6 reasons Cisco acquired Splunk

A treasure trove of Cisco and Splunk data, AI and analytics can improve cyber-resilience, accelerate threat detection and response, and enable more intelligent networks.

Like many others, I first heard a rumor last year about Cisco buying Splunk. It seemed exciting, but as the days turned to weeks and then months, I dismissed it as industry hearsay. I guess not.

There are several financial reasons why this deal came to fruition, including Cisco's desire to bolster annual recurring revenue and diversify into higher-margin software sales. I'll leave this economic analysis to the Wall Street analysts. From a technology business perspective, here are my six reasons why this deal is a strategic success for Cisco:

  1. It's all about the data. In the past, security technologies like antivirus software, email security gateways, firewalls and access control systems enforced policies and made decisions based on preset configurations, rules and threat intelligence feeds. This led to security balkanization. As enterprises consolidate disparate tools, back-end data and analytics engines take on a greater role by analyzing all the data, considering new risks, monitoring IT changes and then directing distributed security technologies on what to do. In other words, technologies like Splunk become the brains of the operation while individual security controls (e.g., antivirus software, firewalls and access controls) become sensors and actuators by collecting data, sending it to an analytics engine and receiving enforcement instructions. Cisco already has mountains of data from software such as Talos, Secure Network Analytics (formerly Stealthwatch) and Cisco Endpoint Security Analytics, but customers tend to centralize analytics and telemetry at the SIEM level. Splunk ties a bow around existing Cisco security technologies.
  2. Cisco and Splunk can modernize the SOC. Security operations center (SOC) modernization is an ongoing trend as organizations need the scale, analytics capabilities and automation to address multi-cloud IT infrastructure. Splunk is addressing SOC modernization by embracing the Open Cybersecurity Schema Framework, by migrating the Splunk SIEM to the cloud, by integrating a threat intelligence platform and by creating a common SOC workbench with Mission Control. Cisco can further contribute to SOC modernization with Talos threat intelligence, curated network telemetry and its extended detection and response (XDR) offering, which provides risk-based vulnerability management. The key is tight integration between all the parts, creating a security operations and analytics platform architecture, while still accommodating third-party telemetry and technologies. As SOC modernization efforts continue, Cisco sales can extend Splunk environments with Cisco security technologies or start with Cisco technologies and look to replace legacy SIEMs. Either way, Cisco wins.
  3. Splunk expands the universe of potential managed services deals. ESG research indicates that 80% of enterprises use managed services for security operations, and of those, 88% plan to increase their use of managed services moving forward. Managed Splunk is already a well-established market, and Cisco can align managed Splunk with its managed detection and response offerings to greatly expand its market opportunities. It's also worth remembering that Cisco sells a lot of its products through a worldwide network of channel partners. Cisco will likely work with these partners to find additional services revenue opportunities around Splunk, XDR, SOC modernization and cyber-risk management.
  4. Splunk complements zero trust. If you haven't noticed, zero trust is composed of a lot of moving parts across identity, devices, networks, applications and data. To make zero trust work, a system has to act as the policy decision point (PDP) while many technologies will take on a role as policy enforcement points (PEPs). Currently, Cisco has many PEPs (VPNs, firewalls, user authenticators, etc.) but lacks a PDP. I could see Splunk (SOAR, ES, UEBA, etc.) and Cisco (Kenna, Talos, etc.) coming together to fill this PDP role.
  5. Observability and security can move Cisco toward a self-service network. Imagine a network where a new device is automatically provisioned, secured, updated, tuned and monitored continuously, through a combination of observability, security, analytics and policy enforcement. The theory here is that Splunk constantly monitors the state of the hybrid network, recognizes changes and responds with an action (provisioning a system, redirecting traffic, load balancing an application, or quarantining a device). I know we've been talking about this forever, but Splunk makes this Cisco vision a bit more real.
  6. Cisco is one of few companies that can compete with Microsoft licensing. The Microsoft E5 license opens the door for organizations to pay one enterprise licensing fee and get a potpourri of security tools, including Microsoft's SIEM, Azure Sentinel. On its own, it would be difficult for Splunk to compete on price, but Cisco has a broad enough security portfolio and a similar pricing model to go head-to-head with Redmond. If this happens, one of Splunk's major obstacles goes away.

I've read a lot of pundits claiming that Cisco will use Splunk data to build security and observability-focused large language models (LLMs) for generative AI use. Maybe, but it's more likely that they will take any native telemetry and enhance existing LLMs that already contain tons of Splunk and Cisco content available on the Internet today. By doing so, Cisco can create generative AI tools that can help customers use the vendor's technologies to better manage, operate, secure and maximize a modern hybrid IT infrastructure. This will make end-to-end Cisco technologies much more attractive to CIOs, CISOs and business executives.

I've tried to outline some of the strategic benefits possible through a Cisco/Splunk merger, but Cisco has some work ahead of it. As Splunk customers transition from on-premises to modern cloud-scale SIEMs, many consider alternatives from vendors like Devo Technology, Google and Microsoft for several reasons. First, there's Splunk's history of being the highest-priced option. Second, Splunk's salesforce has a reputation for always having its hand out, looking for more money from customers. Finally, Splunk made some ambitious announcements in the past that it struggled to live up to. Splunk has done a good job of addressing these issues over the past few years, but cybersecurity professionals have long memories. To address historical bitterness, Cisco should encourage executive visits to key Splunk customers while applying its customer success methodologies to the entire Splunk base as soon as possible.

Speaking of long memories, old timers like me will even remember the Cisco Security Monitoring, Analysis, and Response System, an early SIEM-like product that was killed in 2014. I know this is ancient history and Cisco is a different company today, but I'm sure some Cisco/Splunk salespeople will hear tales about how Cisco tried and failed with security monitoring in the past. As the saying goes, "old memories die hard."

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
