Building on a prior post, with an admittedly arbitrary number that seems about right as far as the number of reasons goes, and with more in this series coming in the future…
This is a quick story to give readers an idea of just how bad our industry really is. This is not anecdotal either; I was present for this one, as it impacted Risk Based Security. In addition to regular customers who consumed our vulnerability and data breach intelligence, we had a number of partners and resellers. We were always looking for more, as they could be considerably more profitable for not much extra work.
This is from 2014, when we were talking to a mobile security company that did nothing but various forms of security around the base operating system, patch level, and the installed applications. I’d bet they did the base system and patches just fine, as that was not difficult to track. You’re talking dozens of vendors, not the thousands we covered directly. They were definitely interested in our vulnerabilities around third-party apps, as a way to supplement their offering.
The contract wouldn’t have been worth that much compared to other partners, putting it more in line with a regular customer actually. I mention this because the spend for them would have been pretty low for a comparatively big gain in capability.
They liked what they saw initially and opted to do a full evaluation, meaning they could access all of our data. After a few weeks we had a follow-up call to see what they thought. During that meeting they were impressed by our data and said several times how comprehensive it was. We took that to be a good sign, expecting this to lead to a contract and them signing on.
Toward the end of the call, someone from our side suggested they send over the contract and licensing information to move them to the next step of the sales pipeline. That’s when the CTO or CEO (I forget) said something that left everyone on our side utterly dumbfounded. This is a paraphrased quote based on my admittedly sub-par memory, but it does 100% accurately convey the intent and gist of what he said.
We really like what we see. You have a lot of vulnerabilities that would be great for us. But, our customers aren’t asking for better vulnerability data.
With that, they said “no thanks” and moved on. Hopefully you are already feeling the anger like I did. I waited a long time to tell this story, even anonymized, to be safe. If you aren’t feeling that anger, let me break it down.
This is a company that sold “mobile security” to their customers. They were profitable; people obviously liked their solution. They had the chance to expand their vulnerability coverage and offer better security to their paying customers, ones that were not experts on mobile security or vulnerabilities. Their customers did not know to ask for more, because they assumed that’s what they were paying for already. If asked, I am sure 100% would have responded “yes, we want better security!”
Watching a company that claims expertise in a domain come up short on the coverage they were providing, evaluate our offering, compliment it in glowing feedback, then say they wouldn’t pay a small amount to offer better data, and more coverage, for their customers is not just absurd, it is negligent in my opinion.
When security companies refuse to look out for their customers after having that opportunity, and choose a tiny sliver of extra savings instead, then the technology world is certainly doomed.