10 Habits of Highly Effective Security Vendors #4-6

The previous installment of this blog series covered the first three habits in the top ten of highly effective identity security software solutions. This next section delves deeper into the canon, with more of a sales and business strategy focus. We'll get back to tech again next time.

HABIT #4: Stop whining about security budgets.

I read a blog post from a "shall go unnamed" vendor at RSA who stated (and I paraphrase) that the way to combat shrinking IT security budgets is to strong-arm the sale with your reputation. Epic fail. I hear many vendors complain that their customers always have budget for compliance, but never for security. The inside strategy (not one they share outwardly, of course) is to scare the customer into buying with the threat of a hack, legal repercussions, or plain ignorance of what might happen to them if they don't buy and implement. See my earlier post if you want to know how that fails to tick any of the security vendor reputation boxes.

Ironically, these customers always find money for salaries, marketing or new customer acquisition strategies. Why is that? The answer is those efforts MAKE them money and BUILD their business. Security solutions could be thought of in the same fashion if developed, pitched and packaged correctly. Security solutions should not be considered merely IT overhead, wasted "insurance" coverage, additional cost per user, and so on. Hear me on this: SECURITY SPEND SHOULD BE A NET GAIN ALL AROUND. That's right. The sale and implementation of identity security solutions for web, cloud and mobile applications should net value for both the buyer and the seller, period. If this approach became the default posture of security vendors, the customers would follow suit.

An innovative model by which security should be sold or provisioned is as a utility - the most efficient deployment and most cost-effective consumption model there is. Customers only pay for security when it actually secures them and their users - within the context of an actual money-making or business-building transaction. They don't have to "pre-spend" on layers and layers of professional services, seat licenses (for users they may not even have met yet - see last blog), additional support costs, upgrades, infrastructure, etc. Even the so-called "cloud" security vendors I see who tout their wares as SaaS security are merely shoveling their traditional 2FA products onto a server and selling seat licenses, support and other hidden costs. Being in the cloud does not make one of the cloud.

So - rethink your sales model. True SaaS provisioning and utility- or performance-based pricing will erase the objections that so often stymie traditional "security solution" sales efforts. If you are truly adding value or freeing customers from risk, they will buy.

HABIT #5: Think before you federate.

Not everything should be federated. However, everything should be interoperable, open, standard and connected. I take great umbrage at the widespread confusion among the market players as to the difference between identification and authentication. In the sense used here, identification is passive: a party accepts a self-reported claim of who someone is because the presented credentials match a stored, previously accepted copy of them. Authentication, however, is active: it independently verifies that the identity, the credentials, the manner in which they are presented and the sources (including the validator itself) are genuine for a particular context. The latter is usually only achievable through proper triangulation, or via a third party with no "skin in the game" as to whether the context is valid or not.

Identification is a fantastic candidate for federation, i.e. sharing among parties from disparate sources and destinations. Solutions like OpenID, Google, Twitter or Facebook logins, and the host of clone SSO wrappers are wonderful for making the act of identification smooth, usable and scalable. It's a win-win - users don't have to retype and re-present credentials over and over, and sites don't have to store them. But this is NOT authentication.

PCI compliance and other regulatory rules (as well as common sense) require a second factor (2FA) or additional layer of verification on top of those identification credentials (see above) to ensure they are valid for the context in which they are given and tested. This is where authentication comes in. Authentication must be context specific, accurate and independent. Without it, a breach at one identity provider becomes a breach at every site that trusts it. Sites and apps that consume federated services cannot approve or deny the "identity" presented as true or false if they do not possess their own tools to authenticate. Therefore, solutions that federate or "manage" identities (as they are now called) are great, but they are only part of the solution. Rethink your federation strategy - be you the provider or consumer.
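To make the identification/authentication split concrete, here is an added example (not code from the original post, and not any vendor's product): a relying party in Python that accepts a federated identity assertion and then, on its own, demands a TOTP (RFC 6238) second factor before granting access. Everything in it is a constructed assumption - the token format, the issuer and audience names (https://idp.example, https://rp.example), the HMAC key standing in for an identity provider's real (asymmetric) signature, and the enrolled user. The TOTP secret is the RFC 6238 test-vector secret so the expected codes can be checked against the RFC. It goes slightly beyond the paragraph above by also showing why a valid assertion for a user the RP never enrolled, or an assertion addressed to a different site, gets refused.

```python
"""Added example: federated identification plus local authentication.

Models a relying party (RP) that (1) accepts a federated identity assertion
and (2) grants access only after a second factor it controls itself (TOTP,
RFC 6238) checks out. Everything here is constructed for illustration: the
token format, the issuer/audience names, the HMAC key standing in for an
identity provider's signature, and the enrolled user.
"""
import base64
import hashlib
import hmac
import json
import struct

# --- Part 1: federated identification (the identity provider's claim) ----
# Assumption: a shared HMAC key stands in for the IdP's signing key. Real
# federation protocols use asymmetric signatures; the check below has the
# same shape (verify signature, issuer, audience, expiry) with a simpler primitive.
IDP_KEY = b"constructed-idp-signing-key"
IDP_ISSUER = "https://idp.example"


def idp_issue_assertion(subject, audience, now, ttl=300):
    """What the IdP hands back after the user 'logs in with' it."""
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body) + b"." + base64.urlsafe_b64encode(sig)


def rp_verify_assertion(token, expected_aud, now):
    """Identification: accept the IdP's claim only if it is intact, from the
    expected issuer, addressed to this RP and unexpired. Returns the subject or None."""
    parts = token.split(b".")
    if len(parts) != 2:
        return None
    try:
        body = base64.urlsafe_b64decode(parts[0])
        sig = base64.urlsafe_b64decode(parts[1])
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != expected_aud:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


# --- Part 2: local authentication (what the RP checks on its own) --------
TOTP_STEP = 30


def totp(secret, now, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step, dynamic truncation)."""
    counter = struct.pack(">Q", int(now) // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# The RP's own enrolment table (constructed). The secret is the RFC 6238
# test-vector secret, so the codes can be checked against the RFC's tables.
RP_TOTP_SECRETS = {"alice": b"12345678901234567890"}


def rp_verify_totp(subject, code, now, window=1):
    """Authentication: the RP checks a factor the IdP never saw."""
    secret = RP_TOTP_SECRETS.get(subject)
    if secret is None:
        return False  # identified by the IdP, but never enrolled here
    # Tolerate +/- `window` steps of clock skew; compare in constant time.
    return any(
        hmac.compare_digest(totp(secret, now + d * TOTP_STEP), code)
        for d in range(-window, window + 1)
    )


def rp_login(token, code, now, audience="https://rp.example"):
    """Federated identification followed by local authentication."""
    subject = rp_verify_assertion(token, audience, now)
    if subject is None:
        return "rejected: federated assertion not accepted"
    if not rp_verify_totp(subject, code, now):
        return "rejected: identified as %s, but not authenticated" % subject
    return "granted: %s" % subject


if __name__ == "__main__":
    now = 59  # RFC 6238 test instant; alice's valid code here is 287082
    token = idp_issue_assertion("alice", "https://rp.example", now)
    print(rp_login(token, "287082", now))
    print(rp_login(token, "000000", now))
    print(rp_login(idp_issue_assertion("bob", "https://rp.example", now), "287082", now))
```

The point of the structure is that the IdP's assertion only ever yields a subject name; nothing in it lets the RP grant access by itself. The second factor is checked against a secret the RP enrolled and holds, so a compromise of the IdP (or a replayed assertion from somewhere else) still stops at the "identified, but not authenticated" line.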

HABIT #6: Stop making the same thing over and over.

I chuckle as I read the steady stream of pre-conference press releases - touting this and that breakthrough technology, or how the industry has "come together" to solve the ills of identity theft, digital security and data protection. If you actually click through the links and brochures to read the science behind the announcements, you find it's the same old thing in a shiny new wrapper. Same tools, new names - something you regurgitate, download and install, or carry in your pocket. The user must recall or recognize something, the site must match it with what they've got, and both parties retain 100% control over screwing it all up. A few novel solutions reverse the process - the user has to generate a one-time thing to be remembered, matched or seeded - but it's always the same result: just type it into the browser.

The problem is that the identity security market is littered with a lot of the same thing. Customers are confused about what the security product does, where and how to get it, and how much it really costs. I did a small research project on how to actually accomplish those three tasks in a short period of time with several of the top vendors. Needless to say, I spent hours on the phone and in email, getting car-salesman-like fluid pricing "bands" and hard minimums just to become a customer at all. There were layers and layers of product versions, specializations and configurations, reseller channels, etc. - all of which left me, as the faux consumer, completely confused and frustrated. Forget it. I'll stick with username and password.

The other irony is that, due to the voodoo of security technology, the market does not prune itself and separate wheat from chaff as easily as other tech industries do. How many web-based email providers are left? Which browser is the best? Which music player do you listen to? Those questions are all pretty straightforward. But security is like healthcare - it's a myriad of case-specific flavor-of-the-month solutions that the customer (patient) must navigate with the help of the web or their trusted integrator/advisor (doctor). Security software marketing reminds me of those annoying drug ads on television. Each symptom has a bevy of possible cures (and side effects), coming from inside out, outside in or between the endpoints. However you slice it, we as security vendors should start enforcing some type of "truthiness" on our collective menagerie of wares and start to make some sense of it all for the good of the consumer/user - lest we collapse under our own weight.

For instance, as vendors we approach the market in exactly the opposite fashion from the hackers. First, consider the agile virus or trojan innovation and deployment model. Then, think about the typical mega-vendor security product development, release and marketing cycle, sales process, conferences, awards ... oh my. It behooves us to innovate, promote, celebrate and integrate real security solutions - at the speed and mass of crowd-sourcing and social wildfire - not churn out copycat token and commoditized SSO solutions like some outdated auto factory. We need to enlist the customer and user base in the new model, not broadcast to them.

Am I promoting a single massive vendor with one universal solution? Absolutely not. I am the biggest proponent of separated concerns, distributed processing and healthy competition. But, for new entrants into the field, I implore you to have some skin in the game and truly innovate - don't just add salt to the same old sauce. There are already too many of those cooks in the kitchen.

Next up - Habits #7-10 with some bonus thoughts on the "cloud."