With the global economy apparently warming and lots of IPOs hitting the Street, it was a bit surprising to see TripWire opt for a buyout by Thoma Bravo, as opposed to continuing with their IPO plans. But I found an article by the local Portland OR Business Journal which explained things a bit.

Basically, TripWire is growing at 20%/year, but that does not create a lot of buzz on the Street compared to monster growth stories like Groupon. They also mismanaged expectations a bit last year when they issued the S-1, by talking about hitting $100MM in 2010 revenues, then missing their target (hitting $86MM on the top line). It’s ancient history, but ask SourceFire about not hitting investor expectations when going public. So the stock was likely to languish and that’s not good for anyone. Clearly their investors were tired (having been with the company since 1997), so something had to give. The private equity buyout by Thoma Bravo provided liquidity for the investors (and some founders/early employees) and the runway to continue building the company.

Thoma Who?

You probably haven’t heard of Thoma Bravo before. They are a buyout firm, specializing in tech companies. You may know a couple of the companies in their security/IT management portfolio: Attachmate (which just acquired Novell after swallowing NetIQ a few years ago), SonicWall, Entrust, LANDesk, and now TripWire. It’s a pretty broad portfolio of mature companies that aren’t really leaders in their respective spaces. That’s why they got bought out in the first place, but these mature companies generate significant revenue, which can be milked and perhaps used to buy other assets.

You all know the game in private equity, right? They acquire assets (usually using a mix of equity and debt), clean things up either by fixing operations or merging with other companies to gain scale, and then take the asset public again or sell it to a strategic buyer. If it works out, they generate tremendous returns using the leverage of the equity/debt mix. If you buy an asset like Chrysler (as Cerberus did), that might not work out. But if you look at the Forbes 400 of really rich folks, quite a few specialize in buyouts. So evidently it can be a pretty good model.

Thoma’s security portfolio is pretty comprehensive and they have the pieces to compete against some of the bigger players in the space. But only if the various companies are integrated to some degree. Thoma has not talked about any larger strategy in the security market but don’t assume they have one. Maybe they just see a couple companies that can operate more efficiently and at some point provide a decent return on the investment – we will see.

Market Impact

The fact that the deal was announced as a standalone may mean they plan to leave TripWire alone, especially since the Business Journal story reports that Thoma tends not to mess with its companies. If so there will be little to no impact on existing TripWire customers. Given the market opportunity in security this seems like a mistake to me.

Moving forward, security is all about reducing the complexity of protecting a very complicated environment. Having 5 standalone security companies does not reduce complexity for customers, wasting any leverage TripWire could provide with Thoma. If you believed in TripWire as a long-term, sustainable standalone company, this approach is fine. Personally, I think there are only a handful of sustainable, standalone security companies, and TripWire isn’t one of them. So over time I hope they fold into a more comprehensive offering.

For the time being, TripWire keeps doing their thing, looking for smaller tuck-in acquisitions and trying to grow to the next level. That just seems like a horrible waste of assets. Folks like McAfee and Symantec have spent years assembling large portfolios of products to package into solutions for customers. Thoma Bravo now controls a significant security portfolio, and with a few more strategic acquisitions (such as monitoring, endpoint protection, and professional services/integration) they could have enough to legitimately compete with Big Security.

That assumes competing with Big Security is the end goal, and I’ve been around way too long to think I understand the strategy of any financial buyer. I know the motivation (generate return on investment), but there are plenty of ways to skin that cat.