An Information Security Place

Commentary on the State of Information Security


Filed under Business of Security, Managed Security, Outsourcing, Security, Security Consultation, Security Management

Everyone seems to be commenting on the Counterpane acquisition by BT.  But unlike most of the “analyst” type comments out there (here, here, and here), I want to comment about this acquisition from my not-too-long-ago viewpoint of a security manager.

First of all, with all respect to Mr. Schneier, I was never impressed with Counterpane.  They pitched to me about a year ago, and I was singularly unimpressed to say the least.  The sales person talked like she had been on the job about a week.  I don’t mean to be nasty.  Maybe she had not been there very long and was just learning the ropes, so this might not be a fair critique (another thought - maybe she was just too stunned by my dashing good looks to get her thoughts collected - hmmmm).  But no matter what the case, she really seemed to have zero clue as to what she was saying.  And I expected a little more from Counterpane.  That was my first clue that they were not doing too well.

Also, about a week after our meeting, she called and basically went through the whole sales pitch that she should have gone through when she was face-to-face with me.  So one of two things was happening: 1) either my suspicion about my stunning good looks is correct and she had no problem when she didn’t have to see me (though my voice is nothing to sneeze at, I tell ya’!), or 2) she didn’t receive any sales training before she was thrown to the lions.  If the latter reason was the case, then that also did not show positive for Counterpane.

And while the engineer she brought along seemed to be knowledgeable, he also could not tell me what exactly brought Counterpane to the forefront in the field besides some reference to them pioneering the field (and what I talk about in my second point).  They just didn’t have anything that floated to the top.

The point is that an MSSP is an MSSP is an MSSP.  In the finer points of the trade, that statement is probably not totally true.  But in general, they all do the same thing.  So you have to have some fine point that makes you different, better, or just cooler.  And they did not have it.  By the way, I also met with LURHQ and Solutionary.  They all had somewhat the same stuff.  Honestly, of all of them, LURHQ had the best sales pitch and seemed overall better than the other two.

Second, as to Alan Shimel’s comment that “Counterpane was not a professional services company”, I would say that I think he forgot to tell them.  First, just look at this page from their website.  Second, when they talked to me, they seemed to want to push their professional services down my throat.  They seemed to focus on that during a great part of the meeting, maybe even more so than their MSSP services.  This is what they seemed to think gave them the edge (I alluded to this above in point 1).  And I honestly got the feeling that was a key area that they were trying to develop heavily and on which they planned to spend some focused resources.  Maybe I put too much stock in what a couple of sales types were pitching.  Maybe they just picked up on something and thought they should pitch that side heavily.  But the way they spoke of it, I was literally waiting for an announcement with them changing focus.

Before I go on, I have to admit that this next point is a little bit “analyst-ish”.  I ask forgiveness from the people in the trenches.  OK, here goes…

Third (and this is again with all due respect to Mr. Schneier), you cannot bank your business on a hero figure, even one such as Bruce.  Yes, he is a security master and a legend.  Yes, he is brilliant.  Yes, he could whip Chuck Norris in a fight (uhhh, went too far - sorry).  But that really can only carry you so far.  You have to produce and keep producing.  You have to differentiate, especially in a field where most of your competitors are offering essentially the same services.  A name just is not enough.

So, that’s my take on the deal.  I honestly was not at all surprised to see this happen.  I think BT is basically doing what the market is demanding, and they went the cheapest route possible.  No more, no less (crap, another analyst comment - I need to watch that).

Vet

Posted by Michael Farnum on Thursday, October 26th, 2006

Filed under Business of Security, Outsourcing, Security, Security Consultation, Security Management

Karn Griffen over at the Information Security Gurus blog mentions my post about getting out of security management.  He has a good post today about how we should all be getting out of the front lines when there are so many possibilities with outsourcing.  He also commented on that same post, where he said the following:

If I can turn on secure networking services, complete with IPS, Virus, Spam filtering, etc. and the company I outsource this to will provide me an SLA that guarantees the service parameters I’m looking for, why would I bother with a full-time person (or more) to do these things.

While I agree with Karn on this point, the question that comes to my mind is if you can’t convince an exec that security is needed at all, then why would he / she do either?

The big problem is that execs often cannot justify security at all as a cost.  The ramifications to not spending money on security are still so light.  Much of the legislation out there still does not have teeth.  The media is getting tired of printing stories about this stuff because readers are tired of it.  Some non-governmental regs like PCI are starting to get somewhere, but that is not anywhere close to where it needs to be.

So unless you can convince your execs that security is needed, they ain’t gonna spend money on it, no matter if you outsource or insource it.

But let’s play devil’s advocate here and assume that all execs get smart and buy off on security.  Then, the SMB execs get even smarter and see Karn’s point that they can outsource.  Where does that leave guys like me getting out of operations and trying to sell security?  Should I be selling to SMBs now when I know they would be better served by outsourcing?  Do I sell to MSSPs?  Better yet, do I have to start working for MSSPs, sitting in a chair watching packets go by?  Do I lose even that job to ever-more sophisticated UTMs / IPSs / heuristic filters that can figure this stuff out better than I can?  Does the UTM take over for those MSSPs where there are only 2 or 3 viable options for them to filter traffic for their clients, essentially killing much of the security market?  Are the enterprise-type clients enough to hold up the market?  Does the technology get so good that even enterprise clients can use it?  Does my job just go POOF in 5 - 10 years?  AAAAAAAHHHHHHHHH!!!!!!!!!!!

Karn, you are on to something, but I’m not sure it’s good.  But good or not, is it inevitable?

Vet

Posted by Michael Farnum on Thursday, September 14th, 2006