I got my first CTO promotion at the age of 29, and though I was very strong in technology, it’s shocking how little I knew back them in terms of process, communication, presentation, leadership, business, and a dozen other important things. However, I was fortunate to learn one management lesson early that really helped me define the role. It turned out that my personal productivity was no longer relevant in the big picture. Intead by taking the time to communicate vision, intent, process, and tools – and to educate my fellow development team members – their resultant rise in productivity dwarfed anything that I could produce. Even on my first small team, making every staff member 10% better, in productivity or quality, the power of leadership and communication was demonstrable in lines of code produced, reduced bug counts, reusable code, and other ways.

The role evolved as I did, from pure technologist, to engineering leader, to outward market evangelist, customer liaison, and ultimately supporting sales, product, marketing, and PR efforts at large. With age and experience, being able to communicate technical complexities in a simple way to a larger external audience magnified my positive impact on the company. Being able to pick the right message, communicate the value a product has, and express how technology addresses business challenges in a meaningful way to non-technical audiences is a very powerful thing. You can literally watch as marketing, PR, and sales teams align themselves – becoming more efficient and more effective – and customers who were not interested now open the door for you. Between two companies with equivalent products, communication can be the difference between efficiency and disorganization, motivation and apathy, commercial success and failure.

And it’s clear to me why I need both in this role as analyst.

During the RSA show I interrupted two different presentations at two different vendor booths because the presenter was failing to capture their product’s value. The audience members may have been disinterested tchochke hunters, or they may have been potential customers, but just in case I did not want to see them lose a sale. One of them was Secerno, whom I feel comfortable picking on because I know them and I like their product, so I was an arrogant bastard and re-delivered their sales pitch. Simpler language, more concrete examples, tangible value. And rather than throw me out, the booth manager and tchochke hunter potential customer thanked me because he got ‘it’.

Being able to deliver the key messages and communicate value is hard. Creating a value statement that encompasses what you do, and speaking to potential customer needs while avoiding pigeon-holing yourself into a tiny market is really hard. Most go to the opposite extreme, citing how wonderful they are and how quickly all your problems will be solved without actually bothering to mention what it is they do. Fortune 500 companies can get away with this, and may even do it deliberately to force face to face meetings, but it’s the kiss of death for startups without deeply established relationships.

On the other side of the equation, I have no idea how most customers wade through the garbage vendors push out there because I know what value most of the data security products provide and it’s not what’s in the marketing collateral. If their logo and web address was not on the web page, I wouldn’t have a clue about what their product did. Or if they actually did any of the things they claimed to. It’s as if the marketing departments don’t know what their product does but do know how they want to be perceived and that’s all that matters.

Another example, reading the BitArmor blog, is that they missed the principal value of their product. Why should you be interested in Data Centric Security? Content and context awareness! Why is that important? Because it provides the extra information needed to create real business usage policies, not just network security policies. It allows the data to be self-defending. You have the ability to provide much finer-grained controls for data. Policy distribution and enforcement are easier. Those are core values to Data Loss Prevention and Digital Rights Management, the two most common instantiations of Data Centric Security. Sure, device independence is cool too, but that is not really a customer problem.

Working with small startup firms, you desperately want to get noticed, and I have worked with many ultra-aggressive CEOs who want to latch onto every major security event as public justification of their product/service value. This form of “bandwagon jumping” is very enticing if your product is indeed a great way to address the problem, but you have to be very careful as it can backfire on you as well. While their web site does a good job at communicating what they do, this week’s Acunetix blog makes this mistake by tying their product value to addressing the SQL injection attacks (allegedly) used by Albert Gonzales and others. I have no problems with the claims of the post, but the real value of Acunetix and similar firms is finding possible injection attacks before the general public does: during the development cycle. It’s proven cost effective to do it that way. Once someone finds the vulnerability and the attack is in the wild, cleaning up the code is not the fastest fix, nor the most cost-effective, and certainly not the least disruptive to operations. Customers are wise to this and too broadly defining your value costs you market credibility.

Anyway, sorry to pick on you guys, but you can do better. For all of you security technology geeks out there who smirked when you read “communicating value is hard”, have some sympathy for your marketing and product marketing teams, because the best technology is only occasionally the right customer solution.

Oh, once again, don’t forget that you can subscribe to the Friday Summary via email.

And now for the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences

• Rich’s awesome article on Peering Inside Snow Leopard Security, hot off the presses.
• Network Security Podcast, Episode 164, wherein Martin and Rich interview Greg Conti.
• Rich’s MacWorld article on Super-Safe Web Browsing.

Favorite Securosis Posts

• Rich: We Know How Breaches Happen.
• Adrian: I have been working on this stuff for four years, so Vulnerability and Security Assessment Policies gets my vote.

Other Securosis Posts

• Some Follow-Up Questions for Bob Russo, General Manager of the PCI Council
• Database Assessment Solutions, Part 5: Operations and Compliance policies
• Burden of Online Fraud
• The Ranting Roundtable, PCI Edition

Project Quant Posts

We are close to releasing the next round of Quant data, so stand by…

Favorite Outside Posts

• Adrian: I already talked about Brian Krebs’ post this week, so next up would be PaulDotCom’s review and podcast of Daemon. Not saying it was life changing, but Rich lent me the book last month and it was awesome.
• Rich: Rob Graham’s excellent analysis of the Free Software Foundation’s flawed criticism of Windows 7.

Top News and Posts

• New WiFi attack. It’s even more busted than we thought.
• Heartland just the tip of the iceberg.
• I have not verified this, but Yahoo! vulnerable to SQL Injection is news.
• Defensibility and Recoverability
• Hackers Charged with TJX breach. Think I covered it last week, but it came out late Friday, so excuse the duplication.
• Cisco’s comments on VLAN Vulnerability.
• Decrypting Oracle Passwords through dictionary attack.

Blog Comment of the Week

This week’s best comment comes from Jim Ivers in response to the We Know How Breaches Happen post:

Your analysis is spot on. Why should a cyber criminal go through the laborious effort to build a zero day attack when it is simple to spin up an exploit that picks off the multitude of unpatched and misconfigured endpoints available? Conficker used a known exploit as have many of the well publicized attacks. It is more glamorous to think of cyber criminals as evil geniuses building exotic attacks, but the collective lack of security discipline creates a path of least resistance that is easily taken. I would suggest that there is some proof to support the customized malware vector when you look at the reports and blogs posts from Symantec and McAfee in regards to the geometric growth they are reporting in the context of number of signatures written. Both report writing more signatures in 2008 that they had written through 2007 and McAfee noted that they wrote twice as many signatures in the second half of 2008 than in the first half. But it is very likely that these were variants of known attacks with just enough difference to evade the signatures rather than markedly new attacks.