This post is written by Jesse Medcalf, Integer Investments' analyst.
A New Business Model, A Better Set of Incentives
WannaCry is just the latest in a two decade series of security disasters that set back trust and have consumers looking for other options. This suggests that the failure is systematic, and the most likely explanation is a business model that failed to put the incentives for security in the right place.
For much of its life, Microsoft's (NASDAQ:MSFT) software has been sold for a one-installment, upfront price. Consumers and businesses bought packages or licenses of software and expected it to act like any other piece of depreciating capital asset. Though some subscription models have existed, the traditional model has dominated Microsoft's products.
This dynamic, though, has incentives in the wrong place and doesn't prompt Microsoft, vendors or buyers to take security seriously and pay for it.
First, Microsoft has been compelled to support multiple distinct code bases. As buyers refuse to upgrade, each new software innovation is dragged down by its requirement to work across multiple platforms. Microsoft is then placed in a bind, either wasting innovation and engineering resources on retrofitting new progress to old systems, or attempting to grandfather out old platforms and eventually leaving them unsupported. That the WannaCry bug exploited an already patched bug highlights the dangers of leaving old software running without the utmost care and attention.
Second, vendors of third-party applications designed to run alongside Microsoft software view each purchased release as something fixed. Once released, and compatible with the then latest version, the upfront purchase model gives them no incentive to update their software and fix bugs as they arise with new updates. Problematically, this leads to companies avoiding updates when released. Much reporting in the wake of the latest attacks centred around the UK's NHS still running Windows XP, for which support was cut to the majority of users in 2014 due to compatibility issues with embedded systems, and third-party software running hospital machinery. What much of this reporting missed, though, is the root cause of this mismatch. With operating systems and other applications purchased upfront, Microsoft couldn't control user upgrades. This is why despite Windows 10 being a free upgrade to users, and ample warning that support would stop for XP, third-party vendors had no monetary incentive to follow Microsoft's updates, and end users were stuck using systems that faltered on a patch and would have been toast following a new OS. As such, despite Microsoft's best efforts to dislodge XP, the old system has a similar market share to Windows 8.1. Further, Windows 7, though a better and more secure option than XP, still commands a clear plurality of users, with the latest Windows 10 only half as popular.
(Source:Net Market Share)
Finally buyers and end users have historically seen software purchases as one-off capital outlay, rather than an ongoing series of costs. Business owners thus consider security as something you get when you purchase the latest software and implicitly assume that the security profile of their most recent purchase remains static over time. As patches and updates are developed however, this is clearly not the case and software becomes more and more vulnerable as time goes on. Given this view, ongoing support and security seem like an extra cost above and beyond the cost of the software itself, disincentivizing those with the power to keep up to date from doing so. It is exceptionally difficult to predict the future probability and cost of attacks, so making the economic case for security top ups or specific upgrades to boost security can be difficult. Moreover, keeping up to date means relatively frequent updates, pouring both money and managerial energy into making the decisions when and how to update to stay secure. The burden of security under this old model is a perpetual one, clashing with the buy-and-go ethos of upfront purchase software.
Fortunately for Microsoft, Nadella's decision to adopt a cloud first, SaaS heavy strategy is the correct one to realign these incentives.
Microsoft can focus solely on its latest, most secure version of its various products, concentrating talent and resources into its latest endeavours. Vendors are forced to keep their applications up to date and compatible with the latest, and soon to be only, versions of the Microsoft software on which they rely. End users and buyers aren't faced with an ambiguous economic decision every time a new update is released, instead Microsoft makes that decision for them. Further, SaaS is predicated on a subscription pricing model, that naturally dissipates the assumptions inherent to one-off capital purchases. No longer are security and support metrics seen as add-ons to be assessed independently, rather they are now an interconnected part of the subscription offering. Though some subscription based security products existed, that they were not part of an all encompassing subscription made them feel as if they were an extra cost. The key change here is integrating security concerns into the software's primary offering. In competing with the infrastructure providers such as Amazon's (NASDAQ:AMZN) AWS and IBM (NYSE:IBM), Office challengers like Google (NASDAQ:GOOG) (NASDAQ:GOOGL) Apps for Work, and CRM providers such as Salesforce (NYSE:CRM), Microsoft now touts superior security as a driving incentive to purchase. Microsoft's incentives to provide security, and consumers willingness to pay for what is now a core offering are much better aligned.
Why is this such a boon for Microsoft? Security scares generally blunt the uptake of new technologies. For the consumers least likely to upgrade, and most likely to provide headaches under the old model, ubiquitous digitization represents a series of risks. Microsoft's foray into the Internet of Things through IoT Central depends on businesses finding new ways to run new segments of their operations through a digital world controlled by Microsoft. How widespread the uptake of this technology will be and the value it provides to customers relies on firms being creative in finding these applications of the technology. Creativity here depends foremost on trust. The next WannaCry looks further and further away as SaaS becomes Microsoft's dominant business model for its software. This paradigm shift will be self accelerating as its focus on safety and security bears fruit, prompting consumers to speed up their uptake.
Charting the Path for Cloud Computing
IaaS is the base level of infrastructure. It provides access to physical data centres, networking tools and firewalls and, ultimately, the server and storage space that the cloud runs on. PaaS is the platforms; these are the online versions of traditional operating systems, and developer environments from which applications can be created and deployed. In the Microsoft model, Microsoft Azure is the base for these two parts. SaaS is the software applications that the end user sees and interacts with, things like Office 365 and SharePoint in the Microsoft toolkit.
Microsoft's advantage is that it has aggressively fostered all three parts. Nadella refers to this end-to-end offering as "the entire digital estate", and it's clear that this has been a conscious strategic decision. Microsoft Azure forms the centrepiece for enterprise customers that want scalable, secure infrastructure and a developer environment that's incredibly flexible. But most importantly, it's the IaaS and PaaS that's most compatible with Microsoft's steady performer in Office and its latest 365 iteration. Importantly, Microsoft is making sure that it's providing technology at every stage of the customer's journey through the cloud, supplying products ranging from mobile and desktop devices, to servers, to data centres, to IoT sensors.
This end-to-end focus is critical. If Microsoft can outline why its offering is a must-buy at any stage of the computing chain, whether that be through superior security at the data storage end, or in supplying the most powerful Office tools, buyers are likely to go with the whole lot. Compliance costs in making sure that various vendors of different products at different stages of the technology are enormous for companies and a logistical headache for the CTOs that tend to be at the forefront of purchasing decisions. Integrating various technologies can also be a nightmare from a training perspective, with Microsoft's complete offering streamlining the onboarding process, especially for less tech-savvy employees.
The strategy seems to be working already, as borne out in the data. Amazon Web Services (AWS), which has enjoyed exceptional profitability and an early lead in the IaaS space, has seen its growth stall. The Kleiner Perkins Internet Trends 2017 Report shows that despite still being the leader in cloud based applications, their user numbers remained stationary at 57% between 2016 and 2017. Microsoft Azure's, on the other hand, increased a massive 70% over the same time period, from 20% to 34% of cloud users. Amazon's lead looks fragile, and with Microsoft tearing into the cloud spaces beyond infrastructure and closer to the end user, the recipe for the majority of enterprises to shift over is in set up and ready to go. Nadella puts it this way "[Customers] value our differentiated approach as the most trusted global hyperscale cloud with hybrid support and higher-level services to help drive their digital transformation. Moreover, they appreciate the agility, operational consistency, and security across the entire digital estate, spanning enterprise mobility, Office 365, Dynamics 365, and Azure."
(Source: Kleiner Perkins)
So far, this has translated into Microsoft's revenue from what it calls its Intelligent Cloud growing 11% to $6.8 billion driven by Microsoft Azure which grew by 93% over the past year. If Microsoft is able to ride these trends to an increasing market share, it should be able to continue to turn these gains into profits in the long term.
The recent announcement by Dell EMC of the Dell EMC Cloud for Microsoft Azure Stack is an excellent example of this in motion. As Microsoft becomes the default cloud computing provider, other names in the space are forced to see Microsoft compatibility and even partnership offerings as the way forward. Indispensability has seen Office products long regarded as the enterprise standard, and now the torch is being passed to Microsoft Azure as the technology around which all other providers must navigate.
Moving forward, Microsoft has attempted to make Azure a particularly machine-learning friendly space. This burgeoning technology provides an immense opportunity for developers, and if Microsoft can secure itself as the default resource provider for this computationally heavy industry, it sets itself in good stead to be the beneficiary of cloud based resource demands. Further, the company is attacking its traditional weaknesses in the space. A Vision Mobile Report confirmed the suspicions of many that Azure has performed better with developers working with and for large enterprises, but not as well with those who double as the individual consumer or the single user in a startup environment. Microsoft, though, is addressing this with the design of its BizSpark offering, and aggressive marketing of this lead-in to startups by offering generous credits.
(Source:Data Centre Post)
Microsoft is already beginning to see the fruits of Satya Nadella's push toward dominance in the cloud computing space through a slick and integrated suite of software products. Market share is growing, and Microsoft Azure is providing an effective centrepiece to hold its more innovative forays together. The natural shift toward the subscription pricing that underlies this new technological space will bulwark against future security issues and see the pie grow for the entire industry at a more rapid pace. Microsoft is on track to reap the gains of these shifts.
As always, thank you for reading. If you wish to follow our future articles, just click the "Follow" button next to our name at the top. If you would like us to cover a company, please let us know in the comments. For information about Integer Investments, visit our website. Thank you for reading.
Disclosure: I am/we are long IBM.
I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.