My friend Michael Farnum had a great post late last week. Basically, what I took from it was that in a commoditized product market, choosing the right technology goes way beyond a feature discussion. I agree, but I wanted to expand on a couple of things here.

First, traditional IDS/IPS can be considered a commodity – again, I agree. As with any commoditized technology, your choices become more limited than complex. I mean, if Gartner’s Magic Quadrant is crowded with a bunch of players, what’s next? How do you choose? Or do you expand your horizon? Do you blindly follow the incumbent or the analyst’s recommendation because it’s easier? Or do you challenge yourself to think outside the mainstream?

Second, he leaves out a key ingredient here – and that’s the evolvement of technology. In our case, the way we deliver IDS is significantly different from any of the other traditional products out there, but it is in essence, still doing the same thing – intrusion protection. To use an analogy, the computer you bought back in the 80’s didn’t come standard with many great applications and features that are available on every single computer today. The standards evolve. Things get better and easier to manage. Users get used to new ways of doing things and eventually ditch the old ways.

I greatly respect Farnum, but I have to ask – aren’t you doing your customer a disservice by restraining yourself to one type of (traditional) technology when you are trying to be consultative? And why? (Okay, I know the answer to this, but still.) If you know there is something out there that can make it easier for them to handle and still address their business requirements, why not point them in that direction?

It’s kinda like selling 56k baud modems. I’m sure there are some folks out there still buying ‘em (and there are plenty still using ‘em), but it’s certainly not a growing market. On that note, anyone want to buy my old P200MMX Presario? It’s got a 56k modem and 64MB RAM.

And Michael: Let me know when your company is ready to talk – we have a great partner program for you here!

Sometimes I just can’t take it any more. Tired of mulling over regulatory compliance, control mappings, security versus compliance, and why we can’t get decaf in the fancy office Starbucks machine, I head over to TED Talks to expand my mental horizons. The history of mathematics being a favorite subject of mine, a superstring theory talk by Brian Greene looks just perfect…until I realize that he and I are in the same business. Not the security business per se, but in the business of finding that one equation, theory or risk model that will explain and merge all other risk models.

In today’s security parlance, we call this GRC or Governance, Risk management and Compliance; fermion meet PCI-DSS v1.1 req 11.3.1. Other terms that surround this unifying effort are security taxonomy and enterprise risk management. The entire purpose of these overarching risk frameworks is to effectively communicate and quantify how security controls (physical and information) affect business risk; hopefully proving that the controls are worth all the bother.

While attending RSA, I attended a peer-to-peer session on the topic of risk management hoping to hear how more advanced beings than me are effectively communicating to their business leaders how valuable security is. Apparently, we are all too human. Of the 25 folks in the room, no one felt they could even define the common denominator that all business leaders could use to translate control costs to business value.

In the past decade, compliance has given security practitioners the leverage needed to motivate business folk to spend the money on security, however it usually requires a large amount of FUD to do it. Frameworks such as ISO 270001 and NIST have provided the groundwork for creating security metrics for larger companies, although integration into the overall business risk framework is still lacking.

What worries me is that those frameworks were too complex and costly for the middle market; instead we have highly prescriptive “one size fits all” regulations like PCI to keep us in line. If we could find that unified theory of risk management, one that translates value through the entire model from business risk to security control value, we could apply it to large, medium and small businesses, giving security practitioners a “seat at the table” by proving that security value is an integral and valuable part of generating business value.

Unlike the superstring theory, I hope we don’t have to create a blackhole to prove it!

This week, I’ve seen a few really interesting articles about IT spending that almost contradict themselves. An eWeek Channel email newsletter I received had links to two interesting articles (one placed directly on top of the other) “IT Distributors Say Economy is Hurting” and “MSP Sales Getting Easier” which made me laugh, given the placement (I assume it wasn’t intentional). But they both reflect a trend I see rising in the channel – the maturation of managed services and the lack of participation by big box manufacturers like Cisco, Dell and HP. Where I think each of these companies do have some sort of story to tell (or perhaps strategy being formed as we speak, as is clearly the case with Dell), it is not geared towards the channel. And given their large enterprise roots, they are all having their challenges addressing the small to medium enterprise space (one reason: price doesn’t scale backwards very well). That’s exactly why the smaller, more personal regional MSP’s and MSSP’s will continue to find success in their respective markets.

As for the distribution article, Ingram Micro’s Justin Crotty and the Seismic program have proven they are ahead of the changing landscape (full disclosure: we are an Ingram Micro Seismic vendor partner). For the past several years, there has been talk about VAR’s moving into more service-oriented business models, but no real movement – it was just too costly and many people were spending way too much time overthinking the model. I believe some of the softening we see on the hardware/software sales side is actually being picked up on the services side and we’ll continue to see that grow. After all, in tough economic times, when a company starts tightening the belt, are they going to spend more capital or reduce costs? I hate to use the word “outsourcing” (I like “cosourcing” better) but in this case, I have to. If you outsource anything, what comes to mind? Well, technologies and tasks that require a high cost of overhead and investment would take a pole position if it were my business. Why waste time on doing mundane tasks that can be done by a qualified partner at a much lower cost to my business? Why not leverage my existing resources more strategically than having them do dirty work like helpdesk, printer management or (beware, shameless plug follows) sifting through false positives and watching your security posture 24×7? Can you afford not to get the most out of your employees?

In the most recent VAR Business issue, the cover story “How To Navigate the New MSP Landscape” basically talks about differentiating oneself in a competitive market. For the most part, that’s nothing new. But it brings up some great points when it comes to any business, especially a smaller player in the market. Things like selling the value of your services (not the price!), finding the right partner and not trying to do everything yourself, moving beyond the fundamental mainstream services (like break fix) and not forgetting the personal touch with the customer. How can the big boys realistically compete with that?

In my last post, I eluded to my disappointment in Google’s lack of a good message around security at RSA this year. And at the Venture Tech Network (VTN) Invitational in New Orleans last February, they had a breakout session for VTN members “by invitation only”. Ooh, how top secret of you, Google! You do realize that the objective of VTN is for open communication and networking with all of its members, right? Keeping a secret at this venue is probably not going to happen. Funnily enough, the folks I spoke to who were there were unimpressed and did not seem to have any plans to partner with Google. Many were there just because of the “top-secret” factor – but apparently, curiosity killed that cat. It wasn’t a security message, by the way – which is flabbergasting to me, because their email filtering/SaaS play is probably one of the best solutions they have to engage the channel.

I guess I just find it hard to trust a company whose revenue is largely derived from a search engine to be experts in providing security solutions – especially given the fact that they track everyone’s searching habits. Looking at it from a privacy perspective, I already have an issue with cookies, let alone my search engine of choice tracking my web surfing habits. (By the way, Google, I don’t really collect My Little Pony myself, I was just looking for my nieces.) How are they protecting that information? Do they have insight to malicious content in the World Wide Web? Absolutely. Do they have an impressive and complex infrastructure to protect with perhaps some unique issues they face? Certainly. Can they communicate the business side of security? Maybe. But do they understand the channel? Obviously not.

And besides, in my not-so-humble opinion, email and content filtering does not equal security. It’s only a very small piece of a solid defense-in-depth strategy. Just because they bought Postini does not make them security experts. But it could be a great path into the channel for them. Proof: MX Logic does it and they do it right. Just look at their channel success.

I know I am not being totally fair to Google, because I love their search capabilities, the whole Web 2.0 personalized dashboards and the cool widgets like Picasa they put out there. These things drive other technologies as well. But Google doesn’t seem to be business or security ready (okay, I’ve seen some of their yellow search boxes in a few very large datacenters, but that’s about it). SaaS is such a compelling story for the channel and they clearly have some unique insight – you’d think they would have a bigger, better story to tell.