4 posts categorized "outsourcing security"

December 06, 2008

And the winner and still champion is - Perpetual Licensing

Eric Lai has an excellent piece up in Computerworld on software licensing. Eric concludes that in spite of a crappy economy that would favor paying less money up front, and in spite of the popularity of SaaS models and their monthly or subscription billing, most companies still prefer a perpetual-based licensing model. Eric's conclusion rings true with my own experience at StillSecure.

Almost 9 years ago when we first started at StillSecure, our research indicated that subscription pricing was going to be the wave of the future. Microsoft was embracing and pushing subscriptions heavily. The AV guys like Norton-Symantec and Network Associates/McAfee were selling AV on a subscription. It was less money up front and, best of all for us, offered the very desirable recurring revenue model.

Funny thing happened though. Pretty quickly we found out people hated it. They didn't like the idea of buying the same software year after year. Customers who had the product for multiple years wound up paying a lot more for the product. As Eric points out, they couldn't put the cost down as cap ex and that was a problem. The cost difference up front between the two models was not sufficient to win them over. So we pretty quickly started offering our software in a traditional perpetual software model with its 20% yearly maintenance. We offered both subscription and perpetual licenses to our customers and even discounted multi-year subscriptions so that it was price neutral if you bought a 3 year subscription. Well, pretty quickly the overwhelming (and I mean overwhelming) majority of customers went perpetual. We thought the fact that sales people were making more commissions on the higher up front costs of perpetual had them steering customers to perpetual. But that wasn't it. As Eric points out, even companies who themselves sell software on a subscription model prefer to buy perpetual.

So we stopped banging our head on that wall and we offer both models today, with most people opting for perpetual. Now with increased economic trouble and more and more people buying security as a service, maybe that will change. But I will believe it when I see it. Until then, the winner and still champion is ...

September 29, 2008

ISS 2 years after

Neil Roiter over at TechTarget has a good article up on what has become of ISS as it approaches 2 years under the rule of Big Blue. Of course Mitchell and I had Tom Noonan on just a few weeks ago and, as we spoke about, Tom is no longer at IBM/ISS. At the time of the ISS acquisition, speculation was rampant over whether IBM would continue the ISS product line or instead concentrate on the services side of the ISS business, which actually represented the majority of the revenue.

Coinciding with the 2 year anniversary, IBM/ISS actually released a slew of new/updated products:

  • A new release of its unified threat management (UTM) tailored for small business, including, for the first time, an SSL VPN.
  • A virtual appliance version of its network intrusion prevention system (IPS).
  • An update to its network enterprise vulnerability scanner.
  • An IPS controller, effectively a load-balancer to aggregate IPS appliances to achieve a greater throughput of up to 10 Gbps.
  • A new release of Proventia Management SiteProtector, IBM's security management console.

So at first blush it seems that ISS/IBM is still very much concentrated on products. It took them 2 years to find their way within the IBM universe, but they are getting back to business. But as Neil points out, a closer look at the new releases shows two trends:

1. IBM/ISS is moving down to the SMB/SME market. Clearly making products easier and better suited to a smaller customer was a driving force here.

2. MSSP or SaaS is the holy grail for them. All of these products are being made to work together and be managed by a central outsourced MSSP. IBM, like many others, sees the security market for the mid-market moving to a managed model. IBM wants to move downstream from managing not only the largest networks in the world, but managing every network in the world.

Network management is more than just security, but security will play an important role in it. We are going to see IBM, HP, Verizon, etc. increasingly coming down into the SMB/SME market to offer to manage IT environments for customers. Historically this has always been like herding cats. The question is, what will make it different this time?

 

 


September 23, 2008

Six degrees of separation

In this age of outsourcing, information that gets further and further away from your direct control becomes harder and harder to secure. The point was driven home again for me today reading a story about a data breach at Grady Memorial Hospital in Atlanta. Unlike other data breaches where a laptop was lost or somebody was able to hack into the hospital's network, this data breach was caused by the simplest but hardest-to-stop method: human error. It seems that some medical information was being transcribed and instead of being put somewhere password protected (like that is secure, but fodder for a blog post another day), the confidential information was put on a publicly available web site.

Of course your favorite web spiders indexed the page, and when a doctor did a Google search of his name he was surprised to find this page with confidential notes and information on his patients. He then notified the hospital, which investigated this apparent HIPAA violation. What they found, according to the article in the Atlanta Journal-Constitution, was this:

Grady outsourced the job of transcribing the notes to a Marietta firm, Metro Transcribing Inc., which outsourced the work to a Nevada contractor, Renee Lella. Lella, in turn, turned the work over to a firm in India, Primetech Infosystems.

So how is Grady Hospital supposed to have any control over Primetech Infosystems? It is this 6 degrees of separation that makes outsourcing gone wild a potential security nightmare. As data gets further away, it gets harder to control. So next time you are going to outsource, you need to check who your outsourcer outsources to.


July 20, 2006

Is security outsourcing a viable alternative?

Michael Farnum, continuing his discussion about the never-ending list of responsibilities of a security manager, posts an article about using outsourcing to lighten the load. I commented that outsourcing generally is good for commodity types of security, like firewalls, IDS, etc., but not for some of the more complex security functions. CJ Kelly, another Computerworld blogger, comments that in her opinion there is never a good reason to outsource security. While I don't agree with CJ, I think for certain functions and in the right circumstances it is OK to outsource security. I don't think the reason to do it is to save the overworked security manager time.

From an economic perspective, outsourcing does not save you any money. For someone looking to stretch the dollar and get more bang for the buck, outsourcing does not deliver the goods. In an earlier life I helped put together a company called Interliant. We were an ASP, host and MSSP (before it was fashionable). Though we tried to sell the "outsourcing saves money" point, our own studies proved it did not. If someone like Michael would take the money he is going to spend on outsourcing and hire a good, young security wannabe, I think he would get a lot more productivity and retain an important level of control versus outsourcing.

Besides the economics, the other outsourcing factor to consider is the quality of the tools that the MSSP uses. Many use their own homegrown solutions based on the popular open source tools. Though the underlying open source tools are good, the packaged applications the MSSP uses are generally not exactly best-of-breed compared to COTS (commercial off the shelf) products. So, not only are you paying more, you are getting less. There are other things to consider about outsourcing, including the stability and integrity of who you are trusting your security to. I am not saying never to outsource, but I would think long and hard before I did, and I would make sure it was for the right reasons.


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
