FUD and Other Sales Errors
Security product testing criteria have always struck me as quite odd. Why *just* focus on the product or even the vendor financials? I mean, the product is wrapped up in a sales cycle, a marketing program and sometimes, an entire belief system. Then there is the ongoing relationship... Vince Tuesday has been around the block. He's heard what you have to say, my dear vendor. He knows your script; in fact, he's probably reading ahead. The sad truth is you already lost his attention 5 minutes into your sales pitch. He did briefly perk up as you enthusiastically sprayed your enthusiasm towards him - but this was merely to avoid getting his suit wet. As you posture to impress him, he's figuring out whether to eat the leftover Chinese food for lunch or go down the pub. He's already decided if he's going to take you up on your offer of lunch. Sharing food does not mean you are any closer to a deal. It merely means he is more likely to fall asleep when you insist on using up more of his precious time by ordering dessert as a tactic to "keep him in play".
Vince makes purchasing decisions that sales people would die for. But to get to the sale, the path is narrow...and winding as you'll see below. Thanks Vince - I owe you a beer!
I am a security manager with a secret identity, Vince Tuesday. He comes out when I have things to say that would be inappropriate to say under my work identity. You may also know him as a 2003 East Coast Region ASBPE Silver award winner for “The Strange Case of the Phantom Intruder”, no? You surprise me. When KingCloud (as I like to call Craig) approached me about FUD I dithered, but the promise of international fame and fortune was hard to resist, so I’d like to talk to you today about more than just FUD (although FUD will be a part of it). I’m going to do a top ten of “Things I never want to hear from my vendor”. It may be that once I get into the flow I go beyond 10…
1. "You can write your own templates/scripting language"
2. “We wrote our own crypto”
3. “Sorry, We forgot to encrypt the laptop”
4. “We have a great console”
5. “The front-end is web based”
6. “The front-end is thick client”
7. “It's in the cloud”
8. “It has an alerting tool for the desktop”
9. It works via "secret sauce" or "magic"
10. "The next version will support that."
11. "Dave at XXX is one of our reference sites"
12. "Here is a picture of our head office"
13. "Here are our key clients and customers."
14. "It has no CPU impact"
15. "It automatically updates"
16. "It doesn't automatically update"
17. “No, I don’t think it is covered by any export restrictions”
18. “Let me do a demo…I just need unfiltered, broadband connectivity right now”
19. "It's common criteria/ITSec certified"
20. "It can log everything"
21. "It has a very granular access control database so you can control exactly which menu items each user can see"
22. "It scales without limit"
23. "Company X has tested it and found no security holes"
24. "We ran a contest to show it was hack proof"
25. "It solves/prevents problem X"
26. "It fixes HIPAA/Sox/BASEL II"
27. "It's much better than product Y"
28. "Do you like Golf?"
29. "Vince, Vince, blah, Vince"/ NLP
What is your no. 30? Add it in the comments below.
1. "You can write your own templates/scripting language"
Not only is this great for your professional sales organisation, but I can also extend my vendor lock-in by forcing all my team to learn your stupid re-invention of perl/bash, and better yet you can hide behind the fact that you haven’t incorporated decent features by claiming I can add my own. I can even pay extra for training from you – so be sure to change the scripts on a regular basis so you can make that a recurring revenue stream. Also, when you release the new version of the product then make sure my scripts stop working, and don’t dare give me things like import/export and change control.
2. “We wrote our own crypto”
Sure, you did an MSc in some European country, maybe you even read “Applied Crypto”, you might even own the Brucie action figure – what could possibly go wrong? I’m sure there is no reason that the solution to every software problem from a security point of view (see Gunnar Peterson’s excellent critique) is Network Firewall and SSL. Why would we like SSL? Sure, it has problems, but they get fixed. Your own implementation is never going to have any problems, and even better, if there were then you’d never know and never fix them – fewer patches, love it! Better yet are those security products that don’t even include authentication or confidentiality in their own connections and therefore add security risk to the environment. That kind of stuff is just hard to configure and adds overhead, doesn’t it? No better way to convince me your security tool is a must-have than for it to lack any security over the features it offers.
3. “Sorry, We forgot to encrypt the laptop”
Along with not bothering to embed security features in your security product, it is even better when security vendors and consultancies don’t take security seriously in their own work and infrastructure. I’ve found vendors with my staff’s and clients’ personal data stored in their environment without full disk encryption on their laptops – and thank goodness, no pesky keys to protect if you don’t bother to encrypt. Also it would be a waste of time to have some modicum of physical security for your office and your data centres – you’ve a mission to spread the knowledge of your product to the world, so what better way than having my data stolen and published? It’s like cheap advertising, no?
4. “We have a great console”
When start-ups build in their environment they make a nice whizzy front end that they use for a few minutes over a local network link to the back-end, with a small set of test data from a few endpoint systems. In our enterprise environments we have WAN links between desktops and backend, sometimes over satellite from remote areas; we have hundreds of admins, hundreds of thousands of endpoints and terabytes of data flowing through our systems. We also have hundreds of security systems to integrate and limited analyst time in the SOC. So I’m dying for a new front end that I can’t integrate with my existing management framework and toolset – then I’d never see your badly rendered pie charts that I can’t cut and paste into my other reports.
5. “The front-end is web based”
Oh great, slow Java pages that don’t load and work properly on the ancient version of IE we get on our desktops. Lovely.
6. “The front-end is thick client”
Oh great, a patching and update nightmare that also means I get some painful licensing and DR site version errors and have to pay extra to get the client packaged and deployed. I’m an easy customer to make happy, aren’t I?
7. “It's in the cloud”
Thank goodness, because if you hadn’t mentioned cloud I might have forgotten it is 2009. Either you are using this as a marketing buzzword, in which case well done for firmly sitting on that bandwagon, or you are not building out your own data centre so you can respond to the demands of growth – you’re probably using mains electricity and have an office near public transit too – why not include that in your sales pitch as well?
8. “It has an alerting tool for the desktop”
If I thought having a management client for my desktop wasn’t enough of a thrill ride then I definitely want an alerting system – something proprietary and heavyweight, or extremely configurable like a hard-coded email address (and just one, why waste time supporting multiple addresses?) in every endpoint for where the alerts are forwarded. Don’t worry about throttling or summaries – I love getting 9000 emails/minute when your system has a hiccup, as it provides a useful replacement for your failure to include a heartbeat in the communications protocols.
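The throttling, summary and heartbeat that the paragraph above says are missing, as an added Python example (my code, not from any vendor product on the page): alerts are constructed dicts with `ts`, `host` and `rule`, and the storm of 500 identical alerts is made up to stand in for the "hiccup".

```python
from collections import defaultdict


class AlertThrottler:
    """Per-(host, rule) rate limit that rolls suppressed alerts into one summary.

    Added illustration (not code from any vendor product): alerts are plain
    dicts with keys ts (epoch seconds), host and rule, a constructed shape.
    """

    def __init__(self, window_seconds, max_per_window):
        self.window = window_seconds
        self.max_per_window = max_per_window
        self._window_start = {}           # key -> ts at which the current window opened
        self._sent = defaultdict(int)     # key -> alerts delivered in the current window
        self._dropped = defaultdict(int)  # key -> alerts suppressed in the current window

    def _roll(self, key, ts):
        """Close the window for `key`, returning a summary if anything was dropped."""
        out = []
        if self._dropped[key]:
            host, rule = key
            out.append({"type": "summary", "ts": ts, "host": host, "rule": rule,
                        "suppressed": self._dropped[key]})
        self._window_start[key] = ts
        self._sent[key] = 0
        self._dropped[key] = 0
        return out

    def process(self, alert):
        """Return the 0, 1 or 2 messages that should actually be delivered."""
        key = (alert["host"], alert["rule"])
        ts = alert["ts"]
        out = []
        start = self._window_start.get(key)
        if start is None or ts - start >= self.window:
            out.extend(self._roll(key, ts))
        if self._sent[key] < self.max_per_window:
            self._sent[key] += 1
            out.append({"type": "alert", **alert})
        else:
            self._dropped[key] += 1
        return out

    def flush(self, now):
        """Emit summaries for expired windows that no later alert has closed.

        Without this, a storm that stops abruptly would never be summarised.
        """
        out = []
        for key, start in list(self._window_start.items()):
            if now - start >= self.window and self._dropped[key]:
                out.extend(self._roll(key, now))
        return out


def deliver_stream(alerts, window_seconds=60, max_per_window=3, end_ts=None):
    """Run a batch of raw alerts through the throttler and return what is sent."""
    throttler = AlertThrottler(window_seconds, max_per_window)
    delivered = []
    for alert in alerts:
        delivered.extend(throttler.process(alert))
    if end_ts is not None:
        delivered.extend(throttler.flush(end_ts))
    return delivered


def missing_heartbeats(last_seen, now, interval, misses=3):
    """Endpoints silent for more than `misses` intervals: the hiccup is
    detected from the absence of heartbeats, not from an email flood."""
    return sorted(h for h, ts in last_seen.items() if now - ts > misses * interval)


# Constructed "hiccup": one endpoint re-raises the same rule 500 times in ten seconds.
STORM = [{"ts": 1000 + i * 0.02, "host": "ep-042", "rule": "agent_disconnect"}
         for i in range(500)]

if __name__ == "__main__":
    for msg in deliver_stream(STORM, window_seconds=60, max_per_window=3, end_ts=1100):
        print(msg)
    print(missing_heartbeats({"ep-001": 1200, "ep-002": 1000}, now=1210, interval=30))
```

With a 60 second window and three alerts per window, the 500-alert storm becomes three alerts plus one summary reporting 497 suppressed; the `flush` call matters because a storm that simply stops would otherwise leave its summary unsent.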
9. It works via "secret sauce" or "magic"
That reassures me that they don’t waste valuable time and money training pre-sales staff to actually understand or be able to communicate the details of the product. Why would I want that? If you did that and your sales team had integrity you might actually tell me when the product wasn’t a good fit rather than sell me any old nonsense, and then where would your IPO be?
10. "The next version will support that."
Good, let me give you my money for all the things it doesn’t do; in fact why not show me the same 5 year roadmap for 2 years running but just slip the start date each time? That convinces me to invest exactly as much in your product as you are, and saves you the time and thought of bothering with a decent plan.
11. "Dave at XXX is one of our reference sites"
Wicked, when I do buy your product then I’m going to be keen to be a reference site – to feed my own ego and try to convince more suckers to deploy it so I look like a visionary (call it twisted skin in the game) – so I enjoy knowing that you bandy your highly confidential client contact details about to entirely un-validated prospects.
12. "Here is a picture of our head office"
I bet your VCs loved having this in their pitch, and it certainly makes exactly as much sense to show me the picture of the outside of a managed office in a business park. You may be very proud of your move out of your carport or your ability to search on Google Images, but with only 20 slides you’ll definitely not get closer to a close if you tell me about the product, so better to show me stuff I just don’t care about but that looks pretty.
13. "Here are our key clients and customers."
I love a page of badly cut'n'pasted logos, mostly at web-quality dpi so they look ugly, and old versions that break brand guidelines as much as anyone. A particular pleasure is when people pitch with our own logo on the page; sure we are a big company, but you’ve got to be gutsy to attempt to get us to pay for your licenses twice – let’s face it, if I’m going to buy it’s all going to be because you spent a long time on the graphic design and look and feel of that page, isn’t it?
14. "It has no CPU impact"
It’s great to come with a hardware upgrade, but isn’t that going to be expensive to deploy? Oh hang on, what you are really saying is “we don’t bother doing stress tests in a range of circumstances to be able to give you meaningful capacity planning information, as you might realise it’s a bloated pile of crap that doesn’t scale beyond 5 users if we published anything like that”. I agree the other wording is better.
15. "It automatically updates"
Great, I do enjoy troubleshooting problems on a Monday mid-morning at peak business hours because all your agents decided to use some insane Hawaiian time zone to schedule their updates. And change control is for companies who don’t really bother with availability, isn’t it?
16. "It doesn't automatically update"
Marvellous, I do love a steadily increasing TCO based on dedicated teams of people packaging and deploying new versions containing features I don’t want but some big prospect in Japan wanted. For bonus points make sure old agents don’t work with new central servers so I have to do a big bang high risk upgrade or add gaps in coverage if I want up to date versions. Also great to have updates work only from scratch, so I have to uninstall the old version and install from scratch and lose all my configuration and customisation work each time.
17. “No, I don’t think it is covered by any export restrictions”
Yes, I’m certain your intuitive grasp of State Department rules and regulations is spot on because they are instinctive and clear and spending any time or money understanding them and making your product workable isn’t going to be helpful to a global buyer.
18. “Let me do a demo…I just need unfiltered, broadband connectivity right now”
Absolutely, I’m going to allow you to connect your ropey laptop to my corporate network, and thanks for not bothering to tell me so I could have got you a wifi guest login, or god forbid you bother to set up a WebEx demo or bring a 3G card rather than make it my problem for you to be able to do the demo.
19. "It's common criteria/ITSec certified"
Spiffy, I do enjoy it when you meet some outdated self-defined model rather than actual business needs. Also good to spend your limited funds with certification agencies to chase a government market rather than add features and improve the product. Even better for you to have a strong incentive not to issue substantial security updates to your product because they would invalidate your certification.
20. "It can log everything"
Just make sure you do it in your own proprietary format and ensure all the logging is done locally; we all need to drive a bigger security market so everyone needs to do their bit for log aggregation tools. Also make it so you spread alerts over several lines and change the headers of your data layout between versions. I don’t have any desire to automate this stuff; my SOC teams can’t get enough of this as it really uses their skills in the right way.
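To show the normalisation work that a multi-line, version-shifting layout pushes onto the SOC, here is an added Python example (mine, not code from any vendor or from the post): both sample layouts, the key renames `sev`/`host` versus `severity`/`endpoint`, and the records themselves are constructed for illustration.

```python
import json
import re
import shlex

# Constructed sample in two invented layouts of one imaginary product (not a real
# vendor's format). v1 spreads an alert over several indented continuation lines
# and uses short keys; v2 went single-line and renamed the keys.
SAMPLE_V1 = """\
2009-06-01 10:15:02 ALERT sev=3 host=ep-042
    rule=agent_disconnect
    msg=Agent stopped responding
2009-06-01 10:15:09 INFO host=ep-042 msg=Heartbeat
"""

SAMPLE_V2 = """\
2009-06-01T10:15:02Z ALERT severity=3 endpoint=ep-042 rule=agent_disconnect msg="Agent stopped responding"
2009-06-01T10:15:09Z INFO endpoint=ep-042 msg=Heartbeat
"""

# Record header: date, clock (v1 carries no zone and is assumed UTC), level, then body.
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})Z?\s+(\w+)\s*(.*)$")

# Vendor keys from both versions mapped onto one canonical schema; others pass through.
ALIASES = {"sev": "severity", "severity": "severity",
           "host": "endpoint", "endpoint": "endpoint"}


def join_continuations(text):
    """Glue indented continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


def parse_fields(body):
    """Parse key=value tokens; quoted values are honoured, and bare words that
    follow a value (the unquoted v1 message) are folded into that value."""
    fields, last = {}, None
    for tok in shlex.split(body):
        if "=" in tok:
            key, value = tok.split("=", 1)
            last = ALIASES.get(key, key)
            fields[last] = value
        elif last is not None:
            fields[last] += " " + tok
    if "severity" in fields:
        fields["severity"] = int(fields["severity"])
    return fields


def normalize(text):
    """Turn either vendor layout into a list of flat events with one stable schema."""
    events = []
    for record in join_continuations(text):
        m = HEADER.match(record)
        if not m:
            events.append({"unparsed": record})  # keep it visible, never drop it
            continue
        date, clock, level, body = m.groups()
        event = {"ts": f"{date}T{clock}Z", "level": level}
        event.update(parse_fields(body))
        events.append(event)
    return events


def to_jsonl(text):
    """One JSON object per line, the shape a log pipeline or SIEM ingests directly."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in normalize(text))


if __name__ == "__main__":
    print(to_jsonl(SAMPLE_V1))
```

Both layouts normalise to the same two events, so the downstream rules do not need to know which agent version wrote the line; anything the header regex cannot place is kept as an `unparsed` event rather than silently dropped.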
21. "It has a very granular access control database so you can control exactly which menu items each user can see"
Brilliant, more professional services, I can see your IPO going better and better, I am visionary to have selected your product; just make sure you don’t add any sensible roles so everyone gets to be admin under a shared account. And as a large enterprise I don’t have enough different stores of user credentials, so don’t integrate with any of them. I want a whole new username and password and a system of groups. Who wants all their eggs in one basket?
22. "It scales without limit"
I’m glad the laws of physics and 60 years of IT experience don’t apply to your product. Clearly you tested it on 1, 2 and 3 users, so by proof by induction it scales without limit, and make sure you confuse “XXX company was stupid enough to buy a 100,000 user license that now sits on a shelf” with “XXX company has 100,000 users using it”.
23. "Company X has tested it and found no security holes"
You paid someone to say it was brilliant, and they did. That _was_ money well spent. There is nothing as independent as paying someone to say you are lovely; might I suggest you get your mother to test it next time, as she’ll be cheaper and I bet she thinks it is really secure as well. Even better if you save money by picking a name of someone I’ve never heard of, or go for a big name but a very limited scope so it comes with so many caveats that the testing is worthless.
24. "We ran a contest to show it was hack proof"
Even better if you make the prize be a pile of gold or don’t pay the people who win the contest. I like your gutsy approach of either a) nobody breaks in as organised crime thinks it can get more out of exploiting your product in live or b) some script kiddie owns you entirely and then you have to whine on about how they didn’t follow the rules – because attackers are always following the rules!
25. "It solves/prevents problem X"
Yep, you are actually selling a combined magic beans/silver bullet that will also make coffee. Nothing convinces me you are a well researched and sensible sales organisation like convincing me it will solve a problem it can’t. PGP ran some great ads about how important full disk encryption at border crossings was after customs accessed data on disks. The fact that the customs agents have the legal right to demand the keys doesn’t make that advert bizarre at all. A nice 20/20 hindsight variety is "If only so-and-so had had it then <big bad thing> wouldn't have happened!"
26. "It fixes HIPAA/Sox/BASEL II"
All the better if I’m not in healthcare/a listed company/a regulatory capital regime. And won’t it be great for me to look down my nose at those companies hiring hundreds or thousands of compliance staff and running holistic programmes across technology and the business, when all I needed to do was buy your one niche security product – cost saving!
27. "It's much better than product Y"
I love it when you bash the competition, because clearly your product has many great bits if you use your time trash talking other products. Nothing adds to your credibility like the fact that you used to work for the product Y company and only a few weeks ago were trying to sell that to me.
28. "Do you like Golf?"
Now we are stepping towards the inducement and bribe approach to selling product, nice. It’s not like I’m well paid and successful, so a day of golf is more than enough to make me change my mind and risk my integrity and job. I was going to make a joke about a certain company here but I actually don’t even want to risk my integrity and job for a joke.
29. "Vince, Vince, blah, Vince"/ NLP
It is true that people who trust each other use their first names more frequently in conversation; however you’ve delightfully confused symptom with root cause, and I love your cargo cult-style approach of repeating the symptoms in the hope of reaching the cause. Add a little mirroring of my body language and we’ll build so much rapport that I’ll pile my entire budget into your in-tray.