From frog to prince: How private equity may fish Barracuda from the industry's boiling pot

Analysis Seven months ago Barracuda Networks was gobbled up by private equity biz Thoma Bravo because it saw latent possibilities that couldn’t be realized under public ownership.

It wasn’t one of your usual private equity buyouts, with a company brought down by weak results and acquired on the cheap, or spun off by a parent hobbled by it. Instead, Thoma Bravo saw things that some stockholders could not or would not. Firstly, that data protection and computer security for small and medium enterprises were inextricably linked and, secondly, that SMEs were transitioning to the cloud, via products such as Microsoft's Office 365, and data protection and security were as vital there as on-premises.

Thoma Bravo thought that, were it to buy Barracuda, it could spend money internally in a way that a publicly owned company could not, because staple quarterly financial numbers such as gross margin and cost of sales would rise out of step with revenues, and the results on paper would look bad.

Since Barracuda went public in 2013, small and medium-sized biz customers upped their demands for public-cloud-like subscription pricing, which would defer revenue recognition in Barracuda's books, and bought fewer appliances. That slowed Barracuda’s sales growth, and inhibited its ability to build out its infrastructure and its technology portfolio.

It became a slow-growing and relatively low-profit company, as a chart of its revenues and profits up to the completion of the Thoma Bravo acquisition in February this year show:

The market is changing so fast – witness the endless ransomware outbreaks and phishing attacks, all with new or improved techniques for ruining someone's day – Barracuda needs to buy in technology to make its product portfolio a better fit to its customers’ needs. Thoma Bravo needed to convince Barracuda’s board that it could do a better job of growing the business, and making everyone richer in these circumstances, if they relinquished public ownership. It made a pitch along these lines.

A frog in a pan of water slowly coming to the boil dies because it doesn't realize the peril it is in. Barracuda was the security and data protection frog that realized it was getting boiled by the cloud and changes within the industry, and needed a helping hand to get out of the pan faster than it could on its own.

When the board became convinced that private ownership could deliver greater and sustained share price rises than public ownership, it invited bids. Half a dozen or more buyers expressed interest. Thoma Bravo made the best offer, $1.6bn, and took over the organization, with the aim of building it up, not cutting out deadwood and shrinking the head and office counts.

The contrast with what’s going on at private-owned Veritas is acute, where the Carlyle Group paid $8bn for the outfit and is now in full cut-and-restructure mode as revenues did not meet expectations. While this was going on, Barracuda was in the process of acquiring two companies: Sonian and PhishLine. Sonian possessed cloud archiving and analytics technology suited to Barracuda customers’ march into Office 365.

PhishLine, an anti-phishing attack software-as-a-service platform, also with data analytics, was bought by Barracuda in January this year. Both purchases were in line with Thoma Bravo's notions about how the company should build out its product portfolio, and the new owner approved them.

Its intent is to be the leading security platform for today's IT professionals by protecting applications, data, and users anywhere, being neither a pure-play security nor a backup-only vendor. Barracuda reckons that ransomware is the greatest threat to data today, and clean backup data is the fail-safe backstop to recover from an infection. It believes better detection and prevention of security threats is needed as well.

The security industry is fragmented, with more than 3,000 private data security companies operating today, according to Hatem Naguib, Barracuda’s senior veep of its security business. It’s ripe for consolidation because, in your humble vulture's opinion, it is failing and the industry needs a correction. Too much stuff is getting through network perimeters, and either scrambling files or exfiltrating sensitive information. Some 35 per cent of companies are affected by ransomware, and view it as just another cost of doing business, Naguib said, and he thinks this is unacceptable. Barracuda has some work to do if it aims to help fix this.

At a May Barracuda customer event in Monte Carlo, CEO BJ Jenkins said: “We used to be a fast follower but now we’re investing in our own focus areas. We have end-of-life'd products and refocussed investment on email security and management, network application security, and data protection.”

He added: “A big part of Barracuda’s strategy going forward is acquisitions.” It can now move faster with mergers and acquisitions now because it only has one owner to please, instead of 1,000s of investors listening in on onerous quarterly financial conference calls.

It can invest $10m to $15m a year in replacing its infrastructure, such as replacing its ordering system, which was programmed by its founders 15 years ago. Jenkins said Barracuda couldn't afford to do this as a public company.

Barracuda has returned to double-digit growth. Billings are said to be $439m for fiscal 2018 – the 12 months to the end of February – up from $402m a year ago, and it should break $500m in sales in fiscal 2019. Its goal is to get to $1bn in five years, according to this chart it made and showed off:

It aims to add more than $25m a year to its billings from fiscal 2020 to 2023 from acquired businesses.

These acquisitions will help it bolster its peripheral defences for its customers, both on-premises and in the cloud, detect and deal with intrusions better, and ensure that its backups provide clean data when miscreants do get through computer defenses.

Jenkins didn’t utter these following words, but your humble vulture reckons Barracuda wants its customers to stop paying the ransomware tax, and get phishing attack rates down to more manageable levels. If it does that, Thoma Bravo can look forward to Barracuda, transformed from frog to prince, returning to public ownership around 2023, or selling it to a bigger fish needing what Barracuda will have by then in its product and services portfolio. ®