Amrit Williams, BigFix CTO, discusses the outlook on the economy for 2010 with Jack Phillips, co-founder of IANS, the Institute for Applied Network Security.

Subscribe in iTunes:

Subscribe with XML:

FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Jack Phillips, who is the Co-Founder and CEO of IANS, the Institute for Applied Network Security. Jack, thanks for joining me today.

Jack Phillips: You are welcome.

Amrit Williams: So Jack, I want to switch gears a little bit. I know that historically you have a background in investment banking. You are clearly an entrepreneur. You are definitely smart financially and business-minded. You were new to information security, at least to some of the advanced concepts that I am sure you have been exposed to and are able to consume and digest and articulate quite well now.

Is there anything that really surprised you when you got into information security as you started forming this business? Were there assumptions you had that had been shattered? Was there anything that you just said, oh my God, that is incredibly shocking and I can’t believe it’s done that way? Any thoughts on that aspect of your experience?

Jack Phillips: I think probably my biggest shock has been on the enterprise side. What I have learned over eight years is that security sees everything. Information security, unlike any other function I believe in an organization, knows every skeleton in the closet. It knows every nook and cranny of an enterprise.

One of the things that we have tried to encourage our leaders to do in the recent years is take advantage of that. In other words, in order to raise your profile, take advantage of the fact that you know so much.

But really, I guess, the glaring aha has been how executive leadership, for some reason, largely ignores that asset until it’s too late. The knowledge base that sits just beneath the surface, just I guess beyond the reach of the Board of Directors is so vast within this group, and yet so frequently overlooked, and instead it’s belief, for example, that the CFO or the Finance or the Risk Management Office knows more than the Tactical Information Security Team, and it’s commonly that mistake, I think, that gets many organizations in today’s environment in trouble, because they get high level information instead of the real tactical information that really articulates and, I think, sharpens a threat. So that’s probably been my biggest surprise as I have worked mostly with security leaders and executives on the user side.

Not much has surprised me on the vendor side. I have watched software for a long time. There is a nice constant innovation curve and, I think, that has stayed around regardless of the economy, and the vendor community, the folks that create services and offerings, there’s been a fair amount of M&A activity, and it’s a space that’s grown quite nicely. So nothing really of any surprise on that side.

Amrit Williams: That’s very insightful what you mentioned about the misunderstanding about executives in terms of security, and the body of knowledge that doesn’t seem to be very well-aligned at the tactical level and the strategic level. And certainly it’s something that security professionals deal with and constantly struggle with is, how do they align themselves with the business, and how do they articulate those very technical issues that need to be understood at the CFO level, so that dollars in budget can be allocated to solve real problems that the enterprise is going to face, as opposed to just waiting for an attack and responding to it. So very insightful.

I wanted to touch on the innovation question, because as we went into this economic crisis; I guess it’s sort of ending now, there were some comments around the impact it would have on innovation. I completely agree, the markets are cyclical and innovation is currently happening. Money is like energy. It needs to flow somewhere. It doesn’t just stop and get blocked up. So money goes somewhere. If it doesn’t go to security, then people start looking at virtualization or Cloud Computing, or they just try and keep the lights on.

But I did want to touch on — there was a thought that folks had around, well, if VC funding is drying up, and enterprises themselves go into capital preservation, or at least in the short-term, that would have an impact on those underdeveloped companies that were sort of either coming just out of stealth and really had 12-18 month run rate to try and get something going before they get into real trouble. Do you think that they were able to weather the storm, or do you think that there was a lot of companies that were pretty badly impacted? I mean, I am not sure myself which way it went.

Jack Phillips: Yeah. We have seen a few companies pretty badly impacted, but I think that the real impact is ahead of us. I think you can’t generalize too much. I think you have to go sector by sector. So we definitely believe that — I guess the reaction is always that investors and entrepreneurs tend to over-judge or overcompensate for these cycles. So I think the venture community has overreacted now, and it has basically stopped everything.

You are going to see a couple of spaces, I believe, in the next six months see some pretty significant consolidation because of that. But if the sun comes out midyear 2010 or toward the end of 2010, I think the opposite is going to happen, and there is going to be a knee-jerk overreaction on the top side that matches essentially what we have had on the downside.

I don’t know quite what that’s going to look like yet, but I will pick one space. The SIMs and Log Management space is just — there’s just too many companies, and there are too many names in there, and they are fighting CAPEX dollars. You are right, OPEX, CAPEX, that ratio inside of enterprises has really turned obviously to favor OPEX, CAPEX has essentially gone.

So in that space there are, I don’t know, maybe four to six names who we believe shouldn’t be in business in this environment, can’t believe they are still making it in this environment. If they can see through to the end of the first quarter, perhaps the middle of the year next year, I think they will be okay, but I can’t see that happening. I think it’s definitely a buyers market and we are going to continue to see the Ciscos, the Symantecs, the McAfees, the CAs, really pick some of these companies off basically for nothing, just to at least get the venture investors a couple cents on the dollar. So that’s how I view it.

I think there is a lot of activity right now, and some of it’s very negative, but at the same time, I do see that there’s going to be a pop backup here, and we are sort of waiting for that. And I think that the companies who did put shackles away in a sense and really cut spending in the first quarter of this year, and hunkered down, I think, will weather that storm.

Amrit Williams: Yeah, I agree with you. I think the companies that have come out on the other end are going to be much stronger than they would have been had we not gone through a little bit of turmoil. I also think that it’s going to weed out some companies that probably would have eventually died out anyway, which is good. I covered the SIM space, it was one of my main coverage areas at Gartner.

Jack Phillips: Then you know better than I do.

Amrit Williams: No, but what you said is absolutely correct, and on target. I remember, I think, the very second MQ we worked on, I think there were 19 vendors in that space, all vying for like $380 million or something. It was just obvious. It was untenable. Which you realize, in a lot of ways these new markets as they mature like DLP or NAC, which will eventually 00:08:03 build, or SIM, whatever they are, they almost serve as R&D wings for large companies.

You wait for these markets to get some momentum and some velocity. You see a bunch of startups come up and do some innovative things, and then the big vendors come in and swoop the ones they want. Then they take it mainstream, and it becomes commoditized and part of their portfolios. I don’t anticipate any of that is going to end.

You said something a couple of minutes ago, and I may have misheard you, I thought you said the worst is ahead of us.

Jack Phillips: Yeah, I don’t think we are done going down here. I rely heavily on our faculty member, Peter Cooper, who really anchors more of our financial and kind of M&A and due diligence side of our research. With unemployment going above 10%, even though the stock market, although choppy, has been on an upswing, if you look at all the economic indicators that he is pointing our members to, I think, that we have got through the first quarter of 2010 yet to go here.

So I certainly don’t see our enterprise buyers behaving in a way that says, CAPEX comes back. From a purely software and hardware buying capacity, I do think that the worst is still ahead, although the time frame on that is say four months, but I just think it’s that last arrow in the room here.

Amrit Williams: Yeah, it’s still very delicate, I would agree. What about IANS itself, where you guys impacted positively or negatively? I could see both scenarios occurring in an economic crunch. The positive would be, people are trying to be much more diligent and much more focused on how they spend money, so they want really a quality information, and the other being, well, but you can’t afford any information. So what is IANS seeing?

Jack Phillips: Candidly you are correct. So we have certainly seen our enterprise subscriber base, beginning with the renewals that we had in the early part of this year, hesitant. So essentially that line item in an information security team’s budget essentially evaporated, so that was the research, what they might sometimes call training, continuing ed, strategic, that line item was the first to go.

Now, that however, beginning in about May or June of this year was replaced by what I will call a need for extended or almost consulting services, extended research or consulting services. In other words, when the stock market came to bottom out and executives said to their teams, okay, let’s get going on the projects that we have put off last fall, our security subscribers were caught short. In other words, they had either stopped hiring or laid off team folks, and all of a sudden they had a manpower shortage. So that vector has caused a bit of an uptake for us.

But, in general, as we finish third quarter, and we look here to the fourth quarter, we just put out a press release two days ago announcing hiring. So we have hired another research member full-time here on our staff, as well as two new partnerships: one an events partnership with an interesting company out in Portland, Oregon, called Eventa, and the second is a content feed partnership that I think helps to bolster our service offering.

So our strategy really has been that while things have come down, that’s a great time for us to bolster for the future. So we have added on, but candidly, when we started the year — we will finish the year below plan, but above last year. And I hear a lot of other entrepreneurs saying the same thing. I am disappointed because I had a plan for growth, guess the good news is, at least I grew the company.

Amrit Williams: Yeah, no, that’s absolutely fantastic. Folks looking to get more information on IANS, the IANS website is ianetsec.com or .org?

Jack Phillips: It’s actually ianetsec.com.

Amrit Williams: Okay. Thank you very much. Jack, thank you for joining me today. It was a pleasure speaking with you, and I wish you guys the best. I will talk to you soon.

Jack Phillips: Thank you.

Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening.