to turn it around?

Excepting the challenge that ServiceNow poses, there are things to like about the Archer business. What do you see as its ownership future? It’s in an area to which I think a lot of people are paying attention more recently.

How do you assess the management and culture of legacy RSA? The PE sponsor acquisition seems to have led to a lot of leadership changes. Rohit Ghai has remained CEO, but we’ve seen a new CFO, chief product officer, chief business officer and chief marketing officer. What do you think of the leadership team? You mentioned employee retainment, which is a real challenge for a lot of companies. Is that a continuing problem for RSA the company?

What is your 1-3-year outlook for RSA the company? What is the company’s biggest opportunity and risk?

It seems we’ve been waiting some time for all the RSA businesses to be spun off, divested or sold. Does it seem like that to the employees, so are people waiting for something to happen? When might that occur – in 2022, 2023 or might it take a while, given the things that need to be addressed?