Thursday, 29 November 2007

More mainstream by the minute

I'm not going to spend long on this because I'm having a break from all things work related, and that includes my blog, but Hoff deserves a special 'hoorah' for this article.

It's nice to see people sitting up and listening to data security. Chris, this is for you: "Hoorah!"

Tuesday, 27 November 2007

Taking a break

The rent on my flat in Barcelona is nearly up, and I've still got a few cupboards full of trinkets, and books. An unbelievable number of books. My wife is a reader, not in the sense that normal people are readers, reading maybe a book a week - which until I got married I thought was going it some. No, she will read a book a day, sometimes 2 or 3 if I'm neglecting her and working. I know Spain must have been hard on her (didn't understand the TV, and no-one else spoke English) because I now have to import the equivalent of the British Library back across Europe in a couple of suitcases.

Rather than making a few trips over and trying to ram it all in suitcases, which would take a thousand trips anyway, I'm going to take it easy and have a break. I've been in San Francisco, Paris, London, Manchester, Trowbridge (yes, there!) in the last couple of weeks, and I'm shattered. Frankly I don't want to take another flight, but I'm still paying for the flat in Spain, so I may as well make use of it. I'm still on call, but I'm going to tune out and drop off for a few days, try and recharge my batteries.

I've got to go to Norway and Gibraltar before Christmas (not to mention Runcorn) anyway and I need some sleep right now. Not sure Barcelona is the best place for it, but it's either that or imploding at Christmas, and I did that last year after an operation which left me open to infection and what felt like food poisoning - only without the pleasure of food beforehand. I'd rather chill out for a bit and gear up for January. Now that's going to be exciting - more business than ever and hopefully a new member of staff - hooray, half the number of back breaking plane trips, half as many support calls and only one salesman to deal with each.

What's the betting it doesn't work out like that?

Thursday, 22 November 2007

What's happening to Data Security?

It's been a bad week for Data Security. First of all, on Tuesday, Alistair Darling, our illustrious Chancellor of the Exchequer, had to stand up and apologise to the entire country for losing 35 million records from HMRC (Her Majesty's Revenue and Customs), our version of the IRS, and the NAO, or National Audit Office. Apparently it was down to 'junior staff' walking out with names on disks. Isn't it always?

Secondly, and I'm allowed to talk about this now, because, like EVERYONE knows already, NeoScale are in big trouble having put all their financial eggs in one MTI-shaped basket. Doh. Rich Mogull covers this better than I will even attempt to, and I'm slightly uncomfortable in knocking them, being as I am, in the same industry and working for a major competitor.

Things were looking up after Vontu were acquired, and I thought data security was in for another golden age, but maybe the message is still too bloody slow in getting across the Atlantic. Bad government in the UK is a given these days, it's why I left in the first place, sadly I had to come back. However, bad business management on the other side of the pond is really surprising to still see. I guess some tech companies are led by techies, and some are led by businessmen.

Saturday, 17 November 2007

Channel vision

I've talked before about Cisco and how they hit the market at exactly the right time with the right product. But these guys never needed distribution networks like the UK channel, they created the UK channel. The world NEEDED Cisco kit. There was nothing else, computers were booming and networking was king. The channel sprouted up out of nothing almost overnight to cope with demand, pure and simple economics.

I've mentioned Juniper and a million other "second phase" technologies as I will now be referring to them as. These are the ones who took advantage of the newly created channel of distributors and resellers to sell a whole new set of technologies, built on the holes in the existing ones. Now the economics began to work differently, the channel had to get smarter, employ people who understood the technology and 'add value'. How many distis and resellers are now called 'value added distis or resellers'?

Many of the people driving these sales from the US had been responsible for at least part of the first phase too. This is where they cut their teeth, watching the millionaire being made, and doing it for themselves in the second phase. The second phase is now mature, many technologies are being acquired, resellers and distis too as everything amalgamates into a giant Googlemonster. However, this leaves us with an interesting development.

When I left the channel some months back, despite some great people and reasonably interesting technologies, I felt as though the brakes were on. I thought there was more value in being a technology leader. I aimed way over the top as it happened, too visionary for the UK market right now at least. All this did was confirm one thing, the channel was too 'safe', or as I said back then, stagnant.

The problem is, the people who have come in under the value added generation have been led to believe that there is a set way of doing things which just works. And to an extent it does. Juniper did very well out of the current distribtution model for example. However, Juniper are now the Cisco of yesterday, becoming self sufficient. There is very little value that the old-style channel can add.

So what happens? The channel gets bloated and filled with marginal value adding, carrying already fat technologies because the status quo isn't being changed.

My friend wants to change that, and so do I. They are bringing new technologies in in the old way, helping small companies to grow, not already established ones. The new way is just the old way in a new hat, but it took it being waved under my nose to recognise it.

Friday, 16 November 2007

Computer Weekly article

The title wasn't quite what I'd put, but I guess journalism is sensationalist these days.

Here's the article I've been promising for a couple of weeks, and fits in with a lot of what I've been writing the last few days.


Security goes mainstream

Who saw Dilbert today?

Just call me Mordac.

Wednesday, 14 November 2007

A moment of clarity

I was having lunch with an old friend the other day when I mentioned what a great response I'd had to the recent articles I've been doing on US and UK sales. The friend in question just happens to be the man who employed me in my last stint in the UK channel, and he was interested to know more. He has since left the same company that I worked for and started again, doing it his way.

He mentioned to me that the channel seemed to be getting very stale for a lot of the smaller technologies, which is why he started small again. My mind flashed through a thousand posts at once and suddenly everything seemed to make sense.

I've bemoaned the fact that security is stagnating here before. Richard Stiennon took me to task for it, and even compared me to Mike Rothman, which was very hurtful (joke Mike!). I remember thinking at the time it was unfair, because whereas Mike had been pontificating a bit, I was genuinely struggling to see where we would go next as a reasonably sophisticated market started to dig its heels in.

I spoke to another friend of mine from the same distributor not long ago, and he practically whined that no-one was buying anything. He blamed everything from sub-prime mortgages to the exchange rate to Gordon Brown, which no doubt all have their faults, but I'm pretty sure stuff is still being sold. I'm so busy personally that I can't even arrange a doctor's appointment to fix my DVT. We have a great product and a really good team in the UK, but that doesn't mean we created a market from nothing. The opportunities are out there, you just have to stand out from the crowd.

Tomorrow I'll be covering what we talked about in more detail, and yet another view of the channel.

Pitfalls of regional sales

Yesterday I started talking about the pitfalls which sales based organisations coming into foreign regions often fall into, and in doing so uncovered that it is not just US companies coming into the UK and Europe, but UK ones moving into Europe as well. The good news is, it's salvageable.

Not everyone loves a 'have a nice day', 'thank you sir', 'right away ma'am' attitude to sales. My skin crawls when I listen to some sales people on calls. Sorry, I know that's the way it works over in the US, but over here, people are not only numb to it, but resistant. We need to think that people are interested in us, and in their own product. Insincerity seems to be a way of not being rude in the US (when was the last time "Have a nice day" actually MEANT anything?).

In Europe it comes across as vacuous and disengaged. Try that with a German and they will politely leave the call as quickly as possible. A Spaniard will probably not be quite so polite. I know there's at least one Frenchman reading this, so I won't go into what he'd do, needless to say I've experienced it and it wasn't pretty for the guy on the other end of the phone.

I'm probably making myself unpopular here, so moving on...

Will cold calling cover enough ground, are there are lists of contacts available, etc?

Quite simply, there is no replacement for having a man on the ground in a country. If you can't be in every region, make friends with your resellers, give them discounts, be good to them, don't whine at them, don't tell them they aren't achieving enough, just be nice. Which brings me to my next point.

People need a good whipping to get performance.

OK, most people don't do this, it's pretty 80s after all, but it is something many US CEOs and sales directors have been guilty of, so worth mentioning. If you incentivise responsible people, you will get results. If you kick responsible people, they will put up barriers. If you incentivise irresponsible people they will either take advantage of you or do nothing. If they take advantage of you, your incentives are set up wrong, or they are guilty of fraud (I've seen this too, on a massive scale - more later...). If they do nothing, they get nothing. Be nice, get results.

Once it's all set up, it still needs running.

The difference here is micromanagement and proper handing over of responsibilities. You can say 'I don't micromanage' all you like, but if you don't even know what your people are doing, you aren't managing at all. On the other side, if you have your fingers in every decision in every country, you are not only a pain to your employees, you are a bottleneck to your business. Be clever, empower people, give them boundaries, not just "you're responsible for this, you do it, or else" - that's poor management, and you will lose their buy in.

"You're the Product Manager, you do X, Y, Z, if someone comes to you with anything outside this, pass them over to me or the Sales Manager" for example. "If you get a complaint, if it costs less than $1000 to put right, you have absolute permission to do whatever it takes. If it's getting more expensive than that, get me involved." should take care of 90% of issues. It empowers.

These are just the views of someone who has dabbled in these areas, with a little help and advice along the way. I don't pretend to know everything, but I do listen to what I'm told. And that's all I'm reproducing here. My father quotes Sir Isaac Newton in his book Sales Strategies - "If I have seen further than others, it is because I have stood on the shoulders of giants." Which loosely translated means "I didn't do any work, I just read a load of stuff and put it in a sensible order." Clever chap.

*** many thanks to Sam Van Ryder of AlertLogic for his guiding hand and proof reading of this piece, who also deserves a mention purely for having one of the coolest sounding names ever (although heaven forbid he ever marries Minnie Driver, or anyone called Laurie) ***

Monday, 12 November 2007

Not on your doorstep - selling into 'other regions'

I've been asked by a few people to expand on my post of last week about US companies moving into the UK and other regions. I only touched lightly on the 'other regions', the reason being that although I have worked extensively in Europe, there are many people more experienced in each country and separate region. The only country I have only ever lived in other than the UK is Spain, although I have worked extensively in Ireland, Germany, Italy, and France too. I am currently embarking on work in the Nordic region, and Ingrian has accounts in South Africa and the Middle East which I will be working on soon.

Again, much of what I've noticed about sales in these regions is common across them all, but there is still a channel setup in each country which needs to be understood on an individual basis. By far the best way to address this is to find resellers in each country who do what they do day in and day out. You will never be able to cover the ground they do, get the contacts, understand the market , and most important of all, speak the language as they do.

This brings me to the additional assumptions which US businesses typically make in trying to break foreign markets. Everything I wrote previously still stands, and stems mainly from the fact that these countries are not on your doorstep. And I'm sorry if some of this offends, but many countries are not as friendly towards the US as the UK is. Hell, many countries are not as friendly towards the UK either. The biggest barrier of all is our inherent arrogance, which we should be forgiven for once we realise it.

English is the international business language.

Wrong. English is the international language of the boardroom. The international decision making language if you will, but the language of business is the language of sociability - and that changes whichever region of whichever country you are in. If you can mix with the people you are selling to, you stand a far greater chance of getting your product accepted, simple as that. I have sold some relatively weak products to people just by being friendly, and missed out when younger just because I was scared of socialising with people who I assumed knew more than I did. (They undoubtedly did, but they rarely find out in my experience.)

If you think English is the international business language, try selling something in France. Go on, try it. Didn't work did it? Because you don't speak French. I am currently in a deal with a very large service provider in France, I have never, and will never meet the person paying for the kit, and so it shall remain. We have a reseller talking to a systems integrator, who is talking to the end user. In French. The reseller speaks French to the SI, I speak English to the reseller and sometimes we misunderstand each other. However, by the time it gets to the end user, everything is as French as can be. Just the way they like it.

Language and culture can be intimidating, but need not be. Whenever I go to a new country I always find someone who is prepared to tell me everything about their little corner of it. Most people are happy to show off their knowledge of a place, the more cosmopolitan the better. I have a host of people who can show you the back streets of Barcelona just a phone call away, likewise Paris, Munich, Stockholm and Oslo. Just be interested and they will come to you.

There are many more pitfalls that can come from this ignorance/arrogance that we find ourselves unwittingly a part of, just because we speak English - and yes, English people are just as bad as Americans, in fact often worse because we are busy gloating about how bad the Americans are in the UK to realise how bad we are abroad. I'm guilty of it myself in the first post for not covering any other region than the UK (even though that's obviously the most important :0)

I'll cover the pitfalls tomorrow, and apologies in advance for having to generalise the rest of Europe into one region, but one post per country would take a little longer than I have free.

Saturday, 10 November 2007

Flying away

San Francisco is obviously sad to see me go, it's been miserable all day and shows no sign of letting me take off without giving me the bumps. For someone who spends a large amount of his life in airports, I am not the most comfortable of flyers. It doesn't help that I'm 6'6" (my wife will delight in telling you that this is a lie, I am in fact 6' 5 3/4") and seats are built for traveling dwarves. Fortunately I have been 'upgraded' to seats with more 'legroom' on both the inbound and outbound flights, but I still feel like a battery hen. It doesn't help that I always find the moron on every plane who sits in front of me and puts their seat back, ignoring the fact that my knees are already up around their ears.

I asked about upgrading to business class on the way back this time, as even if the company wouldn't cover it, I would happily part with a few hundred dollars for some comfort. Apparently this isn't possible on a code W ticket from United Airlines, and that's that. No explanation, no offer to buy a completely new ticket even. When I asked, they said no, the plane was too full, but they'd put me on a list. Great. I have a feeling that in about 12 hours time I'm going to be walking off the plane in London and having a massive thrombosis related coronary. Still, maybe then I can sue United and get upgraded to 'monkey' rather than 'chicken'. At least I'm not in the 'pondslime' economy class still.

Really I don't understand why airlines can't just sort their act out, take out a few rows of seats, put the prices up another $50, we wouldn't even notice. I stopped short of throwing a hissy fit because the English have a bad enough reputation abroad as it is. My wife may not be able to hold back for as long. The seats we managed to get in the end are not together, and not on an aisle. All this we turned up 3 hours early for. What a waste of life. I hate airports and I hate flying, so to examine my life you might think me some sort of masochist. Sadly, to get to meet interesting people, you can't stay housebound, hell, you can't even stay in the UK for long before you run out.

This month I will have taken 13 flights from 1st to 30th:

Southampton to Manchester and back, 3 times = 6
Southampton to Paris twice and back once totals 10
San Francisco and back totals 12
Out to Barcelona (coming back in December) grand total 13.

These are all the ones I know about so far... of course there are still 2 unbooked days in my diary so far and I could easily end up in Patagonia for an afternoon. My carbon footprint is matched only by my actual footprint (size 13 UK - I think this is around size 26 US with the current exchange rate?)

So, despite taking a flight on average every 2-3 days this month I have remained relatively sane. How? Well, it sure as hell beats working.

Friday, 9 November 2007

5000 miles and counting.

I mentioned in a previous post that US companies trying to break into the UK make the same mistakes over and over again, and that there are a few things which 'they' just don't seem to understand. I have an article coming out in Computer Weekly on this very soon, so I need to be careful I don't repeat myself too much, but basically there are a few pitfalls:

The UK market is not an extension of the US market.

Just because a product has worked in the US, does not mean it will automatically work in the UK. The laws in the UK are different, compliance isn't taken as seriously yet, there is a different attitude towards legislation and whilst less technology savvy in general, people are less easily led by advertising and will need something proven to them before they part with their hard earned cash.

If you don't know the UK market, you are destined to fail.

Many US companies will happily send an experienced sales guy out to the UK in an attempt to kick start things. Many will succeed, but in the meantime poor old Mike (all American salesmen are called Mike, don't tell me any different) is having triple bypass surgery at the age of 35. Many others will use a recruitment agency to find them an experienced sales person in the UK, at great cost, to help them out, without doing any market research.

Unless the product you have has such a high price point that you only have to have one or two accounts to become viable, sales needs to be done locally, and with local talent, people who know the market, and how to exploit it. This is the area which distribution tries to exploit.

The UK channel (distribution and resellers) exists because of the US attitude towards the UK market.

Very few people looking out from the US understand this. This is because the channel has grown up from the state of the market, it is not there to serve, but to feed from the US. Because no US company can set up a UK branch with any clear knowledge of how they are going to fare, they use agents, these agents pitch to resellers who are offered large discounts. When the resellers have made the solution viable, they can pitch to distribution, who will get even larger discounts to bring in even more resellers. Then the product becomes much more widely distributed, but the product is tied to a distributor unless the company becomes so large and successful that they can start manufacturing in the same region.

The channel is not as reliable as they would like you to think.

Some resellers and distis are better than others, in fact the quality of work is extremely variable. Not only that, the turnover of staff inside these places is staggering. A company who did well for you 6 months ago could be staffed by entirely different people now. Are you doing your checks on them from 5000 miles away?

The channel is not as exclusive as they would like you to think.

At the risk of incurring the wrath of a few resellers and distributors, what they do is rarely unique. Many of the top distis and resellers are now so close in their offerings that it is only acronyms that differ, not the service levels or support.

Incentives work differently in the UK.

Try starting a Beta program on the West Coast and you can easily come up against issues. People expect more out of your product, and they expect it to work. Not so in the UK, but you have to warn them. Beta programs can be much more successful, people expect discounts, but are very pragmatic in relation to the quality of code if warned in advance. In the US they expect perfection and immediate service. Britain grew up on British Rail. However, running a Beta program from 5000 miles away is not possible.

The UK market needs to be built again.

Just as you had to build up awareness of your product in the US, so we have to build awarenesss in the UK. If that took 4 years in the US, it will take 4 years in the UK. You may have seen me refer to the 4-6 year market lag between the US and UK before. This is why it happens. Those which take 6 years usually had a false start somewhere along the line, or a hard technology to punt in the first place.

This last point broadly covers a lot of issues. Think about business drivers, they are not the same. Think about the sales message. Think about the marketing message. Think about the support. SLAs, maintenance, delivery, replacement, etc. You can't just do it from 5000 miles away and expect it to go right just because you managed to do it in the US and you're really angry because it's failing.

I've seen a successful company lose momentum and practically disappear because of it's lack of vision in this area. I've seen a very small company make itself look like a huge corporation because of their clever use of ideas. I've seen some very intelligent people look like lost children when faced with the UK channel and disbelief when the product failed to make a dent in sales. I've also seen people embrace and empower their staff to go ahead and do what they think is best in the region. So far these are the ones who are doing well, but I still can't help thinking that this is an expensive way to do it.

Thursday, 8 November 2007

Security City

San Francisco is an amazing city, fewer than a million people living in a town which has everything you could possibly want. Like Barcelona, the city centre is a couple of miles away from the beach. Unlike Barcelona, they speak English here, so I'm able to get around much more easily.

I've impressed myself by driving everywhere in a car which I can only just squeeze into, and on the wrong side of the road. It takes a lot of getting used to and I'm still reaching for the door handle when I should be changing gear. Fortunately it's an automatic, so I'm not changing gear that often, or San Francisco would be a much more dangerous place.

I've also been fortunate enough to meet up and chat with some great security guys whilst I've been here. On Tuesday Walt Conway took a detour on the way home to meet me for a glass of wine and an hour or so of generally quite silly talk, which I enjoyed immensely. Yesterday I finally got my phone call with Rich Mogull having missed him in the morning due to a Daylight Savings Time mishap. We spent another hour or so talking variously about encryption, DLP, DAM and all things datacentric, including the new blog, which I am hoping will contain some of his wisdom soon now I've activated his account.

Sadly my stomach turned late yesterday afternoon and having arranged dinner with Mike Dahn and his wife Amber, I had to cancel at the eleventh hour. I then hit my bed like there was no tomorrow. Fortunately there was and I was able to meet Kevin Rowney from Vontu today - a happy man with a lot of very interesting things to say. Happy because Vontu have just been bought, interesting because he is in the same line as me, but also very considerate to my wife who came along and was equally charmed by him. I'm really pleased to have him contributing to the datacentric blog too, he says there are 'a thousand people cleverer' than him, but I doubt it. And if there are, they certainly don't have the ideas per minute rate that Kevin does.

A bit of insider info here, and sorry Kevin if this is kiss and tell. Kevin told me that he set up Vontu after a company he was with in 2001 went down the pan after the dot com bust, and Kevin, not wanting to "seem like a loser" to the woman he was with at the time, started his own company - Vontu. I didn't like to pry into whether he was still with the aforementioned woman, but seeing as it was all explained in the past tense, I rather thought not. I'll bet she's kicking herself now. :)

*** CORRECTION *** Kevin contacted me today to let me know that the woman he was with is now his wife and the mother of his child. Apparently he made a subtle gesture towards his wedding ring as he told me the story, which just goes to show that subtlety and jet-lag don't mix. Sorry Kevin, and more to the point, sorry Mrs. Rowney.

So tonight I'm hoping to catch up with Mike and Amber again, to prove that I'm not an ungrateful bastard and that I really want to see them. Well, I really want to see them anyway. Tomorrow I've promised my wife that I'll spend the day exclusively with her, but I just had an email from Anton Chuvakin...

*** Further additional comments *** Finally got out with Mike and Amber for a lovely Thai meal last night. Anton was in Chicago, so maybe next time I'm in town.

Monday, 5 November 2007

What Security Man did next...

I'm very interested in start ups. I like the idea of the geek inheriting the earth, an intelligent idea and some hard graft being enough to pave the future with gold. I like the business side, the deals that are done by being normal, nice, not smarmy or aggressive (salesmen please note). I like the technologies, the ones I've followed for years, Vontu being the most recent example, seeing them turn from unusable ideas into well marketed, coherent messages.

I hate being pressured into things. I hate my time being wasted. I hate worthless crap being peddled as the next big thing. Poor marketing, poor sales and boring technology is easy, I could do that on my own (and most probably would).

There is still one area in which I feel I have had experience that few others have. Not just in data security, although I'd like to meet one other person who has qualifications in nCipher, Ingrian, Vormetric and RSA. I also have qualifications from F5, Network Intelligence, Bluecoat, Infoblox and probably some others I've forgotten about along the way. In short, I find it all pretty simple to understand. Before I was a product manager however, I couldn't have told you whether one was more valuable than another, whether one would take off and another fall flat.

Having worked as hard as I ever have done as a PM, I now know what it takes to produce a winning product, and it isn't just hard work. Communication is a key factor of course, as in any business, but knowing your market is vital. Many US companies don't understand the UK and EMEA markets. I'm back now helping yet another US company break the UK, and the patterns are always the same. It seems to me that there is a market for this amongst other US technologies. If only I could bottle it once and repeat it over and over.

7 Stages of Security Man - Part 7 - Making it my own

Now I don't pretend for a second that I am at the end of my career, or even at the peak of my abilities, but I am at an important and crucial stage, and from here on in I get to make choices rather than decisions.

Let me put it another way. I have the experience of being a reseller, distributor, security admin for a finance house, an SE, a Product Manager and a Director. I'm currently in a job I really enjoy, basically in charge of 'technical stuff' for Ingrian in the EMEA region. People are queuing up to offer me work, and I am happy to turn them down. I get flown out to San Francisco with my wife in tow. I am honoured to count some security heroes of mine amongst my friends. In short, I have everything I want right now.

I sent a message to my wife this afternoon saying "The bloke we're having lunch with on Thursday just became a multi-millionaire, I am still not one" in an attempt to curb her over-enthusiastic embracing of the beneficial exchange rate. She sent one back saying "Oh, did you want to be one, I'm sure you'll manage" which I took to be encouraging, or wishful at least. Thinking about it, I'm not sure I do, it must be an awful lot of stress. Having what you like and liking what you have is much more important I think.

I think maybe the time is coming where instead of being Security Man, I become something else entirely. I'll never tire of security, but it's taught me so much about business that it seems a shame to ignore it.


Well well well. What have we here then? It appears that everyone's favourite DLP company (apart from EMC/RSA of course) has been and gone and sold themselves to Symantec for $350m.

Sometimes fate deals you a good hand as a blogger, and it just so happens I'm in SFO for the week. Even more fortuitously, I'm meeting Kevin Rowney - founder of Vontu and newly christened multi-millionaire - for lunch on Thursday. I think I'll let him buy.

I have to say I think Symantec have got a pretty good deal, hopefully now Kevin will take some time to contribute more to our new venture, the datacentric blog. I also need to apologise to Rich Mogull for saying that he was wrong when Kevin denied all activity with Symantec last month. But I'll do that on Wednesday when we finally get to speak on the phone as I'm in the 'right' timezone for a change.

7 Stages of Security Man - Part 6 - Direction

Luring me to Spain was not difficult. Barcelona was sunny in January, Basingstoke was wet and miserable. The MD was a passionate and intelligent Frenchman whose energy and pure drive to succeed would have had me join him in an exercise to sell ice to eskimos. Kinamik as a company is small and friendly, with various highlights (most of whom will be reading this, so to avoid pampering their egos I won't mention them by name). The salary to join was less than I'd had in the UK, but this was a minor inconvenience when weighed up against the cost of living in Barcelona and the kudos of being a company director at the age of 30. Director of Product Management that is.

I had always promised myself I would achieve this, and it is remarkable how little it seemed in hindsight. However had I NOT achieved it, I would have been quite disappointed in myself. I guess this is what people mean by life affirming? Whatever the case, it certainly didn't mean as much to anyone else. After all you can set up your own company tomorrow and be Vice President and CEO of Global Operations, but this was a personal thing, an achievement which meant something to me.

Work was hard. I spent long days in the office, often 12 hours or more, just to try and turn a small piece of software into a going concern. After about 3 months of this, things started to happen. More investment, interest from a large application server company, more employees. It was great, and it felt like we were achieving something very hard - to start a successful tech company from Spain.

Plans were afoot to expand into the UK, with me at the helm, and into the US, which we deemed absolutely necessary for survival. Things were looking brighter than ever. Then 6 months in, I received a devastating blow, a death in my immediate family back at home left me knocked for six. Despite the support of some fantastic people I felt the pull back home permanently stronger than ever. So after 8 short and exciting months I sadly packed my bags and returned home. No-one was more disappointed than I to be going. I am still in regular contact with the great people there.

The only thing which softened the blow for me was the position I now hold with Ingrian Networks. I had worked with Ingrian at each of the stages mentioned so far, we resold at the reseller, distributed at the distributor, competed at Vormetric, partnered at Kinamik, and finally they thought they'd grab me to see how I fare...

Sunday, 4 November 2007

7 Stages of Security Man - Part 5 - Management

I had craved a management position for some time, and getting it was somewhat of a coup for me. I was very quickly fast-tracked through an organisation where there were engineers with higher qualifications than I, but none with the breadth of experience, which was what was needed.

The security distributor I was employed by was being acquired by a much larger IT distributor, and the bigger we looked from the outside during due diligence, the better. I was made very high profile in a very short time. I wish I had started blogging then in hindsight, I had access to some of the best security engineers in the country, sales guys in every large SI, reseller and corporate in the UK worth talking about and all of them wanted to talk to me about security. In short, I had my finger on the pulse, and could even influence where security was going in specific and general terms. I loved it, and then we were acquired.

Acquisition is uncomfortable at the best of times. When you are a newly incumbent manager of people with more history in a company than you, it quickly becomes painful. When the overall manager who has employed you leaves, and then the MD, it becomes impossible to stay. I was offered a new position as a Product Manager in the newly formed company. It would have been easy, saying 'I think we should keep this and lose this' sucking up to vendors and resellers, etc. Real security easy-street, but it was not for me. I was losing the buy in of the engineers rapidly as more and more people left, and the new company wanted to use me as a figurehead which I was not prepared to be, it would have just pissed off too many people.

Luckily for me then, I was offered a job as a Product Manager in Barcelona at the same time. The choice was relatively simple, but with wide ranging implications for a newly married and settled man.

7 Stages of Security Man - Part 4 - Settling down

Working at Vormetric was fun, but I was never particularly mentally stretched. Whereas my previous job had been a constant learning experience I now had one product to learn everything about, or at least as much as I needed to sell it, which it turned out wasn't that much. However, I did start travelling, a lot. My particular most painful memory is flying to Munich for a 10am start, which meant leaving my house at 4am. I finished around 7pm in Munich and finally got back home to my cold damp flat in the UK at 1am the next day.

There wasn't much business coming in to be honest, and I had to take what I could, where I could, often at short notice. The market for file encryption in Europe is limited, it isn't really driven by PCI like database encryption is. It is very much event driven, and that is like looking for a needle in a haystack. Vormetric is a fantastic technology, but I think it is better suited to becoming a feature of something else as this is a much easier sale. Symantec (Veritas) would be the perfect acquirer as it is something they need and can't do as well themselves.

There was a lot of down-time between engagements, so around this time I decided to do something to keep me focused on security. Working at a vendor can make you very blinkered in one direction and I wanted a broader view. I studied for, took and passed my CISSP in 2 months. I wouldn't say it was easy, but I was in the right position to do it. I was very focused and knew what I wanted from it.

I had just moved into a new flat, a bachelor pad I suppose you could call it, although my ex-flatmate's sister was increasingly there, cramping my bachelor style. I suppose it's my own fault for proposing to her. It was around that point that I decided if I was to be a responsible married type, I would need to be a bit more home-based.

So, when I got a call from a local recruitment agent saying that there was a management position coming up at a distributor near me, I was really interested. When I went to interview to meet the Director of Client Services, I was immediately interested further. He was another genuinely nice guy, I knew I would get on with him from the second we started talking.

Saturday, 3 November 2007

On your doorstep...

I am. If you live in San Francisco that is. I'm staying at the Chancellor Hotel in Union Square all week.

More of my life story tomorrow, and maybe I'll pick another technology to write about now I'm here.

I was sitting on the plane opposite someone from Centrify, which is a technology I like very much, but he was too far away to strike up a meaningful conversation and I didn't like to say "I've been reading your PowerPoints over your shoulder" as an ice-breaker.

Maybe if someone from Centrify wants to get in touch I'll do something on them, but I'm meeting Kevin from Vontu on Thursday, so that might be a good one to follow up on too.

In San Francisco, the possibilities really are endless... but for now - I've just landed after a 10 and a half hour flight from London and an hour of driving around town looking for a way to the hotel. It's now 4am UK time. My head hurts. I need sleep.

Friday, 2 November 2007

7 Stages of Security Man - Part 3 - Confidence

I didn't particularly enjoy my time with the reseller, despite learning a lot about security. In fact, I think the fact that I wasn't enjoying myself was only saved by the fact that I really enjoyed the things I was looking at. The management was bad, I disagreed with the sales approach and my father ailed quickly. I was happy to get out, and planned to go traveling with my sister for a while, but as a last act of disappointment I was made to serve out my notice until the very last possible moment and missed the chance to join her in Monaco.
Thoroughly dejected, but full of interest in security and technology, I took a job as a network security administrator at a local MSP in Winchester, where I lived close to my mother who I had obviously worried about being on her own. The work was simple enough, but a fantastic ground for learning more about networks, security and most importantly, trusting people who I worked with. My boss at the MSP was a true friend, and has remained close ever since. He and his wife were at my wedding last year and we are still in regular contact.
I also had time to myself. I was doing shift work which allowed me to use the local gym in the mornings when everyone else was at work, or in the evenings before everyone got out again. I lived with a friend I had known for years, and we lived like students for a few months before we both stopped drinking. Neither of us has drunk again since for the good it did us! I also married his sister... last year sometime.
All of this lead to me becoming increasingly more confident with myself and in my abilities. My knowledge of the network became very broad, and my depth of knowledge in security meant that I was prepared for another challenge in the same area. I was beginning to get calls from recruiters (which now never stop), and when I got a call from Vormetric to be their SE in the EMEA region, I jumped at the chance.
They were interested in my previous experience with Ingrian of course, I was interested in the money. I'm still interested in the money of course, but now I also get to do a load of other stuff I picked up on the way too.

7 Stages of Security Man - Part 2 - Sentience

Having been in London for my first dismal job sufferance, I returned home to Winchester when my father became terminally ill in 2000. I was job-less and feckless (I didn't have a job and didn't give a feck) having lost all faith in human kindness at the bank, and didn't really want to do anything having had the news of my father's ill health.

My aunt was a careers officer for the local University at the time, and regularly sent me ideas of what I could try. I think she thought rather more of my abilities than I, or indeed any of my tutors had. One day however, I put my name down on the University jobs board, and received a handful of replies.

One such reply was from a guy who was setting up his own reselling business, and needed a technical person to help out. It turned out I had been at school with his wife and brother-in-law, and that was all the reference I needed. In the main we sold RSA SecurID and nCipher cards. We also dabbled in RSA Keon (urgh), Cleartrust (argh!) and various other minor annoyances. I quickly set up the network, saw in and out in rapid succession of around 10 sales people, learnt SecurID inside out, and got to grips with nCipher. At the same time my father became increasingly more ill and finally passed away in December of 2001.

Around this time however, we landed a large deal with nCipher, to install 20 cards at a large broadcaster in the UK. A company named Ingrian Networks (more of them later...) were using their cards in their new whizz-bang SSL device. They needed a strong reseller in the UK to help them conquer the market, and chose our little 4 man shop as it was at the time. I worked with the American SE very closely for some time, and we all thoroughly enjoyed ourselves. However, Ingrian did not see the sales they were expecting from us.

The relationship did not continue, but I was already out of the door by that time and on to pastures new. With my new found confidence in the network and now hooked on security devices, I joined an MSP, controlling financial websites across the world. Time to get my own back on the bankers...

Thursday, 1 November 2007


Interspersed with my 7 Stages of Security Man posts I'm going to be talking a bit about new technologies which I'm looking at at the moment. In fact, now that I have 'Data Centric' up and running, I'm moving all my sensible, well thought out, pure security thought over there, and keeping all the ramblings and opinionated rantings over here. I wonder which will get the more subscribers?

I like little west coast tech companies, especially those who go on to become big global ones, if I have stock options. I don't (yet) have stock in PacketTrap, but who knows how well this write up will go?

I had a call from a company called PacketTrap tonight, based out in San Francisco, where I am flying on Saturday, but sadly I'm probably too busy at Ingrian corporate to go and visit them this time around. I've said I'll catch them at RSA instead, by which time they will be launching the Pro version of what I've just seen.

When I first saw PacketTrap, I had to ask myself why anyone would buy it. It has a number of tools, ping, portscan, DNS queries, whois, WMI scan, etc. built in to one device which you can sit on your network - but when I was a network admin (more on that later) I had all those tools on my laptop.
Aha, and there's the rub.
Just as routers became necessary to take the load off machines in a network, now a completely separate and distinct device is needed to investigate and manage the network. It's actually quite neat, and that's what you want in a complex network, some tidiness.

Every customer I've ever been in to has asked 2 questions (amongst others of course, just 2 would be silly):
"How do I manage 'it'?"
"What kind of reporting does it have?"
Nowadays of course we have silly devices which collect all the logs and make them into pretty pictures, just because the CFO needs something to put on his wall. We have devices which report in real time and send emails to the CIO about who's doing what with whom, where and for how long, with which instrument, because he needs something to show to the CEO when he's asked what he does all day. Reporting and management are king, they will always be king because the C-suite don't give a monkey's about what the techies are doing, they just care that something is being done and they can see the results of that. If they can then use that data to make something more efficient, or to show the shareholders that they aren't wasting money printing off reports all day, then it's gold stars for everyone.

In Silicon Valley, with a great sounding team of people on board, this start-up should do well. I think they will get some useful feedback and if they take it into consideration when producing the next 'Pro' release, we will start to see them at shows and in a network near us. The messaging will need to be right, but as long as they remember that no-one cares how much work the network admin has on, and he can automate it himself, but the CEO, CFO and CIO have all the power and money in the company, they have every chance of making this work as a product too, then maybe we can slip in something useful for the poor admin too.

PacketTrap launches on 7th November 2007, go visit their website for more info. My work here is done.

7 Stages of Security Man - Part 1 - Emerging

I've been suffering from 2 complaints which I have since found out are called 'up to my eyeballs in alligators' and 'Blogger's block' - thanks to Brian Honan for that one. shrdlu has suggested I get around it with Primal Scream Podcast therapy, but I'm not sure anyone's going to download that. Brian came back with the suggestion that I write about how I got to be where I am today, and I wondered if it might be kind of therapeutic, cathartic if not chaotic. I've had quite a few jobs, so I'm going to serialise them and pull out a few of the security and life lessons I've learnt along the way. Enjoy.

I've been in security for about 7 years now, and in networking before that, so 'IT' for nearly 10 years, since I left University with a quite useless degree in Physics which I vowed never to use. That's not to say Physics in useless, quite the opposite, that is to say that I had given all I had to spare to Physics by the time I left, and the loss to both parties was not great. Einstein I am not, but you probably realised that by now.

In the early days of my career I worked for an investment management bank in London, with a million legacy systems and every new piece of equipment you could possible sell to an idiot in a suit. Investment bankers are a vendor's dream, rich and stupid, unbelievably arrogantly stupid beyond belief in the main. They are the helpdesk monkey's nightmare for the exact same reasons however. I was shouted out day and night-shift for various reasons such as WHY ISN'T MY PRINTER ON? Er, try the plug mate. CHANGE MY PASSWORD, NOW! I just did fella, you just locked yourself out again because your cAPS lOCK's stuck on. Et cetera.

I rapidly got bored of the arrogance, I can't abide being pushed around, especially when it is by people more stupid even than I. Banking was not for me, much like it isn't for the vast majority of people who have any self respect. Clever people, great: push me around mentally and I'll bow to your superior brain, but idiots beware. And so on to my second job.