Secure in His Domain

Back to Contents of Issue: February 2002


Internet security company Asgent has turned into a New Economy juggernaut since September 11, but its founder and CEO says the company's success is due to two factors: firstly, its ability to develop markets and, most intriguingly, a little bit of 'Far East mystery.' You can still call Takahiro Sugimoto 'Shuji' if you like. After all, that was the name he grew up with. But his legal name is now Takahiro. He changed it when launching Asgent in order to tap into the power of 4,000 years of Chinese numerology. 'Shuji' just didn't have the right number of stroke marks, but 'Takahiro' did. Laugh if you want, but expect Shuji...er, Takahiro to be laughing with you -- all the way to the bank. Since Asgent's IPO on the last day of July, business has been going gangbusters for Asgent. In the three months since September 11, the company's stock price had risen more than 130 percent; Sugimoto projects pretax profit of about $4 million for the year through March and better things ahead. Anyone counting the letters in their name yet? While the 44-year-old Sugimoto attributes at least some of his success to the numerological advice one of his board directors gives him, he has a pretty savvy business mind too. His company is New Economy only because it deals with the Internet; otherwise the offices of Asgent, located in Nihonbashi (nowhere near Bit Valley), seem very traditional -- desks aligned in blocks, employees wearing name tags and dressed conservatively. And his business model focuses on large corporations, universities and the government, Sugimoto says, because that is where the power still lies in Japan. J@pan Inc's Bruce Rutledge talked to Sugimoto about his business model, Chinese numerology, September 11 and the threat of cyberterrorism.
by Bruce Rutledge
Where does the name Asgent come from?

(Laughs) There is a true story and the one I tell businesspeople. Which one do you want to hear?

Both.

OK. Usually I explain to analysts or fund managers that Asgent comes from 'security agency.' Also, I wanted the company name to start with A and ‚  so that if there is an exhibition, our company name comes to the top of the list. Those are the business reasons.

The behind-the-scenes story is that for the past decade, I have had a very good adviser. Sometimes, people do not really like to hear this kind of story. It's not really a religious thing or anything like that, but you know, based on 4,000 years of Chinese history in statistics, there are some people who can tell the directions of things, and also the combination of (Chinese) characters in a name can give special power. (Laughs).

(Numerology has affected) the date I established this company and the location of this office, the company name, and even my name -- I changed my given name.

You did?

Yes. My original name is Shuji, but my legal name is Takahiro. I have this very successful adviser (Seiichiro Kawamoto), and that is probably one of the key factors in the success of this company. You know Tokugawa Ieyasu (the Japanese military leader in the 16th and 17th centuries who founded the Tokugawa dynasty of shoguns)?

Yes.

When he protected the castle, the number of soldiers were limited, so each day they would look at the directions. Today, the east side is unique, they would say, so let's put the soldiers to the north of the east side, and things like this. It works! (Laughs.) Far East mystery, huh?

Do you make your staff move their desks around?

Not exactly, but the way their desks are arranged is according to ... if you do some creative work, it is better to face north or west. In my office there is a small shrine. Even Japanese writers come into my office and see the shrine and say, 'Wow. You are doing business in the computer field but this is very rare to see this kind of thing.'



You IPOed on the last day of July, and your stock price has been rising, especially since September. Is that because of the September 11 attacks in the United States?

I don't know exactly, but I guess that could be one of the reasons.

I understand that your company does a mix of vending, consulting and software developing.

We are unique in the Japanese startup environment, which is different from the environment in the US. Traditionally our country is governed by the major players, the large entities, the established companies. So it is quite difficult for startups to actually gather money, do the business and become successful in a short time.

When startup companies become successful (in Japan), I would say that of course the founders are capable, but there is luck, and frankly, those people used other people or 'enslaved' them, something like that.

When we formed our company four years ago, one of the biggest points was that one of Japan's biggest banks, Fuji Bank, actually backed us up from the top level. They came to me and said that if I were to start a company, they would help me. How much money do you need? I said, OK, let me get back to you, and I told them that I need at least $5 million to start a good company. They said, 'Hmmm, that's going to be difficult, but we will back you up as much as possible.' That was the beginning.

Fuji Bank kept its word even though when we incorporated this company (in 1997) it was one of the most difficult times for Fuji Bank (because Yamaichi Securities went bankrupt that year). Within two years, we were showing some profit, and I could show them that the company was doing better than I had expected in the business plan I originally wrote. In three years and seven months, we went to our IPO.

Fast for Japan.

Yes. Startup companies in the US that begin in the IT business say, 'OK we have technology and we will develop new software.' Venture capitalists will probably invest in them. The amount of investment is, I would say, more than 10 times or 100 times the investment that Japanese VCs are likely to invest in Japanese startups.

Consequently, US startups can concentrate on developing the products, and they can gather money in the second stage to develop the market.

The usual Japanese case is different. Startups in this country have passion and vision, probably, in the beginning. But unfortunately, VCs do not put up enough money for the startup company; therefore, in the middle of their development, many of the startups become subcontractors of larger companies. That's one scenario.

Another scenario is they fortunately finish developing their software package. However, in today's IT industry, the movement is very quick. So even though the startup develops its software package, most likely, there will be a 'king,' or a company that has already established the market in that particular software field. It is very difficult for newcomers to beat them. So nobody will want to buy this new software and will instead buy the best-seller.

The third scenario is that the startup finishes developing its software package, however the market is not there. So they have to develop the market by themselves. Frankly, those technology companies do not know how to develop the market, and it will take almost the same amount of money and time to develop the market as it did to develop the software. That's why the failure rate of startups is very high in this country. Also, today, I don't see any of the Japanese-made software packages selling well worldwide.

So where does Asgent fit in?

I thought that to be a successful software company, first of all we have to generate sales by ourselves. Today our sales of Nokia products are a very important portion of our entire sales. As a matter of fact, we are the largest distributor in the Asia Pacific region of Nokia network devices.

By the time I started this company, I knew this security market. I developed the firewall market in Japan by bringing the best-selling firewall software developed by Checkpoint -- an Israeli company -- to Japan back in 1995. I was hired as a CEO of the company. I was also a founder, but I only had a 5 percent share of the company, and like Japanese subsidiaries of big companies, the parent company took most of the equity.

With this company, I brought Chameleon (TCP/IP software) to the Japanese market in 1991. The Japanese personal computer market was still governed by NEC 9801, which was a DOS machine. At that time I met with NetManage, the company that developed Chameleon and brought TCP/IP for Windows to Japan. Two years later, Microsoft Japan finally released Windows 3.1J. That was the first Windows product which people could actually use. Then, my sales of Chameleon skyrocketed. For the first two years, we couldn't see much volume, but then sales skyrocketed, and the company started to see some profit. Within three or four years, the company was making profit of $4 million before tax.

Then I thought, we have to find the next thing. That was Firewall-1. TCP/IP enabled large companies to connect their PCs to minis and mainframes. The next step was Internet connections. Besides, Clinton and Gore started talking about the 'information superhighway.' I started telling my customers that from this point, everyone will start to connect to the Internet and because you are using TCP/IP, you can seamlessly connect to the Internet. Then the next issue is security.

At that time, people were telling me, 'Oh Sugimoto-san, it is so dangerous. We're not going to connect our company's network to the Internet.' Or if they connected, it was only a limited segment. This was back in 1995.

That was the prevailing mindset at the time.

Yes. For firewalls, we could not see sales for 18 months, but we've been educating opinion leaders and giving them free seminars explaining why security is needed and what a firewall is. When I decided to develop this company, I thought I don't want to get caught in the dilemma of the Japanese startup. I understand the security market; I created the firewall market, and the firewall market is the largest segment of the security market. I felt there would be a small paradigm shift in the Japanese market, which did occur two years after I established the company. Sales skyrocketed on sales of Nokia-wired firewall appliances. Then Asgent could IPO in three years and seven months with sales of about $25 million and profit of $3.5 million. Compared with the standard of Japanese startups performance-wise, we are, I would say, excellent.

At the same time, when I started this company, I thought we would not be just a distributor. We started to develop our own software package called MagicPolicy, which doesn't really compete with the several security packages we are bringing to this market. Instead, it creates great harmony with other security packages because MagicPolicy is a software package which allows systems integrators to develop security policies. A security policy is something like security design. For example, if people start building a house, they don't just start building. First they design something. They consider the strength of the structure and the intended users. Then they start building. Software developed by a systems integrator is also the same.

What sort of security policy does Asgent have?

I made a policy that employees must wear a company ID. The reason is that since the number of employees is increasing, some of the subcontractors are coming to the office. I do not want some strangers hanging around this office. So I created this policy: No. 1, everybody needs to wear an ID, and No. 2, if employees find somebody who is not wearing an ID, please ask them who they are. If they are strangers, then just kick them out of the office. However, the second part of this policy is not really enforced. Employees are sometimes -- always -- very shy or hesitant to ask who you are even though they find people who are not wearing the IDs. So there is a need for enforcement. To enforce, we make the ID cards into IC cards, and in physically important areas of the office such as server rooms, without an IC card people cannot get in.

The same thing applies to network security. The important thing is policy. But even though people set a policy, it is very difficult for other people to follow that policy. That's why a gatekeeper such as a firewall is necessary to enforce that policy. That's the relation between policy and security problems.



You are doing seminars on international security standards, I believe.

Yes. Today the British standard called BS7799 is probably becoming the global standard because the International Organization for Standardization, or ISO, adopted BS7799 in December 2000. Now they are in the process of developing the certification procedures.

It is very difficult for engineers to develop security policies (as global standards are still emerging). So I thought that if we develop a standardization tool for engineers to use and create security policies, then it will be harmonious with our security products, which enforce policies. That's why I started developing MagicPolicy four years ago.

When I talk with the Japanese government, even when I explain this policy tool, they do not understand what it is. (Laughs) If they don't see it, they don't want to pay for it. But I finally got some government funds (about JPY90 million) to develop MagicPolicy.

Last year?

Actually in the budget for 1999. And we finished developing the first version of MagicPolicy in June (2000).

We have been trying to develop synergy products, products that synergize with the firewall, for example. This will help put us in the lead as one of the top security providers. And we have been developing MagicPolicy. I think this is one of this company's unique points.

Analysts and fund managers first thought when we IPO-ed, 'OK, Asgent is just a distributor.' But from time to time, I explain to them what we are. Then they start seeing how we are different. We have a platform strategy. Why is Microsoft so strong? Because it has an operating system, which is its platform. MagicPolicy is a security platform and a software product that allows for a policy to be developed based on global guidelines.

These seminars you run are not to generate profit?

My first goal is to educate opinion leaders because our target is large entities. Awareness of BS7799 is spreading among these people. Systems integrators know that BS7799 is becoming the de facto standard. When we have these seminars in a large hotel, about 500 people come. I would say two-thirds of the audience is systems integrators wanting to get the most updated information regarding security policies. This is very good for us because our sales go through systems integrators. We don't really do direct sales. If the SIs earn more money (with our products) then we earn more money.

The other one-third of the audience comes from large entities. We don't really depend on any one field, like the financial field. Instead, our audience comes from a wide range of fields.

We hear the second version of MagicPolicy will be released by March. What will be new about it?

ISO is now working on certification procedures. You probably hear in this country about ISO9000 or ISO14000. Actually, the organization is trying to set certification procedures to give ISO17799 (for Internet security systems) to companies fulfilling ISO requirements.

With MagicPolicy, companies can generate all the necessary documentation to go through the certification procedures. No software package is excellent in its first version. In one year, we got market feedback about upgrading the software and improving the user-friendliness of it. The second version of MagicPolicy is the product; the first version is, I would say, a test product.

This company operates on a front-runner type of business model. We are not going to sell a product in a market developed by some other companies. Our policy is we develop the market in the beginning. By the time we bring out a new product, the cost always exceeds the sales. Chameleon, firewalls and Nokia products are the same. MagicPolicy is the same.

In order to develop the market (for MagicPolicy), we provide a lead auditor course on BS7799, a risk assessment course and free weekly seminars to let people understand what a security policy is and also what BS7799 is. We also hold large security conferences at least twice a year. This is also free of charge.

We are developing the market, but sales of MagicPolicy have not exceeded our spending of marketing dollars. But that's OK, because I have developed the market several times.

Corporate executives don't really know what (Internet) security is. However, many Japanese companies started getting the certificate of ISO9000 or ISO14000. That means executives have started to see the value of letting potential customers see that the company has achieved these standards. Executives see the value of ISO certificates.

I could see that this would be true in the banking or brokerage industry, where Internet security would rank highly. But how about other industries?

Security today is not really depending on any industry, but on large entities -- not medium-sized or small companies, but large entities and foreign affiliates. Today's security market paradigm is what I call the drugstore model. People only buy the security solutions that they are aware of. If you get a headache, you go to the drugstore and buy some headache medicine or cold medicine. That's the paradigm today. However, we have been trying to change the paradigm from the drugstore model to the doctor model by using security policies.

Today many companies have security products in Japan, but they are not selling well. The reason is that companies are not aware of them. They rely only on firewalls or IDS. But like the medicine industry, there are a lot of security solutions that focus on niche fields. To develop awareness of each small security product, it could take two years or so -- but once we develop awareness of security policies, then it is a doctor model. Once a company creates a security policy, then they understand the assets, vulnerabilities and needs of solutions. That's why I am saying this is a paradigm shift.

We are also trying to build synergy products. It's like what the instant coffee manufacturers do. It is easier for them to sell milk-related products with their coffee products than, say, to start selling soda. The customer is the same, the market message is the same and the channel is the same. The firewall is the core product, and the synergy products are log analyzers. WebTrends is a well-selling log analyzer, and in Japan we have a 90 percent market share.

Because we are a Japanese startup, we could not get a lot of money in the beginning, so we had to develop sales by ourselves.



You mentioned earlier that a lot of the software developed in Japan doesn't have global reach. How about MagicPolicy?

By the end of this fiscal year, I am going to take the first step to globally market MagicPolicy by doing something in the US market.

How about your projections for fiscal 2002 through March?

We are officially announcing projected sales of JPY4.5 billion and almost JPY480 million in pretax profit. In the second half of the fiscal year we have been doing very good. We haven't made an official announcement about this, but we feel we can achieve our target and have a lot of extra left over.

You've been developing markets over the last decade. Is it getting any easier?

Asgent has been very successful in the last four years, but I have experienced a lot of failures in the past, so I know how to fail. (Laughs). That gives me confidence to develop new markets today.

For the first 10 plus years after I graduated from school (he went to Rikkyo University in Japan and did post-baccalaureate work at Portland State University in the US), I tried several new product developments, and new business developments in a few companies. Those projects failed, but through those experiences I learned how to fail.

I don't always go on logic. Sometimes I'm driven by, how can I say ... inspiration. If I think we can bring a product to market, then we do it. Today we have more than 10 products which are still under screening procedures.

Are any getting ready to be released?

By the end of this fiscal year, we are going to announce at least two or three new products.

While you are busy developing awareness of the need for Internet security, there is also the danger that this weak economy will lead companies to cut back on that type of spending.

That's a good point. How do I counter that? First of all, our customers are large entities, and they are pretty healthy even in this bad economy. For firewalls or gatekeeper technologies, the key is not the number of companies but the number of Internet connections. Today large Japanese entities physically have several locations, and they want to connect them all via the Internet. Gatekeeper types of products are mandatory each time they create a new access point. Plus, finally the Japanese entities are getting faster and faster Internet connections. Not just ADSL 8-MB speed, but ATM or fiber connections are becoming affordable. Each time the boundaries widen, the gatekeeper creates a bottleneck because its performance is limited. So entities need to keep buying or duplicating firewalls or use another type of software to balance the traffic. So firewalls keep selling well. As a matter of fact, firewall sales are up 200 percent compared with last year.

Plus, with e-business, each sales division wants their own Web site and Internet access point, and they need a firewall. So these sales multiply. And our customers are not medium- or small-sized companies.

Here is a Nikkei newspaper article saying that Japan's top players are not really cutting the budget for IT. Besides, security even today is a niche portion, so even though companies may try to cut down on IT expenses, they are not going to cut the niche area of security.

Maybe the US market is a little different, because the dot-com companies were creating demand for the telcoms. But when the bubble burst, it reflected severely on telcoms so the entire IT field, even security, is flattening. However, the Japanese market condition has a different structure.

Who are your main customers?

We have over 100 systems integrators in our sales channel, and those SIs sell our products to large enterprises. Some of our top SIs are Fujitsu, NTT Data, Oki, ShinNittetsu Solutions and Toshiba Joho.

And you also sell to universities?

Yes. Universities, the government, laboratories. Demand from the government is very strong. The Japanese government is launching an e-Japan project and they've committed to spend almost as much as the US government is spending.

Finally, governments are spending more on Internet security. At the same time, we hear a lot of talk about cyberterrorism. How real is the threat?

The most important thing is that it is very difficult for people to know when they've been attacked. That's the characteristic of cyberterrorism. The reality is, if someone set out to do cyberterrorism, it is very possible because today's IT security among large entities is not so strong. They haven't developed their security policies yet. They buy just the point-to-point security solution -- the drugstore model. @

Note: The function "email this page" is currently not supported for this page.