Security Marketing
VirtSec: Don't hold your breath
After Alan's plea to add some heft to the Black Hat Blogger Network theme of virtualization security, I figured I'd weigh in a bit on the topic. But first, I want to be very clear that I'm not challenging guys that are much smarter than me. Like Hoff and Thomas. Even guys like Greg Ness and John Peterson are correct in their assessments of the number of new attack vectors that virtualization brings to our data centers - even if they are vendors.
So I'm not going to talk about technical stuff. Yet, I do feel compelled to draw the conclusion that despite the dangers, it doesn't matter. All the folks that are trying to make VirtSec into a market are basically just pushing on a rope. That's right. No matter how hard you push (or how many blog postings you write), you are not going to make VirtSec into a market for at least 2 years. And that is being pretty optimistic. So for all those VCs that are thinking they've jumped onto the next big security opportunity, I hope your partnership will allow you to be patient.
Again, it's not because the risks of virtualization aren't real. If guys like Hoff and Thomas say they are, then I tend to believe them. But Mr. Market doesn't care what smart guys say. Mr. Market cares about budget cycles and priorities and political affiliations, and none of these lead me to believe that VirtSec revenues are going to accelerate anytime soon.
- Budget cycles - This is what every optimistic marketer seems to forget. Customers just don't buy stuff. The large ones tend to work in 18 month (at least) budget cycles. Yes, that's too long - but it's reality. Many organizations are still working on that IPS deployment and maybe Web filtering. The idea of something that doesn't have a clear and present danger... not so much.
- Priorities - Of course, there are exceptions to this budget cycle issue, and that's when something really lifts in priority because of a real high profile attack. Kind of like when anti-spam hit the jets in 2004. It was a big enough problem that demanded a solution. Is VirtSec there? Nope. So most enterprises will buy a VirtSec widget or two, but not go into real deployment until they really have to. But, that can change in an instant if a verified exploit hits.
- Politics - This is the stickiest issue of them all. Who owns VirtSec? Is it the security guy/gal? Do they really own anything? It's probably a data center thang, but those folks are concerned with other issues (I'll hit that in a minute). What about the network folks, since a VM basically creates a network in the physical enclosure? It's about as clear as mud, and with the lack of clarity, most organizations will opt to do nothing.
Keep in mind how early we are in the adoption of virtualization. Sure, lots of customers are playing around with it. The early adopters are entering massive deployment cycles, but this is not representative of the broad market. Not yet anyway. So we are early, and early markets tend not to worry about security.
It seems the killer need right now for virtualization is VISIBILITY. That's right, increasingly virtualizing your servers creates any number of blind spots that make operating your infrastructure effectively pretty hard. Now a lot of the VirtSec folks have come to the same conclusion, but like their NBA brethren - they are screwing it up.
Visibility is NOT a security issue - it's a MANAGEMENT issue. Funny how the NBA guys are finally getting there like 7 years later. Security is a tangential benefit, not the customer pain. If you sell a security solution to a management problem, it doesn't work out too well. Why can't these guys figure that out?
It gets back to that ongoing faulty belief that security is cool and that positioning security solutions is the easiest path to success, since everyone is paranoid about hackers and compliance. They are wrong. Very very wrong.
Security is ALWAYS the last thing to get addressed when a new technology hits. The security folks are not consulted when a new application architecture or data center infrastructure technology hits, are they? So why would security be one of the first things to get addressed in the virtualization space? Besides the fact that a bunch of entrepreneurs and VCs want it to be so.
The logical order of things (dramatically simplified) is: innovation -> management -> security (maybe). Pick a new technology and prove to me that the order was different. I dare you!
It will be fun to see yet another generation of folks try to change these universal truths of technology market adoption. Fun for me, but not so fun for the guys that are trying to explain to their investors why the market hasn't taken off.
Photo credit: "David Blaine - no mask" originally uploaded by Mirka23
PCI 6.6 and Fear Mongering
Amazingly enough, every time it starts to look dour for the security business, a new regulation comes down from the heavens to give security marketers another wave of fear, uncertainty, and doubt to throw at unsuspecting customers.
Yes, the recent "clarification" of PCI requirement 6.6 (pdf) is the latest in the ongoing wave of regulations that are meant to keep security professionals on the edge of their seats in Depend undergarments. Given the number of ways you can get killed today (just ask the security marketers for a few examples), there is no shame in a blowout or two every so often.
Though this rant is not about PCI 6.6, which I think is the kind of clarification we need to provide good direction to security professionals about what good practice is. My problem is in how some security companies are using the regulation to try to get some level of urgency, so they can sell their stuff.
I'm a businessman, and I've been in the game long enough to understand how it's played. I know fear-based marketing is part of the process. Security is like insurance and unless you think you are going to die or wreck your car or have a tree fall on your house, you wouldn't buy much insurance. So the job of the insurance salesperson is to convince you that not only will those scenarios happen, but they are even likely.
From a disclosure standpoint, I carry insurance on my life, my cars, and my house - even though I understand statistics and know that it's probably a bad deal. I still buy it anyway because you never know... But security is a bit different. Most folks understand what happens when a tree falls on your house (it isn't good). Most executives can't really envision what it means when a hacker sells your customer database to the Russian Business Network.
Yet again I digress. I got a heads up about a release from Ounce Labs last week when I was about to board a plane. Thankfully they had barf bags on the plane, so I didn't make a mess. The release pretty much made me sick because it represented pretty much everything I hate about security marketing. OK, not everything - but a lot.
Let's start at the title: "Leading Security Expert Asserts that PCI Compliance is Not Achievable Without Source Code Analysis." I hope you haven't eaten yet today because you are about to be served a FUD sandwich. Yummy. The release goes on to talk about how PCI compliance is about more than a firewall and that an organization cannot be truly secure (or PCI compliant) without reviewing their source code.
Let's be very clear. An organization CANNOT be truly secure - even if they review their source code. There is no such thing as "truly secure." But it does provide a good sound bite and some good FUD for security professionals to chew on.
In this case, Ounce is both right and wrong. Since I'm trying my best to be a half-full type of guy - they are right in that source code analysis needs to be part of any security program. You won't get much disagreement about that.
What I object to is saying that you cannot be compliant without source code review. Huh? How do they know? I'm sure there are lots of QSAs out there that will provide the rubber stamp via other methods to secure applications. Like a web app firewall or other compensating controls (like database monitoring and leak prevention).
PCI Assessments (and every audit for that matter) are a totally SUBJECTIVE process. It's based on the judgement of the auditor/assessor that shows up. Sure they have guidelines and even some new quality standards, but at the end of the day, it's based upon whether the auditor buys into your security strategy and believes you can meet the spirit of the regulation.
Anyone who tells you any different is:
- Full of crap
- Trying to sell you something
- Just fell off the turnip truck
- A combination of all 3
Relative to PCI 6.6, I personally believe that the best approach is to deploy a web application firewall (or some other application layer blocking technology) to eliminate the low hanging fruit of application attacks. At the same time, high profile applications should be reviewed for security problems, first with a scanner and then a pen test to isolate logic flaws.
Finally, to complete the secure application triad, the development process should evolve to include things like source code analysis and other secure coding techniques. But in the real world, it's unlikely you get to complete the triad, so you do your best to eliminate the most obvious issues and pray that the less obvious ones don't bite you in the ass.
Ultimately this gets back to money. Since the beginning of time, it's been easier for security folks to throw boxes at the problem than to change behavior or evolve process. And the 6.6 clarification provides a clear excuse to look for a silver bullet wrapped in a 1U enclosure with flashing lights.
Ounce is just trying to say that a WAF is not a panacea. And that they have a quarter to make and investors to keep happy and customers really should look at source code analysis. Please, pretty please, with sugar on top. I get that, and I empathize with the folks that are trying to sell "solutions," when the market wants to apply a band-aid and make the problem go away.
But leveraging FUD, conjecture, and other marketing tactics like this still annoys the crap out of me. It's disappointing, but I'm a big boy and I know it will always be part of the process. That doesn't mean I won't continue to call it out for what it is.
OK, off soapbox now.
Photo credit: "FUD Truck makes a delivery.... (NEW! Savoring our FUD)" by crmudgeon23
2007 Innovation Station Nominations
I get asked pretty frequently by start-ups about how to get more exposure for their company. Basically, they are looking for free PR advice. Most of the time I'm pretty gracious in providing it. They also hope that I'll say something nice about them in TDI or on the blog. That is playing with fire. As we all know, I call it like I see it, so there is risk in "hoping" I'll favorably cover any vendor.
But I've got another idea, as the folks promoting the EMC, I mean RSA Conference reminded me about the Innovation Station awards. Basically, if you are a start-up or early revenue company that has something interesting, you can get an invite to participate in this program. You get a kiosk on the show floor (it'll cost $4K, but booths usually cost $25-30K, if you can even get one) and you get an opportunity to pitch a panel of CSOs and VCs with your idea. The catch? You get 5 minutes to pitch. That's it. 5 minutes. Even at DEMO you get 8 minutes - so this is really an elevator pitch.
When I was VP of Marketing at CipherTrust we did the inaugural Innovation Station in 2005. I gave a 3 minute pitch (they are more generous with their time now) and it was great, despite the fact that I had laryngitis for the first time in my life. You really need to be laser focused. We came in third, with Sourcefire being the winner. Both companies have done OK, so performing well in the Innovation Station is usually a good sign.
So I think the Innovation Station is a great way to generate some interest in your company at RSA. The information is below, including the sign-up link. Good luck.
RSA® Conference 2007 Innovation Station
RSA® Conference is looking for the most innovative emerging company in the information security industry for its Innovation Station program – held in conjunction with RSA Conference 2007, February 5-9, 2007 at San Francisco’s Moscone Center.
The submission process is open for pre-IPO companies in the information security technology space interested in participating. Companies must be privately-held and in business for fewer than two years, with confirmed 2006 booked revenues under $5M and a new product or service introduced between March 2006 and February 2007. Once selected, these companies are provided with a unique opportunity to showcase new products or services to a judging panel comprised of leading venture capital investors, CSOs, press, and industry experts, as well as exhibiting in a special Innovation Station pavilion on the expo floor.
The winner will be named “the most innovative new company” at RSA Conference 2007 and be promoted on the RSA Conference 2007 Web site, in a follow-on press release – and also be provided two individual face-to-face meetings with members of the judging panel after the Conference (subject to availability).
This is a great opportunity for relevant clients on your firm’s roster. Please feel free to forward this information to any companies or clients that you feel would be a good fit for the Innovation Station.
To nominate a company as a candidate for the Innovation Station, please visit http://www.rsaconference.com/2007/us/expo/additional/innovation/.
Nominations will close on Friday, December 15, 2006 at 5:00pm PDT.
What you can learn from Patton
I am a big fan of history. I wish I could read non-fiction more frequently because there are tremendous nuggets in there that can help us do our jobs every day. Part of my job is to be a pattern matcher, for lack of a better term. So the more patterns I see, the better chance there is that I'll recognize it and know what to do. There are very few things that are really "new," and if you've been in the space for as long as I have - you've probably seen everything at least once.
It's remembering it that's the challenge. Thankfully my friend Scott Santucci of BluePrint Marketing remembers lots of stuff and understands how to use history to illuminate how we are failing at sales and marketing today.
In this post (here), he goes through some facts about General George Patton. He was a legend. Scott uses those facts to make the points about how difficult technology marketing is today where differentiation is nil and training cannot happen fast enough to keep pace with change, in a big company anyway.
So what's a marketer (especially a security marketer) to do? Basically you need to change the game. It's not about why your product is better, it's about what you enable the customer to do with your product. But Scott is much better at making the point than I am, so here's a little excerpt:
It is much more valuable to help buyers figure out:
1) What the world will look like once your products and services are installed;
2) How to build a reasonable and accurate business case (note, I did not say ROI) for the project;
3) How to scope and staff the project team;
4) How to help the customer move from where they currently are to a more desirable outcome.
Read the post and pay attention to history. We've all seen it before, you just need to remember.
DISCLOSURE: BluePrint Marketing is a Security Incite client and Scott and I are collaborating on a set of blueprints (templates) to apply his marketing approach to the security business.
Understanding a "durable" advantage
First, thanks to Mike Murray for his kind words. In his response (here) to my thoughts on differentiation in Wednesday's TDI (here), Mike says some nice things about what I'm doing. Note to readers, positive feedback is appreciated - though that and $4 will get you a coffee at Starbucks. Remember I BITE EVERYONE'S HAND (here).
But in all seriousness, let's dig a bit deeper into what constitutes a durable advantage, because clearly it's not all about technology. But I'll also maintain that we have VERY few companies that have navigated multiple product cycles successfully and kept a competitive advantage for 5-10 years.
As Mike correctly points out (and had kind of slipped my mind) competitive advantage is about more than technology innovation. Customer intimacy and operational excellence are certainly other ways to differentiate. Wal-Mart has thrived because their scale allows them efficiencies that other competitors can only dream about. Dell excelled for a long time because both customer intimacy and operational excellence resulted in a distinct business model advantage for many years.
But here's the kicker, none of these areas of differentiation last forever. HP has come back to regain the market share lead in PCs because they suck a bit less than they used to. Customizing PCs on a web site is now commonplace and HP sliced headcount until they were price competitive. Dell is in a world of hurt right now because they haven't innovated their business model to keep ahead. They also alienated a lot of customers as they were scaling, so their customer intimacy advantage is also gone.
I'd also question whether Sony really has innovated since the days of the Walkman. I mean they MISSED the whole MP3 thing. They hardly even showed up to the game. They make nice LCD TVs (I have one), but it's not like they were the first to either LCD or DLP big screens. So where is their innovation again?
I guess my point is that size itself has become a source of competitive differentiation. Not sure what Geoffrey Moore has to say about that, but companies like Cisco, Microsoft, Oracle and Intel can weather the storm of a new, more innovative (or more customer intimate or more operationally excellent) competitor because they have momentum and inertia on their side.
These huge companies have multiple product lines and they have diversified their operations, so even a new competitor that consistently kicks their ass (like Google is doing to MSFT in search) hardly puts a dent in the machine. Of course, a company cannot get their ass kicked for years without a successful response and not have the luster knocked off the rose. Novell and 3Com are examples of that.
But ultimately my point is that long-lasting differentiation is a myth. No technology brands create the loyalty that you'd need to create a truly durable advantage. Whether you consider the innovation, intimacy or operational excellence flavors of differentiation, the only way to insulate yourself from the cyclical nature of everything is to be big enough to weather the storm.
That's one of the reasons why "Big is the New Small" and "Huge may be the New Big."
NetworkWorld All-Stars: Rained Out
I'm a big fan of case studies and references during the procurement process. For end users, understanding how someone else is using the technology to solve a problem that you may have is instructive. That is, when the case study is done right. So when I saw a feature in NetworkWorld that said they were going to highlight 40 end-users and what they are doing with networking and security, I was ready to suit up and get some perspectives from these All-Stars.
The game was called on the basis of mediocrity. You can read it for yourself here.
I'm sure these are all wonderful people that are doing good work to protect their environments. But what good is a 50-100 word paragraph within the context of a case study? Not a hell of a lot. Putting myself in a typical NWW reader's shoes, these snippets are not valuable in the least. I see one sentence on what the problem is, one sentence on the vendor that provided a solution, and a quote from the "all-star." How do I use that information to make myself better or to learn something?
I get that NWW has limited space, and they have a lot of PR people hounding them all day (and probably all night) about all the cool references they can provide for vendors, whose technology has made these users into all-stars. It feels like NWW took the easy road, as opposed to the useful road. How hard could it be? PR person supplies case study. Reporter maybe calls the reference to confirm. They write a paragraph and move on to the next one.
What I'd like to see is a more detailed treatment of one (or maybe two) environments. Where you get a feel for what they are doing in their entirety, not just one very constrained problem that allows the reporter to mention a product. Network Computing does this and calls it The Centerfold (here). They provide a map of the network and list all of the products in use (or most of them anyway).
The centerfolds are outstanding and useful. The All-Stars are not. Again, it's a shame that NWW couldn't derive much useful information from talking to 40 enterprise customers, who are clearly on the leading edge of deploying security technology.
It goes to 11 - Introducing BluePrint Marketing
I may as well introduce my friend Scott Santucci, because I'm about to steal one of his posts. And with his permission, of course. Here is the original, just in case the splogging police are in the house (here).
Scott is a former META Group guy who now runs a consultancy called BluePrint Marketing. BluePrint is very cool because his process models the "conversations" that vendors and users should be having through a complicated sales process. He works with big vendors like Unisys, Sungard and BMC and helps build content (BluePrints, in fact) that give reps what they need to differentiate and match customer requirements based on the customer BUYING cycle, not the vendor's sales cycle. I'm sure I did a crappy job of describing BluePrint, so if you work for a big vendor and your reps need some help making your products relevant to your customers, Scott is the man to talk to.
Scott has assembled a rogues' gallery of former META Group analysts to provide perspective on almost every aspect of technology. I've been working with Scott for the past 6 months on adapting my Pragmatic Security architecture into a set of blueprints that big security vendors can use to model the conversations they should be having with customers. We are going to be doing a number of relevant podcasts and publishing some additional information over the coming months, so keep an eye out for that.
But first things first, Scott's post on creating a compelling value proposition really resonated with me. First, I love Spinal Tap, so anytime you mention "It goes to 11," I'm rolling on the floor. Second, we in the security business have this problem in spades. Every category has 5-10 players (if not more). Every vendor sounds the same. They make the same claims and they think that their "unique" way of solving the same problem matters. Customers don't give a rat's ass. So lots of what I see from security marketers on a daily basis is futile and lame.
Here is the post with some of my security mojo in [brackets].
--> snip
Do Your Value Propositions Go to Eleven?
In Rob Reiner’s 1984 “rockumentary” This Is Spinal Tap, one of the main characters, Nigel Huffens, proclaims they are different than other bands because their speakers “go to 11.” (Click here to see a video clip of the scene).
I cannot help but be reminded of good ole Nigel every time I talk to clients who are working on their value proposition. A few claims I’ve heard over the years:
- “We are more scalable”
- “We are truly global”
- “We are more adaptive”
- [we stop zero day threats with proactive protection and zero false positives is a common security claim]
Translation? "These go to eleven".
I hear those claims and think to myself, “What prevents their competitors from saying the exact same thing?”
Almost every marketing organization I encounter seems to be making a major effort to differentiate or improve value propositions.
So, what happens?
A bunch of people (mostly a blend of product or solutions people and marketers) have a series of meetings and word smith a set of ideas into a few paragraphs and then say, “If we can only get our sales force to deliver this message, we will outsell our competitors”.
Here is an example. Given our META Group heritage, we know a lot about outsourcing and continue to advise G2000 IT organizations on selecting vendors to meet their needs.
Many of these outsourcers claim they are “truly global” while the others are just globally dispersed. It is almost comical to watch them try to communicate the idea that they are the only provider that is “truly global”. With all of the vendors parroting the same concepts, is it any wonder that the outsourcing market is becoming increasingly commoditized, win rates across the industry are about 30% (or less), and the costs of pursuing these opportunities are on the rise?
Don’t laugh. It’s happening in your market too.
[NAC, extrusion prevention, email security - you name it and all of these markets have the same characteristics. Too many vendors, not enough differentiation.]
Why?
Anything you can say on your website, your competitors can say as well.
Let’s say your value proposition is different than anyone else’s and that you do come up with some concepts that resonate with customers as truly unique, and this helps get you traction. How hard is it for your competitors to steal this value proposition, reword it, and use it?
[I know this is true because it happened to me in every marketing job I've had. I came up with a cool term (like Early Warning System or Connection Control) and every other vendor talked about their capability to do this within a month. Literally a month. Of course, none of it was real - but it still confused the customer. That means longer sales cycles, etc.]
The approach violates three of the Seven Irrefutable Laws of Customer Centricity:
- Law 1. Customers buy solutions to their problems, they do not buy products. Creating a generic value proposition implies you have the solution for all clients before you understand their problems.
- Law 3. Only a customer can call it a solution. The formula for value propositions that people follow today is a legacy of the product-centric marketing world that is dying out in B2B markets. Basically it is: problem statement, solution, how you deliver that solution, how it’s unlike your competitors, and what outcome your customer can expect. How can you determine all of that for a specific G2000 organization in a meeting room?
- Law 6. Value is in the eye of the beholder. For argument's sake, let’s assume for a minute that your value statement meets a customer’s needs, is compelling, and has tremendous impact. Who is it written for? The stakeholder (or set of stakeholders) this message is delivered to each listen to, as Zig Ziglar likes to say, “radio station WIIFM. What’s In It For Me”.
Please don’t fool yourself into thinking you are creating messages for CXOs. I’ve yet to meet a CFO whose issues are identical to those of his CIO.
[Sound familiar? Of course it does. Check out Scott's site. Learn more about what he does. It's very cool and it works.]
Nice guys finish last
and assholes sleep with super models. I don't make the rules, I just comment on them. By now, you should be sufficiently confused, so let me tell you where I'm coming from.
Shimel just loves to stir it up (here). Says it's good for ratings. And he's quick to rush to the defense of vendor-land when the big bad analyst starts calling everyone names. He's referring to my rant yesterday about Dark Reading's 10 Reasons Security Products Don't Work (here). It seems that he mostly agrees with me, except my unfair and harsh characterizations of vendors. But Alan is off-base here because he fancies himself to be a good and ethical guy.
But this isn't Alan's first trip on the tuna boat, so unless he has temporary amnesia, he's forgetting about the calls we've had discussing those "lying" competitors. Those marketing-driven companies that have no technical chops, but make their products seem like the second coming. He's forgetting that in competitive markets, everything is fair game.
This is a problem the success of the security business has created. There are just too many damn companies. Pure and simple. They are all chasing the same customers with the same limited budgets. This is a zero-sum game. If you win a deal, the other guys lose.
So every vendor has to try really hard to differentiate and sometimes they take liberties with the truth to do so. It happens in the form of outrageous claims that seem to surface during the sales cycle. It's something as little as "we handle zero day attacks with no false positives." Of course that isn't the case, but that's what customers want to hear, so that's what the rep says.
Alan is right. Sooner or later the truth is going to hurt. But if your competition has told the customer they can do it, you have a choice. Do you tell them the competitor is wrong? Hmm. That's mudslinging and bad form, the customer thinks you are a schmuck. Do you say you can do it, but with lots of caveats to stick close to the truth? Well, that doesn't work either. The customer heard no caveats from the other guys. Your product must suck.
If you don't join the "fun," you will lose deals because the uneducated customer won't know the difference. By the time they figure it out, the other rep has cashed the check and made the payment on his damn 911. Sure he'll have to clean up a mess, but the ride will be nice to get there with 450 horses under the hood.
I had this problem big time when I was a marketing guy. We had a very aggressive competitor that wasn't constrained by the truth. They'd lie about what they could do, and make up stuff about what we couldn't. I tried to take the high road for a while, but it wasn't working. If the other guys were in the deal before us, we had to spend countless hours unwinding the web of lies. If we were in first, the other guys would show up and start the fabrication engine and we'd again be playing defense.
Just like in poker, you don't necessarily have to have the best cards to go on the offensive. Our best reps were always on the offensive. They would sit with the customer and say, "this is what you will hear from the other guys and this is why it's wrong." They would do pre-emptive strikes. It's a brilliant sales strategy, and when you have the truth on your side, you win more often than not. But reps that can stand in that kind of fire are few and far between. Maybe 15% of them. That's not enough to scale a business.
The sad truth is that the other 85% get scared and fold when faced with a very aggressive competitor. They stumble over their words, can't compete, and lose. Then they get fired. It's very sad.
The purists out there will say, "what goes around comes around." And in fact, in some cases it has. But as products mature, technical differentiation becomes less noticeable. The vendors more successful during the early land grab phase will maintain market share because their product will get better. They figure out how to pacify those grumpy customers and they've successfully cut off the competitor's oxygen.
So what does this have to do with managing expectations? It's that there is a HUGE incentive for vendors to grab market share in an early market. And that means a lot of folks will bend (or outright break) the truth to get the box in there. Since the typical lifespan of a start-up that gets a positive exit is maybe 3-4 years, and the bulk of their boxes are sold in the last year - it's usually the acquirer that gets to clean up the mess.
Most importantly, what does this have to do with super models? By the time the users figure out it's Medusa lying next to them, the vendor has probably sold out to Cisco or Symantec for a crapload of money. They buy big boats, hang out with super models and then do it again. The virtuous cycle starts over.
For customers, the reality is unfortunate. We are going to continue to see this behavior because there is too much money at stake. And maybe there are some folks that do the right thing and in a few cases you can point to the nice guys finishing first. But that's the exception, not the rule.
How not to hype a new CEO
I'm going to rant a bit about security marketing and hyping of a new CEO. I read this release announcing Anne Bonaparte as Tablus' new CEO yesterday (here) and thought I had stepped into an alternate reality.
Now I get that a new CEO is a big deal and you want your employees and customers to say "cool!" Your competitors should say "oh crap!" when the new person is announced. But what you can't do is over-hype a CEO to the point where it's laughable.
In terms of disclaimers and caveats, I don't know Anne Bonaparte. Never spoke to her. Though it wouldn't surprise me if we became acquainted very soon. She may very well be a very capable CEO and the right leader for Tablus right now as they fight in a very crowded market doing not a hell of a lot of revenue (6 VC-backed vendors chasing after maybe $60M in revenue this year). This is not an attack on her, more about how she's been over-hyped.
What I object to is how the PR folks have spun her last gig at MailFrontier.
"She previously served as the president and CEO of MailFrontier, where she established the company’s market leadership in the e-mail security space, developed strategic partnerships, dramatically accelerated organizational growth and spearheaded the company’s acquisition by security vendor SonicWALL. Under her leadership, the MailFrontier brand achieved worldwide recognition."
Maybe this is a different MailFrontier. The MailFrontier I remember from when I was in the email security business was a non-contender. I guess they sold a couple hundred boxes to SMB customers and were then thankfully rescued by SonicWall for $31 million.
That's a good exit? Market leadership of what? Worldwide brand recognition? That is a load of crap. MailFrontier was one of many losers in the space and they got lucky to be acquired for more than 10 cents. I covered the deal (here) and my analysis still stands. I think it was a good deal for SonicWall, but not because MailFrontier was some sort of gem.
My point here is that exits are good. And many CEOs are talented. But trying to reinvent history for the sake of hype just annoys the folks that were actually there. It damages the credibility of the organization when a gig is described through such rose-colored glasses as to be unbelievable.
Good luck to Ms. Bonaparte in her new gig. I hope it works out better than the last one. I suspect Tablus' investors have similar hopes.
OK, off soapbox now.
Where do they get these botnet numbers?
The old saying goes: "Lies, Damn Lies, and Statistics." From my time on the vendor side, I can tell you that statistics make great news pegs, but the data is usually not worth much. Case in point from an article I saw this morning: "Botnets spike in wake of Windows flaw."
Bill Brenner of SearchSecurity quotes CipherTrust research numbers here claiming that the number of new "bots" created by the Mocbot worm has increased 23% in the past week. I say that's hogwash. Why? Because CipherTrust only sees spam bots. The real number of new bots could be considerably more, or considerably less. And these bots could be caused by a number of things, not just Mocbot.
Heresy you say? Especially considering I still own CipherTrust stock (for the next two weeks or so until the SCUR deal closes). I don't think so.
This quote from the story says it all: "Much of this increase can be attributed to the spam originating from the new zombies unleashed by the Mocbot worm." Huh? If they know this, I want these guys picking stocks for me. Obviously they have a kick-ass crystal ball.
CipherTrust makes a number of assumptions here that I'm not sure hold up.
- They assume that all new zombies are a result of Mocbot - so basically every other attack vector that turns unsuspecting machines into spam bots has gone away?
- They assume every zombie is a spam bot - Again, CipherTrust only sees devices that are new senders of spam. They make the assumption that those are bots. That may or may not be true. They also assume that there are no zombies out there doing other things, which I know is not the case.
Maybe I just disagree with the terminology, but I don't see how new spam sender = bot. I also don't understand how they can pinpoint that Mocbot is the source of all these zombies.
Maybe there are good answers for this, and if so I have no doubt I'll hear from some of my friends. But I've always said that you can make numbers sing, and lots of vendors do that to generate PR.
End users should take these numbers with a grain of salt, unless they help you get an important project funded, in which case use them anyway.