Last week I attended the RSA Conference (RSAC) Innovation Sandbox for the first time. Not only was I an attendee, but I also was fortunate enough to host a CTO panel during the event. For those that aren’t aware, the Innovation Sandbox is one of the more popular programs of the RSAC week. The highlight of the Innovation Sandbox is the competition for the coveted “Most Innovative Company at the RSA Conference” award. This is basically the information security version of ABC’s Shark Tank. If you want to learn about the up-and-coming vendors and technologies, this is one place to do it. To participate, companies had to meet the following criteria:
The product has been in the market for less than one year (launched after February 2013).
The company must be privately held, with less than $5M in revenue in 2013.
The product has the potential to make a significant impact on the information security space.
The product can be demonstrated live and on-site during Innovation Sandbox.
The company has a management team that has proven successful in the delivery of products to market.
January 28th was the anniversary of the Space Shuttle Challenger disaster. The Rogers Commission detailed the official account of the disaster, laying bare all of the failures that lead to the loss of a shuttle and its crew. Officially known as The Report of the Presidential Commission on the Space Shuttle Challenger Accident - The Tragedy of Mission 51, the report is five volumes long and covers every possible angle starting with how NASA chose its vendor, to the psychological traps that plagued the decision making that lead to that fateful morning. There are many lessons to be learned in those five volumes and now, I am going to share the ones that made a great impact on my approach to risk management. The first is the lesson of overconfidence.
In the late 1970’s, NASA was assessing the likelihood and risk associated with the catastrophic loss of their new, reusable, orbiter. NASA commissioned a study where research showed that based on NASA’s prior launches there was the chance for a catastrophic failure approximately once every 24 launches. NASA, who was planning on using several shuttles with payloads to help pay for the program, decided that the number was too conservative. They then asked the United States Air Force (USAF) to re-perform the study. The USAF concluded that the likelihood was once every 52 launches.
In the end, NASA believed that because of the lessons they learned since the moon missions and the advances in technology, the true likelihood of an event was 1 in 100,000 launches. Think about that; it would be over 4100 years before there would be a catastrophic event. In the end, Challenger flew 10 missions before it’s catastrophic event and Colombia flew 28 missions before its catastrophic event, during reentry, after the loss of heat tiles during take off. During the life of a program that lasted 30 years, they lost two of five shuttles.
We are now less than two weeks away from our annual sojourn to the RSA security conference. RSAC is a great time for learning, meeting and making friends. (Please hold cynical remarks; RSAC is what you make of it.) As the date grows near and my excitement grows, I am preparing my mind and patience for the ubiquitous silver bullet marketing that is predestined to appear.
One of these silver bullets will be the term "actionable intelligence." You will be surrounded by actionable intelligence. You will bask in the glory of actionable intelligence. In fact, the Moscone expo floor will have so much actionable intelligence per capita you will leave the conference feeling like the threat landscape challenge has been solved. Achievement unlocked, check that off the list. Woot!
Well not so fast. I frequently talk to vendors that espouse the greatness of their actionable intelligence. Whenever I hear the term actionable intelligence I want to introduce them to Terry Tate, Office Linebacker. Terry Tate first appeared in a 2003 Reebok Super Bowl commercial.
Security is the No. 1 impediment to Cloud Service adoption. Forrester’s research has shown this over the last three years. Cloud Service Providers (CSPs) are responding to this issue. AWS has built an impressive catalog of security controls as a part of the company’s IaaS/PaaS offerings. If you are currently or considering using AWS as a CSP you should check out the following new research.
Mobile device management is a fully commoditized market. In the strictest definition of MDM, the available functionality is limited to those application programmer interfaces that are made available by the operating system vendor (Google or Apple). There is very little that traditional MDM offerings can do to differentiate themselves from the other 100+ vendors in the market. This causes significant price pressure on the offerings. Value for MDM is rapidly approaching zero. As we have seen over the past year-and-a-half, core MDM component offerings have been continuously lowering their prices in an attempt to maintain market share. There is a transition by the major MDM players to expand well beyond the traditional "wipe," "lock," and "locate" concepts available to them into more advanced technologies such as content and collaboration systems, security components at the network and application layer, as well as partnerships and integrations with secondary market offerings. These features have value. MDM at its core does not.
I think it's about time someone came out and said it. Just like Dobby from the Harry Potter books, MDM should be free. I've been telling all of the vendors that I work with that if they don't put out their MDM offering in a freemium model very shortly, the other vendors will beat them to the punch. Traditional MDM offerings are a land grab for enterprise market share and should be used as an upsell or wedge into more advanced and differentiable offerings. I predict that in the next 6 to 9 months we will see most, if not all, of the leading MDM vendors giving away their core functionality.
It's hard to believe that a company could burn through $225 MILLION dollars in 11 months, but it looks like that may have been exactly what AirWatch did. According to data released by AirWatch and written by financial analysts (links to all data sources at bottom of post), AirWatch likely had burned through nearly all of its available cash in record time. Based on an assumption of $120K burn per employee (fully loaded) per year and an assumed removal of $50M in equity at the time of the venture round, AirWatch would have had somewhere between 5 and 6 months of runway left as of January 2014. These assumptions are corroborated by the fact that VMware has contractually extended AirWatch an offer to provide a bridge loan if the acquisition deal does not close in the next 6 months.
What did AirWatch do wrong? It sounds like they may have made some over-assumptions with regards to their growth rates for 2013. It could have possibly been the adoption rates in countries outside of North America. It may have just been bad luck. Or it could even be a cooling off of interest in mobile device management technologies based on containerization. We won't know exactly why they were getting near the end of the runway, but what we can say is that VMware may have overpaid in multiple. Based on the data provided by VMware of AirWatch bookings for 2013, VMware paid somewhere around 16x bookings for AirWatch. Man, that's a lot of bread!
My esteemed colleagues Renee Murphy and Nick Hayes joined me in a fully collaborative, marathon evaluation of 19 of the most relevant GRC platform vendors; we diligently pored through vendor briefings, online demos, customer reference surveys and interviews, access to our own demo environment of each vendor’s product, and as per Forrester policy, multiple rounds of fact checking and review. The sheer amount of data we collected is incredible.
On January 22, 2014, a new mobile security player was born. This is the date that VMware announced its intention to purchase the mobile device management (MDM) firm AirWatch. With a price tag of $1.5 billion, this acquisition confirms that the mobile security market is scorchingly hot. This news comes on the heels of the November acquisition of Fiberlink by IBM. I expect additional mobile security market consolidation to occur throughout the remainder of 2014. This acquisition is a shot across the bow of any other major vendor looking to play in the mobile security market. If you don't step up and spend now, you might just be left holding the bag.
Privacy is on trial in the United States. Legal activist Larry Klayman asked US District Judge Richard J. Leon to require the NSA to stop collecting phone data and immediately delete the data it already has. His argument was that US citizens have a right to privacy and this is a violation of the Fourth Amendment of the Constitution protecting citizens from illegal search and seizure. Monday's ruling that this practice is unconstitutional has privacy activists cheering in the streets, but it will not be a lasting victory.
In the United States, there is not a single privacy law on the books. (You can argue that HIPAA is a privacy law, but nuances exist that can lessen its impact.) What is protected has come from judgments based on the application of the Fourth Amendment regarding search and seizure. US citizens were given "privileges,” thanks to Richard Nixon, which say we have an expectation of privacy when using a phone, which basically means that the government has to get a warrant for a wiretap. (It’s worth noting that in the UK, they don’t get that privilege.)