Considerations around IT Spend Consolidation

As we approach the next set of earnings for our software infrastructure companies, I thought it worth considering some factors around IT spend consolidation that may help soften the impact from a possible drop in IT budgets. This assumes we are entering some form of recession and enterprises are pulling back on IT spend. Some software companies have already telegraphed a tougher demand environment recently, with examples like ServiceNow and Microsoft. If this trend manifests, it will likely impact the valuations of our software infrastructure companies.

I can’t offer any additional insight into macro drivers and how those will play out over the next 12 months. However, I think it is worth considering some characteristics in software infrastructure spend that could help counterbalance overall adjustments to IT budgets. These factors may help some companies limit the impact more than others. Further, as macro headwinds subside, these factors will ensure that well-positioned software companies can return growth to previous levels.

During economic slowdown and pressure on IT budgets, CTO’s and CIO’s often use these periods to find ways to reduce expenses through consolidation of tooling and reducing total cost of ownership (TCO). This often applies to open source. On the surface, running an open source version of a software infrastructure function sounds like a good idea (it’s free), but the reality is similar to maintaining a data center. Open source software requires staff to install, configure, optimize and operate. In addition, to ensure that they can resolve any unexpected issues with the open source package, many enterprises engage in support contracts for outage escalation. The total cost of these open source projects and similar DIY efforts quickly exceed the cost of simply paying a software service provider for their hosted service. With most open source project sponsors now offering a commercial version that is hosted on the public cloud platforms, the total cost of self-hosting becomes more apparent. This effect explains why we see high demand for cloud-hosted offerings from Confluent, Elastic and MongoDB among others.

Consolidation of spend can be applied to multiple point solutions that proliferate in software stacks as well. Like DIY efforts, point solutions for a particular segment of a software infrastructure function can be appealing to engineering teams, where they assume they can squeeze extra performance out of the solution or anticipate benefiting from a broader set of features. In periods of IT budget expansion, it is easy for technology leadership to greenlight these kinds of projects to keep engineers happy. As budgets start to come under pressure, however, the opposite effect applies. CIO’s and CTO’s will pull back on DIY efforts, open source experiments and point solution sprawl. They will seek to consolidate these functions under the umbrella of fewer vendors, with the expectation of costs savings through volume discounts and less overhead. While the engineers may be disappointed that they lose access to the extra 10% of features (that they probably wouldn’t have used anyway), they are happy to keep their jobs.

This consolidation effect benefits leading software providers who offer a broader set of services in a category or span multiple categories. The effect is most pronounced where the software provider has a strong foundation in one core category and can make a “good enough” argument in an adjacent one. The two categories should be related and leverage some aspect of the IT investment already made, whether in software component deployment (single agent), training or common interfaces (single pane of glass). This consolidation effect can be pronounced and result in an acceleration of spend expansion for entrenched software providers.

I’ll provide a few examples of companies that appear well-positioned for consolidation opportunities. There are likely others.

In cybersecurity, Crowdstrike offers 22 individual modules at this point and regularly reports on rapid customer expansion into subscriptions for multiple products. In Q1, they revealed that the number of customers adopting six or more and even seven or more modules grew more than 100% year over year. This expansion increased ARR by 61% year/year. During the earnings call, management spoke to this trend towards multiple module adoption and provided the explanation that customers want to consolidate their spend onto a single platform for security.

From their Q1 call: “And in fact, when you look at the current environment, we have customers saying we want to consolidate more. We want to go all in with CrowdStrike. We want to get rid of this extra spend that we have in other areas, too many agents. And we can upsize our deals while decreasing the overall security spend by consolidating things like vulnerability management, by consolidating log management capabilities, etc. We can put it together and give them a much more effective technology with better outcomes, lower cost, and lower management concerns.”

Datadog provides another example of consolidation. In their Q1 earnings call, the leadership team cited several examples of customers replacing homegrown, open source and commercial point solutions with the Datadog platform.

From their Q1 call: “We signed a seven-figure upsell with a leading payment company. Earlier this year, this customer’s open source logging tool went down making them blind, but they were able to regain visibility by getting Datadog log management up and running within a few hours of that crash. Not only did this customer regain log visibility very quickly, they were also able to use the Datadog platform to scrub personally identifiable information to meet security and compliance requirements. And as they have expanded with Datadog, they have been able to cut the number of engineers who maintain homegrown and point solutions in half and reassign engineers to other products to work in the organization. With this renewal, this customer now uses 13 products from Datadog.”

It is worth noting that during their Q2 2020 spending reset due to Covid IT spend reductions, Datadog had far fewer products in market. At the end of 2019, they offered 6 separate monetized products. Now, their pricing page displays 17. While it’s likely that enterprises will cut back across the board, I think having more products in market (including 5 for security) should spread out the impact of customer utilization adjustments.

Some others:

  • MongoDB is making the case that their multi-model database can address application workloads outside of document-stores, like key value, time series, search, analytics and even a reasonable replacement for relational. CTO’s may want to use this opportunity to replace open source or point solutions in these segments.
  • Zscaler is expanding their Zero Trust platform to secure not just user-to-app communications, but also app-to-app and machine-to-machine. And while they are at it, customers can protect their cloud workloads.
  • Snowflake wants to become a single repository for all enterprise data, spanning not just traditional data warehouse analytics workloads, but also machine learning and even real-time data applications. At Summit, Western Union talked about replacing a Cassandra cluster that delivers pricing data with Unistore. Underneath it all, enterprises can inexpensively share data with their partners, customers and suppliers, replacing one-off APIs and other data integrations.

While consolidation will be an important influence on IT spending, pure cost savings can be another driver of new business for some providers in a budget-constrained environment. Cloudflare frequently publishes case studies of companies that lowered their spend on hosting infrastructure simply by caching more content and reducing bot traffic. One of Mexico’s highest circulation newspapers reported a 95% reduction in bandwidth consumption and better web application threat protection by putting Cloudflare’s platform of services in front of their web site. From these initial engagements, Cloudflare can then expand spend by cross-selling their other network, application and security products. This motion explains Cloudflare’s increasing DBNR, which reached 127% in Q1, up from 117% two years prior.

This isn’t to say that the next 6-12 months won’t be rocky for software infrastructure companies. Investors should ensure they are positioned for further declines in valuations, if forward estimates trend downward. However, I think that in a budget-constrained environment, enterprise CIO’s and CTO’s will look for ways to save money by consolidating their vendor set or eliminate costly in-house, DIY projects. Software infrastructure companies that can meet these needs have a chance to earn back some of the spend reduction in their core offerings.

Cheers - Peter Offringa, @StackInvesting


…During economic slowdown and pressure on IT budgets, CTO’s and CIO’s often use these periods to find ways to reduce expenses through consolidation of tooling and reducing total cost of ownership (TCO)…

Thanks Peter, that was an excellent, useful, and very interesting post, and it looks at the spending from a different angle that we might not have considered.


Peter, thanks for that analysis.

Applying your logic apply to SentinelOne, since they are earlier on their product breadth/maturity journey (than CRWD, ZS, NET), would they be more at risk as “customers want to consolidate their spend onto a single platform for security?”



Sure. It’s hard for me to say in that case, as I don’t cover SentinelOne closely and haven’t performed a module/module comparison with Crowdstrike. However, the general theme would apply that in periods of consolidation, IT leadership looks towards the recognized leaders in a category who have coverage in a broad number of segments. Also, security is a bit of an outlier given the demand environment.

With that said, I could see vendors like Crowdstrike with 22 modules continuing to expand within existing customers or land new ones with multiple subscriptions, where an enterprise has stitched together several open source and niche security offerings.


Though I retired more than 12 years ago, before cloud, SaaS, etc. existed in a significant way, I think I can contribute in a meaningful way to this conversation.

Let’s focus on cost savings via the implementation of software products (I’ll address cyber-security products later). Virtually all the product offerings from companies favored by the investors that read this board emphasize cost savings as a primary sales point. It should be understood in most cases those savings do not accrue to the IT budget, rather the savings are realized by the various operating units of a company.

So with lots of anecdotal evidence of cost savings having been realized by customers that previously purchased these software products, why isn’t there a mad crush of companies beating on the doors of the vendors of these products in order to cut costs at their own companies? If I can demonstrate that you get $2 back for every $1 spent on my software, what could possibly inhibit you from buying my product?

There are at least two really big and important inhibitions.

The first one is what is known as the “hocky stick.” I’m sure some of you will ask, what’s that? The hocky stick is the typical graph of cost against time for the implementation of a new product. You don’t realize cost savings on day one when you host the product on server (or otherwise gain access to it). Initially, you will spend money, not just on software lease, but people need to be trained. Inevitably, some internal process changes will be required. I won’t bother to enumerate, but there are a host of things that need to be done in order to successfully reap the promised benefits of the new software. Those things take time and cost money. If you draw a graph of cost against time starting at $0 before you do anything, the line will usually descend, pretty much in a straight line manner into negative territory. After some period of time the direction of the line will turn upward as the cost saving benefits begin to be realized. Over time the benefits will continue to outweigh the costs and the line will continue to rise. Visually, this graph will resemble the shape of a hocky stick, hence its name. The depth and length of time that the line spends in negative territory will be an inhibition to purchasing the software.

I’ve already alluded to the other inhibition. I mentioned “process change” in the above discussion. Process change is exactly what it is named. In a nutshell, however work is getting done prior to the implementation of the software, it will be different from the way that work gets done afterwards. Pause for a moment and ask yourself exactly where does the cost savings come from? Inevitably, it comes from a reduction in the number of people needed to get the job done, or in some cases, the complete elimination of the job, along with the people who were doing it. As you might imagine, people are generally resistant to process change. Those people who may lose their jobs entirely tend to be the most resistant. But it may come as a surprise to know that people in the management ranks may also resist process change. Managers often measure their importance by the number of reports in their organizations. Every organization I have been familiar with has a standard ratio of reports to managers. This all depends on the type of work being done (for example, the ratio on the factory floor will be different than the ratio in the finance organization), but irrespective of that, generally speaking, the manager of a large organization will be perceived as more prestigious than the manager of a smaller one. Ironically, the greater the cost savings from reduction of headcount, the greater will be the inhibition to purchasing the software. This is one of the reasons some of these software sales have to be closed in the C-suite.

So, costs prior to benefits and process change are two major inhibitions to the purchase of cost saving software products.

I mentioned cyber security at the outset. These products are in an entirely different category. How do you quantify the cost savings from an event that didn’t happen? Actually, with the proliferation of ransomware this has become easier. But it’s still not an easy sale. The vendor still has to be able to convince the prospect that the product will in fact perform when the company’s system comes under attack. On the other hand, cyber security is now taken seriously at just about every company now. I worked at The Boeing Company. By the time I retired (2010), Boeing’s network was under virtually constant assault with hundreds of attacks daily. I’m confident that has not changed. If anything, the attacks have become more frequent and more sophisticated. I won’t dwell on this subject. I just felt it necessary to mention that software vendors like Crowdstrike, Sentinel One, Z-Scaler, etc. have a sales task which is somewhat dissimilar from the other companies we tend to invest in.