Microsoft to Lead Security Best Practices

“My name is Microsoft and I have a problem.” That could be the introductory statement of the company at the group meeting of ISVs With Legacy Systems Full of Security Holes Anonymous.

In a recent article, eWeek talks about Microsoft’s push into application security and security best practices.

In the process of building its newly launched Windows Vista OS, the Redmond, Wash.-based software maker employed a new vulnerability detection process labeled SDL (Security Development Lifecycle), that claims to have greatly reduced the number of holes in its products, and which will also serve as a foundation for the firm’s nascent applications security business.

I’ve written that we’ll see more and more of this type of behavior from large ISVs as they realize security can be a competitive advantage.

Other examples from large vendors: Oracle gets behind Common Vulnerability Scoring System (CVSS), followed by Cisco. Oracle is getting great feedback from customers about this move, according to the Oracle Security Blog.


Precious

Gates gets personal with Steve Jobs/Apple in a Newsweek article.

I must agree on one thing with Bill–most PC users don’t look like John Hodgman and most Mac users don’t look like the cool kid in black. In fact, nearly half of both Mac and PC users are women so there really isn’t any truth in advertising. 🙂


Long Tail Aggregators

I’m at the AlwaysOn Media Conference in NYC today. At breakfast, Esther Dyson (who just recently left CNet), Chris Dobbrow (now at GoingOn, the platform powering AlwaysOn), Melinda Gipson (GateHouse Media) and I had an interesting discussion about how to build long tail aggregator businesses. This type of business does not have access to the head and torso of the distribution–it only works with the tail.

The basic premise is to aggregate the value under the tail. Revenue per unit (of whatever you’re measuring on the X axis) will be small on the tail portion but there are many units, hence the opportunity to build a big business, provided you can keep costs low enough to make great margins/unit.

It was impossible to build these types of businesses in the real world–costs are simply too high. You need the draw of the hits to bring an audience in and support fixed costs such as rent. On the Net, the early wisdom was that you cannot launch without the hits–what would Amazon and Netflix be if they had tried to launch without the bestsellers and blockbusters? Things have changed in a decade. Search and social discovery mechanisms have made niche content much easier to discover, bringing customer acquisition costs down enough to make a meaningful difference.

At the highest level, to become successful as a long tail aggregator, you have to be very easy to do business with at every level: how you’re discovered, how customers and partners engage with you initially and over time. If you’re not, there will be increased sales, marketing, account management and support costs, which directly affect margins. Part of being easy to do business with has to do with you providing a whole solution (in a Crossing the Chasm sense) to your customers and partners.

The obvious, Business 1.0 approach is vertical integration. That’s the Apple way. If you can execute it with near perfection over time, it’s a fantastic way to go. It’s also very expensive and very risky. iPod/iTunes couldn’t have launched outside the shadow of a large company such as Apple.

The Business 2.0 way is orchestration and clean APIs. You need to orchestrate the solution because you must control your customers’ experience. You partner with best-of-breed providers to fill out the areas where you need help. By itself, that’s no different than what Geoffrey Moore preaches. In a Web 2.0 world, the difference comes through clean APIs, which allow you to maintain efficient, fluid and broad partnerships while keeping costs low.


Tech vs. Life Sciences Investing

My partner Alan Crane and I were talking recently about the differences between technology (IT, HW+SW in particular) and life sciences (LS) investing as driven by the inherent differences in the target markets. Two key points rose to the surface: market stability and cost of entry.

The target markets for LS companies, generally speaking, are the flora and fauna. They change very slowly. If you are developing a cure for cancer you can be confident that if you succeed in creating one, there will be a big market, even many years into the future, even if one of your competitors has beaten you to market by some years. In the high-tech world, markets are rarely stable over time. By the time you are ready to deliver your solution, it could be obsolete. Some examples: great client-server products that were made irrelevant by the Web, supercomputers whose target markets were overtaken by Linux clusters, etc.

To get into the life sciences business you need smart PhDs, labs with expensive equipment and bags of money for the IP attorneys. This is perhaps more true for biotech companies and less true for medical device companies. The closest example in high-tech is custom hardware, where you need some millions in tooling just to get started. Still, that's no match for the capital a biotech startup needs. Software is at the other extreme, where a cool kid can bootstrap the next killer Web 2.0 startup. Also, IP matters in LS much more than in IT. LS is driven by the laws of physics, chemistry and biology. Solution sets are rather constrained and can be precisely described in detail, leading to strong patents that are difficult to get around. IT is virtual. Software creations are fundamentally unconstrained. Hardware is software in a different form and is only constrained by process capabilities. (Because of that, HW IP tends to be stronger than SW IP.)

The net result is that life science entrepreneurs and investors can make long-term bets and are willing to raise huge amounts of money in expectation of huge returns (for a platform biotech, an IPO is an investment round). Further, because of the strengths of LS IP, big pharma is willing to pony up big bucks for partnership agreements well ahead of drugs being ready for market. IT investing, due to the vagaries of market instability, weak IP protection and the threat of competition, increasingly requires a tightly managed approach to risk management with faster iteration between investment and the risk reduction / opportunity maximization it enables.

I wish more of my companies operated in stable markets with high costs of entry so that management can feel more comfortable making bigger bets. Alan wishes more of his companies took less time and money to exit and had more than a handful of big pharma players to do big deals with.


Snowmobiles and Cell Phones

I’m at the Polaris Digital Media Summit in Deer Valley, UT. It’s a great event with a good mix of portfolio and industry execs. Since snowboarding is not allowed in Deer Valley, a few of us went snowmobiling yesterday. The weather was great and it ended up being a lot of fun. No broken bones in our group, though there were some close calls and one snowmobile will need extensive repairs.

With all the fun over, I had to figure out how to get the pictures off my old Nokia 6660 on T-Mobile. That turned out to be a lot more complicated than snowmobiling:

  • An initial annoyance was that I couldn’t send several messages at a time.
  • I couldn’t email them because there was no GPRS connection.
  • I tried MMS to my Verizon Berry (8703e), which doesn’t support MMS. I ended up getting an SMS to visit a Verizon WAP site where I could see a thumbnail image but couldn’t do anything useful w/ it from the Berry. I didn’t even attempt to go to the site with a browser.
  • I tried Bluetooth exchange between the Nokia and the Berry + my computer. The devices paired well but I couldn’t figure out how to transfer the files. The Berry doesn’t support the right Bluetooth profile. The default MS Bluetooth stack on XP doesn’t either. You can download better Bluetooth SW but last time I tried this on my old Thinkpad it wasn’t easy to configure everything right.
  • The final solution was to use infrared between the Nokia and my laptop, one image at a time. That’s pathetic.

Bigger May Be Better for Secure Scripting

On the topic of security as a competitive advantage, a recent Evans Data survey of scripting environments puts ActionScript and Adobe Flex on top. ASP.NET AJAX (Atlas) is in second place.

The open-source projects are, unsurprisingly, rated lower. It’s hard to get as excited about security as it is about flashy features. It’s going to take some time for open-source projects to mature and for contributing developers to start taking as much pride in quality and security as they do in functionality.

“Developers know that strong security is the foundation of great user experiences, and an increasingly important selection criteria for rich Internet application development technology,” said Jeff Whatcott, vice president of marketing at Adobe. “It’s wonderful to see Flex recognized as the security leader.”


Flipping the Ad Model: Consumer Choice == More Money

Talk to a grizzled broadcast TV exec and he’ll lament consumer choice: the choice of many cable/sat channels, the choice of spending time online or in front of the TV, the choice of whether to watch ads or fast-forward through them, etc. In short, consumer choice == less money. In the old TV world you’d make the most money if you could just turn all the TVs on in every household, tie people to their couches and prop their eyelids open. Hmm, I wonder why we’ve moved away from that…

To online businesses–both the majors and those serving niche content–choice is good and the Net’s ability to support infinitely many discoverable “channels” is the key enabler for segmenting the audience into ever smaller, better targeted, more engaged, higher margin groups.

The Holy Grail is true targeting at the level of the individual consumer. Lots of personalization + ad targeting tech has been built that more or less doesn’t solve the problem. The targeting groups keep getting smaller, the margins go up a little but the individual consumer remains an elusive target.

In the days of Web 2.0 and UGC, some have taken the low-tech approach of just asking the consumers themselves. The latest high-profile entrant is Flip, Condé Nast’s attempt to capture the disposable entertainment hours of teen girls. MediaWeek reports that teen girls will be able to populate page real estate with their own art as well as traditional branded images.

There are traditional banner ads in some parts of Flip, including on individual profile pages. But even on those pages, the girls themselves decide which brands’ ads will appear during the setup phase.

It sounds like a good idea. Our own WeatherBug has done very well with having users pick the sponsors of the free WeatherBug product. It’s a win-win. Users are happy because they can exercise choice. Sponsors are very happy because they only pay for users who self-select.


Madison Avenue Subsidizing Mobile

Thanks to Bill Wittenberg for this pointer to a NYT article looking at how advertising can subsidize some advanced mobile services for consumers. The article mentions Xero, Blyk, Virgin’s Sugar Mama I’ve written about before, etc. 

Link to Madison Avenue Calling – New York Times


Integrated vs. Best-of-Breed Security

There has always been a tension between integrated and best-of-breed approaches to software solutions. Much of the software industry has moved in the integrated direction, from OSs and platform runtimes to integration suites to ECM to application suites. The holdouts typically have been in complex, fast-moving markets.

The prototypical example of a space where best-of-breed wins is security, because of the many niches within it and the quickly evolving threat landscape. Even that is going away. In the network space it started with the arrival of the managed security service providers (MSSPs) such as Guardent (now Verisign MSS) that tied together a number of best-of-breed pieces into an integrated, outsourced solution for enterprises. Product vendors have not stayed still either. Security has been one of the most active M&A markets recently and the pace is likely to continue as security capabilities become a by-design facet of all SW/HW. To this point, a recent comment by Morgan Stanley analyst Peter Kuper (who has deep expertise in security):

Cisco’s acquisition of IronPort represents more than a basic consolidation play. In our view, this transaction marks a new vector for Cisco’s commitment and involvement in security and perhaps software overall. Take notice pure play security providers; Cisco just moved deeply into the realm of communications security leaving even less space for existing vendors to squabble over. Moreover, this latest transaction further cements our industry view that security, in most cases, is contained if not embedded within any hardware, software or service. In other words, this acquisition increased our conviction that the best days of the point solution providers are behind us.

Here are some M&A stats from my friends at America’s Growth Capital and Jefferies/Broadview:

  • 61 transactions in 2005 with median LTM revenue multiple of 4.5x. 33 transactions over $20 with median multiple of 6x. It pays to be bigger.
  • 60 transactions in 2006 with multiples remaining in the same range. 27 transactions over $20M with median multiple of 6x.
  • 2007 starts with a bang–Cisco’s $830M acquisition of IronPort at a nice 10x revenue multiple.

Symantec leads the charge w/ 20 acquisitions in the 2002-06 timeframe. Can you say “let’s figure out how to diversify before Microsoft destroys our cash cow?” McAfee and Cisco are next with 8 and 7 deals, respectively. Then Microsoft (they know they have a problem) and Verisign w/ 5 each.


Security as a Competitive Advantage

There are certain aspects of software such as security and overall quality that exhibit a very non-linear value curve. Vendors get punished for low quality/security but rarely get rewarded for doing a good job at both. With such a kinked evaluation function, it’s no surprise that most vendors are not spending enough time and resources to get security and quality right. 

This has been the status quo for decades. It’s about to change in the next few years quite significantly. And, strangely enough, the largest ISVs, rather than being obstacles, will play a key, proactive role in making the change happen because they’ll seek a competitive advantage in doing so.

Let’s take Microsoft as an example. For years, one of the ways the giant has competed is by raising the bar on features. Raising the bar raises the cost of doing business for everyone else. It’s a time and money calculation. It’s the software industry’s version of the Cold War armaments race. MS, being the largest SW vendor, has the ability to both fund and cross-subsidize the buildout. Most others can’t follow. And now MS has figured out that security and quality can be positioned as a competitive advantage. It certainly took them a while and they surely have a huge legacy problem to deal with, but the resources they are deploying are mind-boggling. An MS exec I talked to about this in 2005 estimated the annual spend (encompassing developer education, added steps in the SDLC, etc.) to be over $1B per year. At those rates of investment, eventually they’ll start meaningfully impacting the problem, especially since MS has finally changed its stance on the willingness to inconvenience end-users (see Schneier’s post on why it may not be a great start, but it’s a start nonetheless).

The same applies, to varying degrees, to all other large vendors who have the resources to implement significant changes in the way they build software. None of them want the negative publicity associated with known and, worse, exploited vulnerabilities. Sometimes guilt comes by association. For example, see the risks associated with hosting PDFs. Adobe is one of the companies that is most at risk and, hence, most likely to lead the change together with MS. (In fact, given MS’s legacy, Adobe may see a competitive advantage in pushing a stronger security/quality message.) The Flash player is the single most distributed human-made piece of software in the Universe (more fun to say it that way). The PDF reader is up there also. Red Hat is another obvious choice and has been exploiting MS’s security weakness for quite some time.

The large buyers of software will have a role to play in this also, but it’ll be a secondary one. They’ve never been happy about the limited liability associated with SW. “Buy the SW, pay maintenance, spend resources deploying and managing it, deploy countless patches and get stuck with all the risk caused by poor quality and security vulnerabilities.” Doesn’t sound like a great pitch, does it? Given the inherent complexity of software, we’re a very long time away from software vendors assuming liability. (When building software becomes as predictable as building bridges, it’ll come.) Whenever big software buyers such as GE rumble about liability, it’s a codeword for extracting some concessions, e.g., free services, from a vendor. In the meantime, it’s business as usual.

What can change the dynamic on the buyer side is a consistent framework of measuring the risk inherent in a piece of software given the environment it’ll be put to use in. Once that becomes available, buyers will have a way to more meaningfully take security and quality into account during the procurement process. Right now it’s more of a binary decision–either the software is deemed fit for use or not. That’s a gross oversimplification which furthers the vendor bias towards just clearing the bar but going no further. When the evaluation metric switches from a binary to a continuous scale, the last obstacle to security and quality being taken seriously by software vendors will be removed. Software cost may go up but TCO should go down and everyone will be better off.
