Showing posts with label business. Show all posts

Monday, September 13, 2010

The End of An Era: ArcSight Goes to HP

The era has ended: the last independent software SIEM [worth buying] is bought. The biggest SIEM game “winner” (ArcSight) is acquired by HP for about $1.5b. As people are already calling me en masse to comment, here is the post with a random sampling of conclusions, predictions and “lessons learned”:

  • Do something better than everybody else and you can win big – even if you start late like ARST did (this comes direct from the Cap’n Obvious, of course :-)) For example, focus on a good UI usable by your target audience as early as possible!
  • Appliance SIEM battle was - until now - a sideshow to the SIEM “classic” battle (IMHO). Yes, despite the volume of appliance sales, distributed software SIEM was still seen by many as “the real thing” and appliance SIEM was seen as “maybe for SMBs?” And now appliance SIEM guys get to fight the main war!
  • Will HP screw it up? Hmmmm..... with their record in security.... oh, wait, they have a record in security? :-) No further comment.
  • It is official: SIEM market again has no leader (at least until HP figures out what to do with ARST). Will anybody else stand up and take the reins while HP is “sorting things out”?
  • What is the fate of the appliance SIEM (Express) and log management appliances (Logger)? Well, the answer lies deep inside HP, but my guess is that they will not fare better than they fare now. HP “the home of OpenView” will probably like big messy software more than the boxes.
  • Q: Can I please say something related to the news with the word “cloud”? A: Sooooorry, nothing cloudy about it whatsoever.

Winners:
  • ArcSight, of course. Big congrats to the crew!! I competed with you a few times, but that does not mean you are not awesome :-)
  • Kleiner Perkins with about 20x on the investment; even CIA made some money (via In-Q-Tel), I guess.
  • SIEM players close to the top of the totem pole. All will now claim “ah, we are the leader now!”

Losers:
  • Whoever was on the shortlist with ArcSight to be acquired by HP. Oops!
  • Current HP “SIEM” partner - this vendor now gets to add their own name to the list of failed SIEM vendors :-) Bummer!
  • Whoever else wanted to buy ArcSight. Oracle?
  • SIEM players close to the bottom of the totem pole. Even fewer people will buy your wares now, especially if HP discounts Express aggressively.
More will be added as I think about it and talk to people. Other fun coverage of the matter will be added below as well.

Monday, July 26, 2010

Skills for Work vs Skills for Getting Hired

Given the amount of attention my previous security career post gathered (“A Myth ….”), it is time for a new one. Some of it is inspired by the Source Boston 2010 mentoring panel, a gift that just keeps on giving (BTW, I signed up as a mentor with that new project, InfoSecMentors).

So, let’s talk about security skills that you can prove, skills that you need for a job and skills that will pass HR filters. It shocks me – to put it mildly – that these three are often completely different – and not even overlapping.

Which ones do you need to develop? Should you spend time writing papers, hacking code or reading up on 10 domains of “see-bee-kay”? Should you get good at something that will not be immediately obvious to everybody (like reversing malware) or spend time doing something visible (like writing papers about malware without having first-hand knowledge of how it works)? Should you choose a sexy esoteric area of security, get really good at it – and then notice that nobody wants to hire you for that – with the possible exception of a Russian crime syndicate? :-)

While it is extremely tempting to bark “All of them!” and stop right there, the reality seems more complex to me, as it almost always is.

  • Skills that help pass HR filters (and especially certifications like “see-sssss-ph”) sure seem important as you won’t even have a chance to get to using your other skills aka be hired – unless you are a master-ninja-networker! By the way, buzzword-loading your resume is not about skills - it is about a socially acceptable form of lying: TCP/IP, UDP, ICMP, BGP, IDS, IPS, W3C, CIFS, WAF, DLP, GRC, SIEM, NAC, IAM, SNMP, SMTP, POP3, HTTP, NASL, IPv6 … ASS :-)
  • Skills that will help you do the job obviously vary depending on what job you have in mind. For most entry- and mid-level security roles, these skills are technical (sorry, Messrs Security Policy Writers). From log analysis to IPS tuning to firewall management to web application scanning, the range is broad and you need to choose. You can pick an area and then go really deep; however, it is worthwhile to try not to pick “typewriter repair” as an area of specialization :-) Fortunately, since none of the security problems we ever faced have been solved yet, choosing wrong is very hard. If you are still lost, pick application security or pentesting. These are not going away – EVER!
  • Skills that are easy to prove - typically via a multiple choice test - is another interesting set: some technical skills (such as knowledge about what is in TCP/IP header) are easy to test, while others (such as an ability to do web app penetration testing) are extremely hard to validate. I guess social engineering is an ultimate “unprovable” skill, while knowledge about how to configure a Cisco router is easier to prove. BTW, I’ve met some “Cisco Gear Master Magicians” whose skills bordered on divine – they can literally get that box to do anything.

And if I were to give some advice on this that I wish I received when I started in security, I’d say focus your energies like this:

  1. Put most of your energy in developing skills that will be most useful at work – work you do at your current job or the one you dream about (aka your next job :-)) As I said above, it is more likely that these skills are technical.
  2. However, balance the time you spend practicing technical skills that are simply fun for you with the ones that are easy to prove to potential employers. Let’s call them “visible skills.”
  3. Severely limit the time you spend on developing skills just to pass HR filters – instead get better at networking! Darn, even Twitter skills are better than practicing your daily laps in alphabet soup like the mess above.

To figure out that point, I once asked my wise mentor “Why do you still run /bin/bash, awk around and install Fedora, after you wrote three books, sold a company, gave a dozen keynote speeches and run a profitable consulting business for many years?” He – wisely, of course – said: “So that I can be a sysadmin if shit hits the fan.” This line is still stuck in my head after many years!!

Otherwise, you risk being one of those types who respond to an ad for “firewall admin, must have CISSP” and end up crashing the network, which is kinda sad. For example, for many years I’ve had this bizarre unconscious skepticism towards people whose main skill is to write security policy. Writing this post cleared my head as to why: a well-written security policy does EXACTLY nothing for security … unless it is implemented.

Finally, some folks reading this will say – “screw the skills, I just want to be an expensive loudmouth for hire.” OK. There are indeed a few who rose to such a noble occupation… First, you have to slave away for many years doing something else – and then hope that eventually people will want to pay to listen to your rants. Second, you can join Gartner, still slave away for a few years – and then maybe people will pay for your “loudmouthery.” In both cases, you’d still need some “+5” to Luck :-) And then maybe you can be “a mercenary loudmouth.”

But this is likely a subject of another post.


Thursday, December 18, 2008

When “Solutions Before Problems” Approach is OK?

So, they say that dumb overeager salespeople push “what they have” no matter “what the customer needs” – and, more often than not, end up with BOTH an annoyed customer and some damage to their employer’s brand (yes, it might be all about his/her personal sleaziness, but it DOES damage the employer’s brand!) On the other hand, it is said that a smart salesperson will always inquire about “what problem does the customer have?” and then position/describe his wares accordingly, IF they are indeed a fit for his needs.

I happen to agree with this and think that problems should be visible before solutions are unpacked. Other people mention it as well (recent example from Andy’s blog and its continuation, and then here and again here; read it – it’s fun!)

However, what happens when a customer insists: “tell me what ya have!” There are, curiously, many versions of that, when a customer confronts you with something like this:

  • “You guys are experts; tell me what I need to be doing ‘to be OK’”
  • “Please tell me which options I should enable”
  • “Just give me a document explaining how I can “be secure” using your product”
  • “You tell me which one is the best!”

(all above examples are fictitious, but “inspired by true stories”)

I can fight it (and I did fight it on a few occasions in the past, actually, insisting on problem description), but it creates a bizarre paradox:

“Customer is always right” + “problems before solutions” + “customer wants to hear about solutions first” = ?

Just sharing an observation… 

Tuesday, January 15, 2008

To All Strategists!

Penelope wonders "Do you think you’re a strategist? You’re probably wrong."

Required reading to those of my colleagues who just coined new strategist titles for themselves...

Fun quote: "Most people I have managed have told me, at one point or another, that their strength is strategy. For the most part, I hear this as “I don’t know how to execute what you’re asking me to execute.” "

Monday, October 29, 2007

Security Companies 2 Watch - 2007

Everybody already looked at it, I am sure, but why not: "10 IT security companies to watch." Now, some might check it out and say "Come on, this is 'Network World'! How dumb can that be?" Well, I think it is worth looking at anyway: the fun part is the common themes. And they are:

  • Authentication (What?!)
  • Smart traffic sniffing (A yawn? Maybe)
  • DLP (tooooo f late...)
  • Behavioral anti-malware (one more? nooooo...)
  • Identity risk-management (WTF?)
  • Database security (well, maybe)
  • Encryption (what a novel idea?)
  • Code review (finally time?)
Still, check out the list!

Monday, October 15, 2007

What is a CTO?

This has one of the most succinct definitions of a CTO role that I ever saw: "the great CTO’s usually can’t manage their way out of a paper bag, but
  • have huge vision,
  • the ability to pull an all-nighter and crank out a rough prototype of the thing they are thinking about,
  • have the unique ability to translate complex / abstract thoughts into simple English that a non-technical end-user can understand, and
  • a willingness (or even desire) to get up in front of 1,000 people and talk about the latest greatest thing they are working on / thinking about."

Wednesday, October 18, 2006

On "18 mistakes that kill startups"

Very cool list of startup mistakes; many (painfully many, I'd say) apply to some of the security startups I've seen.

Some fun examples are:

#3 Marginal Niche – choosing an obscure niche to avoid competition might be fatal
#6 Hiring Bad Programmers - most of the e-commerce business in the 90s died because of bad programmers
#10 Having No Specific User in Mind – sometimes startups assume that somewhere there must be someone interested in their product. Somewhere…
#18 A Half-Hearted Effort – the lack of commitment towards the startup is not that rare ...

Tuesday, October 17, 2006

On Competitive Differentiation

This paper has some enlightening info on innovation and competitive differentiation. Specifically, it covers three ways one can achieve competitive differentiation:

"1. Operational Excellence aka Cost Leadership
Provide middle-of-the-market products at the best price and the least hassle.

2. Product Leadership
Provide the best product, period. Continue to innovate year after year.

3. Customer Intimacy
Provide unique solutions to customers by virtue of intimate knowledge of their needs. "

So, which one is your company doing? :-)

Dr Anton Chuvakin