One of the things that often frustrates me with technology companies is that they seldom do gap analysis. What I mean is that they don’t model out what a complete offering will be, look for the gaps, and then work to fill those gaps so they have complete solutions. One of the most annoying experiences in my life was arguing with Microsoft in the 1990s that it needed to have a security solution for Windows to be complete. After a ton of pain, Microsoft eventually agreed, and now has one of the best Windows Security solutions in the market and we now are a ton less annoyed with Windows.
One of the exceptions to this is BlackBerry and CEO John Chen. He took over the company when most thought it was about to go under. Chen dug down and found unmatched security expertise, something that the world increasingly valued because of the growing state-level threats of the time. Then he and his team created a chart that showcased what a solution might look like and worked to fill the gaps — the recent acquisition of Cylance is a showcase — so that BlackBerry’s solutions would be complete. They aren’t done, and because security problems are fluid, likely never well be, but the company is constantly looking for ways to complete its security solution as opposed to jumping to the next popular topic. The company is growing and no longer in danger of failing.
I’m at BlackBerry’s analyst event this week in California and it is refreshing to see a company that doesn’t jump from fad to fad, and instead is focused on keeping us all safer. I’m a big fan of “safer.”
The CFO was up after Chen presented the opening and talked about the changes between 2014 and 2019. Back in 2014, the gross margins were 36 percent and they were burning $400M a year in cash. Now the company is in the mid-70s in gross margin and generating around $83M in cash. In 2014, the company was on death watch; it is now healthy and growing. It is more like a startup than an oversized failing company about to go under.
The markets it is in are mostly growing at around 30 percent now, where the smartphone business it used to be in is arguably in decline and Apple, the most profitable of the smartphone firms, is dropping in sales volume year over year. Cylance, BlackBerry’s most recent acquisition, is forecast to grow in the 30 percent range going forward. We’ll see (the acquisition isn’t done yet and typically maintaining growth with an acquisition is difficult), but it appears to be using the Dell acquisition methodology and Dell has showcased that its process can result in post-acquisition growth. (It is nice to see at least one company that understands what makes the Dell process better and is emulating it.)
Geoffrey Moore — Crossing the Chasm
Geoffrey Moore is famous for his book “Crossing the Chasm.” He opens with his view of the changing world. When he started, the product was king and ERP was the technology that showcased this. Then we moved to mobile systems engagement and both BlackBerry and the customer were king. Now we are in a world of cloud systems of intelligence and the data scientist became king. Attack surface changed as well because we moved from corporate-supplied hardware and perimeter security to BYOD (Bring Your Own Device), and security in depth became the critical defense and folks started, on both sides, looking for force multipliers. Big companies look for coverage and focus on plugging holes in the fabric. The goal is good enough. Smaller companies, like BlackBerry, focus on where “good enough” isn’t. So, they attack markets that are big enough to matter but small enough so that the smaller company can win. Small firms can’t handle the coverage that the big companies can, but big companies aren’t interested in small targeted markets with unique needs.
Examples of focused needs are financial services enterprise endpoint management (high value, low volume), encrypted data for government, secure crisis communications for public safety, mobile secure government communications for government, secure digital cockpits for automobiles, and cyber-attack prevention for health care. For instance, if a hospital’s heart and lung machine gets hacked, someone dies. Small market, but still mission-critical for a hospital.
Moore brought up the importance of the fish-to-pond ratio. Small fish in big ponds get eaten. But if you can find a pond where you are competitively large, and the huge fish aren’t interested, you can dominate, and you are the player defining the market.
He drew a pyramid that began with solutions developed solely by the OEMs, then built up to solutions that were built with the help of customers, and finally solutions that attracted third-party developers. The higher you go, the more potential profit and impact you have. It is kind of the difference at extremes between the iPod and the iPhone. The iPod made Apple; the iPhone made it a trillion-dollar company, thanks to developers. One interesting comment is that often companies rush to get to the top layer and ISVs long before there is a market and the ISVs get screwed and the effort fails (Samsung comes to mind as it repeatedly makes this mistake).
Moore closes with the concept of hyper-security and ties it to BlackBerry’s imperatives. He argues that you can’t compete today if you aren’t mobile first and, in security, state actors are way too powerful, and enterprises are way too exposed, so hyper-security requirements are the new normal. So, BlackBerry’s crown jewels are that it is mobile first, its installed base is rock solid, it has a clean expansion path with adjacent use cases, and Cylance is a force multiplier. Strategy is to not chase commoditized applications and let the market grow naturally. In short, focus on what the firm does well and don’t let BlackBerry’s grasp exceed its reach.
This was one of the most interesting talks I’ve seen this year.
Verizon Global Head of Cyber Security John Loveland then took the stage. His unit, Verizon Enterprise Solutions, sells security solutions to large enterprises globally. He opened with a chart that showcases that it takes minutes to compromise an enterprise and generally months to discover and mitigate the damage, which is unsustainable. Only 3 percent of breaches are mitigated as fast as they are created. (It is during times like this that I’m really glad I’m not a CSO.)
He had another interesting chart that showed how security went from being an IT issue in the 1990s to becoming a shareholder issue today, due to the nature and size of the breach. (Once again, don’t ever want to be a CSO; this looks like a talk on why, if someone offers you a CSO job, you want to jump out the window screaming.) The next chart (this really does seem to be the theme) showcases 98 percent of companies are compromised in seconds, 70 percent of the breaches are successful with material data loss, and 42 percent of the breaches took months to years to discover. Oh, and the next chart showcases that not only is ransomware increasing at 100 percent year over year, but 85 percent of the targeted companies are in health care so you really, really, don’t want to be a CSO in health care.
In order to cover the entire attack surface, Verizon has partnered with BlackBerry and is particularly interested in Cylance, BlackBerry’s most recent acquisition.
Stuart McClure is the ex-CEO of Cylance, now the President of BlackBerry Cylance. He is talking about the use of artificial intelligence (AI) to make decisions about what the threat is and how to respond to it at machine speeds. This is a machine learning solution that is designed to address the problems that Verizon showcased (I’m thinking this is like CSO armor or one of the few defenses to that “jumping out of the window” outcome I mentioned above.”) One interesting opening comment was that Cylance was created around the balanced concepts of innovation and integrity. Given that integrity seems to be so often forgotten regarding vendors that too often over promise and under deliver, it is nice to see a company that places integrity as a top-level goal.
McClure walked through the phases of cybersecurity from his perspective. Phase one was scripts and human-written rules. Phase two is where most anti-virus products are a heuristic-based approach. Phase three is cloud learning local conviction, phase four is local learning and conviction (Cylance), and phase five is contextual understanding.
He broke cybersecurity into two focus areas, a response to threats (known and unknown), and compliance, where folks are operating outside of rules, both internal and external. For instance, that story of the Google engineers looking at the emails from female users would be a compliance problem.
Services and BlackBerry’s Four Pillars
Bryan Palma, BlackBerry COO, then took the stage. Palma is ex-U.S. Secret Service and a recent hire from Cisco, where he ran the customer experience unit. He spoke to why he joined the company — he felt he could make an important impact on the world and he believed in the engineering competence of the company. As an ex-Secret Service guy, you’d expect he’d begin with protection and you’d have been right.
Palma broke down BlackBerry’s four pillars and began with UEM, or protecting all the devices in the enterprise with target markets being government, health care, finance, and anyone that has a critical need for security. Second pillar is QNX and the target vehicle focused platform (the company had an Audi Q8 on the floor with the QNX-based cockpit solution and, from my perspective, it is currently the best in market). BlackBerry AtHoc is the third pillar, which focuses on secure crisis communications; if there is an active shooter on a U.S. military base, this is the solution that is most likely keeping folks safer. Fourth is BlackBerry SecuSmart, which is the iOS/Android-based end-to-end government-level encryption solution. There is a potential fifth pillar, which is kind of a mix of the technologies called BlackBerry Spark. Currently, this is mostly in proof-of-concept phase.
Another interesting representation from Palma was that BlackBerry’s primary sales goal is to retain and grow its customer base. Retention came first, which is something a lot of companies seem to forget, as they often prioritize new customers over old ones. Palma got the order right which, sadly, is strangely unusual.
He called out some interesting products that they are tightly partnered with. One was Symphony, which is a secure email system designed for health care that few know about. Currently, BlackBerry has seven out of seven global governments, nine of 10 of the largest banks, eight of 10 of the largest defense and health care providers, and nine out of 10 of the top automakers, according to Palma. Interesting and unusual implementations range from surgical robots to flight simulators. One of the big industry problems is “shelf ware” or products that IT buys but never deploys. Palma represented that one of his primary goals is to never sell “shelf ware;” if it isn’t deployed, it doesn’t count.
Steve Rampado, Deloitte
Steve Rampado, CTO for Deloitte, came up on stage to talk again about the massive threats that are growing in the world and the need to protect the increasing number of connected devices and how the threat landscape is changing. For instance, he spoke about the threats that are coming from unexpected areas like drones and third-party vendors that are introducing unsecure elements into the enterprise.
Rampado is a big fan of BlackBerry’s solutions and represented that there are no other companies with the depth and breadth of the critical security tools that are needed to address this growing security problem. He believes that attacks on digital assistants and VoIP solutions are increasing significantly and that BlackBerry is the only firm positioned to address both exposures, for instance. Deloitte is one of BlackBerry’s biggest system integrators.
Bain & Company
Bain & Company came on stage. It is 85 percent iOS and, coincidently, about 85 percent BYOD. It uses BlackBerry to secure this mess and particularly to secure the third-party applications and better secure Microsoft’s offerings. It can manage this with less than one FTE globally. The company was able to automate the help desk and keep the management costs extremely low while keeping the company very secure.
On stage is one of the leading user interface companies for the automotive market, Byton. One of the big deadly problems is distracted driving. The company’s goal is to provide compelling automotive solutions that reduce distractions and are secure. It also realizes that voice is nice but given that no one uses it because it isn’t seamless, its solution addresses that. The platform recognizes you as you enter the car, gives you your settings, provides you with an automatic phone interface so your phone stays in your pocket or purse, and blends a variety of user interfaces to create what sounds like an amazing experience that will ship out in cars next year. It too chooses BlackBerry as one of its primary partners. (As a side note, I drive a new Jaguar I-Pace, which has won a ton of awards but often gets pounded for its crappy AV system interface. Here they have a brand-new production Audi Q8, which uses BlackBerry’s QNX and it is fast and amazing. Had the I-Pace used the Audi solution, Jaguar, in my opinion, would have sold a lot more cars.)
This session is led by BlackBerry CTO Charles Eagan, and it is focused on what is coming from BlackBerry. These things include the increased use of AI in security solutions targeting Android and Linux platforms, improved incident management, voice services, and tighter integration between the firm’s offerings. And, finally, in transportation, significant improvements in intelligence, security, integration and even more compelling user experiences. By 2025, he predicts there will be 75B connected devices, surrounded by a $3T financial investment, and representing an $11T business value.
This is demonstration time. One of the most interesting demonstrations was the use of a BlackBerry UEM solution on a military base. As soon as he walks into a secure area, the microphone and the camera are automatically disabled but he can still receive texts and email. This ability to granularly control phone functions via policy is one of the breakout features.
Another interesting demonstration was with Alexa, using it to generate and communicate severity-one alerts. For instance, if there is an active shooter in the building, the device would detect the problem and then alert to all the devices in the building in order to assure that folks can respond accordingly. This is using AtHoc. They then showcased how you could use dual-factor authentication and voice authentication to assure that only you get your messages off of your digital assistant.
In the fall, they will release CylancePERSONA, an AI-driven behavior and biometric analysis solution that blends enhanced user experience with enhanced security to eliminate passwords. This application learns who you are by what you do. It monitors all of what you do, from how you type and use the mouse, to what apps you use, over a period of about 10 days, and then it can determine if someone is using your PC that isn’t you. It also is tied to your devices so that someone in China on a different PC or smartphone can’t access your stuff. Someone else on your own PC can’t get to your stuff either, even though you never had to use a password. Depending on the policy set, the application can lock up virtually everything you touch automatically if it determines someone other than you is attempting access.
Wrapping Up: Capturing Customers with the New Reality
BlackBerry continues to impress regarding product and execution, but it is held back by an image tied to what it used to be. This is largely a branding/marketing problem because people believe they already know what BlackBerry is, so they are less likely to explore what it is now. It isn’t that the brand is negative. It does open doors. It is that the brand creates a drag on sales. This isn’t too dissimilar to the problem Honda had when it first sold cars and why its initial effort to sell those cars at motorcycle dealers failed. For the company to reach its full potential, it must get people to see it as the leading supplier of security software for the target segments. I’m convinced it is that but won’t reach its sales potential until it is at a critical mass of potential buyers that see it for what it is now.
On the other hand, the customers here have clearly indicated that BlackBerry is keeping their firms and people far safer than what is likely being deployed at these customers’ competitors. They seem to be betting that Darwinian rule will apply and that they will survive the next big attack while those competitors may not. So, there is likely a huge potential competitive advantage for those that get what BlackBerry can do and avoid the catastrophic breaches that those that don’t will experience. It reminds me of the joke about the two guys being chased by a bear. When one stops to put on running shoes, the other asks why, since he can’t outrun a bear. The runner’s response is “I don’t have to outrun the bear, I only have to outrun you.” One of the rules in security is that you only need to be more secure than the next most likely target. Something to noodle on this week.