An Information Security Place

Commentary on the State of Information Security

Archive for the 'Security Consultation' Category...

Filed under Commodity Products, Security Consultation, Security Products, Security Reselling

I had a long talk with a client yesterday regarding IPS.  They were setting up a nice sized extranet infrastructure to serve their clients, and they needed to build some security into the design before they implemented.  They had already thought of a lot of pieces, and now they were looking at putting in IPS.  They were already being courted by one IPS company, but they wanted to know about others and what the strengths and weaknesses were.

So as I started into the discussion, I diverged a bit from the pure technical discussion and talked about the view of the network as a whole.  Basically, I tried to get them to look at the big picture of what they were buying versus just an IPS as a single silo.  What I talked about was how the one IPS they were looking at was an excellent IPS, but I also told them that they really had no big advantage over any of the other big IPS vendors in the market.  If you look at the Gartner chart for IPS, there are about 5-7 vendors in the magic quadrant.  Basically, the product is a commodity, just like anti-virus and other mature products.  Though some boxes have advantages over others, they all really can do the job.  Most are able to protect multiple segments and can handle multi-gig speeds.  Most have a default set of policies that are not very noisy and protect against the big threats.  Most are HA capable.  Most have fail-open or fail-closed options. Etc, etc, etc.  Some people might disagree here, and I understand that.  One IPS might have a feature that another one does not that may fit a certain need.  But I contend that in a general sense, none of the big ones really have a huge advantage.

So in that light, what are the factors you have to consider?  Well, it really comes down to the intangibles.  Let’s look at a few of those:

Is the company diversified in their product line?  In today’s converging security market, that tells us whether the company is likely to be snatched up or simply disappear, depending on product quality and whether there is someone out there who has money and has a hole in their product line.

Product diversification may also mean that the company is trying to take a look at the network as a whole versus just one piece.  If they have developed or bought different products that complement each other and are trying to bring them together in a way that gives insight into the network and allows collaboration, then that type of company is likely planning on sticking around for a while.

In this light, also look at management of the product.  Though this is not exactly an intangible, it is still something that many companies don’t think about.  What about the learning curve for your employees?  Do you already have products from this vendor?  If so, does this new technology fit well into that console, thus lessening the time your employees need to learn it? If a company fits the diversification example above, they might have a problem in this area.  Of course, if they are serious about making it work, they might very well have an EXCELLENT console.  Take a close look.  You also have to consider the talents of your employees with this factor.

Another intangible is support.  How well do they support their product, keeping in mind that the company with one product may be better at this versus the big one with multiple products?

There are probably many other factors to consider here, but the basic point is that when you are looking at a mature, commoditized product (this does not just apply to IPS, obviously), a decision should not be made on technical issues alone.  Look at your business. Look at your risk.  Look at your employees.  Look at the vendor as a whole.  Compare their position in the market to other vendors.  How do they stack up?  Do they seem to have tunnel vision, or are they trying to diversify?  Make sure you don’t let your technical folks make the decision by themselves and then hand you a PO to sign.  They may like the product in the short term, but you have to think long term.  You might piss off the team for a bit, but you can use the decision as a lesson to help mature your staff.

Vet

Posted by Michael Farnum on Friday, May 2nd, 2008

Filed under Application Security, Business of Security, Rant, Sales, Security, Security Consultation

I went out to see one of our customers this week who had their web app pwned a while back.  This is the second client since I have been with Accuvant that we were trying to help via our security assessment services who got smacked around before they could make up their mind to spend the money or not.  It has been several weeks since they were attacked, and they are still running around like school girls with their hair on fire. 

Yes, they are making a lot of progress (much of it due to us having a couple of guys helping them out for the last 4 weeks).  But the point is that they could have avoided all this craziness and stress if they had made the right choice in the first place.  Like I have said in the past, business decisions have to be made.  But when you are a financial company that serves a lot of customers, you need to make sure due diligence is performed.  Sitting on your hands is not an option.

Vet

Posted by Michael Farnum on Wednesday, March 12th, 2008

Filed under Accuvant, Blogging, Blogging Buddies, Friends, Security, Security Consultation

There’s a new security blog out there, and this one is another Accuvant employee (so you know it is going to be good). 

His name is Jim Broome, and his blog is called Jim’s Bloggyness.  Jim is an Assessments Team Lead at Accuvant, and he is one smart dude.  Here’s his profile:

Jim Broome, an information security industry veteran with over a decade of experience in the field, is a Principal Consultant with Accuvant’s assessment team and also acts as the technical lead for the assessment practice area.

Accuvant is a leading national security consulting organization that designs and executes strategies to address its clients’ complex information security challenges. Jim’s role is to provide world class security consulting services to Accuvant clients while still providing technical leadership to the assessment team as a whole.

Experience

As one of Accuvant’s more seasoned assessors, Mr. Broome has performed a number of consultative engagements including enterprise security strategy planning, risk assessments, threat analysis, application assessments, network assessments and penetration testing, and wireless security assessments for a large number of Fortune 500 clients. These clients represent a variety of markets including manufacturers, telecommunications (cellular and traditional), public utilities, healthcare, financial services, and state governments.

Prior to joining Accuvant, Jim was a Principal Security Consultant for Internet Security Systems and a member of the X-force penetration testing team. At ISS, he was responsible for providing technical leadership to the Western Region consulting practice while performing his day-to-day duties of performing network assessments and penetration testing. Prior to ISS, he was the Director of Network Operations for Cavion.com, a managed service provider exclusively for credit unions. At Cavion.com, Jim was responsible for managing the network operations staff and security organization while maintaining 99.999% uptime.

Notable Accomplishments

With a been-there-done-that attitude, Jim is a constantly sought-after consultant, due to his extensive level of knowledge in most areas of security implementation and management from both a technical and managerial level. As one of the original authors of several training programs including Checkpoint Software’s CCSA/CCSE program, Jim is a well-regarded security/technology instructor and mentor to many administrators and IT management organizations.

Since coming to the Accuvant organization, Jim has been responsible for establishing and standardizing many of the solutions and techniques employed by the Assessment practice. This provides our clients with a level of consistency that is unparalleled in the industry and establishes Accuvant as the premiere security services company.

Certifications and Training

Jim is a Certified Information Systems Security Professional (CISSP); Checkpoint Certified Security Engineer (CCSE); NetScreen Certified Security Associate (NCSA); ISS Certified Engineer

Professional Education

BS in Computer Information Systems from Trinity College and University

Welcome to the blogosphere, Jim.

Vet

Posted by Michael Farnum on Saturday, October 20th, 2007

Filed under Security, Security Consultation, Security Products, Security Reselling

I was at a client site the other day…  Wait a minute.  I just realized how often I open posts with that line now.  I feel like Snoopy: It was a dark and stormy night!

Anyway, I was visiting a client the other day (yea, that’s better :) ), and I was accompanied by my sales guy and a sales guy from a vendor with which Accuvant partners.  My sales guy had invited the partner on the call, and then let me know a couple of days ahead of time that this was going on and that I needed to be there because the vendor’s sales guy was not going to have an SE available from his company.  I am fairly familiar with this particular partner’s products.  I have used them a lot in the past.  But during the meeting, the conversation turned specifically to a particular product line, and it just so happens that I am not as familiar with this product.

So long story short, I basically had to admit in the meeting that I did not know the product line very well and I would have to do some research.  Now the customer had no issue with that at all, but I could tell that the partner was none too happy.

Now generally, I could not care less about what partners think of me.  I have been in trouble before with vendors, and I will be in trouble again I am sure.  But in this particular incident, I felt like I had not done enough prep beforehand and had done a disservice to the partner.

Anyway, the meeting went forward and turned to more security-centric talk, such as where they should place IPS, etc.  The sales guys got bored for a while because we got to whiteboarding a bit, but it turned out really well, and the customer ended up giving me some kudos because I pointed out some issues he had not considered.  And several times during the technical talk I pointed out products that the vendor had that could help with certain problems.  So my sales guy and I left feeling like the meeting went well, and I am pretty sure the customer felt the same.  But I still am not sure what the vendor’s sales guy thought.

As a pre-sales engineer, I am expected to know the product as well as have in-depth security knowledge.  Now I know which one I am better at (three guesses), but I realize the reality of these types of situations.  But as a VAR pre-sales engineer, I am expected to know a BUNCH of products.  It can be a little crazy at times.

So really this is just some thoughts on my blog about this.  I don’t know that I have a specific point.  But for some reason it just struck me to write about this.

Vet

Posted by Michael Farnum on Friday, August 17th, 2007

Filed under Blogging Buddies, Security, Security Consultation, Security Products, Security Reselling

OK, now that I am settled in my hotel room in Dallas, I have some time to respond to Alan’s post calling me a hooker (like I said to Alan, at least he called me high-priced).  I will also be responding to a comment left by a reader who goes by the name of Shaneo.  You can read that comment here.

The first thing that strikes me about Alan’s and Shaneo’s comments is that they seem to think that selling products is what makes a person bad.  Either that, or they think I was making that implication.  Alan says:

To me Michael sounds a bit like an expensive call girl talking down on a lowly street walker.  At the end of the day they are both working girls, who work hard for the money, but they are what they are.  As long as Michael is putting the food on the table by selling products to customers, whether they be from a line card that Accuvant offers or from a specific vendor, he is selling nevertheless.

Shaneo says it like this:

You make me laugh! A VAR is still always a VAR - a sales engine. If you were an independent consultant and didn’t sell any product, then I could support some of your statements.

…don’t put yourself so high and mighty above all the rest…When you’re a part of the food chain.

I seriously do not get why they think that because I sell products that I am a whore.  My point was never that selling a product was a bad thing.  In fact, my point in the original article wasn’t even to attack vendors, though I’ll admit I was harsh on the vendors (not apologizing, just admitting :) ).  My point was that I, as the trusted adviser to the client, need to make sure that their expectations are managed so that they can make the right decisions.  I made that point by saying that vendor marketing departments often try to make their products look like they can solve all ills and the client often buys what the marketing department says because they WANT to believe it. 

When Alan asked me in a comment what I would do if I worked for a vendor, I told him straight that I would have to look hard at the vendor before I made a decision “because of the situations I would be in that would require me to sell a product that was not a good fit”.  Do I think every vendor will try to sell something even if it is not a good fit?  No.  And I believe Alan when he says, “It is not some sort of pump and dump scheme over here.” But I also know that it is extremely hard for a salesperson (VAR or vendor) to turn down a sale, and it makes it doubly difficult when you are feeling pressure from above.  So the temptation is there to push the product whether it is a good fit or not.

Now where Accuvant comes into play is that we look at the product that the client is asking about, and since we are the trusted adviser in the situation, we have the leeway to tell them the truth.  If we don’t, then we can lose that status.  Not a good idea for a company that leads with services, not product.  And Alan, you asked, “if Accuvant did not have a product that was a good fit, would you send the customer to EnPointe, Cadre, Fishnet or another VAR?”  Actually, yes, I would.  And I can speak for most, if not all, of Accuvant when I say that they would as well.  That may be hard to believe, but I think you know me well enough to know that I ain’t jerking you around.  In fact, we have contracted with competitors before for stuff that we could not do because of lack of resources or whatever (and no, we did not make them wear Accuvant shirts and not tell anyone where they were from).  We have done that because we place our customers first.  If the competitor gets in and steals the business, then obviously we weren’t doing our job in the first place, and we deserve to lose the customer.

Alan also says:

Michael here is another example you cite.  The vendor who is upset with you for bringing in his competitor in a deal.  Of course he is.  You would be too.  In fact you are upset by it and you even say that your dander was up because the vendor admitted he wanted another reseller in there.  You wouldn’t mind the vendor suggesting another reseller? See the point.

Well Alan, I see the point you are TRYING to make, but you actually miss it.  Read my paragraph again:

 But what really got my dander up was that I knew that the guy had not brought me in to the client.  In fact, the client requested Accuvant (the client and I were old friends - we had worked at another reseller together).  And in the course of the conversation with me, the sales guy got so flustered that he actually admitted that he had suggested another reseller first (a big mistake on his part that essentially killed his argument, no matter what my argument had been).  This was just pure and simple dishonesty, and it irked me tremendously.

Go to the end.  I wasn’t upset because he suggested another reseller.  I was upset because the vendor was dishonest about saying that he had brought me to the deal when he had actually suggested another reseller first.  That is what makes me wary of vendors.  I have seen that kind of dishonesty time and time again, both from the reseller POV and the client POV.

Another Alan quote:

As long as you are getting paid to put products in at the customer, whether you make and sell them or just sell them, you still sell.  As long as you sell, you are as guilty or innocent, moral or immoral as anyone else in the food chain.

This goes back to my original question.  Why does selling make me guilty or innocent or immoral or moral?  That makes no sense.  It is not the act of selling that makes a person bad.  Guilt and immorality come into play when the sales person or the marketing department or whomever makes false statements to make a sale, and that applies to the VAR or the vendor.  And I know plenty of VARs who sell based on the best spiff that month.  But everything I have seen from Accuvant since before I worked here and after I have been here 9 months tells me that we don’t follow that kind of crap.  Have we had people collect on spiffs before?  Hell yes.  But it was not the driver behind the business.  And if you don’t believe we are on the up-and-up, just ask a customer (thanks again, LonerVamp).

Alan again:

First of all Michael assumes that only someone like a VAR would tell the customer that a case study or lab result are “done in pristine situations”. Why would a vendor be disqualified from saying that?

They’re not.  But do they?  It is not in their interest to do so.

Mr. Shimel again:

Then he talks about telling the customer the truth about how long it takes to install the product. Do you think a vendor is going to lie about this?  Especially if the vendor is selling install professional services along with the product.

Because it is often a bait-and-switch.  Alan, I have seen this so many times it is impossible to name them all.  In fact, one of your competitors in the NAC space does this very thing.  In all honesty, I don’t think the sales person is actually lying.  However, when he says the product installs in 30 minutes (OK, I exaggerated by saying 5 minutes), he is not telling the full truth.  Does the product physically install in place in that amount of time?  Yes.  They are specifically trying to counter Cisco NAC because they have seen the uber-pain people have gone through trying to implement CleanAccess.  But it takes time to determine the business behind the need for the product, create the policies to fit those needs, get the agent installed on all the workstations, etc.  And yes, a security manager or administrator worth his salt will know the intricacies involved and will know that is a shortsighted claim.  But the fact that he says it and uses it in every sales call creates the need for me to manage the customer’s expectations and let them know all of the other details of installing a product like this.

And if you don’t believe that this is a problem, let me tell you that I have had to convince customers numerous times that getting this product (and others whose salespeople make similar claims) installed is not just plugging in a couple of patch cables and letting rip.

Anyway, in the immortal words of Forrest Gump:

And that’s all I have to say about that.

I’m going to bed.

Vet

Posted by Michael Farnum on Wednesday, June 13th, 2007

Filed under Sales, Security, Security Consultation, Security Reselling

One of the biggest things I have learned since I have been in IT is that you have to develop the skill of managing customer expectations (to clarify, the term “customer” means the people for whom you are doing your job - clients, users, etc.).  If your customer believes you can perform a service that you cannot, then you have not done a good job in managing expectations, and you will likely end up disappointing him and hurting the professional relationship.

From the sales POV, if a customer believes that a certain product can perform functions that it cannot, then the customer’s expectations have not been managed.  The customer has to know what a product is capable of and how it will fit and perform in his network.  If this is not fully explained, then the sale can turn into a disaster.

This is a hard thing to do when it comes to sales since customers often do research when looking into a solution, and the marketing departments of companies typically make it sound like their product can cure world hunger and make you a sandwich at the same time it is keeping your network totally secure (and it does all that in a nice little 1U appliance that takes five minutes to install and configure).  And whether we like it or not, customers will often believe the claims because they want the claims to be true.  They need a widget that will cure their ills, and many are short-sighted enough to try to find that widget.

So as the sales person and sales engineer (often the same person), it is imperative that the expectations for a product are managed up front.  If the customer calls you in and says that the brochure for XYZ Security Widget says that it can perform a certain function, you have to be able to explain if the claim is true or not.  You have to make it clear that often case studies are done in pristine situations.  And you also have to clarify that the “setup” of the widget (yes, the one that takes only five minutes) in a network often means that it was simply screwed into a rack, plugged into the network, and assigned an IP address.  There is usually little to no configuration done on the widget, and it is absolutely worthless in this state.  You have to enlighten the naïve customer by telling him that trade rag product reviews are often rigged (it sucks, but it is true).  You have to do all of this because you want to maintain the customer as a customer.

You also have to elucidate and educate because you will be trying to sell professional services to install the widget for the customer, and they are going to balk big time when your statement of work says 40 hours instead of five minutes.  And they are going to balk again when you try to sell a training class that takes 4 days and costs $2000 a head.

So if you want to keep your customers, manage their expectations.  Make sure they know what the real deal is.  You will help them avoid many unpleasant situations (also, be sure to let them know, in a non-braggy way, what unpleasant situations you helped them avoid :) - they will appreciate it more).

Vet

Posted by Michael Farnum on Saturday, June 9th, 2007

Filed under Security, Security Consultation

Steve Hunt at Security Dreamer recently posted a quick test for knowing if your network is vulnerable. The test: well, there is no test. You can take for granted that your network is vulnerable. Steve’s point? You don’t need a security consultant to perform a $30,000 security assessment to tell you that.

I see Steve’s point, but let’s take a step back here. I really think Steve is too narrowly defining the term “security assessment” (he never actually uses the words “security assessment”, but it is easy to determine that is what he is talking about). The type of assessment he is talking about is designed for those that have a somewhat solid security program in place and need to find the flaws with it. If you fall into this category, then you can benefit from this type of assessment because it will be an overarching, far-reaching, and deep-digging look at your systems, policies, procedures, etc. with the express purpose of telling you where your vulnerabilities lie.

But I think Steve is assuming you don’t fall into this category and you don’t have a good security program in place. If that is so, then you need to listen to Steve. Why? Because a huge assessment is probably going to give you a bunch of stuff you already know (or should know). You really don’t need anyone to tell you that you don’t have enough policies when your policy manual only has two sheets of hand-written notes. You don’t need someone to perform password auditing when you have a universal password for everyone that is, you guessed it, “password”. Essentially, you will be no better off than you were before you spent $30,000 for a deliverable thicker than War and Peace with no remediation plan included.

What you need is a whittled down security assessment to give you more of a “tell you what you need” approach rather than a “tell you what you don’t have” approach. There’s a fine line between those two approaches, but the gist of it is the first approach is a positive type of assessment that is designed to build a security program rather than tear into one. However, it is still an assessment because there is most definitely something in place for security, so it has to be assessed to create a starting point.

So if you are in the shape that Steve thinks you are, then you don’t need a full blown assessment. What you need is someone to help you build your security program. Steve is correct that you can probably do a lot of that building yourself and not pay some firm to do it for you. In fact, I would say the building of the program will be more expensive than the testing of the program, so it might be a good idea to do it yourself if you have the time to spare or don’t have the money to get help (I find the latter is generally the issue - if you have time, then you are among the few lucky ones).

But DO NOT forsake the idea of a full blown security assessment. It is a totally legitimate course of action to have a third party assess your security program once it is in place. However, you need to be discerning in who you choose for your assessment. Have them show you sample proposals and deliverables. Have them introduce some of their team to you. Check out resumes. Don’t just throw a dart.

One more thing. You can tell me I am biased because I work for a security consulting firm. And you would be half correct. Yes, I am biased, but it is not because I work for a security consulting firm. I am biased because I believe a security assessment is a good security practice. I had an assessment performed when I was an Information Security Manager (no, my current company did not perform the assessment). Though it was not the best done assessment, it still was valuable.

Vet

Posted by Michael Farnum on Monday, February 19th, 2007

Filed under Business of Security, Managed Security, Outsourcing, Security, Security Consultation, Security Management

Everyone seems to be commenting on the Counterpane acquisition by BT.  But unlike most of the “analyst” type comments out there (here, here, and here), I want to comment about this acquisition from my not-too-long-ago viewpoint of a security manager.

First of all, with all respect to Mr. Schneier, I was never impressed with Counterpane.  They pitched to me about a year ago, and I was singularly unimpressed to say the least.  The sales person talked like she had been on the job about a week.  I don’t mean to be nasty.  Maybe she had not been there very long and was just learning the ropes, so this might not be a fair critique (another thought - maybe she was just too stunned by my dashing good looks to get her thoughts collected - hmmmm).  But no matter what the case, she really seemed to have zero clue as to what she was saying.  And I expected a little more from Counterpane.  That was my first clue that they were not doing too well.

Also, about a week after our meeting, she called and basically went through the whole sales pitch that she should have gone through when she was face-to-face with me.  So one of two things was happening: 1) either my suspicion about my stunning good looks is correct and she had no problem when she didn’t have to see me (though my voice is nothing to sneeze at, I tell ya’!), or 2) she didn’t receive any sales training before she was thrown to the lions.  If the latter reason was the case, then that also did not show positive for Counterpane.

And while the engineer she brought along seemed to be knowledgeable, he also could not tell me what exactly brought Counterpane to the forefront in the field besides some reference to them pioneering the field (and what I talk about in my second point).  They just didn’t have anything that floated to the top.

The point is that an MSSP is an MSSP is an MSSP.  In the finer points of the trade, that statement is probably not totally true.  But in general, they all do the same thing.  So you have to have some fine point that makes you different, better, or just cooler.  And they did not have it.  By the way, I also met with LURHQ and Solutionary.  They all had somewhat the same stuff.  Honestly, of all of them, LURHQ had the best sales pitch and seemed overall better than the other two.

Second, as to Alan Shimel’s comment that “Counterpane was not a professional services company”, I would say that I think he forgot to tell them.  First, just look at this page from their website.  Second, when they talked to me, they seemed to want to push their professional services down my throat.  They seemed to focus on that during a great part of the meeting, maybe even more so than their MSSP services.  This is what they seemed to think gave them the edge (I alluded to this above in point 1).  And I honestly got the feeling that was a key area that they were trying to develop heavily and on which they planned to spend some focused resources.  Maybe I put too much stock in what a couple of sales types were pitching.  Maybe they just picked up on something and thought they should pitch that side heavily.  But the way they spoke of it, I was literally waiting for an announcement with them changing focus.

Before I go on, I have to admit that this next point is a little bit “analyst-ish”.  I ask forgiveness from the people in the trenches.  OK, here goes…

Third (and this is again with all due respect to Mr. Schneier), you cannot bank your business on a hero figure, even one such as Bruce.  Yes, he is a security master and a legend.  Yes, he is brilliant.  Yes, he could whip Chuck Norris in a fight (uhhh, went too far - sorry).  But that really can only carry you so far.  You have to produce and keep producing.  You have to differentiate, especially in a field where most of your competitors are offering essentially the same services.  A name just is not enough.

So, that’s my take on the deal.  I honestly was not at all surprised to see this happen.  I think BT is basically doing what the market is demanding, and they went the cheapest route possible.  No more, no less (crap, another analyst comment - I need to watch that).

Vet

Posted by Michael Farnum on Thursday, October 26th, 2006

Filed under Business of Security, SIM / SEM, Security, Security Consultation, Security Education, Security Reselling

I have decided to start putting down some of the day-to-day events with this new job.  I think it will actually help stir my mind to blog more since I have not been writing near enough lately.  So here goes.

I have actually been kinda bored since my recent job change.  Though I have been getting in contact with our vendor partners and getting setup for training on products, the real action is out there selling and designing and proposing.  I really want to get thrown into the fire. 

Part of the reason I’m not out there yet is we do not have a sales person dedicated to the Houston market.  We need someone badly because the guy selling in Houston is based in Dallas, and he has a lot to do up there as well as down here.  However, he finally got down here today, and it got crazy quickly (be careful what you ask for).

The sales guy flew in at 9am this morning at IAH (Houston Intercontinental), but he didn’t get in my car (I was chauffeur today) until 9:25am, and we had an appointment in SW Houston at 10am.  For those of you who know Houston, IAH is on the far north side of Houston, and Houston is BIG.  I made the trip in about 25 minutes, which I was proud of.

Anyway, the talk was basically an introduction to Accuvant and what we could offer.  This was my first real meeting with the sales pitch thrown to a client, so I learned a lot (I learned even more through the day).  But to be honest, I think of the term “sales pitch” as negative.  What we did today was, technically, selling Accuvant.  However, Accuvant really has differentiated itself quite a bit from most “security” companies because of its unique approach to the industry.  I have talked about it before, but Accuvant just seems to do things right.  Yes, there are always going to be internal problems, but Accuvant just seems to be a company that takes customers seriously and at face value.  We don’t want to walk in and just sell a box then walk out until it’s time for a maintenance renewal.  We want to partner and grow with our clients, and this is no BS.  I am really impressed by Accuvant, and I know this company is going to succeed even more in the coming years.

OK, sorry.  Anyway, the meeting went well.  We have some strong offerings in compliance and assessment, and the client seemed to take to that well (we were talking to IT risk manager and audit types, so they loved the ControlPath product we offer for keeping track of compliance, risk, etc.).

The next client is looking at implementing Infoblox, which is a pretty sweet product in my estimation.  Infoblox offers simple and secure DNS, DHCP, IPAM, and RADIUS services in an appliance.  I have seen the box and how it works.  It is very simple.  Many companies are replacing their Microsoft-based DNS, DHCP, and RADIUS with this product, and I am seeing some great results. 

The next client was a partial introduction - I had previously worked at this client, so the intro was more for the sales guy and Accuvant in broader terms.  They are a property-management company who deals almost exclusively with apartments.  They are looking at wireless access for their tenants in new complexes, which is going to be fairly daunting for a lot of reasons that I won’t get into.  Suffice it to say that they want a lot for little.

So after that client, we went to an established client that is looking into SIM / SEM (some call it SIEM) for capturing very specific events in remote offices and centralize it to corporate (insert Rothman negative comment here).  We are putting Network Intelligence in front of them for the scalability and sheer EPS (events per second).  To put it simply, I like this product.  I might get into that at a later date.

Anyway, we left that client, located in Downtown Houston, at almost exactly 5PM.  Not a good time in Houston.  The sales guy’s plane left at 7pm, so, needless to say (but I am going to say it anyway), we were a bit rushed.  However, we found out after we got on the road that, due to a LOT of storms down here today, his flight was delayed for over an hour, so we calmed down.  Then, wouldn’t you know it, we still made it to the airport in plenty of time for the original flight time.  I guess being relaxed during the drive helped me just go with the flow better, so driving was a lot quicker than I expected.

So, that’s my day.  It was very busy and crazy, but I finally got in the mix.  I have a lot of “action items” from these meetings, so that is going to help me get even more familiar with the products we sell.  These meetings also helped me get down our philosophy (I think that sounds better than “sales pitch”), so I will be better prepared for future meetings with clients (especially since I know I will be mostly on my own until we get a sales person down here).  Things are starting to pick up, so I got out of the house, and I am glad for that.  I love my wife and kids, and they love me (or so they tell me), but we are all getting a little tired of each other right now!

More later.

Vet

Posted by Michael Farnum on Tuesday, October 10th, 2006

Filed under Business of Security, Outsourcing, Security, Security Consultation, Security Management

Karn Griffen over at the Information Security Gurus blog mentions my post about getting out of security management.  He has a good post today about how we should all be getting out of the front lines when there are so many possibilities with outsourcing.  He also commented on that same post, where he said the following:

If I can turn on secure networking services, complete with IPS, Virus, Spam filtering, etc. and the company I outsource this to will provide me an SLA that guarantees the service parameters I’m looking for, why would I bother with a full-time person (or more) to do these things.

While I agree with Karn on this point, the question that comes to my mind is if you can’t convince an exec that security is needed at all, then why would he / she do either?

The big problem is that execs often cannot justify security at all as a cost.  The ramifications to not spending money on security are still so light.  Much of the legislation out there still does not have teeth.  The media is getting tired of printing stories about this stuff because readers are tired of it.  Some non-governmental regs like PCI are starting to get somewhere, but that is not anywhere close to where it needs to be.

So unless you can convince your execs that security is needed, they ain’t gonna spend money on it, no matter if you outsource or insource it. 

But let’s play devil’s advocate here and assume that all execs get smart and buy off on security.  Then, the SMB execs get even smarter and see Karn’s point that they can outsource.  Where does that leave guys like me getting out of operations and trying to sell security?  Should I be selling to SMBs now when I know they would be better served by outsourcing?  Do I sell to MSSPs?  Better yet, do I have to start working for MSSPs, sitting in a chair watching packets go by?  Do I lose even that job to ever-more sophisticated UTMs / IPSs / heuristic filters that can figure this stuff out better than I can?  Does the UTM take over for those MSSPs where there are only 2 or 3 viable options for them to filter traffic for their clients, essentially killing much of the security market?  Are the enterprise-type clients enough to hold up the market?  Does the technology get so good that even enterprise clients can use it?  Does my job just go POOF in 5 - 10 years?  AAAAAAAHHHHHHHHH!!!!!!!!!!!

Karn, you are on to something, but I’m not sure it’s good.  But good or not, is it inevitable?

Vet

Posted by Michael Farnum on Thursday, September 14th, 2006

Filed under Me, Security Consultation, Security Reselling

When I was looking to make a move out of security management, I knew I had a few choices as to what I wanted to move into.  I knew I wanted a pre-sales type of position, but I wasn’t sure about the type of company I wanted to work for.  Should I go for a vendor, or should I get back into the channel?  A few things came to mind:

  1. Working for a vendor would force my hand on what products I could recommend.  So, if I knew of a solution that was a better fit for a company, I couldn’t suggest it and stay loyal to my employer.  That was a negative for me.
  2. Working for a reseller could possibly force my hand to some degree on what products I can choose, but at least I would have a bigger pool of products from which to work.  That was a positive for me.
  3. A negative that comes from number two, however, is the fact that many resellers are nothing but vendor sluts and will sell anything to make a buck.  I am not averse to making money, but I believe that if you are a reseller, you should be able to support the products that you sell.  I really did not want to get into the whole “we’ll take you to a ‘Stros game if you put our box in front of your client.”  I’ve been there, and I don’t want to deal with that again.  It just ain’t ethical.
  4. I wanted to work for a company whose focus is security, but I wanted an organization that was diverse enough in that field to offer other opportunities in the future.
  5. Another negative that often comes with vendors and resellers is high pressure sales.  I did not want to work for an outfit that constantly called the client asking when they were going to cut a PO.  That reflects badly on everyone that works for that organization, no matter if you are a sales guy or an engineer.
  6. I wanted to work for an outfit that had a good reputation, plain and simple.

Taking these factors into consideration, I looked for a company that could pass muster on most (preferably ALL) of these areas.  I also preferred a company I had done work with in the past, since I would have a good feel for them and would not have to rely solely on others’ opinions.

The first factor would be the hardest to pass if I went to work for a vendor.  That is because I don’t know of ANY vendor whose products fit every company in every situation.  There just ain’t no such animal.  And even though I interviewed (and ALMOST got the job) with a big vendor, I still had some hesitation because of this.

So that left me with a reseller.  I wanted a company with higher standards, who didn’t sell every possible product, and who could support what they sold.  That led me to Accuvant.  I had worked with them in the past, and to be honest, I never bought a single product from them.  To be clear, that was not because they lacked the skill to sell or didn’t have any products I wanted.  It almost always came down to timing (I met them when I was looking at outsourcing some security tasks, then they came in with a possible SEM product after I had already purchased another) and their lack of full time staff here in Houston.  But their sales guys and engineers were always willing to help out, and they NEVER pressured me to buy.  They were diverse in their offerings because they could do security consultation and implementations of technologies.  And to top it off, they also had a great reputation in the industry, both from vendors that they partner with and with other security managers that I dealt with.  So, they basically fit all my criteria.

Now this may sound like a commercial for Accuvant, and to some degree it might be.  But because this is such a big thing for me in my career and this blog, I wanted to explain the decision of the company for which I decided to work.  Also, many of these reasons for choosing them as an employer also work when you are looking for a reseller or consultant, so for any of you security managers out there who need a quality security company to help out, they might be a good choice.  And if you are in Houston, you will get me as your top notch security engineer! :)

Vet

Posted by Michael Farnum on Sunday, September 10th, 2006