CRN Interview: John Jones, St. Bernard Software
As a provider of system utilities and security appliance products, St. Bernard Software has no shortage of competitors. But the company feels that its diverse product portfolio and limited presence in the channel gives VARs an incentive to switch loyalties. In an interview with CRN Editor in Chief Michael Vizard, St. Bernard CEO John Jones talks about the company's plans to increase sales in the SMB and previews St. Bernard's plans to evolve into a new product category: system settings management.
CRN: What market segments does St. Bernard Software serve and what role does the channel play in your strategy?
JONES: We are focused in the small and medium market with 50 to 1,000 seats. We have two types of channel partners. We have what we call selected or direct VARs. These are guys that are going to do greater than $50,000 a year with us. We give them leads, we train them, we co-market with them and we co-sell with them. And they buy directly from us so they have a very nice discount that they get. We have about 100 of those at this point and we would expect that to grow a bit as we move forward, but I don't think there will ever be more than 300 or 400 of them. The other hundreds of VARs that we sell to are guys that are going to close one, two or three deals a year. They probably are going to do in the $10,000 to $15,000 range and we fulfill those VARs through our distribution partner Tech Data.
CRN: How do you manage the conflicts between VARs in different parts of the program?
JONES: The way we manage that is by significant discipline on our discounting on a direct basis. We do not allow discounting to happen. We will never undercut the VAR from a price standpoint as we move forward. It's the customer's decision.
CRN: Are there any other ways that your products find their way to market?
JONES: We also have two groups of OEMs that we sell through. We sell almost all of the backup vendors where they have our product under their brand that they sell as an option for their backup or data protection solutions. And for Update Expert, we have the same thing. We have a brand private-label program at this point with five OEMs that will sell our patch management product in conjunction with other products that they have in their lines such as system management or configuration management products.
CRN: How much of the potential security market in the SMB space has been tapped at this point?
JONES: I think it's quite small at this point. A good example is [that] the biggest inhibitor to selling more patch management capability to customers is apathy. For Web filtering, I think that it's only like 20 percent or 25 percent of the SME market is penetrated with Web filtering.
CRN: In the channel, how do you differentiate St. Bernard Software?
JONES: Some competitors have over 800 channel partners in the United States. Clearly, they are over-distributed and as a result the channel partners are quite unhappy with them because there's not much margin left. You've got three or four guys bidding on every project and all of them are dropping their pants, of course, trying to get the business. We definitely do not want that to happen. I think today we are under-covered by probably a factor of 25 [percent] to 50 percent. So that's why I think a number of 200 direct VARs is probably a good number. Beyond that, we can compete with anybody if we maintain or are on the edge with regard to product leadership. We've had good luck in acquiring technology products and that further enhancing them to where we have product leadership in every segment we play in. And we believe"even against the big guys"that we can continue to do that.
CRN: What are the core St. Bernard Software products?
JONES: We operate in three application segments which are data security, system security and Internet abuse security. The data security market is growing at about 15 percent a year. The system security market is growing at about 40 percent a year. And the portion of the Internet abuse security market that we participate in is growing at about 70 percent a year. As part of that, we have four product lines, one of which is in the data security market and is called Open File Manager. It manages files that are in use so that backup packages can capture those files in a manner where the data is accurate and can be stored at the same point in time, leaving that open file available for users to continue to use. Our second market is the system security market and [there] the area we are focused on first is patch management. We have a product called Update Expert and this is a product that will query all the systems in your company to find out what level the various software"both operating system and applications"is at on each system. It provides then to the administrator the information with regard to what patches are available to improve the software on those systems and will automatically get those patches and deploys them.
The third area then that we deal with is Internet abuse security. In that area, we have two products. We have a web filtering and we have our antispam, antivirus product. Both of those products are appliance-based. Customers have told us and history has shown us that when you put applications into the middle of a network infrastructure, customers prefer to have that done in an appliance orientation.
CRN: What are the fastest-growing products?
JONES: Patch management, e-mail filter and Web filter are all growing at about the same rate, which is pretty close to about 100 percent year over year. Open File Manager has grown about 15 percent. In 2003, we did about 25 million and that was a 56 percent growth over 2002. We're expecting a similar growth this year. We're ahead of the market growth so we're taking share in all markets.
CRN: How much effort are you putting into getting VARs to sell more than one product?
JONES: We are pushing hard this year on a concept we call cross-selling, which is to get more of our customers to own more of our products. We have today a little over 9,000 companies that are on subscription with our products and we're going to have 13,000 by the end of this year. We now have a set of auxiliary efforts by which we are going to our channel partners to talk about buying more than one of our products. At this point we don't have an incentive to drive people to do that. But what we do believe is because we have high satisfaction rates with the products that people have brought from us, that it's a nice reference sell and therefore the sell cycle is more straightforward.
CRN: Is a VAR providing managed services around security a good opportunity going forward in the SMB space?
JONES: I think it is. In the small-to-medium business [space], I think there is a tendency for people to use that because it says, 'I don't have to administer it.' All I do is pay a monthly fee and it happens for me. The inhibitor, I believe, to the services business really is how to make money. There are some real issues doing that as the ISPs have shown us. No. 2 is that an awful lot of companies do not like to have their information-critical data and so forth leaving the company out on the Internet"even though it's encrypted, protected, and all that"going to some service organization and then coming back to them. I think this is a natural inhibitor. But I do think it will grow and I do think it will be a viable force. I don't think it will be dominant.
CRN: How much opportunity is there in patch management for VARs to create a service?
JONES: The primary reason that systems get hacked is that Microsoft tells you exactly how to do it by the patch which they say our Web site, public Web site, which is, 'Here's the hole in this particular application Row S, here's how you would exploit that hole and then this is how we're fixing that hole.' Well, for a hacker, it's pretty easy to go to a company to determine whether they have patched. If they haven't then those holes are very visible and [hacking] can be done very easily.
CRN: Why don't customers patch their systems more aggressively to eliminate the vulnerability?
JONES: Why customers wouldn't patch their systems is because quite often when they did they ended up with more system problems than they would have had otherwise. Microsoft is getting better at it, but in addition I think we bring additional value when you get there. Our product has the ability to uninstall. So if you put something out there that's not acting right, we can uninstall it. We ensure that their corequisites and prerequisites that are required are present and if we find anomalies in the performance of how that patch performs when it is installed, we note that to the user.
CRN: What comes next in the area of patch management?
JONES: We are rolling out a second product, unannounced at this point, that will do settings management so that we'll move from just a patch management system security capability to what we call then total system threat protection. If you patch your system right and you have the setting such as passwords, etc., correct on the system, then that system is very close to being invulnerable. Patch management is a part of it. Setting the management is the rest of it and we'll have that product out in the next couple of quarters.
CRN: As Microsoft gets more focused on patch management, how will this area evolve for vendors such as St. Bernard?
JONES: I think over time, standalone patch management kind of goes away. I think it becomes the purview of Microsoft. Why we are all in there doing this today is because Microsoft didn't do it and should have. They have the issues, they've got the patches. They should have made it easier, better for their customers to have been able to deploy these, to manage them. Well, they're going to do that. They've announced some initiatives where they're going to do that and they should. But customers want more than that. They would rather not patch and if Microsoft didn't create holes, [then] better yet. But those are very complicated programs Microsoft has and they're always going to have some holes. What the customers really want is their total system protected, which is well beyond the purview of just Microsoft. It includes hardware, it includes settings, it includes device drivers and so forth. That's where we're headed is to create a system protection product that does all of that for the customer.
CRN: How will you unite your products into a common set of offerings in the future?
JONES: I think we will have a policy manager that sits over the top of them but allows you from a single console to manage both of them with a similar look and feel. I think you will see that over time.
CRN: How do you handle license renewals?
JONES: Each of our products has a subscription component and that subscription component can vary from 25 percent of the original price to 70 percent, depending on the product line. We sell one-, two- and three-year subscriptions in which people get the normal technical support stuff but they also get continued access to the constantly changing databases for patch management, URL filtering and for e-mail filtering. We do that direct but we also do that through the channel where the channel partners have an opportunity to participate in that.
CRN: How much of your business is driven by VARs?
JONES: Most of the direct VARs bring leads to us and we to them. It's one of the requirements that they have to be a direct VAR. We're either co-marketing or they're marketing themselves into their customer base and out of that generating leads. I think about a quarter to a third of the business they do with us comes from the leads they generate. About two-thirds is from stuff we give them.
CRN: As the security market overall continues to grow, what should people expect to see happen on a macro level?
JONES: In some areas, the number of new vendors entering has dropped; in fact, hardly any. The consolidation within the industry is beginning. The big debate and it's been debated probably since forever, is what would a customer prefer? Would they prefer a suite of products or would they prefer best of breed point solutions? I think we've seen the history"you're going to continue to see the demand for both. The larger enterprises will go with suites under CA Unicenter, IBM Tivoli or HP OpenView. In the small-to-medium market, we see less tendency to go with suites. A lot of the small-to-medium enterprises, in our opinion, are not suite-oriented; they are best of breed-oriented. I think there will be a large market opportunity for best-of-cbreed point solution.