Panda Security is the plucky Spanish antivirus firm that stormed the international market nearly a decade ago as malware threats boomed, beating most of its rivals to the idea of cloud security as an alternative to signature scanning. Well regarded technically and apparently successful, around 2010 the firm suddenly hit a sales wall.
The Spanish economy had tanked in 2009 but from the outside it was never clear whether this was the sole problem – Panda was and is private (mostly owned by private equity) and its troubles remained within its walls. News dribbled out of major job cuts, staff jumping, a shelved IPO and a CEO, Juan Santana, who suddenly wasn’t. Even the PR effort eventually dried up, never a positive sign.
The symbolic low point was perhaps the 2012 hack of a clutch of its web domains along with some user data by British pranksters LulzSec after a spat over the lab's involvment (or not) in the anti-Anonymous Group police hunt.
Now the firm’s fourth CEO since 2007, Diego Navarrete, appointed in January of this year, wants to reboot a firm whose stagnation remains the first question for any interviewer – what went wrong and will Panda Security 2.0 fare any better?
“The company never had a technological problem,” he shoots back, “but in the consumer space it did not address the freemium model. With the big AV firms just above it competing on price and the Euro AV firms such as Avira and AVG offering a basic free product, “Panda got caught in the sandwich,” says Navarette.
With once-reliable Spanish sales plummeting as the Euro crisis cruelly mashed its economy, the firm found that its adoption of cloud malware analysis was too advanced for the market. It had bet on an expensive technology that people weren’t quite ready to buy in place of desktop-only software.
“I don’t think the market was ready.”
Although as Spanish as his immediate predecessors in the job Juan Santana and José Sancho, Navarette is a slightly different proposition after a long stint at IBM where he worked in the security division and, more recently, was a director of the Blue’s Cloud and Server operation for Southwest Europe. It’s a CV that had him spending a lot of time in the UK, one of IBM’s main markets.
Despite nabbing Navarette, today’s Panda retains much the same management team it ever had, comprising the core of people who founded and built the firm from its birth in 1990. The focus remains on its 200-person technology centre in Bilbao, although Navarette mentions that the firm is looking to expand its development to new centres such as the Silicon Valley, the UK, Israel and Canada.
The reliance on Spain has been reduced from 25 percent in 2007 to 18 percent today, says Navarette, with a 50-50 split between its consumer and business software. Put another way, 82 percent of its sales this year will come from outside Spain with the US and other European markets major sales targets.
Navarette says that Panda has just enjoyed its best trading period since 2007, the year its ill-fated expansion plan got airborne.
In June the firm launched Panda Advanced Protection Service (PAPS), a new take on cloud-based security in which all applications are classified as friendly or foe down to process level.
In some aspects, its claimed ability to protect against software exploits is distantly reminiscent of the interesting anti-zero day technology developed by ex-Panda Security engineer Pedro Bustamente whose startup ZeroVulnerabilityLabs was acquired in 2013 by US security firm Malwarebytes.
But as far as Panda Security is concerned things have gone beyond hype, PR flannel and buzzwords about the cloud and whether its technology is better than everyone else’s. It simply has to execute and sharpish.
“You go through pain but this company has crossed the desert,” says Navarette bluntly.