Thoughts on Box’s S1 and Opportunities to Drive Growth

It has been a couple of days now and everyone seems to be piling on Box about its S1 filing. Many (myself included) have been waiting for this to post to get an inside look into the freemium-based business model that Box is depending on to propel business revenue and a peek at just how successful the company has been in getting business users to climb aboard. The burn rate of this model is high, and seeing losses of $168 million against revenue of $124 million, it is easy to point fingers and call it questionable. But can this model work? Yes, over time and with the right investments. It is important to understand what is behind these numbers and what Box can do to drive revenue up and costs down.

Topics: Storage IT Infrastructure

Looking Forward to Interop 2014

Only a few days ‘til I head out to the glittering lights of Vegas to attend Interop. If you are interested in networking, this is one of the highlights of the year for you as it marks one of the major events for announcements. So many in fact that you may have a hard time keeping up with all of them! Keep in mind that is a good thing.

As one might expect, SDN will continue to be a major theme. However, as the market matures, expect to hear about how many of the SDN announcements of 2013 are materializing into working products with actual customers testing them. So, most likely this means that 2014 will be a really busy year for proof of concept testing and pilots. Not only are the building blocks for SDN materializing, but we are also witnessing more SDN “applications” coming to market as well – for the data center, campus and branch. A big part of some of the announcements last year in SDN related to ecosystems and how the collection of vendors would work together to develop end-to-end solutions – this is a good check in point to find out how those are developing. To use an iPhone analogy, this allows us essentially to find out how many SDN apps are in the app store. The SDN finalists include Cisco’s ACI APIC, VMware’s NSX and the OpenDaylight Project Hydrogen release. HP has an SDN app – a network optimizer for Microsoft Lync, as a finalist in the network category.

Topics: IT Infrastructure Networking ESG on Location

Lessons Learned from the Target Breach

Anyone involved in cybersecurity (practitioners, managers, researchers, vendors, etc.) should make sure to read and internalize the Senate report released yesterday titled, A “Kill Chain” Analysis of the 2013 Target Data Breach. The report takes readers through each step of the well-established Lockheed Martin “kill chain,” illustrating how the initiation of the Target attack, how it progressed, and what Target should have done to prevent, detect, and respond at each phase. (Note: In addition to the Senate report, there is an excellent synopsis of the Target breach in this BusinessWeek article).

These two publications lay out the whole enchilada – from the initial incursion, through the breach, to the public announcement on December 19, 2013. In fact, Target CFO John Mulligan testified before the U.S. Senate Committee on Commerce, Science, and Transportation yesterday (March 26, 2014) to update the Feds on the breach itself and its aftermath.

Topics: Cybersecurity

Endpoint Themes

Here are some trends to keep an eye on (in no particular order):

Topics: Cybersecurity

Software Defined Everything (SDM) Includes Management

I find it fascinating that when new technologies are invented that are designed to improve efficiency and drive down costs, they end up having the reverse effect – especially the more disruptive ones. Let’s take cloud computing as an example. On the one hand, it provides an enterprise this wonderful ability to offload all of the basal tasks of ordering, installing, and configuring server/storage/network stacks with virtualization and potentially guest OSs on them. This alone is non-trivial and time consuming. For some of the more advanced clouds, you can actually change the size of (virtual) memory, processor, or storage sizes on the fly! What about patching? Hot patching anyone? Automated patches and updates for the core technology such as the guest OSs? These are additional, great benefits found on some cloud providers. And this is just the easy stuff. What happens when a VM becomes a zombie? Who finds, kills, and restarts the zombie? The list goes on …

Now what happens if you realize that one cloud platform was really great for development and scale testing, but when it came to the operational standard that has come to be expected in the enterprise, it can’t be easily replicated on that provider so you decide to build and test on one cloud and deploy on another? Oh and wait … what if you also want to be able to standup just enough to get by on-premises for a last resort, disaster recovery location?

Topics: Cloud Services & Orchestration

Security Vendors Are Racing Toward a New Anti-malware Technology Model

While the calendar still indicates that we are in Q1 2014, the security industry continues as a nexus of M&A activity. The year started with FireEye grabbing Mandiant, and proceeded to Bit9’s merger with Carbon Black, and yesterday’s announcement that Palo Alto’s intent to acquire Cyvera.

These are the most recent deals but similar M&A activity is well established. In 2011, Sourcefire acquired cloud-based AV startup Immunet. Just last year alone, McAfee purchased ValidEdge in February, IBM snapped up Trusteer in September, and Blue Coat grabbed Norman Shark just before the Christmas holiday.

Topics: Cybersecurity Enterprise Mobility

If I Were the Next CEO of Symantec

As you’ve probably noted by now, Symantec just announced that CEO Steve Bennett is out and is being replaced by board member Michael Brown on a temporary basis. The board will now conduct a search for a permanent CEO.

Under Steve Bennett, Symantec announced a new strategy called, “Symantec 4.0,” intended to streamline the organization, cut costs, and push organic innovation. A good plan, but my guess is that things weren’t moving forward as fast as the board wanted so it decided to make a change. As an outsider, it did seem like Symantec circled the wagons, focused on internal operations, and kept its eyes off the market. Thus, the company now looking for its fourth CEO in the past five years.

Topics: Storage Cybersecurity IT Infrastructure Data Platforms, Analytics, & AI Enterprise Mobility

Are Enterprise Organizations Ready to Use Free AV Software?

Last year, ESG published a research report titled, Advanced Malware Detection and Protection Trends, based upon a survey of 315 security professionals working at enterprise organizations (i.e., more than 1,000 employees). In one question, ESG asked security professionals whether they agreed or disagreed with the following statement: “Commercial host-based security software (i.e., AV) is more or less the same as free security software.”

It turns out that 36% of security professionals either “strongly agree” or “agree" with this statement, while another 25% are sitting on the fence (i.e., they neither agree nor disagree with the statement).

Topics: Cybersecurity

How to Plan your Data Protection Spectrum [video]

Continuing on the theme that we started last year that “Data Protection” is the umbrella theme that encompasses a broad range (spectrum) of IT behaviors, including “Backup, Snapshots, Replication, etc.”:

Topics: Data Protection

Cloudera's Vision for the Enterprise Data Hub

Yesterday marked the first ever Cloudera analyst day, held at the Omni Hotel in sunny San Francisco, and judging by the agenda and attendance they are attracting a lot of interest as a thought leader in big data. The speakers were engaging and passionate about answering three of my favorite questions:

Topics: Data Platforms, Analytics, & AI

Impressions from ONS 2014

Last week I attended the Open Networking Summit and was able to listen in on a few keynotes, talk to a number of end-users and vendors, and even manage to host one of the panels. Overall the time was well spent as industry buzz is still very high around SDN and this show provided some good examples of how organizations were evaluating, testing, or even deploying SDN solutions. Here are some of my takeaways.

Topics: IT Infrastructure Networking

Cybersecurity Skills Haves and Have Nots

I’ve written a lot lately about the cybersecurity skills shortage. For example, 25% of organizations claim that they have a problematic shortage of IT security skills. On an industry basis, 36% of government agencies say they have a problematic shortage of IT security skills, followed by 29% of manufacturing companies, and 28% of financial services firms.

ESG often builds a segmentation model as part of its research projects to further analyze survey data. The segmentation model divides the total survey population into 3 distinct groups: Advanced organizations (i.e., those with the most cybersecurity resources and strong security policies and processes), progressing organizations (i.e., those with marginal cybersecurity resources and adequate security policies and processes), and basic organizations (i.e., those with fair/poor cybersecurity resources and inadequate security policies and processes). Typically, advanced organizations make up around 20% of the survey population, progressing organizations represent around 60% of the survey population, and basic organizations account for the remaining 20%.

Topics: Cybersecurity

Who Can Design and Deploy Big Data Initiatives?

No doubt big data is experiencing massive growth today. A soon-to-be published ESG research survey of IT decision makers has found more than half of respondents will be increasing their spending by 11-30% over last year. There are many reasons why this is happening with tangible benefits applicable to most lines of business across industries. So, good news as big data initiatives gain momentum in 2014!

Topics: Data Platforms, Analytics, & AI Cloud Services & Orchestration

Has Mobile Computing Had a Positive Impact on Cybersecurity?

I’ve heard the same story from a multitude of CISOs: “As soon as we agreed to support BYOD and mobile devices, all hell broke loose!” How? All of a sudden there were hundreds or thousands of new devices accessing the corporate network. Many of these devices were employee-owned, unmanaged, and full of questionable applications. What’s more, users were now working on multiple devices and moving sensitive data between Windows PCs, iPads, Android phones, and a slew of online file sharing sites like Box, Dropbox, and iCloud. Holy threat and vulnerability, Batman!

Most enterprise organizations are now way past this early period of mobile security chaos. Yes, there are still plenty of challenges associated with mobile computing security, but did preliminary mobile computing anarchy have any positive impact on information security in the long run? In other words, did the initial mobile computing fire drills actually help CISOs recognize risks and address systemic weaknesses?

Topics: Cybersecurity Enterprise Mobility

Do you need an Oracle to see the Cloud?

Last week was an interesting week where I started out in New Hampshire in single digit weather with promise of 2 new snow storms and ended it in Palm Springs, CA where the temperatures were "unseasonably" warm in the 90s. Personally, I’ll take unseasonably warm anytime anywhere. The reason I was in Palm Springs was for an Oracle Cloud Summit. The summit happened to be right in the thick of the BnP Paribas Open – a pro tennis event held at the Indian Wells Tennis Garden that has two large stadiums, a ½ dozen small ones and several dozen courts. Needless to say – about as 180 degrees in every way from freezing, snowy New England.

And speaking of 180 degrees – Oracle has come a long way since their CEO’s 2008 proclamation about the cloud. Take Oracle’s acquisition of assets like Nimbula, which they are leveraging to help them manage and orchestrate cloud resources – public and private.

Topics: Cloud Services & Orchestration

What CISOs Can Do About the Cybersecurity Skills Shortage

I had the opportunity to present some of my research on the IT security skills shortage at last week’s RSA Conference. This is a serious issue that doesn’t get nearly enough attention.

According to ESG Research, 25% of enterprise (i.e., more than 1,000 employees) and mid-market (i.e., 250 to 999 employees) organizations claim that they have a problematic shortage of IT security skills. Furthermore, of those organizations planning to add IT headcount in 2014, 42% say they will hire IT security professionals. This is also the highest percentage of all. In other words, more organizations plan to hire IT security professionals than any other role within IT.

Topics: Cybersecurity

2014 Cloud Spending Intentions – Research, Trends, and Analysis

It’s that time of year again when we publish our IT buyer outlook for the coming 12-18 months. This year, our 2014 IT Spending Intentions and Public Cloud Computing Trends research has some really interesting new twists to it. Here are a few insights …

What got me most excited this year were two new things. We usually collect a tremendous amount of demographic data about the companies who are surveyed – company size, industry, etc. -- but this year we also capture the age of the company itself (i.e., for how many years the organization has been in existence). No big deal right? Well, I can assure you that the data for pre-Internet companies was a lot different when compared to companies born in the web age. We also looked at all of the data by the individual respondent’s age group. Once again, we found some fascinating differences. What’s more, this really gets interesting when it is compared and correlated to the age of the company.

Topics: Cloud Services & Orchestration

Google Glass, Wearable Tech, and Big Data

Despite working in tech for nigh-twenty years, I’m not a classic early adopter. I’ve certainly played regularly on the bleeding edge, but also prefer technology that works reliably and has real lasting value.

Some ways I’ve been early:

  • First programmed on a TRS-80 with a phone coupler and audio cassette storage
  • Had a Compaq portable and an Atari 2600
  • Read Neuromancer when it came out
  • Played online games on BBS forums as early as 1990
  • Used e-mail regularly since 1991
  • Ran phone lines between dorm rooms to network Macs via 2400 baud modems
  • Got a cell phone in 1996
  • Moved to SF in 1997 for the dot com boom
Topics: Data Platforms, Analytics, & AI Enterprise Mobility

Final Thoughts on the RSA Conference

The RSA Security conference 2014 has come and gone, and based upon my experiences in San Francisco, it certainly appears like we are in an “industrial revolution” as information security activity, innovation, and investment continue to grow. Early indications are that this was the biggest RSA Conference of all time.

Here are a few of my final thoughts on the show and the current state of cybersecurity:

Topics: Cybersecurity

RSA Conference Recap: Positive Direction for Security Industry

Last week’s RSA Conference was a whirlwind of meetings, presentations, and unusual west coast rain storms. I’m not sure about the attendance numbers but it seemed especially busy – not surprising after the many cybersecurity events of 2013.

I met with around 40 different security vendors throughout the week and heard some encouraging news. Rather than crow about the latest technology fad or threat Du Jour, many security vendors are now focused on:

  1. Integration. In the past, vendors tended to push a bunch of point products on a one-off basis but enterprise CISOs are now resisting this onslaught as they don’t have the time or personnel to manage an army of security widgets. Smart vendors are responding with more integrated product suites and central management. For example, Trend Micro is aggregating all of its endpoint elements into one product offering while FireEye is extending its protection across the enterprise. Similarly, Cisco is adding Sourcefire technology into traditional Cisco security and networking, while Symantec has consolidated a number of products into a data center security suite. Finally, Palo Alto Networks has externalized integration with a number of proof-of-concept projects with VMware NSX for virtual network security in large data centers. These efforts aren’t simple bundling and marketing spin, there is actual R&D going on to make products work better together.
  2. Ease-of-use. Security professionals don’t have the time for complex product deployment, customization, or lengthy training classes on product administration. Fortunately, some vendors are addressing this by making their products much easier to use. Newcomer TraceVector is designed to identify and apply risk scores to malware with a simple but thorough graphical interface. Click Security uses visual analytics to help security professionals see the relationships associated with malicious traffic patterns between various internal and external hosts. LogRhythm’s new 6.2 release is designed to advance and improve how security intelligence gets delivered to security analysts. Given the IT security skills shortage, this trend is very encouraging.
  3. Middleware. Once you start integrating security piece parts, you need middleware to act as the software glue between them. McAfee announced this type of architecture as part of its Security Connected and Threat Intelligence Exchange (TIE) announcements. In the short term, McAfee will use its middleware to integrate its own products and threat intelligence but it plans to extend these capabilities to 3rd parties over time to support heterogeneous environments.
  4. Automation. Given the scale of network traffic and malware, CISOs want intelligent technologies to take some of the risk management and remediation burden. I hosted a panel discussion on security automation that featured speakers from Boeing, NIST, and JW Secure (sponsored by the TCG) around this topic. All agreed that we need to instrument security tools and provide standard enumeration and protocols so we can share information more effectively. Many vendors are using the DHS/Mitre TAXII and STIX standards along this line to automate and integrate threat intelligence sharing. Aside from standards discussions, new security products from companies like Proofpoint, Tufin, and vArmour, are designed specifically to automate today’s complex security tasks. Once again, the security skills shortage makes automation a necessity.
Topics: Cybersecurity RSA Conference

A Solid Feel to SolidFire

Last week, SolidFire held its inaugural Analyst Event. Such activities tend to be the preserve of larger organizations, so the fact it happened begs both a comment and a question. The comment is to give the SolidFire team kudos for pulling off a well-executed and insightful day…it certainly punched above its weight. The question is to wonder what made the management team at SolidFire decide to undertake this exercise? And the two main answers to that – well, at least my two main answers to that – are what makes this particular startup interesting right now.

First of all, “things” (that means the basics of engineering, sales, recruitment, customer implementations – all the important things) are of course going along pretty nicely…you don’t tend to hold your first Analyst Day otherwise! There’s money in the bank, the company is functioning well, users like what they are getting (we had full, easy access to the three guest users), and the product is performing admirably. As a Colorado-based company, growing like a weed (!) is encouraged! That said, SolidFire feels like – indeed, has always felt like - a very measured management strategy and approach – and that leads us to the second answer.

Topics: Storage IT Infrastructure Networking Cloud Services & Orchestration