Snyder's Hack Job

Submitted by Mike Rothman on Wed, 2006-04-12 15:18.

When I left CipherTrust, I closed the VP Marketing chapter of my career and started to focus on starting up Security Incite. There were lots of things that I liked about the marketing role, and lots of things that I didn't. Joel Snyder in a NetworkWorld column (link) reminds me of something I despised, which is product reviews. His column also questions why a vendor wouldn’t sell equipment to a customer. I have some thoughts on both of these topics.

First of all, let me say that I think Joel’s column was a hack job. This has nothing to do with the fact that I used to work at CipherTrust. It just reads like he’s crying over spilt milk and just being petty. The way he presents his case makes you think he’s hiding something. At least that’s the feel I got reading the column.

I’m very surprised that CipherTrust has not issued an official response to the article. They should. But not by posting anonymous personal attacks on Joel on the Techdirt blog. Mike Arrington Masnick of Techdirt mentioned the column on his blog (link) and then someone from CipherTrust made anonymous comments that were less than flattering. That is cowardly. At least be man (or woman) enough to stand behind what you say. CipherTrust took a bad situation and made it a thousand times worse. Arrington Masnick calls them out on it in this post.

By the way, CipherTrust did not ask me to write this and they are not a client of my analyst firm. In fact, they'll probably be pretty pissed at me for breaking the code of silence. Whatever - I don’t work there anymore. I can say what I want. From a disclosure standpoint, I am a CipherTrust shareholder since I cannot unload the stock - they are still a private company.

First, let me deal with the NetworkWorld review which happened in December 2004. Joel’s recollection is slanted at best and bordering on revisionist history.  Sorry, but I just can't let it lie. A bunch of my friends are scratching their heads wondering why I’m getting involved. It’s actually pretty simple, I think Joel is wrong and I’m going to call him on it.

Joel maintains that we did something below board by turning off the device in the middle of the test. I was the one who shut the box down and I can assure you there was no panic involved. And the only miscommunication was the fact that Joel told us he was going to be on a plane to Europe when the formal testing began, so we didn't think there was any way to contact him to discuss the issues.

Basically, we found that the test was not as we were told. In accordance with the testing methodology we tuned the product for a couple of days, based on what we believed was the entire mail stream. That was not the case. Joel had his mail still running through his managed service during the tuning period. So we were optimizing the product on an incomplete mail stream. So when the actual test began, we saw all the traffic and the box was not performing as it did throughout the entire tuning period. Clearly something was amiss - he sold me a bill of goods about the testing methodology.

I saw no option but to pull out of the test.  I had lost confidence in the methodology and Joel's ability to test the product effectively. So I shut the box down. His test was screwed up and I called him on it.  Joel got all pissed off (which I found entertaining), and evidently he wasn't on that plane to Europe. So we talked it out and came to a mutual understanding. He acknowledged that we should have time to retune the box, which is what we did. Quite effectively I might add. To my knowledge that was the end of the situation, it was in the rear view mirror and he published his findings on the product.

To bring that incident back up as he tries to condemn CipherTrust for something else is juvenile and ridiculous.

Now that's off my chest, let's discuss that other thing he mentions, which is that CipherTrust would not sell him a box. He says he's testing products for a "consulting customer." Well, what consulting customer? Is the company a vendor or an end-user? I checked with the CT people and Joel wouldn't tell them. Hmm. Is it just me or does this smells really fishy.

Why wouldn't the "consulting customer" work with CipherTrust themselves? Or at least say they were working with Joel's firm to test the products. This is not Consumer Reports here. And why would the "consulting customer" (assuming it's an end user) provide the money to actually buy the products they are testing? I’ve been in this business a long time and I’ve never seen an end user buy one of everything to test them out. It's not like you can get any of these products for $2000. If they are testing 4 products, they are looking at an additional $40k expenditure (an adequately configured box costs $10k), especially when all of the vendors would provide a trial version for testing. It just doesn't add up.

And then he changes the story, clearly this box was intended to do a competitive bake-off. But he tells CipherTrust after they won't sell him the box that it's for use in his company. How can that be the case, since everyone in the business knows that Joel uses a managed service? Now he's going to implement an enterprise class appliance for the 5 people in his company? Not likely. Again, I wasn’t there but I would have been a little wary of the situation also.

Mike Arrington Masnick is right in supposing that part of the fear might have been that information would be passed onto a competitor. In general you never sell an enterprise class product to someone unless you know where it's going to be deployed. The unfortunate truth is a great majority of those boxes that are "unaccounted" for end up in the hands of competitors. To be clear, I'm not saying Joel would buy a product for a competitor, but if you are CipherTrust why would you take the chance? The fact that it's a blind test, done by an independent consultant makes your chance of success suspect at best. Certainly not worth the $5000 you'd make for selling the product.

And what about this "consulting customer?" I suspect any end-user would have told Joel to walk away. There are a ton of email security solutions and clearly CipherTrust doesn't want their business. So that should have been the end of it.

In my opinion, it was a no-brainer for CipherTrust to walk away from the deal. Anyone that’s spent any time in a product company knows that you need to focus resources on deals that you can win. Without proper qualification, you are wasting your time. Even worse, you have the chance (however unlikely) that the box falls into the hands of a competitor. That's not a risk worth taking.

Clearly Joel doesn't understand that. Instead of letting it go he chose to be vindictive and petty, spouting baseless innuendo about how a company must treat its customers because he felt slighted. It's disappointing to see a fellow NetworkWorld columnist use his space in the book to settle what is clearly a personal score.

Submitted by Chris (not verified) on Wed, 2006-04-12 16:09.
It sounds like you're endorsing security by obscurity. As far as I'm concerned, any security product that can't stand up to being poked and prodded (whether by a cracker or a compeditor) isn't worth buying. If a product can't stand up to the light of day, then it should never see it.
Submitted by Mike Rothman on Wed, 2006-04-12 16:18.

You are absolutely right, every security product must stand up to make sure it meets the CUSTOMER's needs. But in giving a product to a competitor, you give them the license to obscure the real information and paint their own box favorably. If you could guarantee a fair fight, then by all means let's get it on. But competitors do not fight fair, so you need to work hard to make sure the customer can make a decision based on an even playing field.

That's my opinion anyway.

Submitted by Chris (not verified) on Wed, 2006-04-12 18:01.

It's not about how your security product stands up on this or that artificial comparison; it's about how many eyeballs are examining the product. The more people examining a security product, the less likely there are to be any unknown problems that are going to sneak up at bite me. There's no way to encourage this sort of scrutiny without inviting scrutiny by your competitors.

 Your competitors may not play fair, they may make false comparisons and try to spread FUD about your product. They're your competitors, so I'm going to take anything they say about your product with a grain of salt. On the other hand, if you try to keep a product from this sort of scrutiny, I'm going to wonder what you have to hide. This sort of behavior is going to lead me not to trust you, which is far more damaging than anything your competitor could ever say. 

The bottom line is that buying a security product requires a lot of trust. Securing potential customer's trust is far more important than an getting an even playing field on this or that comparison. I'm going to put far more trust in the company that encourages scrutiny of their product than one that discourages scrutiny.

Submitted by Mike Masnick (not verified) on Wed, 2006-04-12 16:39.
Mike, I think you are a bit confused. The post is on Techdirt, not TechCrunch, and was written by me, Mike Masnick, not Mike Arrington (who writes TechCrunch).
Submitted by Mike Rothman on Wed, 2006-04-12 16:57.
My apologies to Mike Masnick. I referred to the wrong guy. It's been corrected.
Submitted by Vikas Singla (not verified) on Thu, 2006-06-22 22:42.


Thanks for setting the record straight. CipherTrust does have a separate and flexible program for independent testing labs to evaluate our products. In this case, there was no need for Mr. Snyder to purchase the product as evaluations can be conducted free of charge. Also, CipherTrust did respond to the editors of Network World and our response was published in the following month's publication. An online version is also available.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.