ISS is dead -- long live ISS

29.08.2006
When I heard that Internet Security Systems Inc. was bought by IBM, I thought, "Finally." I was, ironically, talking to an analyst friend (yes, I do have a few of them) a few days before that about what I thought would happen to ISS. It was no secret that ISS had lost its way, for lack of a better term. It was a true pioneer in the industry and was responsible for making some of the staples of security programs available to the masses. But things had changed.

I was one of ISS's first customers, and I knew Tom Noonan and Chris Klaus soon after they began the company. I was happy for them when they became multimillionaires at their initial public offering (and mad that I had turned down a job with them years earlier). However, it's no secret that, at least as of a few years ago, something just wasn't right.

Some of their better long-term employees started to move on around then, always a warning sign for observers. But I saw more concrete evidence of trouble while I was reviewing potential business partners during my time at Hewlett-Packard, when an ISS sales rep with no clue as to who I was set up my visit as an introduction to security technologies and monitoring. While I am not so delusional as to believe I am a household name, I have keynoted most major industry conferences and write extensively in the field. I've even been told that a well-known industry analyst, who is not a fan, sarcastically referred to me as one of the "one-named people in the industry." I'll take that as a compliment. If nothing else, my title at the time was chief security strategist for HP Consulting -- a clue that I didn't need to waste my time or theirs on why security monitoring was so useful. Do research? Check Google? Ask his boss? No, this guy was lazy, and he felt that was acceptable for ISS work.

The news also started me thinking about the reports and predictions for which analysts haven't been held accountable. For example, one analyst predicted a cyber Pearl Harbor by the end of 2003 or so. Hasn't happened. Gartner made lots of news by predicting that there would be some sort of public billion-dollar loss as a result of Y2K. Didn't happen (though as I mentioned in a previous column, that doesn't mean Y2K preparations were in vain). Likewise, if you review Gartner's so-called magic quadrants, you will see that many of the companies placed in the magic quadrant over the years have gone out of business or have been liquidated into other companies. Even Gartner backed off its own report of the demise of intrusion-detection systems.

On some level, it's impressive that people care about what analysts think. They have visibility into many companies, and the companies pay them so that they are visible. This is important for buyers to understand. Companies want to get on the radar screen of analysts because a lot of IT executives pay a lot of attention to what the analysts have to say. Analysts are supposed to do the research for potential purchasers of technology. Buyers therefore pay analyst firms for their industry reports in order to cut down on the research that companies have to do.

The problem is that the vendors also pay the analyst firms for their advice. They want to know how they should in theory approach the market, and what their competitors are up to. A lot of vendors believe that they have to "buy the research" so that they are covered by the analyst firm's research and that potential buyers will read about them in it. The term conflict of interest comes to mind.