Big Hairy Questions: Strategies for Due Diligence (Part 1)
Among all the jobs I have had, from dishwasher to CEO, my favorite one is industry analyst doing technical due diligence projects. I started doing analyst work in 2010. The projects have all been thoroughly engaging, from the one-day anti-virus product analysis to the months-long deep dive into managed services. It is fascinating to dig into a technology, market, and business.
Most of my work is for investors or acquirers. They hire a person like me, who has a long history in security technology, and I provide analysis of the strengths and weaknesses of the technology. Any company that has gone through an acquisition or funding round has had to deal with technical due diligence and a person like me.
Ideally, the analyst has a strategy. In a recent meeting, an investor asked me to describe my process for technical due diligence. In my response, I detailed ten “Big Hairy Questions” that form a framework for my analysis. These questions are not the only ones I ask. Rather, they are a structure to analyze the people, processes, products, and potential of a company.
With that in mind, let’s take a look at the Ten Big Hairy Questions for technical due diligence.
1. What is the Intent?
Way back in the 1980s, I was an art critic for my university newspaper. It was a super fun beat. I got to meet a diverse assortment of crazy, creative, and complex characters. I wrote about all sorts of art ranging from a room filled with feathers to surrealist nightmares from Chicano artists.
My technique was to assess how successfully an artist met their own intentions. First, I would ask the artist what they intended to accomplish. This usually prompted long, flowery, and impassioned explanations of their work. Then I would ponder what they said and ask myself a simple question: how well did the artist accomplish what they set out to do?
Incidentally, the feathers got a thumbs down. However, the Chicano artist got a big thumbs up. He was David Tineo, whose work is internationally known.
This technique works for art as well as for companies and their products. However, with art you can ask the artist directly about their intentions. With products you must ascertain intent from what the leaders say and the marketing messages. Websites, marketing slicks, tradeshow booths, white papers, and other marketing content are all the artwork of a company.
Apple is an example of a company that does exceptionally well at messaging its intentions. They want to make technology easier so more people buy their laptops and phones. Their marketing is all about inclusivity and broad adoption of their technology.
Conversely, companies with weak products (and teams) generate cluttered, messy, and ridiculous messaging. This often takes the form of grandiose claims of superiority, trite euphemisms, banal platitudes, and my personal favorite, idiotic sports or war metaphors: “Our Dynamic, Results-Driven, HyperDonker Delivers 91% More Extreme Thought Leadership to Get your DevOrcs Over the Goalposts and win the War Against Codemas!”
Marketing messaging may only be a small component of a company and its products, but it speaks volumes to what they intend to do. I see this as the opening act in this play of unpacking a company’s vision.
This leads to the next big question.
2. Who is in the Room?
Technical analysis is not all about banal platitudes and source code. Technology is the product of humans. Who a company brings to the table during a due diligence project says a lot about the company’s maturity. I expect to see executives, product managers, engineers, developers, salespeople, and sometimes support staff. However, there are two people who get the lion’s share of my attention: the CEO and the sales engineers.
The CEO is obvious as he/she sets the tone for the whole company. When I talk to a CEO, I pay attention to what he/she focuses on: vision or pedigree. Both have value, but in this context, vision is what really matters.
Vision is the why of a product and company. Why does this company exist? What problems does it solve? What is the company’s higher calling? I will discuss the criticality of vision later in this article.
Pedigree is who the CEO knows, where he/she worked in the past, and his/her connections to people in power. Pedigree may be helpful in building the company, but it has no impact on the quality of the product(s). A skilled CEO should know this. When they meet an analyst like me, they should be talking about vision and not all the big shots they know at the country club.
Incidentally, some companies have a CTO, or “Chief Evangelist,” serve as the keeper of the company vision, while the CEO is more of a glad-hander to investors. This is a sign of maturity. In these situations, I shift my focus to the CTO.
Sales Engineers (SE) are where a company’s vision hits the pavement. Smart, enthusiastic, passionate SEs do not work for companies with lame products. SEs love to talk about customers, especially the annoying ones. A talkative SE can reveal everything wrong (or right) with a product in a few short minutes. Just get them telling stories about customer meetings that went south, and they will reveal all the dirty laundry.
Other key people who need to be in the room include marketing leaders, product managers, and technical architects. Finance people are a ‘nice to have’ as well. They tend to be matter-of-fact people who can provide insights on the sales process.
3. Where are the Dependencies?
This is down in the technical weeds, but it can be the Achilles Heel of a company and its products.
The use of third-party technologies in security solutions is ubiquitous. Done properly, it can dramatically strengthen a product, company, and its value. In the complex, interconnected, inter-dependent world of security, using proven third-party technologies is a good thing. Another way to think of it is “stay in your lane.” For example, if a company is building a new encryption product, they should not also be building log collection software. There are plenty of third-party products, like Splunk or Elastic, that can do that way better than anything they can build.
Unfortunately, companies often mess up their third-party dependencies. They will use a third-party technology in their product but fail to build a strong partnership with the third-party provider. This creates a lot of risk. The value of the product (and the company) can be quickly erased if those third parties pull their support or licensing agreements. This problem applies to open-source technologies as well, but in different ways.
As such, when I analyze a company’s use of third-party technology, I focus less on the actual usage and more on how strong the relationship seems. Moreover, I will look at how easily they can swap out the third-party tech. Relationships, even well managed ones, can sour for all sorts of reasons.
4. What is NOT Being Said?
During an M&A transaction, emotions and tension are high. Executives get into pitching mode where they say only what they think the investor needs to hear. At some point, what they are saying becomes less important than what they are NOT saying.
Due diligence is about uncovering both the strengths and weaknesses of a product or company. This is not to derail the deal but rather to inform the investors about the risk of the transaction. A company’s products may be fantastic, but there are organizational or structural weaknesses that threaten the ability of the company long term. If an investor is putting money into a company, they have a right to know those weaknesses.
If you want to know what is wrong with a company’s products, ask the people who build, sell, and support them. That may seem like a “duh” thing to say, but it works astonishingly well. Most people, especially engineers, are honest and forthright. If you show curiosity, the information flood gates will swing wide, and you will learn every problem in the company, from the lack of good coffee to the plain-text passwords stored in Access databases on a public file share.
Or they will cross their arms and turn to stone.
Companies, particularly immature ones, will “harden” their staff prior to due diligence. That is, they instruct them on specific topics or issues to avoid or dismiss. The irony of hardening is that it rarely works.
Hardening creates cognitive dissonance in people. It is our nature as humans to share. Most people will give off clues when they are not saying something. They may talk around an issue or use body language to indicate they do not really believe what they are saying.
I once worked with an engineer who would roll his eyes every time somebody said their product worked at 10Gb. His body language was clear as day: the product could not handle 10Gb. When I put this concern in my report, the company reluctantly admitted this was a serious issue.
Americans are particularly transparent in this regard as we are culturally predisposed to babbling about whatever annoys us. Other cultures are better at hiding their true feelings.
Some tips on hearing what is not being said:
- Make people feel safe. Downplay the gravity of the situation. Make them laugh.
- Meet with people alone. People are more honest in a 1:1 setting.
- Watch their body language. People get uncomfortable, fidgety, and nervous when they are not telling you the full story.
- Refocus them and ask them to complain about an unrelated issue, then lead them back to the product.
Not all of these techniques work all the time, but they can open doors. Again, the intent is to determine what people are not saying and put that in the context of what they are saying. This provides a more complete (and honest) picture of a company and their products.
5. What is the Market?
Products do not exist in a vacuum. They must meet market demand. Markets are fickle, as are the people who define them. You can spend a lot of time dithering over and debating a market, its size, and how hot it is, was, or might be.
Consequently, I like to keep my market analysis simple. I assess four elements:
- Existence: Does the market even exist? A new innovative technology can define a whole new market…or not. CrowdStrike comes to mind here. They redefined the endpoint security market, ultimately charging ahead to be worth billions. However, for every CrowdStrike, there are hundreds of great ideas struggling to define themselves as well as a market. This is where the Gartners and IDCs of the world can step in and help validate the existence of a market.
- Clarity: Merely existing does not mean a market is well defined. A market must have a clear set of success metrics and qualities. A recent example of a poorly defined market is homomorphic encryption. This is a brilliant technology, but there are few players and even less clarity as to what constitutes a successful product in this space. Market definition emerges out of a collection of products, but it may also come from analysts, journalists, and other external sources.
- Size: This is more often called the total addressable market (TAM). TAM is how many companies would want to buy the product. TAM is always an aspirational number. Average price of a product and the heat around it can also dramatically alter TAM. A company should know their TAM and have some data to back up their estimates.
- Heat: This refers to the buzz around the product space. A few Google and LinkedIn searches can validate the general heat of a market. Hot market spaces can command premium prices and rapid growth. In 2021, when I wrote this, container security was super-hot. If you do a search on container security in 2021, the vast number of articles, products, and marketing fluff out there is evidence of a lot of heat.