26 posts categorized "Michael Farnum"

February 27, 2009

Google search for real

We have all heard of the millennial generation. Generally it refers to people born after 1985 through now.  The older millennials are already young adults and their impact is being felt in social networking, politics and many other fields.

But it is the younger millennials who are going to blow us away.  They are growing up in a world where the internet, ubiquitous connectivity and unfettered access to information are the norm.  They never saw an encyclopedia made out of paper. I was reminded of this tonight while getting Google tips from my 7 year old son Bradley.  Bradley was working on some Pokemon character and was looking for a picture that he needed edited.  He asked me to Google the character's name and then grab a picture and edit it.  When I Googled the name no pictures came up.  Bradley said, "Dad, put 'for real' after the character's name." When I asked why, he said that is what he does when he can't find something on Google.  Frag (Battlestar Galactica word) if that didn't work!  How did Bradley come up with this?  Is Google aware of it? It must change the search algorithm or something. Glad I have web filtering on the machine.

What is going to happen when Bradley and his friends grow up? What challenges will this present for the security industry?  Maybe they will help with security. I don’t know, but I do know that they have an instinctual intuitiveness around computers and such that previous generations on the whole don’t have.

Anyway, here is something you very rarely get with Mike Rothman’s Incite – a report on Friday!  Have a good weekend!

  1. When open is open only if, or it's about the platform, stupid – Hoff has a good point today about VMware's use of the terms open and interoperable.  These two abused terms get tossed around a lot. Open used to really mean open source. You had access to the source. Interoperable in my mind meant that out of the box it would work with other platforms and products. Then open was not really about source, but at least about the openness of the product to use generally accepted means of communication. In my mind SQL and ODBC connectivity in databases is a perfect example of this. But I think what Hoff is getting at, but is not saying clearly, is that now it is all about the platform.  VMware wants to be the platform here. They want you to use tools and applications, as long as you use their platform. By having to use their APIs to connect, you are locked into their platform. That is the real hook and makes it not very open at all.
  2. Can IT Vendors be Objective? Probably not – Michael Farnum has a guest post up from a vendor friend of his venting about the fact that he has been "discriminated" against because he is a vendor and therefore deemed not objective.  I agree that most people say out of hand that you are a vendor and therefore not objective.  Not that you can't try. I have been accused of the same thing.  But being objective on this question, I have to say vendors can't be objective. Not to say we would lie, but if we didn't believe that our products were better, could we sell them? So yes, IT vendors are not going to be objective.  But here is the kicker: neither can anyone else.  We all bring our own views and prejudices to the game and that affects our objectivity.  Therefore it is up to the audience to filter what they think is truth from fiction, opinion from fact. I think most people recognize that and perform that task.
  3. Mogull calls BS – Rich Mogull calls out Bob Russo of the PCI council.  Seems Russo says that no business that is PCI compliant has ever been breached.  They may have been compliant once, but when they were breached they were not. Rich, rightfully I think, calls bull on this. I am not sure if Russo is playing semantics here or what.  Maybe he means that having a breach automatically puts you out of compliance? I don't know, but I have invited Rich and a few friends I know on the PCI advisory council to appear on a podcast. Stay tuned!

So that is it for this week.  Have a great weekend!


October 24, 2008

Cisco's reseller contract is not the only one "unconscionable"

I first came across this story on Michael Farnum's blog. Michael is talking about a story in CRN detailing a court's ruling that parts of Cisco's reseller agreement are unconscionable and should be struck down.  I must say I am not surprised.  But surprisingly I am not bashing Cisco on this. I don't think they are any different than many other vendor contracts.  That includes EULA contracts as well.  The fact is most of these contracts are written by lawyers for companies, and they try to carve out as one-sided and advantageous a relationship as possible for their clients.  There is no sense of fair play or win-win.  It is usually just a lawyer trying to show how much he can get for his client.  Sooner or later a court looks at this and the greedy drafting lawyer is rewarded by having his client's agreement thrown out.

Take a look at some of the agreements you are clicking or signing. I am sure you will be amazed at some of the warranties that come with your software and hardware.  This is really something that, if people spent more time with it, would force some of these greedy lawyers to think twice and make fairer contracts.

May 08, 2008

Vendors aren't changing focus, you were just blissfully unaware

My friend Michael Farnum, besides being a comic book nerd, blogs over at ComputerWorld. Michael writes today about his opinion that vendors have changed focus from concentrating on the tech geeks to focusing on the business decision maker. Michael's proof is rather subjective, but revolves around the fact that when he was a geek not in management, vendors used to wine and dine him to influence him to support their technology and tell his boss to buy their products. As he moved up to become a geek in management, he noticed the vendors shifting focus away from the technical stakeholder to the business stakeholder. Michael has a theory on some of the reasons for this shift of focus: the dotcom bubble, the evolution of IT, people making decisions on sound business principles, not on what technology is cool.

Michael, I say rubbish! I think that sales techniques haven't really changed that much from the 90's. Good selling always involved courting the three stakeholders - technical, business and financial. It is just that as a green (meaning new, not environmentally friendly) geek, you were not even aware that the vendors courting you were also reaching out to your management team and the business and economic stakeholder. You were blissfully unaware that the vendors you were dealing with had a full court press going on. Instead you went to a nice dinner, a ball game and got some t-shirts and other swag and thought you were making it happen for them. In the meantime your boss was getting tickets to the game too (I bet even better tickets) and nicer swag than you were! As you started to move up the chain, you just assumed that everyone must be moving up with you. That Ptolemaic or geocentric model of the sales process, with you at the center, is just your view from the inside, but sales people have been multi-threading into accounts for a long time.

Yes, during the dotcom era and even before that, sales teams used to spend a lot more on wining and dining. I still remember fondly the EMC sales teams of the mid to late 90's partying with their customers like it was 1999 (it was 1999). I was on the receiving end of many of those great dinners and other perks. With new economic times, it became less fashionable to lavish money in trying to buy business. But that more economically austere model did not fundamentally shift the focus in sales from the technical to the business stakeholder.

Some companies, like Symantec for instance, have always concentrated on the business stakeholder more than the technical stakeholder. But Michael, in sales there is little new under the sun. Just because you have begun to become aware of it, don't assume it has not always been so.

April 26, 2008

Holier than marketing people - not!

So here is one of my pet peeves about the IT world. Too many "technical" people consider themselves (pick one:) superior, smarter, more ethical, better than their marketing counterparts. Hey people, everybody is selling something all of the time, even if it is themselves. Case in point, a recent "spat" between my bud Mike Rothman and another friend, Misha Govshteyn. Now Rothman and I go back a bit and have had our share of blog bad blood, but all in good spirit. Misha is a good guy too. Anyone who knows where to find a schmaltz herring in Houston after all can't be too bad. And my friend Farnum, who serves as the peanut gallery in this story, is solid as well. OK, now that we have the players, let's lay out the story.

It seems that Alert Logic had a webinar titled "Simple & Affordable PCI Compliance w/ Alert Logic". Mike thought that this was very misleading marketing from the slimy, no ethics, don't understand the real pain marketing folks at Alert. They are preying on the simpletons who are responsible for security and PCI compliance in the world, and Mike delivers his full venomous wrath (according to Misha anyway; I bet Mike could be worse) on Alert Logic and their marketing team. Misha then responds with his own venomous wrath, that Rothman is literally full of baloney, a shameless self-promoter on par with Michael Savage. To add fuel to this fire comes Michael Farnum, who tells Misha in his comments that while he likes Alert Logic, "many manufacturers use their marketing as fly traps."

OK, here is my take. To Mike Rothman: come on Mike, you never did anything like that when you were a marketing guy? What are you, some kind of reformed smoker? What would you have them name the webinar: "PCI is hard and our stuff can only help a little"? Give it a rest. Also, a little respect for the people they are marketing to. I think they realize what is what and can separate the bull from the cream. To Misha: hey, at least Mike gave you some PR. I understand your frustration, but instead of pointing at everyone else, say we stand by the name and that does it. Most of all to my buddy Farnum: dude, we know what you do, it is just a question of price. If those Venus Fly Trap marketing people weren't drawing people in, you would have to have a second job to feed the family and may not have the leisure time for blogging.

But seriously folks, marketing people have a hard job too. It is not that they are not technical or don't understand what is involved in PCI compliance or the like. It is their job to make these webinars appealing. I don't think most marketing people think of what they are doing as being misleading. They try to make these webinars deliver as advertised, the same way engineers try to make a product work as intended. Let's understand that it "takes a village" to develop, market, sell and support a product. Everyone has their job to do and for the most part they do it the best they can and, again for the most part, with the highest of professional standards. Thinking that marketing people are slimy fly traps does a disservice to them and the people they market to, and frankly comes across as self-serving arrogance.

March 26, 2008

Is there a better way to design interfaces?

Michael Farnum has a great post up today wondering if we in the security industry have been stifling our creativity by designing all of our management interfaces in one of two paradigms: the GUI look and feel pioneered by Checkpoint, or the command line standard that Cisco has made their own. It struck a chord with me because it was actually the second time I have heard the same comment this week alone. In speaking with one of the big analyst firms, our own VP of product strategy, Andrew Grealy, made the same comment.

This actually goes to the heart of what we are trying to do, especially with our Cobia product. We think there has got to be a better way. Why can't products just work, the way Apple does it for instance? So many things in the Mac interface are binary. You plug a mouse in; you don't get a message that the system has detected a new pointing device and then go through the install and maybe have to pick a driver. You plug it in and the mouse works. If it doesn't work, something is wrong. Andrew has some great ideas on this around security. Instead of plugging in your IPs and stuff, wouldn't it be great to just tell your security product to protect your web servers? Is there a better way to let you manage a firewall? We think there is.

At StillSecure we have a history of creating easy-to-use GUIs that are powerful yet intuitive. Andrew and his team are working on a rework of our Cobia GUI and some of our other products that we think are going to break out of the Checkpoint/Cisco mold once and for all. We hope the market will reward the innovation and the easier way to do business.

March 13, 2008

Sitting on your hands is not an option - FUD, Compliance, what will it take to sell security?

Michael Farnum has a good post up today about a customer of his over at Accuvant. In a real life reenactment of every security vendor's dream (come on, admit it), while the customer was procrastinating about whether to spend the money on security or not, they were pwned. Michael says this is the second time this has happened since he has been at Accuvant. Obviously nothing loosens up the purse strings like a real live security "incident". However, we can't as an industry rely on a security breach happening at the moment a customer is contemplating a security purchase to drive the sale through.

What does drive the security sale? Over my years in security I have seen the answer change from FUD to compliance. There was a time when to sell security you would ask your customer: what would happen to your business if your network was brought down? What would happen if your IP was stolen? What would the negative publicity of a security breach cost you? Of course some of these questions could be turned on their side into the infamous Security ROI argument. But whether or not security can show a true ROI is highly questionable, and I am from the school that it does not really exist. Then about 5 or 6 years ago, we started to see compliance becoming the driver. The first big driver in compliance for me was the Gramm-Leach-Bliley Act for the financial industry (when was the last time you heard that as a driver for security?). Then always on the horizon and promising more than it actually delivered was HIPAA. Of course, as Illena Armstrong says, "...HIPAA, say it with me now, "had no teeth." After HIPAA, California's breach notification law served as a model for many other states and finally brought some real compliance drivers to business outside of finance and health. FISMA brought the fear of God to the federal space.

Of course these all paled in comparison to the twin giants and darlings of the security industry, SOX and PCI. Have there ever been two sweeter words to the security industry? I remember speaking to security consultants who would relay how in their sales pitch to C-level execs they would tell them that failure to do something now about SOX could put them in jail. How did they look in stripes? PCI is still driving the merchant world security business and I don't think we have seen it peak yet. Yes, how sweet it is.

But what is next for the security industry? What is going to make people buy security next? Can we rely on the next gimmick or sales angle? Will there be a new statute, rule or regulation? Will a security breach scare the rest of us into doing something? Should we just wait around for our customers to get pwned and then come in like the cat that swallowed the canary with the magic bullet (even if there is no such thing as magic bullets)? Or maybe, as Bruce Schneier says, people will just start expecting security as part of what they buy, not as a separate entity. They don't need to buy products that secure their network; they buy a network that is secure. Bruce says it better than I here:

Honestly, no one wants to buy IT security. People want to buy whatever they want -- connectivity, a Web presence, email, networked applications, whatever -- and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear. It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling.

It will disappear because organizations are starting to buy services instead of products, and demanding security as part of those services. It will disappear because the security industry will disappear as a consumer category, and will instead market to the IT industry.

To be fair, Mike Rothman has preached a similar heresy for some time as well. I use the term heresy because writing this article I feel a little like Jerry Maguire having a moral epiphany. However, the more I see and hear and learn, the more convinced I become that StillSecure's emphasis on convergence is actually an offshoot of this truth. People are going to want secure networks, secure endpoints, secure products. Not products that secure them. Security companies that recognize this fact will succeed in the years to come; companies that do not will be the dinosaurs of tomorrow.

January 28, 2008

It's about freedom of religion, stupid!

My friend Michael Farnum is a big boy and doesn't need me to stick up for him.  But reading the comments to Michael's article on an admittedly mistaken DDoS attack on a school in the Netherlands that was intended against the Church of Scientology moves me to write.  The overwhelming majority of comments seem to be negative toward Michael's position. The comments, which are overwhelmingly from anonymous folks, seem to be from the no harm, no foul school of thought. However, underlying these comments, and more outwardly in others, is the view that the COS is a bad thing or is somehow worthy of DDoS attacks. That it was just a shame that this school got in the way, but pleeease give me a break about the poor students.

Now, I don't know a lot about COS and am not a member or even a fan. I know even less about the school in question. But I am a fan of the constitution of this country, which grants us all the right to practice religion as we see fit. I think the folks commenting with the no harm, no foul attitude miss the point. It isn't the fact that the school suffered little, if any, damage. It isn't even the fact that it was a school that was attacked. I have a problem with this group attacking any religion because they don't agree with that religion. I don't care whether it is Islamic fundamentalist sites, Christian sites, Jewish sites or any other religion, including the COS.  People have a right to practice, and attacking them because of it, either physically or via cyberspace, by using illegal means is just plain wrong.  If you want to do something about the COS, do so within the bounds of legality and by all means have the stones to at least state your name and don't hide behind the veil of anonymity.

December 13, 2007

UTM=Linux+open source mash up?

I have been following the Don "Cutaway" Weber / Chris Hoff "dialog" around whether UTMs just add complexity and risk to the security equation. Of course the peanut gallery then had to join in.  That Georgia peanut, Mike Rothman, puts in his 2 cents, and complete with a reference to Shinola comes Michael Farnum with his own play-by-play and color commentary. This is in addition to lots of comments from various sundry sources like AndyIT Guy and others.  Frankly, I was content to read, chuckle and keep quiet.  However, something Michael Farnum wrote struck a chord with me and reminded me of a discussion I had with some folks at a large tech company recently.

Michael says that Don, Andy and that crowd are equating "UTM=big Linux box with a bunch of security apps thrown on it."  Michael is of the opinion that "real" companies like Checkpoint, Fortinet, etc. don't use that and have "proprietary OS's that do not typically fall prey to the same problems that a Linux server with Squid, Snort, and SpamAssassin installed on it".  To that I say, joke's on you, Vet.  Many of the biggest names, including some of the ones you mention, do in fact take a Linux distro, pile on some open source, slap a GUI on and abracadabra, you have a UTM.  Yes, they may have ASICs or custom silicon, but many of these UTMs are Linux, and many may have one or two non-open apps and then load the open source on from there.  ClamAV, SpamAssassin, etc. are staples of these boxes.  Yes, Hoff's old company Crossbeam may not follow this; their schtick (put that with your Shinola, Michael Farnum) was that they took best-of-breed apps and put them together on one UTM.  But the rest are guilty as charged.  Let me be clear.  I am a big believer in UTM.  I don't buy the single point of failure stuff, I don't buy the increased complexity and security crap.  But Linux and some open source mash up with a smiley GUI is unfortunately the state-of-the-art with many UTM vendors.

As I said earlier in this post, I was talking to a large tech company who wants to bring a UTM/network gateway product to market.  In our discussions it was clear what type of applications they would want on the box.  But no matter how much I tried to explain and no matter how much I banged my head on the brick wall, they just could not understand that when you pile crap high one on top of another, you end up with a high pile of crap!  There has to be more to it.  You need to leverage efficiencies; you have to make products work together.  Customers want to manage these things out of one GUI, not a portal where you click on an app icon and it launches another browser window.  You need a way for them to share information, licensing and user accounts.  In short you need a framework, much like we built with Cobia. If you think you can do a mash up of a bunch of open source apps all just running on Linux without any glue holding them together, you don't have anything worth buying.  I suspect the tech company I was speaking to is going to find this out the hard way.  I also suspect that many of today's UTM players who are not doing more than this are going to learn that hard lesson as well.

In the meantime, Don, Andy and the rest, you are spitting into the wind. The UTM train has already left the station.  Though it may not account for 50% of network security purchases by 2011 as Stiennon and IDC project, it is gaining momentum every day. It is going to be tough to buy a stand-alone IPS or firewall in the near future.

October 12, 2007

What are friends for?

My bud Michael Farnum has an interesting, yet naive, post up about using friends as business contacts being potentially dangerous.  I think Michael, being new to the "sales game", shows that he has a lot to learn about networking (I don't mean ethernet either), friendship and business. Michael's point is that when you "use" a friend to get into a potential new customer account, you run the risk of damaging the friendship if things don't go well.  My reply in short is, "nothing ventured, nothing gained", Michael.  But let's dig deeper.

I think there is a ton of business done through friends and acquaintances making introductions. In fact it is the norm rather than the exception. I also think it says a lot about you and your friend's expectations around your friendship if you think that the fact that your company's products or services didn't work as planned would kill your friendship.  In sales this is a classic example of sales reluctance.  Many unsuccessful sales people suffer from sales reluctance, and not wanting to risk a friendship is only one type of it.  Here is a chart inspired by George Dudley, the founder of Behavior Science Press.  It is his dirty dozen of sales reluctance as explained by Sales Champions:

The Twelve Faces of Sales Call Reluctance®

Type | Description | Statistics
Doomsayer | Wastes energy worrying about everything | Loses three new accounts each month
Over-Preparer | Always getting ready; overanalyzes, underacts | Sells only 43% of annual quota
Hyper-Pro | Over-concerned about image and credibility | Presentation skills rated only average
Stage Fright | Uncomfortable speaking before groups | Loses $10,800 in annual gross sales
Role Rejection | Feels guilt and shame associated with the sales career | Four fewer new accounts each month
Yielder | Fears doing anything which might be considered intrusive | Impedes success of TQM programs
Social Self-Consciousness | Intimidated by "up-market" prospects with wealth, power or education | Sells 33% less of annual quota
Separationist | Uncomfortable enlisting friends to help network | Loses three new accounts per month
Unemancipated | Uncomfortable enlisting family to help network | Sells 15.5% less of annual quota
Referral Aversion | Hesitates to ask for referrals | Sales 19% under quota
Telephobia | Uncomfortable using the telephone to prospect or sell | Earns $10,000 less commissions annually
Oppositional Reflex | Emotionally unable to allow anyone to manage, coach, advise or train | Defaults nine new accounts per year

Michael, you fall under the separationist category.  You are losing 3 new accounts every month!  What is interesting is that if the friends contact you, then it is OK to go in and try to "help" them.  What happens if it goes south from there?  Is your friendship OK because they came to you?  What difference does it make who came to whom?  If both parties recognize you are trying to help and doing your best, there should not be any long term effects on the friendship. Don't worry Michael, there is still hope for you yet.

What about the rest of you?  Do you recognize any of your own traits in this chart?  Are any of these holding you back from success?  Don't think it is just selling products either.  Remember in one way or another we are all always selling.

August 24, 2007

Having your cake and eating it too

A while back I left a comment on a post my good friend Michael Farnum wrote about a recent sales call he made along with a vendor partner to a potential customer.  It started a bit of a dialog between Michael and me and some others about what the expectation should be for a VAR or reseller's engineer selling a vendor's product.  Today the Georgia peanut gallery weighs in by way of Mike Rothman.

Let me first of all say that I get it.  As a vendor, my expectation that the VAR/reseller's (should there be different expectations between a VAR and a reseller?) engineers should be proficient in my products is pie in the sky.  Today's VARs sell too many products and have too much to learn to really know it as well as my own people do.  What I don't buy is that they are not making enough margin on the deals to make it worth their while to learn.  Yes, VARs may fall over themselves and cut their own throats on a Cisco deal and wind up with less than 5% margin, but VARs selling products from smaller companies like StillSecure routinely make 25 to 30% margins on sales.  Granted there is a lot more demand and business from Cisco, but you have to make the decision whether low margin, high volume is your game or not.

So if as a vendor I should not have an expectation of the VAR engineer being proficient in my product that he is selling to his customer, what should my expectation be?  Yeah, I know that they all worship at the altar of customer satisfaction and trusted security adviser. But making sales and money is ultimately what they are there for. Let a few bad quarters of sales go by and watch how quickly they convert to the god of the almighty buck.

Let me give you an even better example: post-sales professional services.  VARs like to claim that they add value by adding services and support. They don't want the vendor to do the post-sale install, as that is high margin work that they would prefer to do themselves.  So, what is my expectation as a vendor there?  Should I not expect that if the VAR is taking it on themselves to install and implement the solution, they should have a level of proficiency in the product to properly do so?  I would think the answer is obvious, but it is not.  In fact with things like NAC, I see lots of VARs that, though they want to make the money from pro services, don't have the network expertise and the product specific expertise to do it right.  Before we learned this lesson we had several customers that we had to come in ourselves and rescue because the VAR's limited knowledge really screwed the pooch.

Now, we just tell the VARs that we understand their model. We will do the pro services and implementation ourselves and still give the VARs the margin on it. It actually is more profitable for them to do it that way than for them to have their own people do it.  Mike Rothman says I am trying to buy their business.  Maybe I am.  But I am also trying to make sure that the customer gets the solution he paid for, working the way it was intended.  Is that such a bad thing?
