Archive for the 'Security Reselling' Category...
Filed under Marketing, Security, Security Reselling
OK, Armageddon is officially here. Alan Shimel has made the comment that security marketing might not be "worth the paper it is written on". Holy crap.
Though I am just having some fun with Alan, this still makes me wonder if the comments from Greg Ness (quoted in Alan’s post) are right. Are the days of "entrapment marketing" over? I am not in the position of getting a thousand calls every day as a security manager anymore, but I do see a lot of those whitepapers still out there. I still get a lot of email asking me to download them. But Greg is also right that social media is taking over a lot for this. That is why I created a talk / presentation where I talk about how to use security blogs as research tools.
Marketers MUST recognize this trend. I still see a lot of old school marketers out there trying the old ways. These people are either not adaptable, or they just have been under a rock for the last few years. I get too much info on new products and trends from blogs for it to be worthwhile to download whitepapers that some vendor wrote. Just doesn’t make sense.
Thanks for the post, Alan. I am in Heaven!
Vet
Posted by Michael Farnum on Thursday, June 19th, 2008
Filed under Commodity Products, Security Consultation, Security Products, Security Reselling
I had a long talk with a client yesterday regarding IPS. They were setting up a nice sized extranet infrastructure to serve their clients, and they needed to build some security into the design before they implemented. They had already thought of a lot of pieces, and now they were looking at putting in IPS. They were already being courted by one IPS company, but they wanted to know about others and what the strengths and weaknesses were.
So as I started into the discussion, I diverged a bit from the pure technical discussion and talked about the view of the network as a whole. Basically, I tried to get them to look at the big picture of what they were buying versus just an IPS as a single silo. What I talked about was how the one IPS they were looking at was an excellent IPS, but I also told them that they really had no big advantage over any of the other big IPS vendors in the market. If you look at the Gartner chart for IPS, there are about 5-7 vendors in the magic quadrant. Basically, the product is a commodity, just like anti-virus and other mature products. Though some boxes have advantages over others, they all really can do the job. Most are able to protect multiple segments and can handle multi-gig speeds. Most have a default set of policies that are not very noisy and protect against the big threats. Most are HA capable. Most have fail open or fail close options. Etc, etc, etc. Some people might disagree here, and I understand that. One IPS might have a feature that another one does not that may fit a certain need. But I contend that in a general sense, none of the big ones really have a huge advantage.
So in that light, what are the factors you have to consider? Well, it really comes down to the intangibles. Let’s look at a few of those:
Is the company diversified in their product line? In today’s converging security market, that tells us whether the company is likely to be snatched up or simply disappear, depending on product quality and whether there is someone out there who has money and has a hole in their product line.
Product diversification may also mean that the company is trying to take a look at the network as a whole versus just one piece. If they have developed or bought different products that complement each other and are trying to bring them together in a way that gives insight into the network and allows collaboration, then that type of company is likely planning on sticking around for a while.
In this light, also look at management of the product. Though this is not exactly an intangible, it is still something that many companies don’t think about. What about the learning curve for your employees? Do you already have products from this vendor? If so, does this new technology fit well into that console, thus lessening the time your employees need to learn it? If a company fits the diversification example above, they might have a problem in this area. Of course, if they are serious about making it work, they might very well have an EXCELLENT console. Take a close look. You also have to consider the talents of your employees with this factor.
Another intangible is support. How well do they support their product, keeping in mind that the company with one product may be better at this versus the big one with multiple products?
There are probably many other factors to consider here, but the basic point is that when you are looking at a mature, commoditized product (this does not just apply to IPS, obviously), a decision should not be made on technical issues alone. Look at your business. Look at your risk. Look at your employees. Look at the vendor as a whole. Compare their position in the market to other vendors. How do they stack up? Do they seem to have tunnel vision, or are they trying to diversify? Make sure you don’t let your technical folks make the decision by themselves and then hand you a PO to sign. They may like the product in the short term, but you have to think long term. You might piss off the team for a bit, but you can use the decision as a lesson to help mature your staff.
Vet
Posted by Michael Farnum on Friday, May 2nd, 2008
Filed under DLP, Security, Security Products, Security Reselling
I took a class a couple of weeks ago on DLP (data leak/loss prevention). It was specifically the Websense Content Protection Suite (formerly PortAuthority). The class was very good because the instructor spoke a lot about how to position the product as well as the technical workings (good stuff for an SE to know). One question that arose was whether DLP was a security product. Now I have a very large definition for the term “security product” because I don’t believe that security can be stove piped like it was in the past (even a switch can be a security product because of its role in availability).
But the point of the conversation was this: do you implement DLP for purposes of protecting data from malicious activity, or do you implement DLP for purposes of protecting against inadvertent data leakage? Basically, are you protecting against the smart bad guy looking for stuff to steal or the dumb good guy who doesn’t know it is a bad idea to send credit cards in plain text?
I was a little mixed on my opinion on this one. I understand that you have to protect against the biggest risk. Most companies are going to experience much more inadvertent loss via SSN’s, CC numbers, customer info, etc. going out through email or some such method. And because of this, it makes sense to position this type of product in such a way that you are most likely to get a sale. If you go into a medium-sized shop that has a lot of customers but little-to-no intellectual property, then you are better off positioning the product in this way.
However, let’s look at a few other scenarios:
- Client A is a B-2-B company with no CC numbers, a little customer data, and a huge software app that they developed and is bread and butter to them.
- Client B is a publishing firm that has a new book coming out from a best seller and is afraid that someone will try to steal the manuscript before publishing.
- Client C is a law firm that has all its client data in a SQL db and has not set up any encryption tools yet. They also have an application that builds legal docs for them and holds the data in a flat file.
Here is where I see DLP having problems, at least from what I have seen so far (PLEASE correct me if I am wrong, especially Mogull). You might consider positioning it in such a way that shows it can protect against data theft rather than something protecting against inadvertent loss. Then it IS a security product in that sense of the term. But the problem I have seen thus far from DLP is that unstructured data is very hard to protect. It is just not as simple as making a hash of the data and looking for that in a signature. That type of data just changes too much, and the hash would get broken all the time.
Let’s take Client A. They are trying to protect their application, so they are protecting against their source code getting out. Source code is very unstructured, so it is the hardest for a DLP solution to protect. So Joe Programmer gets paid off by a rival company, and he starts shipping out the code. If he grabs the source code and just starts dumping it, then any good DLP solution will stop the dump. But what if he starts breaking it into pieces and puts it out a bit at a time? With some experimentation, he can figure out how much gets stopped and how much gets through. It will be time consuming, but he can get it all out without getting stopped. Of course, you hope someone notices the dump while he is experimenting and goes to see what is going on, but it is still a feasible scenario.
The same is true for Client B. A book is also a very unstructured document, and the same problems will arise.
Now look at Client C. The first part of the problem is a SQL database. That can be fingerprinted fairly well and prevention can be done very well. However, the second part of the problem is unstructured data, which leads to the same issue.
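The hashing problem described above, and the defender's side of the piece-by-piece scenario, as an added example that is not from the original post or from any DLP product: a whole-file hash stops matching after a one-character edit, while overlapping word "shingles" still match, and a per-sender ledger adds up pieces that each stay under a per-message limit. The shingle size, the 50% threshold, the sample text and all function names are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict

K = 5            # words per shingle (assumed value, tuned per data type)
THRESHOLD = 0.5  # assumed policy: alert at 50% of the protected content

# Constructed sample standing in for a protected source file.
PROTECTED = (
    "def price_order(order, customer): "
    "base = sum(item.qty * item.unit_cost for item in order.items) "
    "tier = loyalty_tier(customer.lifetime_spend) "
    "discount = base * TIER_RATES[tier] "
    "freight = freight_table.lookup(order.region, order.weight) "
    "return round(base - discount + freight, 2)"
)
# Constructed outbound messages.
EDITED = PROTECTED.replace(", 2)", ", 4)")  # one character changed
UNRELATED = ("Quarterly sales meeting moved to Thursday at ten, "
             "please bring the updated forecast for the region")


def tokens(text):
    """Lower-cased word tokens; punctuation and spacing are ignored."""
    return re.findall(r"[a-z0-9_]+", text.lower())


def shingles(text, k=K):
    """Hashes of every run of k consecutive words (a partial fingerprint)."""
    words = tokens(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def exact_match(outbound, protected):
    """The naive signature: one hash over the whole document."""
    return (hashlib.sha256(outbound.encode()).digest()
            == hashlib.sha256(protected.encode()).digest())


def share_of_protected(outbound, protected_fp):
    """Fraction of the protected document's shingles seen in one message."""
    return len(shingles(outbound) & protected_fp) / len(protected_fp)


class SenderLedger:
    """Accumulates matched shingles per sender across messages."""

    def __init__(self, protected_fp, threshold=THRESHOLD):
        self.protected_fp = protected_fp
        self.threshold = threshold
        self.seen = defaultdict(set)

    def observe(self, sender, outbound):
        """Record one message; return (cumulative share, alert flag)."""
        self.seen[sender] |= shingles(outbound) & self.protected_fp
        share = len(self.seen[sender]) / len(self.protected_fp)
        return share, share >= self.threshold


def demo():
    fp = shingles(PROTECTED)
    words = tokens(PROTECTED)
    # The same content sent as three separate 12-word messages.
    pieces = [" ".join(words[i:i + 12]) for i in range(0, len(words), 12)]
    ledger = SenderLedger(fp)
    return {
        "exact_match_after_edit": exact_match(EDITED, PROTECTED),
        "shingle_share_after_edit": share_of_protected(EDITED, fp),
        "shingle_share_unrelated": share_of_protected(UNRELATED, fp),
        "per_piece_share": [share_of_protected(p, fp) for p in pieces],
        "ledger": [ledger.observe("joe", p) for p in pieces],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The ledger only helps if messages can be attributed to one sender across channels and over time, which is a deployment question rather than a fingerprinting one.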
The other problem I see is protecting against streaming protocols. Store-and-forward protocols are very easy to protect against, but protocols like FTP stream data out, so by the time a solution picks up on the data going out, much of it is already gone. So if it is not some malicious insider but is Joe Hacker who got in and is stealing your stuff, then you will have lost some data and will likely not have anyone to go after to recover losses.
Anyway, these are some thoughts. I am sure Rich and a few other people have written about this, but I wanted to get those thoughts out that have been on my mind since I started working on this product line. I DO know that data, being the crown jewels, is what we have to protect. I also know that many people forget to look at permissions to data as well as where the data resides, which I see as a flaw in the armor many times. One of the products out there that can help with that in the Active Directory world is Varonis. Very good stuff.
Also, Accuvant is starting a data security practice, which tells me that we are taking it VERY seriously.
Vet
Posted by Michael Farnum on Monday, January 21st, 2008
Filed under Sales, Security Reselling
I had a discussion the other day with one of the sales guys I support. His contention is that it is the sales person / account manager that matters most in the customer relationship. Basically, SE’s come and go, but the important thing is if the AM stays the same. They are responsible for the relationship.
While I tend to agree with that, I also know that when I was in the trenches, I was particularly interested in the engineer because I needed to know that he / she could provide a sound solution and back it up with support (or get the support I needed). The AM was good for lunch, and there was the occasional AM that was fairly technical. But on the whole, I had problems if an engineer quit one of my VARs because I would essentially have to retrain the new VAR so they were knowledgeable about my environment.
So what do you think? Answer the poll on the right bar if you get a second. And I consider this poll entirely scientifically accurate, by the way.
Vet
Posted by Michael Farnum on Tuesday, October 23rd, 2007
Filed under Sales, Security Reselling
I have worked for three consultant / VAR types over my career, but I have never been pure pre-sales until this job. And because of that, I am always working very close to the sales people and even our regional director of sales. So I am getting very familiar with the end-of-month / quarter / year sales dash that happens. But up to this point, I have never been close to our VP of Sales during this time. Well, today I get to be in the same room as one of our sales guys, our regional director, AND our Eastern VP of Sales. And I have never laughed so hard (internally) in my life.
Calling sales people, telling them to go smack our customers and get them to sign POs. What’s our number now? Hey, just got another one for $7000 in GP!! WOO HOO!! Bob just got a last minute deal! Add another $3500 in GP! Damn, Susie’s account just pushed to next month! That sucks!
I swear, it is like being in a cat herding contest!
Of course, it is instructive for me as well. I have never been this close to the sales side of the house, so I need to soak this up so I can use it later in whatever job I end up in. If I ever go back to the trenches, I will definitely have more ammo to get better deals.
Vet
Posted by Michael Farnum on Friday, September 28th, 2007
Filed under Security, Security Consultation, Security Products, Security Reselling
I was at a client site the other day… Wait a minute. I just realized how often I open posts with that line now. I feel like Snoopy: It was a dark and stormy night!
Anyway, I was visiting a client the other day (yea, that’s better), and I was accompanied by my sales guy and a sales guy from a vendor with which Accuvant partners. My sales guy had invited the partner on the call, and then let me know a couple of days ahead of time that this was going on and that I needed to be there because the vendor’s sales guy was not going to have an SE available from his company. I am fairly familiar with this particular partner’s products. I have used them a lot in the past. But during the meeting, the conversation turned specifically to a particular product line, and it just so happens that I am not as familiar with this product.
So long story short, I basically had to admit in the meeting that I did not know the product line very well and I would have to do some research. Now the customer had no issue with that at all, but I could tell that the partner was none too happy.
Now generally, I could not care less about what partners think of me. I have been in trouble before with vendors, and I will be in trouble again I am sure. But in this particular incident, I felt like I had not done enough prep beforehand and had done a disservice to the partner.
Anyway, the meeting went forward and turned to more security-centric talk, such as where they should place IPS, etc. The sales guys got bored for a while because we got to whiteboarding a bit, but it turned out real well, and the customer ended up giving me some kudos because I pointed out some issues he had not considered. And several times during the technical talk I pointed out products that the vendor had that could help with certain problems. So me and my sales guy left feeling like the meeting went well, and I am pretty sure the customer felt the same. But I still am not sure what the vendor’s sales guy thought.
As a pre-sales engineer, I am expected to know product as well as have in depth security knowledge. Now I know which one I am better at (three guesses), but I realize the reality of these types of situations. But as a VAR pre-sales engineer, I am expected to know a BUNCH of products. It can be a little crazy at times.
So really this is just some thoughts on my blog about this. I don’t know that I have a specific point. But for some reason it just struck me to write about this.
Vet
Posted by Michael Farnum on Friday, August 17th, 2007
Filed under Security, Security Products, Security Reselling, Sheesh
OK, I am officially depressed. Here’s Richard Bejtlich’s impression of the state of security after one day at BlackHat:
My overall impression from the first day of briefings can be summarized in this manner.
- Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, “properly configured,” not running Javascript, or adopting any number of other current defensive strategies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.
- Detecting current attacks in “real time” is increasingly difficult, if not impossible. Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by “rich Internet applications” and frameworks. I realized that the “rich” in “RIA” refers to the money intruders will make by exploiting Web clients.
- The average Web developer and security professional will never be able to counter these attacks. Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it’s time to face the truth. There is no way to get “ahead of the threat” here.
Holy crap. What in the world am I doing then? I guess making money off some poor, ignorant bastards who have no idea that every effort we are making is totally useless. Well, I guess in order to maintain my integrity, I should just quit.
Sheesh.
Vet
Posted by Michael Farnum on Friday, August 3rd, 2007
Filed under Blogging Buddies, Security, Security Consultation, Security Products, Security Reselling
OK, now that I am settled in my hotel room in Dallas, I have some time to respond to Alan’s post calling me a hooker (like I said to Alan, at least he called me high-priced). I will also be responding to a comment left by a reader who goes by the name of Shaneo. You can read that comment here.
The first thing that strikes me about Alan’s and Shaneo’s comments is that they seem to think that selling products is what makes a person bad. Either that, or they think I was making that implication. Alan says:
To me Michael sounds a bit like an expensive call girl talking down on a lowly street walker. At the end of the day they are both working girls, who work hard for the money, but they are what they are. As long as Michael is putting the food on the table by selling products to customers, whether they be from a line card that Accuvant offers or from a specific vendor, he is selling nevertheless.
Shaneo says it like this:
You make me laugh! A VAR is still always a VAR - a sales engine. If you were an independent consultant and didn’t sell any product, then I could support some of your statements.
…don’t put yourself so high and mighty above all the rest…When you’re a part of the food chain.
I seriously do not get why they think that because I sell products that I am a whore. My point was never that selling a product was a bad thing. In fact, my point in the original article wasn’t even to attack vendors, though I’ll admit I was harsh on the vendors (not apologizing, just admitting). My point was that I, as the trusted adviser to the client, need to make sure that their expectations are managed so that they can make the right decisions. I made that point by saying that vendor marketing departments often try to make their products look like they can solve all ills and the client often buys what the marketing department says because they WANT to believe it.
When Alan asked me in a comment what I would do if I worked for a vendor, I told him straight that I would have to look hard at the vendor before I made a decision “because of the situations I would be in that would require me to sell a product that was not a good fit”. Do I think every vendor will try to sell something even if it is not a good fit? No. And I believe Alan when he says, “It is not some sort of pump and dump scheme over here.” But I also know that it is extremely hard for a salesperson (VAR or vendor) to turn down a sale, and it makes it doubly difficult when you are feeling pressure from above. So the temptation is there to push the product whether it is a good fit or not.
Now where Accuvant comes into play is that we look at the product that the client is asking about, and since we are the trusted adviser in the situation, we have the leeway to tell them the truth. If we don’t, then we can lose that status. Not a good idea for a company that leads with services, not product. And Alan, you asked, “if Accuvant did not have a product that was a good fit, would you send the customer to EnPointe, Cadre, Fishnet or another VAR?” Actually, yes, I would. And I can speak for most, if not all, of Accuvant when I say that they would as well. That may be hard to believe, but I think you know me well enough to know that I ain’t jerking you around. In fact, we have contracted with competitors before for stuff that we could not do because of lack of resources or whatever (and no, we did not make them wear Accuvant shirts and not tell anyone where they were from). We have done that because we place our customers first. If the competitor gets in and steals the business, then obviously we weren’t doing our job in the first place, and we deserve to lose the customer.
Alan also says:
Michael here is another example you cite. The vendor who is upset with you for bringing in his competitor in a deal. Of course he is. You would be too. In fact you are upset by it and you even say that your dander was up because the vendor admitted he wanted another reseller in there. You wouldn’t mind the vendor suggesting another reseller? See the point.
Well Alan, I see the point you are TRYING to make, but you actually miss it. Read my paragraph again:
But what really got my dander up was that I knew that the guy had not brought me in to the client. In fact, the client requested Accuvant (the client and I were old friends - we had worked at another reseller together). And in the course of the conversation with me, the sales guy got so flustered that he actually admitted that he had suggested another reseller first (a big mistake on his part that essentially killed his argument, no matter what my argument had been). This was just pure and simple dishonesty, and it irked me tremendously.
Go to the end. I wasn’t upset because he suggested another reseller. I was upset because the vendor was dishonest about saying that he had brought me to the deal when he had actually suggested another reseller first. That is what makes me wary of vendors. I have seen that kind of dishonesty time and time again, both from the reseller POV and the client POV.
Another Alan quote:
As long as you are getting paid to put products in at the customer, whether you make and sell them or just sell them, you still sell. As long as you sell, you are as guilty or innocent, moral or immoral as anyone else in the food chain.
This goes back to my original question. Why does selling make me guilty or innocent or immoral or moral? That makes no sense. It is not the act of selling that makes a person bad. Guilt and immorality come into play when the sales person or the marketing department or whomever makes false statements to make a sale, and that applies to the VAR or the vendor. And I know plenty of VARs who sell based on the best spiff that month. But everything I have seen from Accuvant since before I worked here and after I have been here 9 months tells me that we don’t follow that kind of crap. Have we had people collect on spiffs before? Hell yes. But it was not the driver behind the business. And if you don’t believe we are on the up-and-up, just ask a customer (thanks again, LonerVamp).
Alan again:
First of all Michael assumes that only someone like a VAR would tell the customer that a case study or lab result are “done in pristine situations”. Why would a vendor be disqualified from saying that?
They’re not. But do they? It is not in their interest to do so.
Mr. Shimel again:
Then he talks about telling the customer the truth about how long it takes to install the product. Do you think a vendor is going to lie about this? Especially if the vendor is selling install professional services along with the product.
Because it is often a bait-and-switch. Alan, I have seen this so many times it is impossible to name them all. In fact, one of your competitors in the NAC space does this very thing. In all honesty, I don’t think the sales person is actually lying. However, when he says the product installs in 30 minutes (OK, I exaggerated by saying 5 minutes), he is not telling the full truth. Does the product physically install in place in that amount of time? Yes. They are specifically trying to counter Cisco NAC because they have seen the uber-pain people have gone through trying to implement CleanAccess. But it takes time to determine the business behind the need for the product, create the policies to fit those needs, get the agent installed on all the workstations, etc. And yes, a security manager or administrator worth his salt will know the intricacies involved and will know that is a shortsighted claim. But the fact that he says it and uses it in every sales call creates the need for me to manage the customer’s expectations and let them know all of the other details of installing a product like this.
And if you don’t believe that this is a problem, let me tell you that I have had to convince customers numerous times that getting this product (and others whose salespeople make similar claims) installed is not just plugging in a couple of patch cables and letting rip.
Anyway, in the immortal words of Forrest Gump:
And that’s all I have to say about that.
I’m going to bed.
Vet
Posted by Michael Farnum on Wednesday, June 13th, 2007
Filed under Security, Security Reselling, The Channel
One of the Accuvant founders (Dan Burns) sent out a link to this little video gem. It comes from CRN. I watched it, and I promptly blew OJ out my nose. So here’s the prize, CRN. You earned it!

Vet
Posted by Michael Farnum on Sunday, June 10th, 2007
Filed under Security Products, Security Reselling
Judging by Alan’s comment to my Managing Expectations post, I think he is a little aggravated with me for picking on vendors. It probably had something to do with this comment:
…the marketing departments of companies typically make it sound like their product can cure world hunger and make you a sandwich at the same time it is keeping your network totally secure (and it does all that in a nice little 1U appliance that takes five minutes to install and configure).
Or maybe this:
So as the sales person and sales engineer (often the same person), it is imperative that the expectations for a product are managed up front. If the customer calls you in and says that the brochure for XYZ Security Widget says that it can perform a certain function, you have to be able to explain if the claim is true or not. You have to make it clear that often case studies are done in pristine situations. And you also have to clarify that the “setup” of the widget (yes, the one that takes only five minutes) in a network often means that it was simply screwed into a rack, plugged into the network, and assigned an IP address. There is usually little to no configuration done on the widget, and it is absolutely worthless in this state. You have to enlighten the naïve customer by telling him that trade rag product reviews are often rigged (it sucks, but it is true).
I was going to respond in the comments, but it got long, so I thought it was worth a post. OK, here goes.
Alan,
To answer your “what would I do working for a vendor” question, I would honestly have to look long and hard at a vendor before I would go to work there. Not because they are all a bunch of “lying no-goodnicks”, but because of the situations I would be in that would require me to sell a product that was not a good fit. I have interviewed a few times with vendors. One interview stands out because they asked me what I would say to a client if our product was not a good fit. I said that I would tell the client it was not a good fit, and the interviewer’s jaw almost hit the floor. He couldn’t believe I would say that. But how could I not and stay true to my morals?
I know I give vendors a bad rap, but I have a good bit of experience with them on the customer side and reselling side (this is not my first go ’round as a reseller). And many, if not most, push their product on everyone, no matter if it is a fit or not. And then they get aggravated at me for telling the customer the real deal. Since more often than not Accuvant is the trusted adviser at clients, I am not going to listen to grief from the vendor when I step in as a reseller and try to protect my customer. I just can’t afford to let a client buy something that is not a good fit. If I do that a couple of times, I am no longer a trusted adviser.
As an example, I spent 30 minutes on the phone with a vendor sales guy a couple of weeks ago on this very thing. He was griping at me because I was bringing in a competitor of his into an account he thought he had brought me in on. The reason I was bringing someone else in was because my client has an internal policy that they have to bring in at least three vendors of any one product before they can make a purchase. I explained that I could not refuse the customer, especially if he was specifically requesting that I do all the work. Again, if I don’t help my client, then my status as a trusted adviser gets hurt or lost.
But what really got my dander up was that I knew that the guy had not brought me in to the client. In fact, the client requested Accuvant (the client and I were old friends - we had worked at another reseller together). And in the course of the conversation with me, the sales guy got so flustered that he actually admitted that he had suggested another reseller first (a big mistake on his part that essentially killed his argument, no matter what my argument had been). This was just pure and simple dishonesty, and it irked me tremendously.
I am not saying that all vendors are dishonest. And I know that vendor product sales make up a huge amount of our revenue at Accuvant. But I would rather not be put in a situation where I have to choose between making my boss angry by not selling the product or convincing the customer that the product is what he needs when I know it is not. I just don’t know if I can work in the situation.
Having said all of that, I would really love to hear your deeper opinion on this matter. Obviously you have had a lot of experience working for vendors, and I want to hear your side on this and how you handle this kind of thing, what you teach your sales people, etc. I have heard that the vendor side of the house is great, so I want to know what the argument from your side is so I can keep from limiting my options for future employment.
Vet
Posted by Michael Farnum on Sunday, June 10th, 2007
Filed under Sales, Security, Security Consultation, Security Reselling
One of the biggest things I have learned since I have been in IT is that you have to develop the skill of managing customer expectations (to clarify, the term “customer” means the people for whom you are doing your job - clients, users, etc.). If your customer believes you can perform a service that you cannot, then you have not done a good job in managing expectations, and you will likely end up disappointing him and hurting the professional relationship.
From the sales POV, if a customer believes that a certain product can perform functions that it cannot, then the customer’s expectations have not been managed. The customer has to know what a product is capable of and how it will fit and perform in his network. If this is not fully explained, then the sale can turn into a disaster.
This is a hard thing to do when it comes to sales since customers often do research when looking into a solution, and the marketing departments of companies typically make it sound like their product can cure world hunger and make you a sandwich at the same time it is keeping your network totally secure (and it does all that in a nice little 1U appliance that takes five minutes to install and configure). And whether we like it or not, customers will often believe the claims because they want the claims to be true. They need a widget that will cure their ills, and many are short-sighted enough to try to find that widget.
So as the sales person and sales engineer (often the same person), it is imperative that the expectations for a product are managed up front. If the customer calls you in and says that the brochure for XYZ Security Widget says that it can perform a certain function, you have to be able to explain if the claim is true or not. You have to make it clear that often case studies are done in pristine situations. And you also have to clarify that the “setup” of the widget (yes, the one that takes only five minutes) in a network often means that it was simply screwed into a rack, plugged into the network, and assigned an IP address. There is usually little to no configuration done on the widget, and it is absolutely worthless in this state. You have to enlighten the naïve customer by telling him that trade rag product reviews are often rigged (it sucks, but it is true). You have to do all of this because you want to maintain the customer as a customer.
You also have to elucidate and educate because you will be trying to sell professional services to install the widget for the customer, and they are going to balk big time when your statement of work says 40 hours instead of five minutes. And they are going to balk again when you try to sell a training class that takes 4 days and costs $2000 a head.
So if you want to keep your customers, manage their expectations. Make sure they know what the real deal is. You will help them avoid many unpleasant situations (also, be sure to let them know, in a non-braggy way, what unpleasant situations you helped them avoid - they will appreciate it more).
Vet
Posted by Michael Farnum on Saturday, June 9th, 2007
Filed under Business of Security, Me, Sales, Security, Security Reselling
Well, I am back from our annual sales kickoff meeting. The week was rough, but the content was great, especially the last day (we had three of our top SE’s teaching our processes and how to be a more effective SE - the sales people were in there as well, so they got a good idea of what we have to deal with). I am more jazzed up now about working for Accuvant. The people I met were great. Everyone is stoked about 2007. I am convinced more than ever that this was a good move for me.
I know. Everyone is highly motivated by these meetings, and it will probably wear off. I agree to a point, but what you have to understand is that I have never worked anywhere that I felt like a part of something good. This is the first company that I am proud of being a part. It is a good feeling. Maybe that’s a little cheesy, but that’s the way I feel.
It was held at Copper Mountain in Colorado. Very nice location, but we never had any time to get out and enjoy it since we were in meetings the whole time. Oh well.
I could barely breathe up there. I think it is somewhere around 9,500 feet where we were staying. Since I live in Houston, which is about 6′ above sea level, I was completely unprepared for the thin air. I had a headache the whole first day and was gasping for air all night when I was trying to sleep. That REALLY sucked. I got about an hour of sleep that night.
I got used to it the next day, but I was so friggin’ tired that I still don’t remember much of the day. I slept like a baby the second and third night, and I was fine just walking around. Next time I will be taking as much of this advice as I can.
Vet
Posted by Michael Farnum on Monday, January 22nd, 2007
Filed under Business of Security, Ethics, Sales, Security, Security Reselling
A while back, when I was in the operations side of security, I wrote a series about how to be a good security admin / manager. It was fairly successful and got some good play out there in the blogosphere, so I figured that I would write something akin to those posts in a blatant attempt to drive more traffic to my site.
Oh yeah, and I, ummm, want to make a difference in the security industry, or something… whatever.
So, how to be a good SE. First, let’s define the term “SE”. In many to most cases, that term means System Engineer. In my case, it means Security Engineer. Both perform the same function, however. At least they do in what I am referring to here, and that is in their pre-sales role.
A pre-sales SE is often perceived as the salesperson’s lapdog, to be ordered around and told where to go and when to be there. This may be the perception, but it is almost always not the case. The real truth is that the SE is the one who follows the salesperson around and makes sure the salesperson is telling the customer the truth. For example: “No, Bob, this product cannot call down lightning and destroy hackers attempting to break in to the website.”
If you can’t tell, I have been reading “The Dilbert Principle”.
But in all seriousness, the reality is that the SE’s number one job is to protect the customer from making mistakes and buying the wrong product for their needs. That is also the salesperson’s job. And though I can say with all seriousness and honesty that all of the salespeople I have met at Accuvant truly are honest and try to protect their customers, this is not always the case out there. A salesperson has a quota, and they have pressure to meet that quota, and they don’t always have their customer’s best interests in mind. So the SE has to be that buffer. And when an SE meets with customers, he is EXPECTED to be that buffer that the technical people at the customer need.
In case you didn’t get that, I’ll type it again. The SE is EXPECTED to be the buffer. That means that the SE is expected to be honest in his appraisal of the situation. He is looked at as the guy who works for a living, just like the technical people in the trenches. He is supposed to be the guy who knows what the technical people are going through day after day, dealing with users, management, etc. Even if the SE has never held a true operations type job, he still will be perceived as such. That perception is what garners trust in the SE, and that trust CANNOT be broken.
What many people may not know is that pre-sales SE’s typically get bonused on sales (they don’t get the same compensation as salespeople, but they do not have as much at stake either). And just like salespeople, SE’s with VAR’s (like me) are often approached by manufacturers with incentives to push their product (these are often very good - money, electronics, etc.). This is called a spiff. These two things together can cause serious temptation for the SE to not make the customer’s needs the number one concern.
But if you are an SE, or are considering a move to this type of position, you MUST be able to resist this type of temptation. Notice that I am not saying it is wrong to accept these types of rewards (most of the time, you cannot take an SE job without the bonus, and I would personally think you are a little crazy if you didn’t take it - and taking a spiff is not wrong if you made an honest sale and kept the customer’s need on the forefront). But you must be able to look long term. The desire for an immediate reward must be superseded by the customer’s needs.
And when the SE does resist the immediate gratification, he will almost always see a long-term return that comes from a relationship with the customer because that customer knows he can trust the SE. It is often the case that once a relationship is established with a customer, the SE is the person who is contacted most. That is because the SE has direct knowledge and contacts with people who can solve the customer’s problems. So creating that bond of trust will lead to dividends for the SE’s employer, and the SE as well.
So all that in a nutshell is this: create REAL trust with the customer by keeping his / her needs first. You may have to wait a little longer for your reward, but it will be a greater reward after all is said and done. And just so you know, I do not mean only monetary reward. The reward of being trusted and held in high esteem is also a reward, and it can be more valuable than any earthly possession.
Vet
Posted by Michael Farnum on Wednesday, November 1st, 2006
Filed under Business of Security, SIM / SEM, Security, Security Consultation, Security Education, Security Reselling
I have decided to start putting down some of the day-to-day events with this new job. I think it will actually help stir my mind to blog more since I have not been writing near enough lately. So here goes.
I have actually been kinda bored since my recent job change. Though I have been getting in contact with our vendor partners and getting setup for training on products, the real action is out there selling and designing and proposing. I really want to get thrown into the fire.
Part of the reason I’m not out there yet is we do not have a sales person dedicated to the Houston market. We need someone badly because the guy selling in Houston is based in Dallas, and he has a lot to do up there as well as down here. However, he finally got down here today, and it got crazy quickly (be careful what you ask for).
The sales guy flew in at 9am this morning at IAH (Houston Intercontinental), but he didn’t get in my car (I was chauffeur today) until 9:25am, and we had an appointment in SW Houston at 10am. For those of you who know Houston, IAH is on the far north side of Houston, and Houston is BIG. I made the trip in about 25 minutes, which I was proud of.
Anyway, the talk was basically an introduction to Accuvant and what we could offer. This was my first real meeting with the sales pitch thrown to a client, so I learned a lot (I learned even more through the day). But to be honest, I think of the term “sales pitch” as negative. What we did today was, technically, selling Accuvant. However, Accuvant really has differentiated itself quite a bit from most “security” companies because of the unique approach to the industry. I have talked about it before, but Accuvant just seems to do things right. Yes, there are always going to be internal problems, but Accuvant just seems to be a company that takes customers seriously and at face value. We don’t want to walk in and just sell a box then walk out until it’s time for a maintenance renewal. We want to partner and grow with our clients, and this is no BS. I am really impressed by Accuvant, and I know this company is going to succeed even more in the coming years.
OK, sorry. Anyway, the meeting went well. We have some strong offerings in compliance and assessment, and the client seemed to take to that well (we were talking to IT risk manager and audit types, so they loved the ControlPath product we offer for keeping track of compliance, risk, etc.).
The next client is looking at implementing Infoblox, which is a pretty sweet product in my estimation. Infoblox offers simple and secure DNS, DHCP, IPAM, and RADIUS services in an appliance. I have seen the box and how it works. It is very simple. Many companies are replacing their Microsoft-based DNS, DHCP, and RADIUS with this product, and I am seeing some great results.
The next client was a partial introduction - I had previously worked at this client, so the intro was more for the sales guy and Accuvant in broader terms. They are a property-management company who deals almost exclusively with apartments. They are looking at wireless access for their tenants in new complexes, which is going to be fairly daunting for a lot of reasons that I won’t get into. Suffice it to say that they want a lot for little.
So after that client, we went to an established client that is looking into SIM / SEM (some call it SIEM) for capturing very specific events in remote offices and centralize it to corporate (insert Rothman negative comment here). We are putting Network Intelligence in front of them for the scalability and sheer EPS (events per second). To put it simply, I like this product. I might get into that at a later date.
Anyway, we left that client, located in Downtown Houston, at almost exactly 5PM. Not a good time in Houston. The sales guy’s plane left at 7pm, so, needless to say (but I am going to say it anyway), we were a bit rushed. However, we found out after we got on the road that, due to a LOT of storms down here today, his flight was delayed for over an hour, so we calmed down. Then, wouldn’t you know it, we still made it to the airport in plenty of time for the original flight time. I guess being relaxed during the drive helped me just go with the flow better, so driving was a lot quicker than I expected.
So, that’s my day. It was very busy and crazy, but I finally got in the mix. I have a lot of “action items” from these meetings, so that is going to help me get even more familiar with the products we sell. These meetings also helped me get down our philosophy (I think that sounds better than “sales pitch”), so I will be better prepared for future meetings with clients (especially since I know I will be mostly on my own until we get a sales person down here). Things are starting to pick up, so I got out of the house, and I am glad for that. I love my wife and kids, and they love me (or so they tell me), but we are all getting a little tired of each other right now!
More later.
Vet
Posted by Michael Farnum on Tuesday, October 10th, 2006
Filed under Sales, Security, Security Reselling
In my previous stint for a reseller, I was in the trenches doing implementations with very little pre-sales work. But now, in an almost pure pre-sales engineering role, I get the benefit of seeing things from a reseller’s point of view and the manufacturer’s point of view. Instead of having my head down letting all the sales people play their games, I get to be right in there with ‘em. And I am getting to see a world that I have never seen.
I knew there were a lot of things about the IT and security world that I did not know. I know there still are. But the distinctions I find between the end-user world (security and IT management) and the reseller and manufacturer world are spectacular. And to be honest, even though the differences are obvious, it is hard to put a finger on it. Really defining it is difficult.
I guess it may come down to the basic pressures of the job being different. A security or IT manager has day-to-day pressures of taking care of a network and the staff that runs it. A sales person (even a sales engineer) does not have that constant pressure. So the intensity in the look just doesn’t seem to be there. Yes, the sales folks have to meet quota, but that’s not a constant, daily driving force. Deals usually come in bits and spurts. Though the sales person always wants that next deal, the over-arching responsibility of a day-to-day operation is not there, and it shows. Even the sales engineer, who many times has been in the shoes of a security or IT manager or admin and has dealt with those pressures, knows that the anxiety of operations is not there, and it shows there as well.
I know I will learn more differences over the coming months as I get used to the job. And I know that I will not be able to share some of those differences (I can’t give away all the secrets - my boss reads my blog sometimes). But if I ever do get back into security management, I know the knowledge will serve me well. Not that I plan on leaving any time soon. This is too much fun!
Posted by Michael Farnum on Wednesday, September 27th, 2006
Filed under Me, Security Consultation, Security Reselling
When I was looking to make a move out of security management, I knew I had a few choices as to what I wanted to move into. I knew I wanted a pre-sales type of position, but I wasn’t sure about the type of company I wanted to work for. Should I go for a vendor, or should I get back into the channel? A few things came to mind:
- Working for a vendor would force my hand on what products I could recommend. So, if I knew of a solution that was a better fit for a company, I couldn’t suggest it and stay loyal to my employer. That was a negative for me.
- Working for a reseller could possibly force my hand to some degree on what products I can choose, but at least I would have a bigger pool of products from which to work. That was a positive for me.
- A negative that comes from number two, however, is the fact that many resellers are nothing but vendor sluts and will sell anything to make a buck. I am not averse to making money, but I believe that if you are a reseller, you should be able to support the products that you sell. I really did not want to get into the whole “we’ll take you to a ‘Stros game if you put our box in front of your client.” I’ve been there, and I don’t want to deal with that again. It just ain’t ethical.
- I wanted to work for a company whose focus is security, but I wanted an organization that was diverse enough in that field to offer other opportunities in the future.
- Another negative that often comes with vendors and resellers is high pressure sales. I did not want to work for an outfit that constantly called the client asking when they were going to cut a PO. That reflects badly on everyone that works for that organization, no matter if you are a sales guy or an engineer.
- I wanted to work for an outfit that had a good reputation, plain and simple.
Taking these factors into consideration, I looked for a company that could pass muster on most (preferably ALL) of these areas. I also preferred one that I had done work with in the past since I would have a good feel for them and would not have to rely solely on others’ opinions.
The first factor would be the hardest to pass if I went to work for a vendor. That is because I don’t know of ANY vendor whose products fit every company in every situation. There just ain’t no such animal. And even though I interviewed (and ALMOST got the job) with a big vendor, I still had some hesitation because of this.
So that left me with a reseller. I wanted a company with higher standards, who didn’t sell every possible product, and who could support what they sold. That led me to Accuvant. I had worked with them in the past, and to be honest, I never bought a single product from them. To be clear, that was not because they lacked the skill to sell or didn’t have any products I wanted. It almost always came down to timing (I met them when I was looking at outsourcing some security tasks, then they came in with a possible SEM product after I had already purchased another) and their lack of full time staff here in Houston. But their sales guys and engineers were always willing to help out, and they NEVER pressured me to buy. They were diverse in their offerings because they could do security consultation and implementations of technologies. And to top it off, they also had a great reputation in the industry, both from vendors that they partner with and with other security managers that I dealt with. So, they basically fit all my criteria.
Now this may sound like a commercial for Accuvant, and to some degree it might be. But because this is such a big thing for me in my career and this blog, I wanted to explain the decision of the company for which I decided to work. Also, many of these reasons for choosing them as an employer also work when you are looking for a reseller or consultant, so many of you security managers out there who need a quality security company to help out, they might be a good choice. And if you are in Houston, you will get me as your top notch security engineer!
Vet
Posted by Michael Farnum on Sunday, September 10th, 2006