technical due diligence Archives - Zenaciti
https://zenaciti.com/tag/technical-due-diligence/
Zenaciti generates actionable intelligence for leaders and investors on sales, go-to-market strategy, and cybersecurity

Big Hairy Questions: Strategies for Technical Due Diligence (Part 2)
https://zenaciti.com/big-hairy-questions-2/
Thu, 02 Sep 2021 18:21:13 +0000

Ten strategies that technical due diligence analysts use to uncover your product's weaknesses. (Part 2 of 2)

The post Big Hairy Questions: Strategies for Technical Due Diligence (Part 2) appeared first on Zenaciti.

In the first part of this series, we discussed the first five Big Hairy Questions that comprise a technical due diligence project. These were:

  1. What is the Intent?
  2. Who is in the Room?
  3. Where are the Dependencies?
  4. What is NOT Being Said?
  5. What is the Market?

In this second and final part, we pick up where we left off.

6.      Does it Work?

This question is as obvious as it sounds.  Does the product do what the company claims it does? This is easy to answer if you can rise above the company’s messaging and posturing.

The first part of this question is to have the company’s sales engineers demo the product.  Ideally, I want to see how they explain the product, its features, and its strengths.  My focus with them is the infrastructure of the product: where it is deployed, how it is installed, what third-party products it needs, etc.

When time permits, I like to install and use the product myself. I have a rich background in installing technology, so this can be fun. It can also be miserable, like the encryption product I reviewed once that bricked my laptop.

With some hands-on experience under my belt, the next step is to see what others have to say.

7.      What Do the (Real) Users Say?

During most due diligence projects, the company will set up one or more user meetings. These are useful since I can hear how the product performs in the real world. However, it is unlikely they will put unhappy customers in front of me.  As such, I need some “unfiltered” opinions.

Online user groups, like Reddit, can be useful here. While you cannot fully trust online sources, they can give you clues to what is bothering users. Many years ago, I was analyzing a web gateway product. I noticed numerous online users complaining about logging capabilities. When the SEs showed me the product, I specifically had them focus on logging. They got defensive. Eventually, the product manager fessed up that their logging capabilities were weak. Had I not read all those online complaints, I might not have thought to dig into the product’s logging capabilities.

However, user groups almost always skew to the negative. Nevertheless, between the handpicked customers the company provides, and the rants of people on the Internet, I can assemble a picture of the product’s real-world usage.

8.      What Problem Does It Solve?

How a product is sold to customers says a lot about its potential. A smooth sales process translates to scale, while a clunky process can hinder a product’s growth. Analyzing a company’s sales processes can be highly entertaining, but it does not give much insight into the product’s technical capabilities. This is because there are plenty of technically weak products that sell well, while innovative ones languish.

However, sales can provide insight into the market for a product, if you look at why people buy it.

This begins with an understanding of the sales personas.  These are the generalized roles at a prospective customer that sales works with to close the deal. There are four sales personas:

  • Champion: person who identifies the product and promotes it within the company
  • Evaluator: person who assesses the product for use and provides a recommendation for purchase, or not
  • Influencer: person whose opinion of the product holds weight among the other personas
  • Decision Maker: person who makes the final decision to buy the product

While a single person may embody all these personas, that is uncommon.  Even small companies divide the decision maker from the evaluator.

Evaluators and influencers are where this why question has the most traction. These personas are typically tasked with vetting the product for use. If they see something they like, they will recommend the product. Mostly, they will want to solve a problem.

The more clearly a company defines the problem their product solves, the more convinced the evaluators and influencers will become. Therefore, when I meet customers of a product, I want to talk to the person(s) who evaluated the product prior to sale.  I want to hear why they bought the product, to determine if the company solves a real problem and communicates that effectively.

A few years ago, I was performing due diligence on a threat intelligence platform. The sales team complained of losing to competitors when they got into evaluations. I had them walk me through a typical technical deep dive with a customer doing an evaluation. The issue was obvious. They could not effectively define what problem their product resolved.

This also had an impact on product development and marketing. The company kept adding features, trying to out-innovate their competitors. Consequently, the product was a mess of features that sounded cool but, again, did not address specific business problems.

Why companies buy (or do not buy) a product can give you a ton of insight into not only sales, but the entire product development process.

9.      Where is the Data?

This is another deep-in-the-weeds issue, but it is a looking glass into a product’s maturity. Mature products handle data properly. Immature ones do not.

A few years ago, I was analyzing an attractive up-and-coming security analytics tool. I asked about data handling. The engineers fumbled around the question, ultimately trying to convince me that saving the data in flat text files to the file system was an ingenious strategy. It was not. It was a terrible way for a security product to store data. Despite looking attractive and powerful, the product had some serious technical problems under the covers. My questioning about data handling revealed these issues.

For this, I investigate how the data is stored, access controls, encryption, auditing, and distribution of data (redundancy). I also love it when companies supply their data models. I can analyze the structure of their database(s) and see if they are well architected, or a patchwork of disparate databases.

10.      What is the Vision?

If I had to pick one thing that sets great companies apart from mediocre ones, it is vision. Vision answers the simple question “why?”  Why does this product (or company) exist? Why should I care? The clearer a company is about these questions, the better their products tend to be. However, there is nothing simple about vision.

A strong vision connects the product and company to a genuine purpose. Something that can motivate people to a higher cause. Consider Tesla’s vision, to accelerate the world’s transition to sustainable energy. This is a strong vision. Notice it does not mention cars.

Vision is like an invisible guardrail that keeps a company focused on a higher calling. It gives leaders an intangible push to look beyond the mere function of a product, to how that product can fulfill a higher purpose.  Without a strong vision, companies and their products become mediocre.

I am routinely surprised how few leaders understand the power of vision. I think it makes them uncomfortable. Perhaps it’s because it seems light and “touchy feely.” Yet vision is what motivates people.  As Simon Sinek reminds us, people do not buy what you do, but why you do it.

I could not tell you exactly what vision needs to be. It is different for each organization. However, I know what it is not.  Vision is not merely making money, dominating a market, or “delivering shareholder value.”  Those things are the result of a strong vision, not a vision itself.

Where I look for vision is inside everything. It should start with the leadership, particularly the C-level suite. However, vision should permeate every level of the company, from the executive office to the janitor’s office.

Conclusion

Reflecting on all my due diligence projects, I realize there is more to them than encryption protocols and marketing presentations.  They are complex efforts with a lot of information. In many ways, I find due diligence work similar to risk assessments. Large quantities of data, which when laid out, paint a picture. That picture may be one of ingenuity, opportunity, and prosperity…or not.  Or something in between.

I wrote this blog as a marketing tool as well as a lesson for companies who are getting a visit from a technical due diligence consultant. Ideally, the ideas I shared here will help you assess your own company and make improvements before a person like me shows up.

I will leave you with one of the more poignant moments from my due diligence work.  Many years ago, I spent months analyzing a company. In the final meeting, we were going over all the findings. After the presentation, the CEO of the acquiring company pulled me aside and asked me, “give it to me straight, what is the largest risk in this deal?”

I thought of all the technical weaknesses in the product, the poor logging, the laughable 10Gb performance, and the lack of a good cloud product.  However, those were not the biggest risk.

“There is no vision here. The leadership is…lost.”

The leaders could speak confidently of the product’s features, but not about the company’s purpose.  The leaders were connected to plenty of important people, but they could not explain why I should care about their products. The CEO of the acquiring company nodded and smiled broadly. I had confirmed what he suspected, but nobody was brave enough to say.

If you want a great product, start with the ten hairy questions, and answer them honestly. That way when the investors are sniffing around and they send in some guy like me, you will be ready.

Also, I am not washing your dishes.

Go back to read Part 1

Big Hairy Questions: Strategies for Due Diligence (Part 1)
https://zenaciti.com/big-hairy-questions-1/
Thu, 02 Sep 2021 00:02:23 +0000

Ten strategies that technical due diligence analysts use to uncover your product's weaknesses. (Part 1 of 2)

The post Big Hairy Questions: Strategies for Due Diligence (Part 1) appeared first on Zenaciti.

Among all the jobs I have had, from dishwasher to CEO, my favorite one is industry analyst doing technical due diligence projects. I started doing analyst work in 2010. The projects have all been thoroughly engaging; from the one-day anti-virus product analysis to the months-long deep dive into managed services. It is fascinating to dig into a technology, market, and business.

Most of my work is for investors or acquirers.  They hire a person like me, who has a long history in security technology, and I provide analysis of the strengths and weaknesses of the technology.  Any company that has gone through an acquisition or funding round has had to deal with technical due diligence and a person like me.

Ideally, the analyst has a strategy. In a recent meeting, an investor asked me to describe my process for technical due diligence. In my response, I detailed ten “Big Hairy Questions” that form a framework for my analysis.  These questions are not the only ones I ask.  Rather, they are a structure to analyze the people, processes, products, and potential of a company.

With that in mind, let’s take a look at the Ten Big Hairy Questions for technical due diligence.

1.      What is the Intent?

Way back in the 1980s, I was an art critic for my university newspaper. It was a fun gig.  I met a zany assortment of creative characters.  I wrote about all sorts of artwork from a room filled with feathers to surrealist nightmares from Chicano artists.

My technique was to assess how successfully an artist met their own intentions. First, I would ask the artist what they intended to accomplish.  This usually prompted long, flowery, and impassioned explanations of their work. Then I would ponder what they said and ask myself a simple question: how well did the artist accomplish what they set out to do?

Incidentally, the feathers got a thumbs down. However, the Chicano artist got a big thumbs up. He was David Tineo, whose work is internationally known.

This technique works for art as well as for companies and their products. However, with art you can ask the artist directly about their intentions.  With products you must ascertain intent from what the leaders say and the marketing messages. Websites, marketing slicks, tradeshow booths, white papers, and other marketing content are all the artwork of a company.

Apple is an example of a company that does exceptionally well at messaging its intentions. They want to make technology easier so more people buy their laptops and phones. Their marketing is all about inclusivity and broad adoption of their technology.

Conversely, companies with weak products (and teams) generate cluttered, messy, and ridiculous messaging. This often takes the form of grandiose claims of superiority, trite euphemisms, banal platitudes, and my personal favorite, idiotic sports or war metaphors: “Our Dynamic, Results-Driven, HyperDonker Delivers 91% More Extreme Thought Leadership to Get your DevOrcs Over the Goalposts and win the War Against Codemas!”  

Marketing messaging may only be a small component of a company and its products, but it speaks volumes to what they intend to do. I see this as the opening act in this play of unpacking a company’s vision.

This leads to the next big question.

2.      Who is in the Room?

Technical analysis is not all about banal platitudes and source code. Technology is the product of humans.  Who a company brings to the table during a due diligence project says a lot about the company’s maturity.  I expect to see executives, product managers, engineers, developers, salespeople, and sometimes support staff.  However, there are two people who get the lion’s share of my attention: the CEO and the sales engineers.

The CEO is obvious as he/she sets the tone for the whole company. When I talk to a CEO, I pay attention to what he/she focuses on: vision or pedigree.  Both have value, but in this context, vision is what really matters.

Vision is the why of a product and company. Why does this company exist? What problems does it solve? What is the company’s higher calling? I will discuss the criticality of vision later in this article.

Pedigree is who the CEO knows, where he/she worked in the past, and his/her connections to people in power. Pedigree may be helpful in building the company, but it has no impact on the quality of the product(s). A skilled CEO should know this. When they meet an analyst like me, they should be talking about vision and not all the big shots they know at the country club.

Incidentally, some companies have a CTO, or “Chief Evangelist,” serve as the keeper of the company vision, while the CEO is more of a glad-hander to investors. This is a sign of maturity. In these situations, I shift my focus to the CTO.

Sales Engineers (SE) are where a company’s vision hits the pavement.  Smart, enthusiastic, passionate SEs do not work for companies with lame products.  SEs love to talk about customers, especially the annoying ones.  A talkative SE can reveal everything wrong (or right) with a product in a few short minutes.  Just get them telling stories about customer meetings that went south, and they will reveal all the dirty laundry.

Other key people who need to be in the room include marketing leaders, product managers, and technical architects.  Finance people are a ‘nice to have’ as well. They tend to be matter of fact people, who can provide insights on the sales process.

3.      Where are the Dependencies?

This is down in the technical weeds, but it can be the Achilles Heel of a company and its products.

The use of third-party technologies in security solutions is ubiquitous.  Done properly, it can dramatically strengthen a product, company, and its value. In the complex, interconnected, inter-dependent world of security, using proven third-party technologies is a good thing. Another way to think of it is “stay in your lane.” For example, if a company is building a new encryption product, they should not also be building log collection software. There are plenty of third-party products, like Splunk or Elastic, that can do that way better than anything they can build.

Unfortunately, companies often mess up their third-party dependencies. They will use a third-party technology in their product but fail to build a strong partnership with the third-party provider.  This creates a lot of risk.  The value of the product (and the company) can be quickly erased if those third parties pull their support or licensing agreements.  This problem applies to open-source technologies as well, but in different ways.

As such, when I analyze a company’s use of third-party technology, I focus less on the actual usage and more on how strong the relationship seems.  Moreover, I will look at how easily they can swap out the third-party tech.  Relationships, even well managed ones, can sour for all sorts of reasons.

4.      What is NOT Being Said?

During an M&A transaction, emotions and tension are high. Executives get into pitching mode where they say only what they think the investor needs to hear. At some point, what they are saying becomes less important than what they are NOT saying.

Due diligence is about uncovering both the strengths and weaknesses of a product or company. This is not to derail the deal but rather to inform the investors about the risk of the transaction. A company’s products may be fantastic, but there are organizational or structural weaknesses that threaten the ability of the company long term. If an investor is putting money into a company, they have a right to know those weaknesses.

If you want to know what is wrong with a company’s products, ask the people who build, sell, and support them. That may seem like a “duh” thing to say, but it works astonishingly well.  Most people, especially engineers, are honest and forthright. If you show curiosity, the information flood gates will swing wide, and you will learn every problem in the company, from the lack of good coffee to the plain-text passwords stored in Access databases on a public file share.

Or they will cross their arms and turn to stone.

Companies, particularly immature ones, will “harden” their staff prior to due diligence. That is, they instruct them on specific topics or issues to avoid or dismiss. The irony of hardening is that it rarely works.

Hardening creates cognitive dissonance in people. It is our nature as humans to share. Most people will give off clues when they are not saying something. They may talk around an issue or use body language to indicate they do not really believe what they are saying.

I once worked with an engineer who would roll his eyes every time somebody said their product worked at 10Gb.  His body language was clear as day: the product could not handle 10Gb. When I put this concern in my report, the company reluctantly admitted this was a serious issue.

Americans are particularly transparent in this regard as we are culturally predisposed to babbling about whatever annoys us. Other cultures are better at hiding their true feelings.

Some tips on hearing what is not being said:

  • Make people feel safe. Downplay the gravity of the situation. Make them laugh.
  • Meet with people alone. People are more honest in a 1:1 setting.
  • Watch their body language. People get uncomfortable, fidgety, and nervous when they are not telling you the full story.
  • Refocus them and ask them to complain about an unrelated issue, then lead them back to the product.

Not all of these techniques work all the time, but they can open doors. Again, the intent is to determine what people are not saying and put that in context to what they are saying. This provides a more complete (and honest) picture of a company and their products.

5.      What is the Market?

Products do not exist in a vacuum. They must meet market demand.  Markets are fickle, as are the people who define them. You can spend a lot of time dithering over and debating a market, its size, and how hot it is, was, or might be.

Consequently, I like to keep my market analysis simple. I assess four elements:

  • Existence: Does the market even exist? A new innovative technology can define a whole new market…or not. CrowdStrike comes to mind here. They redefined the endpoint security market, ultimately charging ahead to be worth billions. However, for every CrowdStrike, there are hundreds of great ideas struggling to define themselves as well as a market. This is where the Gartners and IDCs of the world can step in and help validate the existence of a market.
  • Clarity: Merely existing does not mean a market is well defined. A market must have a clear set of success metrics and qualities. A recent example of a poorly defined market is homomorphic encryption. This is a brilliant technology, but there are few players and even less clarity as to what constitutes a successful product in this space. Market definition emerges out of a collection of products, but it may also come from analysts, journalists, and other external sources.
  • Size: This is more often called the total addressable market (TAM). TAM is how many companies would want to buy the product. TAM is always an aspirational number. Average price of a product and the heat around it can also dramatically alter TAM. A company should know their TAM and have some data to back up their estimates.
  • Heat: This refers to the buzz around the product space. A few Google and LinkedIn searches can validate the general heat of a market. Hot market spaces can command premium prices and rapid growth. In 2021, when I wrote this, container security was super-hot. If you do a search on container security in 2021, the vast number of articles, products, and marketing fluff out there is evidence of a lot of heat.

Continue to Part 2
