John, I know you are fond of the "controversial headline", but this is just a good example of a case where security is involved in part of what the company offers, and so the CSO or Security Director can easily be involved in promotional or business development efforts. There’s nothing wrong with that. And although it is harder to do at some companies than others, it can almost always be done in big or small but worthwhile ways. In my comments I’m not addressing the PSIM or any other product aspect. I’m addressing the example factor in what you wrote.
Security Business Value is Real
One of these examples involves a direct role in sales; the others contribute value a little differently.
I know a Director of Security for an information systems services company, who was required by 48 potential clients in just a one-year period, to participate in final sales meetings. They wanted her to explain how their own company applied security to the systems that they were selling, based upon their own use of such systems. They wanted to make sure that the company had a practical understanding of information security, and that they were actually “walking the walk”, not just talking about it. No security director meeting—no deal. She was the key factor in closing many big deals.
I know a Security Manager (now Director of EHS and Security) at a pharmaceutical company, which had started making products to be marketed under the brands of others. Because it is a highly regulated environment, and because security is a very critical aspect of such facilities, his mission was to “Very visibly reduce security risks to acceptable levels at an acceptable cost.” The visibility factor meant that prospective customers would walk the facility and decide that they were much better off contracting out the manufacturing to this Security Manager’s company, than to try to establish the same caliber of Quality and Safety programs in their own facilities. At the closings of many deals, the customer explained that the impressive Security program was one of the key decision factors. Additionally, the use of video cameras in manufacturing lines saves the company over $1 million annually (I have seen the numbers).
For another company, personnel safety and security for the afternoon and night shifts is critical. The security program was upgraded in many ways to enable the company to hire and retain a higher caliber of individual for these shifts, and it was successful in creating a highly awarded (“Top 50 Best Places to Work”) business climate with a number of business metrics proving it.
I have many other examples, but I think these are sufficient for this discussion. “Security adding business value” doesn’t always mean a direct impact on sales, but it does mean improving the value of the company in one measurable way or another.
Of course the visibility and status that comes with a high position in Microsoft is not going to be available to the majority of security practitioners, and often the most valuable aspects of security programs are highly confidential. But that doesn’t mean they don’t add measurable value to the business.
And I am very familiar with some organizations where executive management still considers security nothing but a cost center, and I have met security managers and directors who have low on the job self-esteem relating to that situation. But if you don’t hold up some examples of security adding value to the business, how can you inspire anyone to look in that direction?
It is very true, as Mike Howard said, "Security must be integrated into the core mission of the enterprise and receive a seat at the table." What that means is different for each organization, but that doesn’t at all mean that Mike’s detailed explanation of it is worthless to other security directors. It does let them understand how they are in a similar or different position, and keeps them from getting false expectations that would result from purely generalist assertions.
In the past Microsoft has established a bad reputation on security for itself in several ways. Apart from the sales aspect, the CSO’s visible efforts help correct a part of that situation, and visibly so.
And so I take issue with your very last statement. I don’t think any one CSO could provide an example that all other security directors could copy in rote fashion. Companies are too different one from another, even in the same industries. The underlying implications of your statements about the worth of Mike’s stories are flawed.
Disservice to Security Practitioners
However, in the mix here is another factor, which has plagued security practitioners—most of whom are not aware of it. It’s a disservice that the security industry has unwittingly perpetrated for so many decades that even security practitioners who know better still make statements like, “I’ve been in the security industry for 25 years.” WRONG! There is a huge difference between the Security Profession and the Security Industry, as I have written about before. A Director of Marketing is not in the “Marketing Industry”, but is a “Marketing Professional” in the automotive industry, or hospitality industry, or some other industry. Failure to make such a distinction is an oddity of security practitioners.
One of the reasons for the low status of security practitioners is that they consider themselves part of a product and service industry (i.e. a commodity position), rather than a critical middle or top management part of the organization in which they hold their position. There are historical reasons for it, including contracted security services, but that’s another story.
So don’t be so quick to write the value of Mike’s work off for other practitioners, who certainly don’t need to become sales people to provide measurable business value to their companies. Yes, the bottom line is important, and there are many ways to contribute to it. None of them are worthless.
My strongest objection to Microsoft / Howard's approach is the vagueness about Microsoft's role in the industry and the security department's role in selling / generating commissions on sales. Goal #1 of the post is to make it clear to the industry that this is occurring.
Microsoft has built its sales and marketing efforts in security all around their CSO, which, as I noted above, I think is tactically brilliant, but also very misleading / confusing to the community, especially the security directors who are receiving these demos / shielded sales pitches.
If Avigilon's CSO was saying he generated business value by replacing 95 cameras with a single 29MP or if Arecont's CSO was saying he was a leader because he achieved the highest PP$ in the industry, we would easily laugh it off, recognizing that they are simply shilling their products. What Howard is doing is the same, though with worse products.
While there are many ways for CSOs to contribute value, doing so by promoting one company's own products is of questionable value and not common.
As for your examples, like improving safety and security for afternoon & night shifts and using cameras to reduce cost on manufacturer lines, those are great operational examples that vast numbers of security directors can emulate, unlike selling one's security devices/service, which are only open to a few.
I don't really think this is a case where a savior is needed on behalf of "the community". I think most folks would hear the words "Microsoft" and "software" and "security operations" and think that at least a part of what they are going to be getting is a promotion of Microsoft products.
It's Not Uncommon to Promote and Make Referrals and Benefit
I have met a number of end users who made special deals to be a "showcase" site for a period of time after installing some new product. One was a 10% discount on a significant investment.
Another made referrals and got additional VMS camera licenses for free.
The promotional aspect of what you're writing about would not be lost on the consultants and end users I know. Integrators, having been burned too often one way or another on product claims, are rightly a very suspicious group and can sniff out a promotional slant a mile away. So I don't think it's that big a deal.
The CSOs and security directors I know wouldn't for a second consider their companies to be the same as Microsoft. That doesn't mean they wouldn't want to know what Microsoft is doing. It is hard to get much insight into what large companies do, because it's usually highly confidential.
That's one big clue to the fact that there may be a promotional aspect involved in Microsoft's providing a look into internal operations.
There was a video posted online some years ago by a big name company that showed how they use their own communications technology to respond to a duress situation in a reception area. I sent many clients to view that video while it was up, because it was a very good example of how technology should be used in that kind of situation. We all knew that it was promotional, but that in no way detracted from its value. I wish it was still online.
As I mentioned before, I'm not getting into product discussion here, I just disagree with the blanket personal derision of a CSO and his company's operations in this way. Mike is one of a number of top-notch security folks at Microsoft. People who do know Mike and the range of his knowledge and experience would take one look at the article title and lower their opinion of the writer and IPVM, not of Mike.
As you know I am a big supporter of IPVM, and it disappoints me to see this kind of thing because it smacks of crude internet bloggery rather than professional journalism or industry analysis. Yes, I know that for decades magazines in the IT world have used this kind of headline to grab attention. But those were almost always from columnists who were well known for exaggeration and mockery, and were generally not written by the editor or someone in a senior position in the publication.
Bottom line: I'm in favor of things that elevate IPVM, and opposed to things that have the opposite effect.
But when you target an accomplished security professional, put his picture in the posting and link to his LinkedIn page, you have made a strongly personal attack.
Regardless of the fact that most readers would consider it to be a sensationalistic gimmick, the personal attack aspect is in poor taste.
I'd like to think that this is out of character for IPVM. If that's not a fully accurate thought looking back, I sure hope it will be going forward.
Ray, you are certainly entitled to your opinion, but your continued allegations that I am doing this to 'grab attention' are unfair and ad hominem. It would be like me claiming that you are making a public defense to curry favor with Microsoft and their powerful allies for future consulting work.
We have criticized dozens of large corporations for their marketing practices for years. This was not the first and it will not be the last. Sometimes people agree with our critiques, sometimes they do not. That's life.
As for mentioning Howard personally, the whole marketing campaign is centered upon him personally. Take away Howard and Microsoft promotional efforts in physical security are essentially nil (little tabletop booths at the back of shows, etc.). As I said, I genuinely think it's an amazing sales and marketing effort, and he should receive kudos for designing and executing it.
That said, I also believe that Microsoft, and specifically Howard's marketing campaign, is hypocritical and disingenuous and therefore, full of it. You do not. That's fine. You've made your case. I've made mine.
The positives and negatives of the article content aside, I agree the title is pretty sensationalist. I think a professional publication could sound a little more professional and less emotionally charged.
Yes it is good sales technique. Take what's been built with the resources that are easily available and use the big machine to advertise. Can't go wrong when your own company is the biggest software house in the world.
It's simply sound business practice to integrate the corporate risk management or asset protection programs, leaders and services deeply into the larger mission and business of the corporation. At Microsoft the core business is selling the corporation's products and services. Security directors who believe they're in the protection business (called white soxers, as white sox & blue suits were the dress du jour for the recently retired who moved from gov't into security director positions in the '60s) have for the most part been shoved aside by those who become students of the business, understand key mission integration and forge deep partnerships by delivering real value in expense reduction, sales maximization and facilitation across the board. Microsoft's GSOC is a bit of flash that impresses clients and also adds to Security's partnerships with the active selling departments whose clients it impresses.
As for being predominantly masochistic and plagued with low self esteem, my experience is exactly the opposite. I guarantee no one ever thought that of me nor of 95% of my brethren in the profession. If they had that mistaken impression on the front end, the loss of a few fingers or toes corrected that mistake early on. :-)
Well from where I stand, I appreciate the article. I think this whole scenario has been called for exactly what it is. It's refreshing to get the non-populist, non-rewarded view of things.
This is a no BS site - things are what they are and they get called out for what they are. It's often not popular to be the whistle blower - yet this is a highly needed service. A lot of people just don't have the spine to stand and be counted and call things for what they are. On this site you can COUNT on getting the critical review - if there are a few loose threads to a story, John will pick it apart. I don't know of any other site doing this in a professional and non emotional way. We need this - really.
That he is a "top executive at one of the largest companies in the world" does not excuse him from criticism. Indeed, if anything, such individuals and companies must be held to a higher standard.
IPVM is not here to critique bouncers at biker bars for taking bribes. We go after the most serious issues. And Microsoft's grossly misleading campaign here is one of those. You can certainly disagree, but we are going to continue to call out issues of major players in the security industry.
I think what we may be looking at here is a Chief Security Officer who has looked for the right avenues and paths to earn himself a seat at the big boy table. As a higher level security manager myself, I identify with a lot of the stereotypes and the frustration with being a 'non-profit center' manager. Often times Security can segue into LP, create value and become more of a profit center, but pure security and liability won't show that as easily. As a CSO or higher level security officer in this continually more numbers driven economy, you have to find innovative ways to capture the attention of the C-Suite and stakeholders. How this guy chose to do that was wise given his company's market, but the real lesson here is that to build credibility and power as a CSO, you have to play the game. Mike Howard's played this game well. I think if we looked under the hood though, we would very likely find that the increased budget and visibility he's brought to Microsoft's Security program has led to better security and funding for core security competencies. Perhaps you could consider his methods marketing, advertising, but in the end I'd wager he's leveraged his successes to invest back into the core elements of security programs and make them better for it. Bravo Mike, well done.
Given how insignificant security's revenue contribution is, it is hard to imagine that he has "a seat at the table". Microsoft generated $73 billion in 2012 revenue. Howard mentions millions of sales but let's be generous and say their security demo program brought in $50 million last year. Unfortunately that is still less than 0.1% of Microsoft overall revenue, hardly a level that would make any material impact to the corporation.
As for better security, is it really better to constrain yourself to technologies that Microsoft develops or that they can generate a commission on? Just look at their PSIM (video above) that could not directly connect to cameras and had to generate individual web pop ups for each camera? There are best in class 3rd party offerings that can do far better.
With the minimal overall revenue upside and the potential technology limitations, strategically, in the big picture, this does not make much sense.
However, for personal brand building, this is dynamite and, for that, I certainly applaud Howard's achievement!