WithSecure needs a major rethink to survive in the enterprise security market

There’s a contradiction at the heart of WithSecure, the newly anointed B2B security firm that recently spun-off from Nordic security outfit F-Secure. Its surprise emergence in March followed a seven-year foray into the realm of enterprise security, with a series of high-profile acquisitions culminating in executives sharply slamming on the brakes.

F-Secure’s plan in 2015 to transition from consumer to enterprise cyber security, was a sharp move. By 2022, it became clear there was a need for execs to divorce these two competing strands after trying for years to grow them together, and falling short. Keeping its products business conjoined with its enterprise and consultancy divisions for much longer would have been counterintuitive to investment and growth, experts say, evidenced by its sluggish growth compared to market competitors.

“Investors hate it when product businesses have large services arms, as it’s dilutive to profit margins,” Forrester principal analyst Paul McKay tells IT Pro. “[The move] has essentially been done to take two businesses that are very different both in their investment and development needs, and in their margin profiles.”

Spinning off WithSecure isn’t a silver bullet, though. As much as the enterprise security challenger may be buoyed by its surging cloud business, its ailing consultancy arm hangs limply. At Sphere22, its inaugural conference hosted from 1 June, WithSecure finds itself penned in by a host of unfortunate challenges, and it needs to come out swinging.

WithSecure must reinvigorate its consultancy business

WithSecure is a solid company in a solid position, according to TechMarketView principal analyst, Simon Baxter. However, while the industry as a whole sustained average growth of 11.5% in 2021, WithSecure grew just 3%. Its low profitability, too, could be explained by heavy spending on sales and marketing, Baxter says, which might be fine for a high-growth company – but not ideal for one growing its revenue at this pace.

Delving deeper, a highly promising surge in cloud-native software as a service (SaaS) revenue contrasts with a decline in on-premise revenue, and weak performance in its cyber security consultancy division.

Consultancy, in particular, might prove to be a thorn in its side. Especially as it hopes to make serious inroads in an industry in which it enjoys but a slither of market share (roughly 1%). The likes of Trend Micro and McAfee, by contrast, occupy roughly 15% of the market apiece.

Much is made of the cyber security skills gap, and it’s an area WithSecure is likely to find difficult to overcome in the coming months. A near-20% decline in its consultancy business looks bad on paper, but this is deceptive, given this figure is largely driven by divestments; it would have otherwise been flat. Nevertheless, the performance here stands in contrast to greener shoots in the wider industry. It’ll also cause problems in the context of a labour market, in which talent is becoming increasingly rare. Wage inflation, too, is expected to bite, alongside the crescendoing demand for security-aware staff – across companies of all sizes. It’s been tough for WithSecure to retain and attract talent, and it won’t get any easier. Coming from a position of weakness, in this way, compounds the challenges, and risks undermining its growth ambitions; growth, Baxter says, is the priority.

As for how WithSecure can achieve this, McKay says the firm must strengthen its ability to engage with more senior stakeholders. “Its work is very focused at an operational level, and its attempts to communicate with senior executives is less effective than other types of consulting and managed services firms that I work with,” he says. “If it could bridge this gap more successfully, it would help its positioning in the market, as clients are very appreciative of their technical skills, but less happy putting that into the boardroom.”

Finding a niche in the mid-sized bracket

F-Secure has a long history in the consumer cyber security space, launching its first antivirus software for Windows PCs in 1994, under the Data Fellows brand. It wasn’t until 2015 with the acquisition of nSense, a Danish firm specialising in consultation and vulnerability scanning, that F-Secure branched out into the enterprise sphere. F-Secure followed its nSense purchase with the acquisition of consultancy businesses Inverse Path in 2015 and MWR InfoSecurity in 2018.

Despite the high-growth potential this presented, much of F-Secure’s revenue in the last year has come from the consumer side. Ditching its B2B arm, in this spirit, now primes it for investment and independent growth. There is, after all, a track record of this strategy reaping rewards.“We have also seen this pattern twice before with Symantec and McAfee when those businesses had their B2B arms demerged from the consumer facing business,” McKay points out.

Baxter speculates that an independent WithSecure better positions itself to be acquired by a larger company, especially given the success and technical proficiency of its flagship WithSecure Elements platform. On the other hand, a healthy balance sheet – roughly $100 million in cash – allows some room for investment into areas such as artificial intelligence (AI) or Internet of Things (IoT), or even scope to make its own mergers and acquisitions (M&As).

Ultimately, the company has the opportunity to position itself strongly for a plethora of mid-sized companies that lack defined and robust IT departments. Its end-point detection and response product, for example, would be useful for many companies without such a system in place. Building partnerships with organisations seeking to outsource cyber security functions, too, would be a huge opportunity for WithSecure. This would, of course, depend on whether it manages to get its consultancy division in order.