Cisco's security strategy is confusing
It's not clear what their brand and focus are
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
After writing about how many cybersecurity companies will fail (and potentially succeed), recently, I’ve done a deep dive into companies where cybersecurity is not the core business but a big part of it. For example, I explored Microsoft’s large cybersecurity business. Check out the Substack articles if you’re curious.
This week, I’ve decided to look closely at another large company’s security business, Cisco. Honestly, the offerings seem confusing to me. Why would I choose the Cisco security platform? Is there a core top-of-the-line product that makes the platform worth it? It just seems like random products Most of them are the result of acquisitions, but they don’t seem to have any broader cybersecurity strategy. For example, Palo Alto Networks’s acquisitions are meant to bolster its cloud security platform. However, it’s unclear what Cisco’s strategy is. Maybe, I’m missing something here.
What is Cisco?
Cisco needs no introduction. It started as a networking company focused on selling routers and software to support multiple network protocols. Then, it became a dominant player in the networking business and expanded into telecommunications. It also has a large security business, and the main highlights are from acquisitions:
Vulnerability management - Kenna Security
SIEM - Splunk
Cloud security - Lightspin
Identity Management - Duo Security
CASB - Cloudlock
With that said, it seems to do little to no organic innovation.
Cisco lacks a security story
Like I alluded above, it’s not clear how all these acquisitions are related to each. All the major security businesses with a platform play seem to have a strong anchor product:
Crowdstrike with its endpoint product
Palo Alto Networks with its Prisma Cloud product, which was started by its acquisition of Evident.io and Redlock
Cloudflare with its WAF and SWG
Microsoft with its endpoint and AD as well as Azure security features
The list goes on, but all these companies have a market-leading product as a core part of their platform. Cisco doesn’t seem to have this. It’s not clear to me that they’ve tried.
They haven’t even managed to add security features to their core strength: networking and telecommunications. Microsoft took advantage of Azure and Office 365 to sell additional security features. At the very least, Microsoft made it hard for other players to build products that it could address with features.
My main question is what kind of security solutions Cisco offers and what differentiates it.
Who is the typical Cisco customer?
Before, we answer that question. It’s important to understand Cisco’s core customer base.
It seems that their typical buyer is either IT and/or someone focused on traditional IT networking. In addition to its datacenter networking products, Cisco has Meraki for office networking as well as telecommunications. It seems like there are two personas here, which might exist at the same company. First, there are the companies with datacenters, and the buyers of Cisco are the IT and infrastructure teams tasked with managing these datacenters. Second, there is the IT team that has to manage physical spaces, i.e. offices. So, what are the security needs of these personas?
That’s the hard question that Cisco needs to figure out, and it’s likely why they are struggling to have a cohesive security story. Much of the security responsibilities of their typical customers have shifted to dedicated security teams who now focus and prioritize engineering initiatives over IT initiatives, especially since many of these companies have a DevOps function. For example, infrastructure access and most parts of identity have moved to DevOps and security teams. Cisco buyers/advocates are likely left with physical security and wireless security, which have become less impactful with the advent of remote work and zero-trust networking.
Cisco has yet to reinvent itself for modern security
There are two main ways that a company can reinvent itself, and I alluded to them above. First, it’s through acquisitions. They can acquire companies that bolster their current product line or create a new product line. Palo Alto Networks acquired RedLock and Evident.io along with Twistlock and Demisto to start their cloud security business. However, the important part is that these acquisitions have to fit the GTM of the current business lines.
Second, it’s through a reinvention of its current business line. Microsoft did this when it started the work in the cloud and then focused on security features related to Windows computers with Intune, Active Directory, and Defender. This also allows it capitalize on its current customer base without the need to do integration or create a new business line.
Cisco has yet to do either.
They also haven’t acquired an innovative market leader. They tried with Duo Security, but that has yet to lead to anything. Although a slightly different use case, Okta still dominates the market on corporate identity. Cisco has tried to move into application development with the AppDynamics acquisition, but that was likely too far from its original customer base, which is primarily IT and networking people rather than developers. Maybe, Splunk is its attempt at doing something more innovative, but it feels like an outdated product, especially given advances in the modern data stack. Honestly, Meraki seemed like the most promising acquisition, and it seems to have traction with much of its traditional customer base. However, Cisco hasn’t done much with that platform.
In terms of its existing core products, I believe the main issue here is that Cisco has slowly been losing market share across its products. It might have market-leading products, but it doesn’t have a market-dominant product like Office or Windows where it’s easy to add security features to increase the barrier for value creation by other companies.
What should Cisco do now?
I believe they need to make an aggressive acquisition of a modern, innovative player. It might shock the market and affect their perception of Wall Street, but it is a necessary long-term bet. However, it might be difficult for them to do so given they spent $28B on Splunk. In my opinion, Splunk was the wrong acquisition. I do believe it was Cisco’s attempt to get into cloud security, but it’s no longer a cutting-edge product that can transform Cisco. It’s mostly trying to increase its revenue and earnings. It feels tactical, not strategic.
The main problem is that Cisco is not in the conversation around security in modern architecture. This is a fast-growing market as companies migrate toward the cloud and agile development frameworks. Cisco doesn’t have any product that can compete in this space. That’s why buying Splunk was strange. It’s not a modern architecture, so this means that Cisco is out of touch or believes it’s too risky to move the company’s strategy in that direction. Given the size of acquisitions it’s capable of doing, Cisco has a few options.
Cisco could potentially buy Okta to bolster its position in the identity space, but it’s complicated because Okta also has Auth0, which is more developer-focused. Similarly, the question is what to do with Duo. It can likely merge the functionality. Another option is to buy Zscaler to focus more on the networking and corporate security side. They have similar customers.
However, I believe that its customer base wants tools that make them stay relevant, especially in an evolving technological environment. For example, as mentioned above, much of their responsibilities have shifted to more engineering-focused teams. These customers need tools to remain relevant and to demonstrate value. If Cisco doesn’t want to make any large bets, they can add some security functionality to their more popular products so that those customers can seem like “heroes” and contribute to security improvements. One product is likely Meraki, which feels like a modern approach to office networking. Another is to do more with Duo, which has good traction and feels like a modern security product. The product expansion there is a bit unclear because it would need to compete with Okta around corporate identity, but it has a good customer base.
Takeaway
With its current offerings, it’s hard to consider Cisco a modern security company. It has failed to make the proper acquisitions or product changes to make it part of the conversation. Therefore, it’s unclear what their goals are for the security business. For example, what is the goal of the Splunk acquisition? Is it to slowly continue to grow both revenue and earnings with minimal risk? It seems like Cisco isn’t looking to transform itself or enter a high-growth market. This strategy is confusing because security is a fast-changing market, and Cisco will continuously be fighting an uphill battle. Maybe, it doesn’t quite realize that yet, but once they do, it’ll be a rude awakening.