Software Veteran John Mutch Moves IT Security Specialist BeyondTrust to San Diego, on Path to Build “Freemium” Business Model
When Agoura Hills, CA-based Symark acquired Portsmouth, NH-based BeyondTrust for a little over $20 million a year ago, the deal was viewed as a complementary combination of similar IT security technologies for fundamentally different markets.
BeyondTrust specialized in providing IT security for Windows-based networks by managing the access privileges granted to both system administrators and ordinary users. Symark, founded in 1985, addressed the IT security requirements of Unix/Linux-based networks.
But the combined company, which took the BeyondTrust name, is aiming its IT security technology more specifically at the regulatory requirements that top public companies have to maintain and protect their internal financial controls. This became apparent when I sat down with CEO John Mutch, who recently moved the company’s headquarters from Agoura Hills, CA, near Los Angeles, to Carlsbad, CA, about 44 miles north of San Diego. Mutch, a San Diego enterprise software veteran, joined Symark at the end of 2008 as CEO and investor.
Mutch told me he now owns 10 percent of the company, after he partnered with Insight Capital, a private equity firm in New York that purchased Symark in December of 2006. “They saw the potential with the core product that they acquired at Symark,” Mutch said, “but then they really hired me to come in and execute a transition into a ‘freemium’ model software company.”
Freemium is a Web-based software business model that offers customers a basic software program or service for free, and coaxes them to pay to upgrade to a premium version with more features. It is a low-cost model that enables a software company to avoid establishing its own sales force or creating a network of sales partners. “So our whole thing is driving traffic to our website, getting people to download the free version of the product, and then converting them to buy the pay-for version,” Mutch said.
“We’re in a whole new innovation cycle in the [software] industry,” Mutch said, due in part to widely available access to online information and the “instant on” capability of mobile devices like the Apple iPad. “The way people buy things now, the way they consider purchases, and the way they research purchases has changed dramatically.”
How Mutch and BeyondTrust plan to ride this wave was less clear to me, however, especially since Mutch is targeting what he calls the “global 2000” market of the top public companies around the world, rather than a mass market of small-business and home consumers. In addition to offering such corporations security software for delegating user privileges on their networks (technology categorized as “identity and access management”), Mutch says BeyondTrust is ideally suited to help public companies address matters of corporate governance, risk, and compliance.
I told Mutch it’s hard to see a stodgy public company downloading a free version of something as important as the IT security software needed to help U.S. public companies satisfy the section 404 requirements of Sarbanes-Oxley.
In an e-mail response this morning, he writes: “The business has changed. The process of learning about new technologies, acquiring demonstration of those technologies and executing a proof of concept can be done most efficiently through the Web. With a high “clutter factor” companies must offer value in everything they provide in order to attract interest. So the use of the freemium model accomplishes this.” He also notes that the employee doing the shopping is more often a mid-level IT manager, who is presumably more comfortable with the freemium model.
BeyondTrust’s technology attempts to provide IT and corporate governance executives the ability to ‘monitor the monitors’ in IT—such as a rogue system administrator who otherwise might have access to everything in the network, Mutch says. In this age of Sarbanes-Oxley compliance woes, Mutch says, BeyondTrust aims to address compliance concerns that might be raised by a company’s outside auditors. For example, he says an auditor might ask: “‘Do you have security and a lockdown over your IT infrastructure? Can the segregation of duties be maintained? Can the same guy who issues an invoice to a vendor also write a check to a vendor? How do you know? And [how do you] protect against that?’”
Mutch says BeyondTrust’s system sets authentication information for each employee and authorized network user. A system administrator or some other high-level user can get access to a particular system on the network by obtaining a temporary password that grants access to specific resources. “Once you have access, we basically decide what you can do, how often you can do it, when you can do it, and to what level you can do it,” Mutch said. For “mission critical” servers, Mutch says, the system also maintains a record of everything users do after they are granted access.
Mutch is one of the few CEOs in the industry with insight into the misdeeds that high-level employees can commit, and into meeting the regulatory requirements of internal financial controls. In mid-2003, he was named as CEO of San Diego-based Peregrine Systems during the scandal-wracked company’s bankruptcy reorganization—after Peregrine’s largest creditor group wrested control from John Moores, the Texas software mogul who had controlled Peregrine as the company’s single largest investor. Peregrine specialized in enterprise software installed on corporate computer networks designed to help big companies and other large organizations track and manage their laptop computers, software licenses, and other high-tech assets. Peregrine had about 4,000 employees and ranked among San Diego’s biggest technology companies until it collapsed in a financial accounting scandal in early 2002.
In its bankruptcy reorganization, Peregrine eventually disclosed that its fast-growth story was an illusion. The company had inflated its sales by more than $500 million and under-reported its losses by $2.55 billion over the two-and-a-half-year period before its collapse.
During the bankruptcy reorganization, it was clear the company’s financial controls were a mess, even after Mutch took over with a new financial team. The company disclosed in financial documents nearly a year later a litany of problems, including insufficient segregation of accounting duties, deficiencies in contract management, undocumented accounting policies, and lack of certain internal audit functions.
BeyondTrust’s technology aims to make such shenanigans far more difficult, if not impossible, to pull off. “This is a solution that directly addresses from an IT perspective issues around the ability of people to perpetrate a fraud,” Mutch says. “CitiBank is our biggest customer. Our technology runs on every server they have. You can basically go to a server and ask ‘Who accessed it? What privileges were they granted? And what did they do when they accessed the server?’ Or at least that’s the goal.”
BeyondTrust currently has about 85 employees, and generates about $50 million a year in sales, according to Mutch, who describes the business as “extremely profitable.” Last month, the company announced it was hiring Ken Saunders, who had worked with Mutch as CFO at both Peregrine Systems and HNC Software, as BeyondTrust’s CFO. Mutch, who plans to retain some operations in Portsmouth and Agoura Hills, told me he’s also looking to recruit a new chief technology officer. The company, which has only a handful of employees in San Diego now, should have about 30 employees here in the next couple of months, and about 45 by this time next year.