SBN

What Should Thoma Bravo Do With ForgeRock?

Thoma Bravo released a statement back in October 2022, indicating they had entered into a definitive agreement with IAM platform provider ForgeRock. This would be a deal worth $2.3 billion once complete. The deal has yet to complete however, with the US DoJ requesting further information. Existing ForgeRock shareholders did vote in January 2023 however to overwhelmingly approve the deal. ForgeRock’s most recent SEC 10k filing highlights that ForgeRock and Thoma Bravo will respond to the “Second Request” for information by the DoJ no earlier than May 1st, with the completion of the deal not happening within 75 days after that date.

However, it is interesting to speculate what Thoma Bravo may look to do with ForgeRock if and when the deal completes. Why did they wish to pursue the deal – will they integrate, expand or alter how ForgeRock goes to market? What impact may this have on existing customers and prospects?

For a little extra context, Thoma Bravo already has several organisations within it’s portfolio that deliver capabilities within the broader identity and access management arena including Delinea (through their investment in Centrify), the identity governance and administration player Sailpoint who where acquired by Thoma Bravo in April 2022 for $6.9 billion and also long standing access management player Ping Identity who Thoma Bravo closed the acquisition of in October 2022 for $2.8 billion.

On one hand these deals could possibly indicate that Thoma Bravo are becoming a specialist IAM investor – identifying trends, patterns, economics of scale and integration options that perhaps other investors do not possess. On the other hand, competitive scenarios may well exist between existing and new portfolio companies, as the market for IAM technologies evolves and potentially overlaps. Large enterprise clients – which nearly all the established IAM platform players will be targeting – are very likely to have invested or are looking to invest in identity technology from a range of existing vendors.

Whilst analyst opinions are valuable (we would say that being an analyst firm in the IAM space…) it is also important to pose interesting questions and canvas opinion from a range of different stakeholders. At The Cyber Hut we run regular industry polls and surveys in order to gauge the mood on a range of topics.

On March 7th, we ran a poll on LinkedIn asking The Cyber Hut community what they thought of the acquisition and what might happen. Clearly we couldn’t provide room for every single option, and left the question open ended, if respondents wished to add specific comments for “doing nothing”, or “merge all three for example” – see the end of the post for the additional comments respondents made.

At the time of writing n=101 responded. The results turned out as follows:

Merge With Ping Identity

ForgeRock and Ping Identity have quite similar heritage. Ping is slightly older, has more employees, generates more revenue and has made more acquisitions. However, if you look at their recent SEC filings, the use of language, target markets and case studies are quite similar in nature.

28% of the respondents thought a merger was the best bet. Why so? Clearly a merger would help materialise economies of scale and operational efficiency if target prospects are similar. Another possibility is that they have overlap with existing customers. It maybe possible that both ForgeRock and Ping have sold into the same large accounts.

However, the flip side of course, is that if they are competing heavily in particular geographic regions or virtual sectors, a merger would effectively be a bit cannibalistic.

One major difference however is the locations they derive their revenue from. For the year ending 2022, the ForgeRock 10K annual filing showed they derived approximately 44% of total revenue from International (non-Americas) regions. Ping in comparison derived only 26% internationally for their year ending 2021. ForgeRock was originally founded in EMEA so that could well be a likely reason for the difference.

Merge With Sailpoint

So Sailpoint bring a very different capability to the table. They have a long history in the identity governance and administration market – which is focused on the access review, access request and identity analytics/reporting set of use cases. This has not traditionally been the domain of access management players such as ForgeRock and Ping. Ping indeed have worked alongside Sailpoint at different levels as evidenced by integration data sheets from Ping and a microsite by Sailpoint.

In recent years ForgeRock had added in some IGA capabilities natively to their platform. The Gartner Peer Reviews micro-site for IGA, only lists 52 reviews for the ForgeRock platform in total (not just IGA) whereas Sailpoint has received over 500 – indicating adoption and references are potentially lower.

However, clearly ForgeRock sees IGA as an option for cross-selling more software and services to its existing customer based as mentioned in it’s most recent 10K filing.

A merger with Sailpoint only received 12% of the vote, so perhaps focusing on IGA directly may provide ForgeRock with a net-new revenue stream going forward.

Focus on Workforce Only

Instead of focusing on mergers with existing player, a question was also posed with respect to narrowing the focus of ForgeRock. Both ForgeRock and Ping Identity serve customers using their platforms for workforce and consumer ecosystems. Should ForgeRock narrow that focus to just the workforce arena? Their history and origins come from that sector – with a magic quadrant leadership position by Gartner for their access management capabilities too – and coupled with strong features for single sign on, federation, authentication orchestration and the recently mentioned IGA components – it may seem sensible.

However, only 6% of the respondents thought this was a decent plan – perhaps due to the increasing competition in this space from the likes of Microsoft, Okta and smaller startups who are delivering more focused capabilities.

Focus on CIAM Only

The answer which received the largest percentage was this one. Focus on consumer/citizen/customer identity and access management – which received 54% of the vote. Why so? ForgeRock have invested heavily in this space since about 2016 with numerous public references and case studies for large scale and complex CIAM projects.

This is an area that is clearly growing due to the rise in digital transformation (DX) projects both large and small enterprises are embarking upon as they look to deliver online-only delivery of services, content and products. CIAM projects have a very different makeup – from both the requirements (functional and non-functional) perspective, the buyer personae as well as the success measurements too. All very different from the workforce IAM space – there is a decent book on the topic for those wanting to know more 🙂

So why just focus upon CIAM? I guess this could be handled via two different questions – why drop workforce and who else is competing in the CIAM ecosystem? Dropping workforce allows ForgeRock to concentrate sales, marketing, development and analyst relations on one sector. Whilst workforce is stable with respect to budget and business case development processes, it is also a very saturated market – with numerous authentication providers, governance and single sign on vendors.

CIAM on the other hand does not necessarily see one dominant player. Vendors such as Transmit Security, WS02, TrustBuilder, LoginRadius and OneWelcome are all providing alternatives to the likes of Auth0 (now Okta). ForgeRock with historical expertise in scalable and highly available directory services technologies could see as an area they could successfully compete in for the next 3 years.

What Does ChatGPT Think?

In a world that is seemingly either paranoid about AI or thinks AI is the saviour to all of mankind’s problems, it seems only fair to ask “it” what it thinks about the potential acquisition.

So on March 14th (the date is important as the “machine” is always learning of course), I asked ChatGPT “What should Thoma Bravo do with Forgerock?”. In honesty the answer was heavily laden with what was essentially “I don’t know”, but nonetheless, provides an interesting signal.

Time will tell how both Thoma Bravo and the market will respond to the acquisition if and when it completes.

A few of the additional poll comments are below.

Reach out for a more detailed inquiry on this topic if necessary.

LinkedIn Poll Comments:

  • No “keep the same” option?! I don’t see reasons to perform any of the actions above. ForgeRock has a huge portfolio of on-prem customers and the ciam ones are increasing day by day.
  • I would guess they do nothing because any merging or singular focus will alienate existing customers and create more disruption and opportunity for customers to look elsewhere and potential lost revenue. Look at Sun/Oracle back in the day. How many orgs stayed on Oracle after Waveset went away?
  • What about merging it with both Ping and Sailpoint 🤔
  • Probably will keep Forgerock for CIAM, Ping for workforce

The post What Should Thoma Bravo Do With ForgeRock? appeared first on The Cyber Hut.

*** This is a Security Bloggers Network syndicated blog from The Cyber Hut authored by Simon M. Read the original post at: https://www.thecyberhut.com/what-should-thoma-bravo-do-with-forgerock/?utm_source=rss&utm_medium=rss&utm_campaign=what-should-thoma-bravo-do-with-forgerock