First Convergence Casualty

June 1, 2007

Business and security executives want innovative solutions to help them be more competitive, to meet policy and regulatory requirements more efficiently, and to mitigate risk more effectively by promoting collaboration between physical security, IT, compliance, business continuity, and privacy teams. So what can an executive learn from the demise of an innovative service provider that tried to bring these groups together?

The first startup to pursue the security convergence dream – and fail – goes down in history as either an idea ahead of its time, or a good idea with bad execution – or maybe just a bad idea. The first sign of the looming tragedy came when the company selected its name.

Ahead of Its Time

The idea behind the business was to provide hosted, managed security services – basically outsourcing event management and surveillance from the command center to a secure facility in Colorado where SCO was based. The idea had merit – and strong backing. Mega-integrator SAIC had tried unsuccessfully a few times in the past to build a private sector-focused business to complement their tremendous government client base. This time, SAIC supported the 3rd party company, making SCO a SAIC premier reseller and even endowing the new company with a few key SAIC employees.

SecConOne went belly up this spring despite having the technical competence to deliver solutions, a solid business partner, visionary investors, and pretty darn good sales folks. The website links no longer work and there is only a static homepage with no available contact information – also, no executives have responded to my requests for comment. The company failed, I believe, because it was disconnected with the customer. The security director, the IT security manager, the CIO and the facilities head all could see value in the services that SCO offered. The ROI was plain enough – using outside contractors instead of maintaining a command center facility with multiple headcount – but SCO could never communicate the value proposition in a way that ALL the players could embrace. Pitching a “convergence” service doesn’t fly unless the customer already has a “convergence” attitude.

Business Case First

Security directors should always seek a compelling business case when considering new products or services just as IT managers and compliance directors do. But each executive will want the story to be customized and for the ROI to measured against his or her own budget. Selling “convergence” is therefore a tricky art.

Here are the criteria I look for when evaluating a security vendor selling any product or service related to identity management (people and their privileges) or event management (what’s happening and how to respond) utilizing software or networking.

Technology – Utilizes a common, standard software platform and communications protocols (such as Linux, .Net, Java, XML, SNMP, etc); Common and reliable CPUs, standard IP networking equipment.

Management – The product lends itself naturally to IT best practices regarding work flow, policy compliance, and change management.

Interoperability– Integrates well with standard IT processes and policies regarding memory, storage, backup, etc. Interoperates with TCP/IP network equipment and/or business software platforms

Integration – Integration personnel or partners have IT skills and/or certifications. Utilizes standard interfaces (web services, XML, USB, Ethernet, etc), with published APIs or open source software as appropriate.

Documentation – Written in a style familiar to IT personnel.

Marketing – Oriented toward the IT buyer as well as the security buyer. Sales and marketing staff are familiar with standard IT management requirements and preferences. Sales may be made directly with IT departments.

Security– Stable and internally secure. Not prone to crashing. Coded with standard error handling. Not vulnerable to hacks, memory leaks, buffer overflows.

Customer Satisfaction– Existing customers actually utilize the IT-friendly features.

Integrators and technology manufacturers that think convergence is a goldmine of new opportunity are not mistaken. It certainly is. But yesterday’s sales pitches and last century’s technologies are not sufficient to strike gold in these hills.

Steve Hunt is founder of the Chicago-based research firm, 4A International, www.4ai.com. Contact him at info@4ai.com or visit his blog, www.SecurityDreamer.com.

SecurityDreamer is growing up fast. Since lauching Security- Dreamer in November 2006, readership has steadily grown. According to Hunt, he has recently added a daily email with recent updates. The site will soon feature more IT and IT security content -- especially information that relates to collaboration and communication across the lines of physical and homeland security with IT.

SecurityDreamer will host forums, or discussion boards, for topics like intelligent video, PSIM, security management best practices, endpoint security, FIPS 201 and needed technology standards. Watch for a Wiki, too. We are even going to list more than a hundred vendors and invite your comments on each.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.