What the acquisition means for the 400 million Avast and AVG users (Q&A)

The Internet could be getting a lot safer for more than 400 million people, thanks to the close of Avast’s $1.3 billion deal on Friday to purchase its largest free antivirus competitor, AVG. That’s the hope, at least, of Vince Steckler, CEO of Avast Software, which sponsors this site.

The deal, announced in July, comes at a time when many smaller and far younger Internet security firms find themselves up for grabs, while Avast and AVG are older than many people using the Internet.

Adrian Sanabria, a security industry analyst at 451 Research, says Avast’s newly expanded user base gives it insight at a level few consumer-based security companies achieve.

“Free antivirus or not, 400 million is still a significant number,” Sanabria says. “That alone gives you some pretty powerful insight into the market and what’s on people’s systems.”

While Avast and AVG are primarily known for their consumer products, the security business is finding more and more people using their personal laptops for work purposes. The “bring your own device” trend includes home laptops, Sanabria says, which means that traditional consumer antivirus is bearing an increasingly large load of enterprise security. The vast amounts of data that the larger Avast user base will contribute is expected to help the company stay ahead of market trends.

“Users are already so confused. The day we made the acquisition announcement, my own daughter in Australia messaged me and said, “I just saw the news, but I thought that Avast was the company name, and AVG was the product.” My own daughter!” — Vince Steckler, Avast CEO

The newer, larger Avast will be the largest antivirus company by market share, at 22.6 percent, according to a January 2015 report by Opswat. In addition to the overall user base total, the company estimates 160 million users are on mobile devices, with estimated annual revenue in 2016 of more than $700 million. Both companies were founded in what is now the Czech Republic, in the early days of the commercial Internet: Avast in Prague in 1988, AVG in Brno in 1991. Up until the deal closed, AVG was a publicly traded company based in Amsterdam.

After three years as Symantec’s senior vice president of worldwide sales, Steckler joined Avast in 2009. He says there’s more to the company’s vision than becoming the biggest player on the block.

“Case by case, we tackle problems in different ways, but I think the joint solution will be better for users than a single solution,” Steckler says.

During an interview with The Parallax, Steckler detailed his vision for how the two companies will combine efforts while maintaining separate products and brands. Confusion between them, he notes, “doesn’t matter anymore.” He also shared thoughts on threats such as Internet of Things exploits, as well as predictions for the broader security software industry.

What follows is an edited transcript of our conversation.

Q: Avast and AVG offer very similar security and antivirus products. What’s the strategy, going forward?

We’ve kind of fleshed out a high-level product strategy. On the consumer side, dual brands will have a different look and feel, and some different features, but they will have a common security engine.

How will Avast determine who uses which product?

It depends on what they came in with. AVG users will continue to use an AVG-branded product, and Avast users will use an Avast-branded product. We’ll roll out the new products early in January. AVG users will get updated through their update mechanism to the new AVG, and the same for Avast users.

Both sets of product users will see some new features they did not have before, so there will be some cross-pollination.

Has there been any negative feedback from existing users about the deal?

There are a few negative comments on blog posts, but most are positive, including at more geeky forums, like Wilders. Geeks are our community, and we care about them. Geeks at both companies are recommenders. Ondrej [Vlcek, Avast’s chief operating officer], has been monitoring lots of “geek” forums, and he tells me that things are very positive on them.

We didn’t have a big concern about “normal” users getting upset, because they don’t really know which company owns the underlying technology. How many WhatsApp users know that WhatsApp is owned by Facebook?

Because we’re taking some of these technologies from both products and putting them into the other product, we’re actually going to be improving both products for users. AVG has a really neat cloud-based behavioral analysis system. We’ll be putting that into the Avast product. Avast has a system of using the cloud to scan Web pages. It’s more sophisticated than AVG’s, and we’ll eventually migrate it into the AVG product.

Any concerns about confusing your existing users?

Users are already so confused. The day we made the acquisition announcement, my own daughter in Australia messaged me and said, “I just saw the news, but I thought that Avast was the company name, and AVG was the product.” My own daughter!

Five years ago, I gave a pitch on Avast at an investment conference. An hour after I gave it, I was talking to a guy who said, “That was a really good talk you gave on AVG.”

So, is it worth the company’s time to keep people from getting more confused?

I don’t think there’s too much we can do about being confused, but now at least, regardless of which name they use, they will be correct. Confusion doesn’t matter anymore.

I’m being a little jocular here, but when you have a user base of 400 million, and you count the overlap with mobile, there are probably 300 million unique people, and then probably twice as many know at least one of the two brands in general.

We will look at whether it makes sense to merge the brands sometime in the future. But for at least the next year or two, we won’t even be thinking about that. It may be useful in the future to merge them together, as their capabilities get closer and closer to each other.

But there are so many examples, especially in the car industry, of maintaining different products and brands, even when they use many of the same parts.

In the near term, what does Avast hope to achieve?

Businesswise, it’s to not damage the existing business while getting on with the integration, which is a large and complex task.

That’s the biggest near-term concern. The actual technical work of running the products with a common engine is pretty straightforward. That’s going to roll out in three months. It’ll be ready before that, but it doesn’t make any sense to roll out a new product around Christmastime.

Technical support represents the first point of human interaction users and software vendors of all stripes, not just security. How will you integrate support for Avast and AVG?

We run fairly similar models: crowd-sourced support for most of the users, with premium options, including for virus removal. We’ll probably migrate to AVG’s premium support, but that’s not a huge change. It’ll be the same support phone numbers, doing the same work, but the business model may be a bit different.

What can you say about upcoming job losses because of consolidation?

We don’t have all of that sorted out yet. Partially because, until the two companies are actually one, we’re not allowed to share a lot of data.

But there will be synergy losses, redundancies, whatever you want to call them. Some are expected. You don’t need two complete big finance teams, two complete big legal teams. They won’t be consolidated at 1x, but they won’t be as big as 2x, either.

For engineering, of course, we’ll be running one consolidated engine, but it’s going to be a more complex engine, and we also want to do more with future technologies. It too won’t be 1x but won’t be 2x. We have to sort out function by function, and handle things internally with employees before we can make a public announcement.

What are the differences between Czech, Dutch, and U.S. law, with respect to the acquisition?

The two legal entities are both Dutch. The Dutch rules require 95 percent of shares to be tendered, versus the U.S. rules of 80 percent. But they allow that once you get to 80 percent, you can do an asset sale and basically sell all the assets to the acquiring company.

On paper, there’s a difference, but practically, there is not. Since we both have German entities and U.S. entities, you have to follow their laws. None of this is greatly different around the world.

Is antivirus successfully changing as a business to “Internet security”?

You’re never going to change the name in the consumer space. Billions of people know it as expressly antivirus.

In the corporate space, you have all these next-gen companies, trying to say that they’re not one of the old dinosaurs, but when you peek beneath the covers, it’s a lot of the same. A lot of these companies were gathering data from VirusTotal, or some of the gray sites that sell comparative data from all of the traditional companies. In my mind, that’s kind of cheating, because you’re avoiding building your own intellectual property and kind of improperly exploiting someone else’s.

On our own security engine, all the end points are centered, they all have a virtual machine in them, they all have a honeypot in them, they all throw massive amounts of data onto the machine-learning servers.

Technology-wise, our product is identical to any that call themselves a next-gen product. AVG’s is probably slightly less identical because they don’t have as much cloud emphasis as we do. If you look at the big guys—Symantec, Kaspersky, McAfee, AVG—we’re all running technologies that are indistinguishable from next-gen except being able to brand it.

Where do you hope to take security technology?

There are differences in how we are both trying to protect the Internet of Things. Fundamentally, you need to protect the central gateway that the Internet of Things uses to access the Internet, which in the home is the home router.

We looked at building protections into the router but decided that it was too difficult to get the router companies to cooperate. So we went down the path of trying to secure the router from one of the connected devices, such as your phone or PC.

AVG went down the path of working with router manufacturers to incorporate [AVG’s security technology] into the router. So we’ve got two different approaches to IOT security, and we can combine them together to get something even better. We use machine-learning and artificial-intelligence technologies differently. AVG has some neat things on cloud-based behavioral detection, and Avast has some neat things with basic malware detection through the cloud via machine learning.

While smaller security startups and full-fledged companies are being bought by bigger fish, we don’t see too many big acquisitions. What does your crystal ball say? Is Avast-AVG the only one?

That’s tough to say. The thing that holds them up is the business model difference. It would be very difficult for a traditional player like a Symantec or a McAfee or a Kaspersky to acquire a company with a freemium model because it’d mean too much cannibalization by the free product.

And for the same reason, it’s also difficult for a company with a freemium model to acquire a traditional company. If you’re going to do something like that, you need the synergies of a common engine.

Mergers of security software companies with traditional models are very conceivable because there are so many of them. You’ve got Bitdefender, Panda—10 or 15 of these small regional companies. In the freemium market, the only other meaningful players are Microsoft, Qihoo, and Avira in Germany. Avira’s pretty small in Germany these days.

Do the “next gen” companies have acquisitions in their future?

Over the last 10 years, next-gen technology companies have come and gone. The only one that still really exists is Palo Alto Networks, but it just more cheaply and efficiently did a traditional-company thing. FireEye did really well, then plunged. The last truly successful new security company is from 20 years ago: Kaspersky.

Many of them end up just burning out. None of these next-gen guys have smarter developers or smarter researchers than the traditional guys. And their R&D budget is much smaller. Why would people expect that they would come up with some startling new way to do things?

The only next-gen guy that has been really exciting to me is Bromium. But even it is struggling now to scale its solution because it’s a massive virtualization product. You get rid of antivirus by virtualizing every process on every computer in your organization, but now you have a massive process management administration issue.

There’s no silver bullet in security. It’s just hard.