PAN is not the first to try this strategy. Cisco, Symantec, and McAfee all tried, and all failed at building a platform of security products. Microsoft (MS) is well on their way toward a single security platform as well.

PAN’s strategy may be flawed, but the idea is not.

PAN correctly identifies that companies can benefit from a single, unified interface for security monitoring and management. However, their execution is the problem. PAN and MS are both building a Platform for Products. The PAN platform only manages other PAN products, and likewise for Microsoft. This makes these platforms limited and constrained.

What the security industry really needs is a Platform of Platforms (PoP).

What is a Platform of Platforms?

In an ideal world, cybersecurity teams would have a single portal where they could go to interact with their entire information security environment. This is a Platform of Platforms. A PoP would not necessarily manage every aspect of all those disparate products, but rather provide a simplified way to see their status, access key data, and perform routine functions. A PoP unites the entire security infrastructure into a single portal.

With a PoP, security teams could integrate any security product, whether it is PAN, Cisco, Wiz, MS, Crowdstrike, etc. into the platform. Those products would then publish a set of capabilities to the platform.

For example, the PoP would not manage an endpoint security product like Sentinel One. Yet, it could show a list of endpoints not secured along with other useful reports, such as malware blocked. It might also perform some common management functions, like kicking off a network-wide scan or search for a specific file-hash value.

The PoP is a window into endpoint security, but does not replace Sentinel One’s native management tools.

Now before you dismiss this idea, have you looked at ServiceNow or SalesForce lately? They are essentially PoPs.

PoP Drop

Naturally, you are shaking your head saying this is impossible. Ten years ago the management portals companies built for their products were completely closed. Now everybody uses an API, and those APIs are published (some publicly.) APIs are insanely powerful. They open up a product’s possibilities in ways most vendors cannot even imagine.

PoPs could use these APIs to interact with each product, to obtain data and execute functions. SIEM and XDR platforms have been building huge databases of functionality to accommodate a vast library of third party tools. This effort would only be slightly more complex than those efforts. Moreover, this is exactly the kind of problem AI could help solve.

Sounds like a SIEM

SIEMs are the closest relative to a PoP. The challenge with SIEMs is that they are focused exclusively on managing data from products. A PoP would go a step further to actually interact with a product’s native API. However, a SIEM would make a logical starting point to build a PoP. Some of the larger SIEM products are rapidly approaching a PoP-like functionality.

Who Runs PoP Town?

Naturally, the question is who owns or runs this PoP. No single security vendor could do this. Building a PoP would require a company with vast resources and a reasonably neutral position to the vast set of security products on the market.

This is why PAN’s platform is unlikely to succeed. It demands you buy completely into the Cult of Palo Alto Networks. PAN has made it clear they are not going to sell a platform that manages non-PAN products.

The obvious answer to who could do this is the cloud service providers: AWS, Microsoft, and GCP. They have the resources and are reasonably neutral to security products. AWS is already partially there with their Security Hub product. Azure has a security console now, but it is a clunky mess. And GCP has not been acquiring security companies for fun. They obviously have big ideas as well.

A PoP was part of my own vision for a product years ago. I envisioned a platform that could not only build itself but configure a disparate set of tools and provide a single management interface. My vision was too big for my funding, so I downgraded it into a compliance product.

PoP Benefits

The single greatest challenge in cybersecurity is and always has been complexity. The more complex a system is, the more difficult it is to protect it. Modern enterprise environments are insanely complex and insanely complex to secure.

The ultimate purpose of a PoP: create a simpler, more streamlined way to interact with the security architecture. Provide a single place where a diverse group of people, from leadership down to operations can access and interact with the security environment.

A PoP would not replace existing management consoles. Those would still have a place in a PoP environment. There are plenty of use-cases where administrators would need to drop down into a native console to perform administrative functions.

I fully admit that a PoP is a bit of a pipe-dream at this point. The effort necessary to build a viable, working PoP is extreme. However, this is yet another way that cloud providers could continue their consumption of the security industry (see Cloud Eats Security.)

NOTE: Since writing this blog in February of 2024 I have started seeing actual products making a run at this concept. Google’s acquisition of Wiz and Zscaler’s acquisition of Red Canary are two prominent examples of consolidation in the pursuit of an “all in one” style platform.

The post Platform of Platforms appeared first on Zenaciti.

You bought a froduct, a product that is really a feature or collection of features. Froducts are everywhere, but they are particularly pervasive in cloud and security market. Free flowing funds has fostered fertile field for founders flaunting froducts.

What is a Froduct?

For something to be a froduct, it must meet two criteria:

1. Limited Use. Security and cloud froducts target specific needs, such as compliance, data replication, or incident response.
2. Dependencies. Froducts depend on other technologies, systems, or people to work properly.

Froducts are not necessarily a bad thing.  In fact, many innovative technologies begin their life as a foduct.

One example of a successful froduct was Portshift. This Israeli company made a Kubernetes security product. Their product, like many container security products, was really a collection of existing Kubernetes and cloud capabilities. You could do almost everything Portshift did with existing open source tools. You also had to have a containerized application environment — limited uses, critical dependencies.

Portshift brought these features together into a product, racked up some wins, and got acquired. Investors put in $5 million and Cisco paid approximately $100 million for the company (the actual amounts remain undisclosed.) That is a 20x return on capital. A fabulous froduct finish.

While froducts are great for founders and investors (when they work), they are not always so good for customers. Froducts can create as many issues as they solve. Yes, you have security mesh on your containers, but who is going to define, manage, and monitor that? Container security mesh, like many other security froducts, is a great idea that is difficult to implement successfully. Froducts often make lofty promises of efficiency, security, and reliability, that are difficult to fully realize.

So where do all these froducts go?

Cloud Eat Froduct

In my recent analysis article, Cloud Eats Security, I described how the Cloud Service Providers (CSPs) such as AWS or Azure, are gobbling up security capabilities.

For example, consider Web Application Firewalls (WAF). A decade ago, WAF was a thriving market, with multiple big players like Imperva and F5. Now, WAF is a few clicks on your AWS, Azure, or Cloudflare console. There is really no reason to buy a WAF anymore.

Cloud providers are slowly gobbling up froducts. Bundling them up into their offerings and making them easier to implement. While their versions of these technologies may not be as good as the stand-alone ones, it does not matter. They are good enough. Like it or not, that is all most buyers want.

Go to Froduct Market

For every froduct that clocks in a 20x return, there are hundreds that merely burn investor cash. The core problem with these places is they have their go-to-market efforts completely wrong.

Security and cloud froduct companies keep struggling to solve security or cloud problems. They put out endless marketing fluff about hacking, peace of mind, and attack surface areas but fail to address the real question that buyers want to know: what business problem do you solve?

Security problems are small, nuanced, esoteric pixies that require lengthy explanation, education, and endurance to comprehend. In contrast business problems are lumbering leviathans that even the most clueless investor can understand. For example…

Business problem: we need money.

Security problem: we need to restrict access to specific users, with approved session tokens.

A security froduct might be innovative and effective, but if it creates any kind of impediment to revenue, then who cares. Startups with froducts need to look way beyond the cool thing they do and think about what those cloud service providers are doing.

Froduct Packaging

The reason AWS can get away with a subpar WAF is because the totality of AWS is more valuable than the individual components. AWS’s value is not in their security or compute capabilities, it is in the platform.

Or another way to say this, AWS does not solve compute problems (or security ones for that matter), they solve business problems with computing products.

Startups can use this same technique to make their languishing froduct more useful and valuable.

For example, which one of these product pitches do you think work better on a C-level executive with limited budget?

Our cloud deployed IAM product integrates with your on-premise Active Directory to synchronize user identities across cloud environments. It can reduce unauthorized access and protect data.

Our product keeps your people working earning revenue.

Do not sell the froduct, sell the better future the froduct (on some big platform) delivers. Froducts, packaged together, to solve large scale problems are irresistible to leaders who want to contain costs. Moreover, they alleviate pain.

So, what are some of these large, business problems? There are only a few of them.

1. People: expensive, fickle, smelly, hungry
2. Money: never enough of it
3. Time: never enough of it

If your froduct platform can replace people, save money, and/or reduce time to success, then you have a winner. If your froduct requires a company to hire more people, pay more money, or consumes more time, you have an uphill battle ahead of you.

Conclusion

When you go shopping for new security products, take the time to consider the dependencies.  You may be buying a froduct.  Likewise, products that integrate with existing platforms, like AWS or Azure, are naturally more effective since they can work on existing environments.

If you are a product company, then you must be able to place your product into the context of a customer’s environment.  Stop talking about the security challenges you address, and start talking about how you will improve the customer’s experience. You can still talk about those security benefits, but only after you and the customer are clear on the business problems you solve.

The post Rise of the Froduct appeared first on Zenaciti.

These are all reasonable explanations, yet they ignore the most obvious one: outlandish valuations. Is a startup with $5M in revenue worth a billion?

No…and to think otherwise is outright delusional insanity. However, I do not fully understand the absurd valuation math of Silicon Valley. It seems that if an investor believes a valuation is true, then it is.

Keep in mind, this is the place that minted valuation absurdities like Theranos, Webvan, and (here is an oldie but a goodie) Cue Cat. Yes, that Cue Cat. In fairness, for every Cue Cat that Silicon Valley funded, there are dozens of genuinely innovative companies that contribute to the forward progress of humanity.

Whether it is absurd valuations or the lack of baby formula, a reset for startups seems inevitable. So, what kind of evasive maneuvers can startups take to weather the coming dark times?

Vision

To paraphrase the great philosopher Freewheelin’ Franklin: vision will get you through times of no customers better than customers will get you through times of no vision.

Vision is a description of the future. A well-defined, well-articulated bright future inspires hope. Hope that the company will successfully navigate through the darkness. Hope that rewards are attainable. Hope that all the struggle, toil, and stress will be worth it and have meaning.

To paraphrase Jyn Erso, startups are built on hope.

To promote a brighter future, startup leaders must emphatically promote the company’s vision. To do that, answer four questions:

1. Why does the company exist?
2. What problem(s) does the company solve?
3. What are the values of the company and its people?
4. How can people find meaning and relate to those values?
5. Where is the company going?

Do not make your vision about money — ever. Money is a weak motivator. Moreover, nobody cares about making money for the investors or founders. Vision must be about something people can genuinely care about. Money must be the result of staying true to the company’s vision, values, and mission.

Vision gives people purpose. Without purpose, employees invariably ask themselves “why am I here?” It does not matter how smart you are, or how many big shots you know, or how much money you have in the bank, without purpose people have no reason to stick with the company.

Vision will get you through the downturn. However, words alone will not solve everything. There are some other ways to stay on target.

Automate

One of the many ways we sap meaning from people is to put them into roles with repetitive, boring work. Automate repetitive tasks and promote the people into more meaningful work.

The mere act of shifting people’s focus from performing a repetitive task to automating that task, provides a more satisfying job. Moreover, one a task is automated, your products and services become more reliable, scalable, and valuable.

Put that Coffee Down

Maybe you need Alec Baldwin to yell this at you: Always Be Closing. You need to sell, sell, and sell some more. To do this, you must arm your sales team with the resources they need to effortlessly demonstrate your company’s value.

For example, all salespersons must be able to expertly demo your products at a moment’s notice. If you sell services, you must have a library of sample output (reports, content, etc.) that demonstrate your capabilities and expertise. Demos and samples are effective ways to communicate your company’s competitive advantages.

In my experience, the only way out of a hole, is to sell your way out. There are only so many cuts you can make to staff or spending before the company becomes ruined. Investing in sales and marketing is the ticket out of the dark times.

However, before you charge ahead, be clear with your sales and marketing teams that results are the only metric that truly matters. Effort is expected, but results are what they are measured on.

Product Improvements

You know the next valuation is going to be low(er). So why not actually improve your app and have something more valuable? Downturns are an excellent time to clean up all the crap in your app that is holding you back. Quit dickering around with every dumb customer feature request and go back and fix the big stuff.

Emerge from the darkness with products and services that are more valuable, and therefore can command reasonable valuations.

Repackage

When times are tight, buyers go bargain hunting. They expect every app, service agreement, and subscription to go farther, offer more, and solve more problems. If you are a special little unicorn app that only works in a narrowly defined set of requirements, then it is time to repackage yourself and broaden your appeal.

Build packages that solve entire business problems all in one. Moreover, reprice everything into monthly subscriptions, usage-based billing, or extended terms to make payment easier on customers.

Partner Up

Rather than be a lone sinking ship, partner up with other sinking ships. This also can help with repackaging. If you can bring partners to the table that fill gaps in your offerings, then you have more to offer.

However, before you sign up a bunch of partners, make sure you understand how each partner makes money. Each partner must be able to see how they can benefit, otherwise it is not a real partership.

However, be honest with your scale. A $5M startup is not going to have the market reach of a titan like Cisco or Microsoft. If you partner with a bigger player, then you need to accept the inherent unequalness of the partnership.

Be Brutally Honest

Unfortunately, tough times mean doing more with less people, resources, and time. Layoffs, cutbacks, and delays always feel bad.

Do not sugar coat the unwelcome news. This only makes you look foolish and desperate. Also do not make it about you. Be honest about the changes. Show remorse but show resolve as well.

The intent is to show you care about people, but you are committed to staying the course and seeing the bad times through. This is why vision is so desperately important in bad times. Layoffs and lost deals are the ideal time to double down on the company vision, values, and mission. It pulls everybody back together and recenters them on why the company exists.

Conclusion

Do not give up. Downturns are inevitable. Yet, nothing bad lasts forever. Startups can survive (even thrive) in bad times. Moreover, as the Wired article points out, troubled times can mint stronger companies. The key to coming out of this storm is keeping your eyes on the prize.

To quote one of the greatest philosophers I knew: perseverance furthers.

The post Surviving the Startup Crash appeared first on Zenaciti.