If you’ve ever had a Windows computer, the odds are pretty good that you’ve used Avast or AVG for antivirus protection. At the end of last week, the two providers of free antivirus software announced that Avast will buy AVG for $1.3 billion.
Steckler, who joined Avast seven years ago, after serving as senior vice president of worldwide sales at Symantec, argues that the merged company will weather an incoming computer security storm of consolidation and other challenges because of its combined user base of more than 400 million computer end points (160 million to 170 million on mobile devices, the rest on Windows and Mac computers) and its willingness to invest in new security technologies.
“I wouldn’t commit that our products are going to have the highest test scores. We’re really looking for what users think about our products—how they rate us on Amazon. That’s a much longer-term indicator of how good a product is.” — Vince Steckler, CEO, Avast Software
Both companies were founded in what is now the Czech Republic; Avast in Prague in 1988, AVG in Brno in 1991. AVG is now a publicly traded company based in Amsterdam. Presuming that the sale is approved by regulators and shareholders, the purchase price represents a 33 percent bump over the closing price of AVG stock on July 6, the day the sale was announced.
On Monday morning, Steckler spoke with me about his vision for the combined company and for the broader security industry. Here is an edited transcript of our conversation.
Q: What’s your vision behind the merger?
Security companies—especially those that are PC-oriented—have to start consolidating. Right now, things are still fairly fragmented. You’ve got the American players (such as Symantec’s Norton and Intel’s McAfee), you’ve got the Russian player (Kaspersky Lab), you’ve got the Korean player (Ahn Labs), you’ve got the Spanish player (Panda Security), and you’ve got a lot of regional players. As the market for PCs matures, so must the market for security.
We thought that AVG and Avast had a much better future together than separate. One of AVG’s issues has been its U.S. customer base and thus its reliance on the health of the PC and mobile business in the United States. Avast’s customer base, by contrast, is much more non-English-speaking. This has given it a lot more breadth, of course, and made it less sensitive to U.S. movements, but it also has made it a less significant player in some of the world’s richest markets for IT.
Bringing us together will give us a lot more oomph and scale and stability.
What does the merger mean for consumers?
It means two things: First, there won’t be a noticeable change. Avast and AVG are very strong consumer brands. We plan on running a dual-brand strategy. Of the security products people around the world are searching most for on Google, No. 1 is Avast, No. 2 is Norton, No. 3 is AVG. We have very strong brand visibility around the world. Some markets, such as France and Brazil, are stronger for Avast; some, such as the United States, are stronger for AVG.
The second part is that by merging the underlying technology and increasing the number of sensors, we’ll be making users more secure. The idea is, though, that they won’t see that happening.
What’s the underlying value to Avast of having more people using its software?
Avast is very strong with consumers, but we needed a second strong revenue link, and we wanted that to be mobile or corporate.
We’ve been wanting to work with mobile carriers, providing security or family safety or geofencing middleware they can offer their subscribers. Doing this would provide value to the subscribers and brand stickiness to us. For now, we have a nascent mobile business, which is going down the path of an advertising-based model.
To make an advertising model really work in mobile, you need a minimum of 200 million end points, by our calculations. We have 65 million end points, and although it’s growing nicely now—we grew 5 million in the last two months—it takes a long time to organically get to 200 million.
To get to scale rapidly, we could spend a massive amount on pay-per-click/pay-per-impression, but we don’t spend that kind of money. (Cheetah Mobile, which has a lot of money from its IPO and is trying to get to scale quickly, spends $6 per monthly active user to acquire and keep users. That’s phenomenal.)
AVG offers us two things: It has its own base of organic-built users—105 million to 110 million on mobile. So together, we have 170 million mobile users, which gets us pretty close to that magical 200 million point.
With acquisitions and other endeavors, AVG also is also getting into the market for small and midsize businesses. Its SMB business plus ours is still relatively small, compared to McAfee or Symantec, but it’s about five or six times bigger than what we have by ourselves right now. It’s a nice start. Adding real complementary product lines makes Avast, as a whole, a much more sound company.
What does the deal mean for the antivirus industry as a whole?
It’s hard to say. Most of the larger security players use their consumer business to support their investment in enterprise. If you step away from the top-tier traditional, pay-only business model guys—Norton, McAfee, Kaspersky—you’ve got a bunch of smaller traditional guys, and then the three guys with a more disruptive, freemium model: Avast, AVG, and Avira.
Avira is basically just in countries that speak German. Panda has a footprint in Spain, Ahn Labs in Korea, Trend Micro in Japan. The only two companies that have large global footprints were Avast and AVG. So this acquisition will take two of the most attractive candidates off the table.
What’s the future for antivirus companies? Is the label antiquated? Misleading?
It is so 1980s!
And with consumers, you can’t change the name. Antivirus products, for 10, 15, even 20 years, have been so much bigger than just antivirus. This is all the protection most users have. Their vulnerability assessments, their intrusion detection, their everything.
Antivirus products, like the devices they run on, are not going away. They’re going to be around for many, many years. There’s still a huge market for them, and there’s still a tremendous opportunity in that market.
What role did technology developments play in driving the merger?
Each device is actually a sensor. In the old days, when malware was very long-lasting and had a big reach, you could get by with a lot of other ways of doing security—the traditional virus lab stuff, exchanging data with your competitors—and it didn’t matter if you were a few days late because the malware would still be out there in the wild.
Security products today are being designed to collect data from each user—each end point—as a real-time security sensor. Each end point runs a virtual machine, and inside the virtual machine is a honeypot to attract threats and a sandbox in which to test them. You can collect a massive amount of data.
And the amount of data that you can collect with hundreds of millions of end points is just phenomenal. It can really improve the security of our products.
So a year from now, we should expect the combined technology to take the No. 1 slot on independent threat-blocking tests?
The problem with the tests is that they’re not based in reality. Is there much of a difference, if you’re 98.3 percent effective versus 97.8 percent? As far as the test is concerned, that’s fairly trivial.
I wouldn’t commit that our products are going to have the highest test scores. We’re really looking for what users think about our products—how they rate us on Amazon. That’s a much longer-term indicator of how good a product is.
So users should look to how antivirus products are rated on Amazon?
Formal product reviews are OK for telling how the product works, but the vast majority of users want to install it and forget it. You want a product that does reasonably well on those tests, but slight differences don’t necessarily harm the user.
On the tests, one false positive gives you a fail. The test samples largely come from German download sites, which are rarely seen outside the German markets. So it’s easy to tune a product to detect those samples.
You may read a review on Consumer Reports, but it’s the user reviews that will tell you over time how your product is really doing.
What are some of the risks of the acquisition?
The big one is not integrating well enough. The whole point of doing this is more scale, so we have a better business for the future. We have to be able to execute very, very well on that, or we can sink. We obviously will pay a lot of attention to that.
Avast appears to be taking on a lot of debt for this deal.
It is a lot of debt, in terms of dollars. But in terms of ratio, it is not. The ratio that we’re taking is about the same when CVC invested in the company. It’s not highly leveraged. And that’s because Avast throws off so much cash, Avast’s profit margins are plus or minus 70 percent.
Given Avast and AVG’s historical proximity and similar business models, had you previously discussed a merger or acquisition?
These talks have been happening off and on for years. Ondrej [Vlcek, Avast’s chief operating officer and an employee of the company since 1995], remembers a meeting in 1998 with AVG’s founders.
What changed this time?
AVG said yes.
Where are you seeing Avast’s growth in the next few years?
The consumer market is still growing for us at about 20 percent a year. We see the potential to grow AVG’s core consumer business too, re-energizing growth there. And obviously mobile. By getting these two mobile install bases together, there’s so much more you can do with that now.
What about the Internet of Things?
There’s development to handle the scale. That’s the continued pushing of the cloud-based technologies, and the machine learning to handle that instantaneous real-time or zero-day protections.
The Internet of Things is really intriguing, but it’s really hard to define what the heck Internet of Things is. Very few of these “things” talk on the Internet directly. Because they’re largely connecting to a home router, our IoT focus on is layering additional protections and security on the home router.
Once they start connecting on the Internet, they’ll essentially be mobile devices, which is why getting a big footprint in mobile for us became important. Mobile will become the core of IoT.
While both Avast and AVG have some iOS options, VPNs and Family Management tools, neither Avast nor AVG has its core threat-blocking technologies on the iPhone. Is that the extent the role of antivirus on iPhones? Has Apple solved core security problems?
Very few security products are allowed in the App Store, but that’s not the same thing as saying Apple devices don’t have security problems. The largest security problem on an Apple device is also the largest security problem on Android devices or PCs: the user. It’s just as easy to spear-phish someone on an iOS device as on an Android device, for example.
Software can detect a lot of that. But on iOS, you’re not allowed to distribute it.