AT&T recently announced it has acquired VeriSign's Global Security Consulting Services business for an undisclosed amount. The news was not shocking, since VeriSign had been shopping around for a buyer a few years now and AT&T had to acquire additional competencies in their security service portfolio to compete with other telcos – who have already acquired specialized security companies. Here are my initial thoughts on this acquisition.
AT&T is better equipped to handle competition and breadth of services being offered by other telcos. Many telcos around the globe are salivating at the idea of offering a comprehensive suite of security services to their large existing client base. As security become a necessity for businesses around the globe, having a strong security service capability ensures a guaranteed revenue stream for telcos. Verizon Business and BT caught on to this idea early and invested in buying security specialist companies (Cybertrust and Counterpane). More recently we have saw NTT (Japanese telco) to take over Integralis (German MSSP) and Tata Communications (yet another telco) enter the US MSSP segment.
PCI and application security capabilities bring new revenue streams for AT&T. VeriSign consulting had built really strong consulting capabilities around PCI. They were not only one of the top QSAs but also had built decent reputation around forensic capabilities and post incident work for their clients. Also, VeriSign boasted strong capabilities in application security doing secure code reviews and applications security assessments. AT&T did not have services in either of these areas. What makes this especially interesting is that a substantial chunk of VeriSign consulting revenue comes from these services.
VeriSign adds credibility to AT&T security services. VeriSign Security Consulting had a well respected brand name and experienced consulting staff (boasting an average experience of 12 years). Combined with the research heritage of AT&T, this could provide AT&T a definite edge over its competitors.
While I believe that this is overall a good acquisition on paper, it remains to be seen how well AT&T executes on its vision to bring together competencies from both companies to offer world class security services. Here are a few pieces of advice for AT&T:
Make security services count. I have always felt that you need to have decent consulting capabilities to be an exceptional managed security service provider, but if you are a telco, where a majority of the revenue is coming from managed services, you are tempted to throw in the consulting services for free or as part of other IT infrastructure or operations deals. AT&T has to be careful to ensure that these security services are not lost in large telco deals and get their due respect. On the other hand if these services are a distinct but integrated part of other deals, it can be a great endeavor.
Focus on the customer retention. VeriSign customers primarily consisted of fortune 500 companies that were reasonable mature in their security programs. AT&T customers on the other had a spread across the spectrum from large sophisticated ones to small and less sophisticated ones. Addressing the needs of VeriSign customer base would require additional time, effort and resources but in the end would be more profitable for AT&T. Therefore it is essential not to lose sight of this goal while the transition is taking place, and continue to meet and exceed the expectations of existing customers.
Ensure quick integration and long term employee satisfaction. In the service sectors, the most valuable resource for a company is its employees, and security services are no different. AT&T needs to ensure that it is able to not only retain but also nurture the talent it is acquiring and integrate them into the AT&T processes quickly. Many acquisitions have failed miserably where the acquiring company was not able to keep the people after the acquisition. It will also be critical to ensure that AT&T sales and external facing teams are quickly trained and incented to sell and deliver the “enhanced” security services.
As always I would be interested to hear what you think. How do you feel about this acquisition? If you have had the experience of working with wither of the companies and what your thoughts are?