Big Hairy Questions: Strategies for Technical Due Diligence (Part 2)

In the first part of this series, we discussed the first five Big Hairy Questions that comprise a technical due diligence project. This included:

  1. What is the Intent?
  2. Who is in the Room?
  3. What are the Dependencies?
  4. What is NOT Being Said?
  5. What is the Market?

In this second, and final part we pick up where we left off.

6.      Does it Work?

This question is as obvious as it sounds.  Does the product do what the company claims it does? This is easy to answer if you can rise above the company’s messaging and posturing.

The first part of this question is to have the company’s sales engineers demo the product.  Ideally, I want to see how they explain the product, its features, and its strengths.  My focus with them is the infrastructure of the product; where it is deployed, how it is installed, what third party products does it need, etc.

When time permits, I like to install and use the product myself. I have a rich background in installing technology, so this can be fun. It can also be miserable, like the encryption product I reviewed once that bricked my laptop.

With some hands-on experience under my belt, the next step is to see what others have to say.

7.      What Do the (Real) Users Say?

During most due diligence projects, the company will set up one or more user meetings. These are useful since I can hear how the product performs in the real world. However, it is unlikely they will put unhappy customers in front of me.  As such, I need some “unfiltered” opinions.

Online user groups, like Reddit, can be useful here. While you cannot fully trust on-line sources, they can give you clues to what is bothering users. Many years ago, I was analyzing a web gateway product. I noticed numerous online users complaining about logging capabilities. When the SE’s showed me the product, I specifically had them focus on logging. They got defensive. Eventually, the product manager fessed up that their logging capabilities were weak. Had I not read all those on-line complaints, I might not have thought to dig into the product’s logging capabilities.

However, user groups almost always skew to the negative. Nevertheless, between the handpicked customers the company provides, and the rants of people on the Internet, I can assemble a picture of the product’s real-world usage.

8.      What Problem Does It Solve?

How a product is sold to customers says a lot about its potential. A smooth sales process translates to scale, while a clunky process can hinder a product’s growth. Analyzing a company’s sales processes can be highly entertaining, but it does not give much insight into the product’s technical capabilities. This is because there are plenty of technically weak products that sell well, while innovative ones languish.

However, sales can provide insight into the market for a product, if you look at why people buy it.

This begins with an understanding of the sales personas.  These are the generalized roles at a prospective customer that sales works with to close the deal. There are four sales personas:

  • Champion: person who identifies the product and promotes it within the company
  • Evaluator: person who assesses the product for use and provides a recommendation for purchase, or not
  • Influencer: person who’s opinion of the product holds weight among the other personas
  • Decision Maker is the person who makes the final decision to buy the product

While a single person may embody all these personas, that is uncommon.  Even small companies divide the decision maker from the evaluator.

Evaluators and influencers are where this why question has the most traction. These personas are typically tasked with vetting the product for use. If they see something they like, they will recommend the product. Mostly, they will want to solve a problem.

The clearer a company defines the problem their product solves, the more convinced the evaluators and influencers will become. Therefore, when I meet customers of a product, I want to talk to the person(s) who evaluated the product prior to sale.  I want to hear why they bought the product, to determine if the company solves a real problem and they communicate that effectively.

A few years ago, I was performing due diligence on a threat intelligence platform. The sales team complained of losing to competitors when they got into evaluations. I had them walk me through a typical technical deep dive with a customer doing an evaluation. The issue was obvious. They could not effectively define what problem their product resolved.

This also had an impact on product development and marketing. The company kept adding features, trying to out-innovate their competitors. Consequently, the product was a mess of features, that sounded cool, but again did not address specific business problems.

Why companies buy (or do not buy) a product can give you a ton of insight into not only sales, but the entire product development process.

9.      Where is the Data?

This is another deep-in-the-weeds issue, but it is a looking glass into a product’s maturity. Mature products handle data properly. Immature ones do not.

A few years ago, I was analyzing an attractive up-and-coming security analytics tool. I asked about data handling. The engineers fumbled around the question, ultimately trying to convince me that saving the data in flat text files to the file system was an ingenious strategy. It was not. It was a terrible way for a security product to store data. Despite looking attractive and powerful, the product had some serious technical problems under the covers. My questioning about data handling revealed these issues.

For this, I investigate how the data is stored, access controls, encryption, auditing, and distribution of data (redundancy.) I also love it when companies supply their data models. I can analyze the structure of their database(s) and see if they are well architected, or a patchwork of disparate databases.

10.      What is the Vision?

If I had to pick one thing that sets great companies apart from mediocre ones, it is vision. Vision answers the simple question “why?”  Why does this product (or company) exist? Why should I care? The clearer a company is about these questions, the better their products tend to be. However, there is nothing simple about vision.

A strong vision connects the product and company to a genuine purpose. Something that can motivate people to a higher cause. Consider Tesla’s vision, to accelerate the world’s transition to sustainable energy. This is a strong vision. Notice it does not mention cars.

Vision is like an invisible guardrail that keeps a company focused on a higher calling. It gives leaders an intangible push to look beyond the mere function of a product, to how that product can fulfill a higher purpose.  Without a strong vision, companies and their products become mediocre.

I am routinely surprised how few leaders understand the power of vision. I think it makes them uncomfortable. Perhaps its because it seems light and “touchy feely.” Yet vision is what motivates people.  As Simon Sinek reminds us, people do not buy what you do, but why you do it.

I could not tell you exactly what vision needs to be. It is different for each organization. However, I know what it is not.  Vision is not merely making money, dominating a market, or “delivering shareholder value.”  Those things are the result of a strong vision, not a vision itself.

Where I look for vision is inside everything. It should start with the leadership, particularly the C-level suite. However, vision should permeate every level of the company, from the executive office to the janitor’s office.


Reflecting on all my due diligence projects, I realize there is more to them than encryption protocols and marketing presentations.  They are complex efforts with a lot of information. In many ways, I find due diligence work similar to risk assessments. Large quantities of data, which when laid out, paint a picture. That picture may be one of ingenuity, opportunity, and prosperity…or not.  Or something in between.

I wrote this blog as a marketing tool as well as a lesson for companies who are getting a visit from a technical due diligence consultant. Ideally, the ideas I shared here will help you assess your own company and make improvements before a person like me shows up.

I will leave you with one of the more poignant moments from my due diligence work.  Many years ago, I spent months analyzing a company. In the final meeting, we were going over all the findings. After the presentation, the CEO of the acquiring company pulled me aside and asked me, “give it to me straight, what is the largest risk in this deal?”

I thought of all the technical weaknesses in the product, the poor logging, the laughable 10Gb performance, and the lack of a good cloud product.  However, those were not the biggest risk.

“There is no vision here. The leadership is…lost.”

The leaders could speak confidently of the product’s features, but not about the company’s purpose.  The leaders were connected to plenty of important people, but they could not explain why I should care about their products. The CEO of the acquiring company nodded and smiled broadly. I had confirmed what he suspected, but nobody was brave enough to say.

If you want a great product, start with the ten hairy questions, and answer them honestly. That way when the investors are sniffing around and they send in some guy like me, you will be ready.

Also, I am not washing your dishes.

Go back to read Part 1


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.