On September 21, Cisco announced its intention to buy Splunk for $28 billion in cash, its largest acquisition ever and fourth this year. This is a massive investment and win for Cisco from two perspectives: observability and security. Cisco’s full-stack observability platform could catapult into relevance against established competitors overnight. Similarly, on the security side, Cisco gains the leading security analytics platform on the market today with an incredibly loyal customer base.

Cisco also gets an added benefit from the Splunk acquisition by way of a recent addition to Splunk’s leadership team that may highlight its plans for generative AI. The acquisition brings with it talent, including Min Wang, Splunk’s chief technology officer. Appointed CTO of Splunk in June of this year, Min has been in technology R&D for 20 years and spent more than five years at Google leading a team responsible for the AI-driven Google Assistant. She is establishing the generative AI capabilities at Splunk to go beyond domain use cases and be open and extensible.

Read about the dynamics for security and observability with the Splunk acquisition below.

Splunk Is Good For Cisco, But Splunk Security Customers Are Wary

Splunk is one of the most ubiquitous and most frequently used security tools in enterprises today. The platform has consistently been named a Leader in the Forrester Wave™ evaluation on security analytics platforms for its flexibility and vast capabilities for alerting and compliance. Splunk also has an incredibly loyal set of users, which, more than anything else, serves as a fanbase for the brand. Security leaders struggle, however, with Splunk’s lack of innovation over the past several years and how costly the offering can become. Even the addition of alternative pricing models has done little to change that.

These factors add up to this acquisition being a massive win for Cisco’s security business. Most XDR vendors have shifted to having a SIEM or SIEM alternative offering in their portfolio. This acquisition positions Cisco to have both sides of the coin — detection and response focus in XDR with Cisco XDR, and flexibility and adaptability in a security analytics platform with Splunk. This solidifies Cisco as a key player in two massive markets: XDR and SIEM. The acquisition also helps position Cisco to better compete against the Cortex platform for security operations from rival Palo Alto Networks.

Security Practitioners Will Need To Be Won Over

As with most acquisitions, it’s not all sunshine and rainbows. What Cisco does with the Splunk product will determine if it’s a win for security practitioners. Cisco has long been a case study for acquisitions that don’t live up to their initial promise and suffer from underinvestment and a lack of focus. Security leaders know this. In fact, since this was announced, many have demonstrated concern that this pairing will degrade the quality of the SIEM that they’ve come to rely on more than any other SecOps tool.

That said, there are exceptions to this, such as how, in recent years, Cisco has maintained the Duo, Meraki, and ThousandEyes acquisitions as standalones. To keep Splunk’s massive, loyal user base, Cisco needs to follow a similar model and let Splunk deliver what Splunk does best: a flexible, powerful SIEM offering (and the cool t-shirts and hoodies their loyal users love).

There will also be an opportunity to evolve the Cisco story for identity threat detection and response (ITDR). Cisco acquired ITDR startup Oort earlier this year. The combination of Splunk, Oort, and Duo will allow Cisco to tell a differentiated ITDR story. This would also demonstrate an emphasis on identity security that hasn’t previously existed at Cisco.

The Security Industry — And SIEM Market — Is Experiencing Massive Disruption

This acquisition signals a massive inflection point for the SIEM market. It is raising concerns from Splunk users who have a sour view of Cisco’s role in the security space alongside how this will affect what has already been several years of stifled innovation from Splunk.

This uncertainty will cause Splunk customers to explore alternatives, and we expect to see experimental deployments of other smaller security analytics players as backup. This will also be a boon for Microsoft Sentinel. Microsoft is the biggest SIEM competitor to Splunk right now. Splunk customers will flock to or expand their Sentinel deployments as they hedge their bets between where Cisco takes Splunk and where Microsoft takes Sentinel.

Lastly, this shift in the market opens up an opportunity for XDR vendors with a SIEM replacement strategy like CrowdStrike and Palo Alto Networks to swoop in and push customers away from a traditional SIEM deployment. This is still early days for vendors and customers and requires a change in mindset to get right, which will hold certain teams back from making the transition in the short term.

Cisco Acquires Splunk To Increase Its Relevancy In An AIOps, Hybrid, Multicloud World

Splunk is a stalwart in the operational arena, used by enterprises across the globe in every industry. Its superior log management capabilities are entrenched in enterprises, but its observability features within its AIOps offering are what made it a Strong Performer in The Forrester Wave™: Artificial Intelligence For IT Operations, Q4 2022. The Splunk platform is trusted by practitioners to provide a complete service view, from back-end monitoring through end-user interactions.

Its loyal customer base openly praises its access to Splunk product teams, describing them as “always willing to listen to their suggestions.” Will this access to product leaders continue under the Cisco banner, or will it get cut off and initiate a Splunk customer revolt?

For Cisco, it gets a Splunk platform that currently surpasses Cisco’s recent announcement of its Full-Stack Observability (FSO) offering. FSO integrates Cisco products such as AppDynamics and ThousandEyes as well as third-party offerings to deliver business risk observability.

FSO will be bolstered by Splunk’s vast and highly regarded observability features, which are sure to fill many of the likely roadmap objectives that Cisco had for FSO. Additionally, Splunk’s strong cloud-based revenue stream adds to Cisco’s top line and helps its transition from hardware producer to operational software provider. With the acquisition, Cisco is also positioned to deliver offerings that support the convergence of operational observability with security, which is already underway.

AIOps And Observability Acquisitions Naturally Cause Hesitation

Splunk’s acquisition marks the fifth AIOps and observability vendor to change ownership in 2023 (the others include Sumo Logic, OpsRamp, Moogsoft, and New Relic). Practitioners are in for an interesting ride as they wait to see what exactly Cisco will decide to do with Splunk. Cisco observability offerings could migrate to the Splunk platform, or FSO could become the underpinning platform upon which the Splunk capabilities land.

Cisco could also choose to simply leave Splunk as a standalone offering in the same manner it did with Duo, ThousandEyes, and others. Each direction poses different challenges to practitioners who may need to learn new environments or change vast amounts of integrations.

Not surprisingly, purchases and strategic long-term project plans will go on hold and alternative platforms will be considered while the dust settles on this acquisition and direction becomes clear.

Cloud Migrations Are Transforming AIOps And Observability

The AIOps and observability vendor marketplace is shifting fast to meet the demands of enterprises that are moving workloads to the cloud. AIOps platforms such as Splunk with strong observability capabilities are needed to process the data and deliver AI-enriched actionable information.

Competitors such as Dynatrace, Datadog, and ScienceLogic will certainly look to capitalize on this transition period. Data-driven actions require high-quality data that has been correlated and analyzed for causality, something Splunk excels at and Cisco will soon possess. The addition of Splunk gives Cisco an expansive portfolio, and a strategic direction set by FSO makes Cisco a formidable opponent for established market leaders.

Technology leaders as well as AIOps and observability competitors will be watching this closely for any signs of delays or conflicts. Millions of dollars worth of decisions will be held up or redirected while the portfolios, leadership teams, and customer bases of these two organizations learn how to best work together.

Approach With Caution

Since Splunk will span two product groups in Cisco — security and observability — it runs the risk of being torn apart by internal forces. Operating it as a standalone will allow Splunk to serve both constituencies equally and continue growing and innovating. Splunk President and CEO Gary Steele reporting directly to Cisco Chair and CEO Chuck Robbins is a positive sign.

These markets and the vendors in them need the disruption that this acquisition will bring forth, but this all comes with a lot of uncertainty for practitioners. Schedule an inquiry or guidance session with Allie Mellen or Carlos Casanova to review your options and validate your approach to this massive change.