ConnectWise Bets Big (Again) on Ecosystem
CEO Manny Rivelo’s plans in security and beyond include building, buying, and a lot of partnering. Plus: Sophos’s CEO on how private equity owner Thoma Bravo is supporting investments in MDR and MSPs.
Manny Rivelo, the recently named CEO of ConnectWise, had planned to spend this week in Tampa at the company’s headquarters until Hurricane Milton got in the way. Like everyone else, he was mostly awaiting—and dreading—the storm’s impact on Tuesday when he spoke with me from his home office not far from my own home base in the Pacific Northwest.
“We will help our colleagues recover from this as quickly as we possibly can,” he said.
In the meantime, Rivelo has plenty to do, from preparing for his debut appearance before partners at the upcoming IT Nation Connect event four weeks from now to thinking through his strategy for the next stage of ConnectWise’s 40-plus year evolution.
That security figures prominently in his thinking is no surprise given that Rivelo (pictured) won his new job partly on the basis of his deep experience at security vendors like Forcepoint and Valtix.
“We have an opportunity to look at the breadth of security services that can be offered by an MSP to the SMB and expand on that,” he says. “It’s a massive opportunity.”
ConnectWise does a lot in security already. How much more breadth does it need? The answer to that question is still a work in progress, but Rivelo has a few preliminary thoughts.
“Email protection, as an example, is very important and we could probably do more there,” he says. Phishing protection, SASE, and web access management could all factor into the plan too.
One thing Rivelo knows for sure, though, is that ConnectWise’s ecosystem of third-party vendors will be part of whatever he and his leadership team ultimately decide on.
“We are not going to build everything,” he says. “Our strategy has to be a combination of build, buy, and partner.”
It has been for many years, in fact. Most recently, the company built a new “stealth XDR” solution named Security 360 and bought both BCDR vendor Axcient and cloud backup/security vendor SkyKick. In the instructive case of EDR technology, meanwhile, it partners closely with Bitdefender, Microsoft, and SentinelOne, and further alliances could be in the offing as well.
“There’s still potentially additional partnerships that we can do,” Rivelo says.
What’s not on the way now or ever, Rivelo says, is an EDR solution of ConnectWise’s own. Building a competitive product in a field that mature would be difficult and expensive, he notes.
“It’s very established, very rich, very deep in the technical innovation cycle,” Rivelo says of EDR. Even with access to private equity owner Thoma Bravo’s deep pockets, moreover, buying a vendor isn’t feasible either.
“The economics of some of these companies from a market value are tens and hundreds of millions or billions of dollars,” Rivelo says. “It doesn’t make a lot of sense.” Better, then, to tackle the undeniable need for endpoint protection through partnerships with some of those companies instead.
The same thinking will guide Rivelo’s approach to other technologies. ConnectWise must have something for MSPs in every market that matters to them, he says. When the smart way to meet that need is owning a solution, the company will build or buy. Everywhere else it will partner and rely on what Rivelo calls “packaging” to deliver 1+1=3 value.
Packaging could mean complementing a partner solution with tightly integrated services like MDR from ConnectWise itself, or weaving the solution together with ConnectWise software. Security 360, for example, provides a unified view of an end user’s security posture through a single interface by combining telemetry from ConnectWise products with input from third-party solutions.
Betting on APIs
ConnectWise’s faith in the power of ecosystems, while hardly unique among managed service vendors, is also not universal. As CEO Fred Voccola reminded Channelholic readers recently and will no doubt reiterate in three weeks’ time at this year’s DattoCon event in Miami, Kaseya believes the kind of integration MSPs most need to run profitable businesses simply can’t be delivered through open APIs.
ConnectWise, by contrast, considers APIs a key selling point for Asio, the next-generation platform used by a growing share of its own solutions and products from integration partners too. Indeed, Rivelo plans to double down on that part of Asio’s value proposition.
“We’re actually going to make it even easier on how those APIs can be connected through low code into the services that we offer,” he says.
More imminently, he continues, partners can expect integrations to be among the announcements ConnectWise makes at IT Nation Connect next month. “It’ll be a mixture of multiple things,” Rivelo hints, “M&A, organic, and third party.”
Which is to say build, buy, and partner. “All of that will be a part of the agenda, and I’ll talk about it in the opening session,” Rivelo says.
Sophos wants more MDR and MSP
I don’t know if Rivelo has ever met Joe Levy, who officially became CEO of Sophos in May. Either way, they have a few things in common:
Both are CEOs of large vendors (Sophos is at $1 billion of ARR presently, according to Levy) with plenty of partners (some 25,000 of them at Sophos, including 7,200 MSPs).
They both have a substantial background in cybersecurity.
They both lead companies owned by Thoma Bravo.
They also, not surprisingly, both discourage MSPs from assuming only bad things can follow from PE firms buying a vendor they like.
“They’re not the Gordon Gekkos of the world, Rivelo says. “They’re not here to destroy organizations and tear them apart.” The good ones, at least, know that the only way to produce outsized gains on the companies they buy is to make them bigger and better before selling them. Levy (pictured) agrees, and has a specific take on how Thoma Bravo in particular goes about that task.
“They’re pattern seeking machines,” he says. “They recognize when things are going well and they say, ‘go do more of that.’”
In the case of Sophos, “that” is actually two things: MDR and MSPs. The first of those, according to Levy, has been one of the fastest-growing products in the vendor’s history since its launch just under two years ago.
“The board recognizes that and they realize that there’s an insatiable demand for competent security services in the industry today,” he says. “Companies that are doing it well are experiencing this kind of highly concentrated, greater than cybersecurity industry average, growth.” In response, and with Thoma Bravo’s encouragement, Sophos is investing in additional managed offerings like the managed risk monitoring service it introduced in April and the incident response retainer service it unveiled last September.
Through-partner revenue from MSPs is outperforming industry averages too, Levy adds, not to mention the rest of Sophos’s channel. “MSPs are a more effective model of delivering products and services to customers than perhaps traditional models allowed us to achieve,” he says.
Recent Sophos investments in MSPs and its other partners, Levy continues, include the partner care group it rolled out in February, the customer success team it introduced in August, and the partner training and enablement site it announced last week.
All three reflect a bigger pattern that Thoma Bravo hopes to match with Sophos, beyond MDR and MSPs. Per an excellent recent blog post by Ross Haleliuk and Chris Hughes, there are a lot of SMBs living below the cybersecurity poverty line at present, and relatively few vendors are doing anything about it.
“There are somewhere between 6,500 and 7,500 cybersecurity vendors,” Levy says. “The vast majority of them tend to go after the enterprise, and they tend to take at least some segment of their deals direct, which inevitably introduces some kind of conflict with the channel.” That leaves a big opening for Sophos and investors like Thoma Bravo to fill.
Levy doesn’t expect MSPs to endorse every aspect of how Thoma Bravo fills that opening. As important as the channel is to its strategy, the firm is ultimately accountable to its investment partners, who crave big returns on their money. Just as an MSP’s sale price hinges on EBITDA, so does a security vendor’s.
“There’s always a bottom line to be concerned about, of course, and sometimes it takes the form of trade-offs, like in order to do X what are you going to stop doing in order to be able to fund it?” Levy notes. MSPs don’t always like the way PE firms answer that question, he continues, but if anyone ought to appreciate the difficulty of growing a business without disappointing anyone along the way, it’s an MSP.
“They understand probably better than the average person by necessity the importance of maintaining budgets, the importance of making hard business decisions, the importance of trade-offs,” Levy says. “They live this every single day.”
Wait, see, and question
Speaking of private equity, meanwhile, my post last Friday discussed why PE firms are on the verge of exiting from a lot of vendors they’ve owned longer than usual thanks to elevated interest rates. I still believe you’ll see that process get started next year, but now suspect it’ll go more slowly than I initially thought, for two reasons.
First, per an insightful Pitchbook writeup, as badly as private equity firms might like to get portfolio holdings off the books at least some of them will be too fearful of disappointing sale prices to make deals right away.
And second, per an equally insightful conversation with Larry Walsh (pictured) of Channelnomics this week, though interest rates may finally be dropping they haven’t dropped a lot and won’t overnight. Indeed, the Federal Reserve (in projections made before last Friday’s blowout jobs report or this week’s slightly hotter than anticipated inflation numbers) expects interest rates currently in a target range of 4.75-5.00% to reach 4.4% in December and take another 12 months to reach 3.4%. “The actual interest being paid on notes is going to remain high for a while,” Walsh says, and there are a lot of notes out there.
Still, whether it’s next year, the year after, or the year after that, there are bunch of exits coming, and Walsh counsels MSPs (much as I did last week) to resist the urge to panic.
“Whenever I see either a PE acquisition or an acquisition by another company, everybody starts to think about what’s going to change,” he says. “Chances are nothing is going to change, at least in the short term. It will take 12 to 18 months for them to figure out what to do and to integrate systems.”
Yes, unpopular spending cuts will be among the decisions they eventually make. “That’s always part of the playbook,” Walsh says. So too though, more often than not, are spending increases on products and resources expected to accelerate revenue growth.
Partners anxious about where all that nets out, he adds, should regularly ask themselves the following questions, and be as objective as possible about the answers:
Has product quality declined?
Is support deteriorating?
Are my day-to-day contacts within the company disappearing, due to layoffs or resignations?
Has the product roadmap stalled?
If the answer’s no, Walsh observes, what’s the problem? If the answer’s yes, it may be time to move on. But then again, he adds, partners should always be asking those questions of vendors, and always acting on the conclusions they draw.
“If a tool or a resource isn’t getting it done for you, then get out of it,” he says.
More PE and M&A chatter
Want even more on that coming wave of private equity vendor sales I wrote about last week? Tune into the latest episode of the podcast I co-host.
Also worth noting
The nine new XGS Series firewalls introduced by Sophos this week, the company says, deliver double the performance of their predecessors while consuming half the energy.
Fortinet’s brand new cloud-native application protection solution, the vendor says, is designed “to secure everything from code to cloud.”
NinjaOne’s new patch sentiment analysis tool uses genAI-based insights and community feedback on Windows updates to help MSPs decide which ones to apply.
Not coincidentally, Ninja has a new SVP of data and AI named Joel Carusone too.
Hornetsecurity’s new 365 Multi-Tenant Manager for MSPs solution aims to simplify onboarding, governance, and compliance for M365.
Barracuda has introduced a new Partner Sales Engineer Community designed to help partners drive revenue, improve productivity, and boost profitability.
ESET’s new cyber-detective-themed “Digital Shadows: Cryptic Chronicles” training course aims to make learning about employee-related threat vectors a bit more fun.
CardinalOps, Nagomi Security, and Veriti have forged strategic threat intelligence alliances with CrowdStrike.
EasyDMARC is ConnectWise’s newest integration partner and Invent program graduate.
Yikes: 62% of companies impacted by ransomware in the past year say the attack originated with a software supply chain partner, according to new data from OpenText.
D&H, which says its security practice is on track for 63% year-on-year growth, is making investments to sustain that momentum.
TD SYNNEX’s new Destination AI Practice Accelerator seeks to help North American partners go to market with AI solutions and servers faster and more profitably.
Atera’s all-in-one IT management platform now includes GoTo’s Miradore MDM solution.
Aryaka’s latest UCaaS release adds CASB and remote browser isolation technology.
CrashPlan has bought Microsoft 365 data security and resiliency vendor Parablu.
Subo Guha, recently of Asigra and formerly of N-able, is now VP of product management at Stellar Cyber.
Oguo Atuanya is the newly named VP of vendor experience at Pax8.
Periscope is a new remote management tool for retail outlets from Mako Networks.
Procure IT has a new AI-powered procurement platform.
MSP Sales Revolution’s new Channel Sales Accelerator is a coaching service for vendors with MSP and MSSP partners.