The Challenge of Being a Russian Security Software Company

I came across Passwork today and was really impressed with the presentation as well as focus of the product. This is the kind of product that I would instinctively sign up for and test drive… but for an unrelated reason I started poking around on their site to find out more about the company.

It became clear that the company is Russian and this fact alone represents a major impediment for any company in the security software space. In all fairness I am making this assumption off factors like domains and language… the company itself provided no contact information on their website, which is itself kind of weird.

There is obviously a lot of good tech that comes out of Russia but there is an intractable problem when going global and that is the ambiguity about the extent to which Russian government activities encroach on the activities of commercial companies. The same can be said of China and in the interest of being fully objective about this topic, the same can be said of the U.S.A. as more attention and disclosure was put on NSA, FBI, and other government agencies. Selling globally, I know this is the case: companies not based in the U.S. have significant objections about domiciling data in U.S. datacenters.

The problem for companies in Russia (and China) is that of the perception of egregious bad actors, including overt criminal activity. It’s one thing to have the government accessing your data, it’s another altogether to believe you would be exposed to criminal industrial espionage. I simply would not try to build a security software company in Russia if I have an aspiration of selling to a global enterprise market. Kaspersky Lab is a notable exception here when it comes to endpoint security but it’s clear that the company is aware of this and also the rising tensions between the U.S. and Russian governments.

Passwork is also, apparently, aware of the obstacles and goes to lengths on their website to highlight open algorithms, data security and privacy. In addition to addressing these issues up front, they also offer a version of the software that is on-premise. I’m not sure any of these measures really overcome the perception of risk, which in many ways is a binary condition.

As much as I liked the marketing for Passwork, I didn’t sign up.


Flipboard Becomes an Enterprise Collaboration Tool, They Just Don’t Know it.

Flipboard launched a private magazine capability this week.

With today’s release, there’s an exciting new way for people with shared interests to unite on Flipboard: private group magazines. Now you can collect stories together, and comment on them, in a closed setting.

At Ping I used a Flipboard magazine to collect industry news along with competitive information. The intended audience for this magazine was everyone in the company, with a focus on the sales teams, and I was successful with that goal with close to 100% of the staff getting the magazine on their mobile devices (everyone at Ping has an iOS or Android smartphone, it’s essential for 2 factor authentication).

View my Flipboard Magazine.

However, I have been limited in the commentary I could attach and I was reluctant to post competitor-sponsored content that was directed at the company. Why would I promote competitive content that was not educational in nature?

The Flipboard format is really compelling for internal corporate communications. Visual and mobile centric, it is also easy to manage with the tools that Flipboard provides. The lack of commenting is not an issue because the sharing tools allow for dropping of content into full blown collaboration systems.

Private magazines resolve the biggest limitation for enterprise usage, good move on their part. I can see many consumer applications for this but the ability to use Flipboard as a communication tool for businesses is the bigger opportunity for the company.

Let’s Stop Badgering Companies for Trying…

I gotta give Nike credit for this, it’s edgy and pushing a boundary of what athletic apparel for women should be.

Predictably, the outrage factory spun up and without a hint of irony this BI piece (well it is BI) has decided to represent all women in the headline. I have no doubt that Nike has access to women athletes, so I would put strong odds on the idea that not ALL women are outraged.

“The Sacai collection is undoubtedly a vanity project for Nike, but its premise — that female athletes prize style and appearance over functionality and performance — is completely tone-deaf,” writes Megan Wiegand for Slate.

Yeah, I’m sure all that LuLuLemon stuff is being bought on the basis of performance alone…

Let’s imagine a world where companies play it safe and design to the lowest common denominator of what every segment of a demographic wants; in that scenario are women consumers better served than one that caters to individual preferences? No. Fashion is personal and women – outraged or not – will simply vote with their dollars.


Starbucks As Race Uniter: Piss Everyone Off Equally

Starbucks found itself in hot water this week after encouraging baristas to write “racetogether” on coffee cups and discuss race relations with customers. And of course there is a #racetogether hashtag campaign. Sigh.

I give you Starbucks leadership team… you can’t blame them for being so white, there aren’t many sunny days in Seattle. I can’t explain why they are predominantly men.

It didn’t help when head PR honcho at the coffee purveyor, Corey DuBrowa, deleted his Twitter account after the deluge of negative reaction. This only reinforced the perception that this was little more than a marketing gimmick and the company really wasn’t interested in a “conversation”. Euphemistically or not.

No matter how you spin it, this is not a good day for Starbucks, which to its credit does have real diversity programs that throw business to minority and women owned businesses. These are the kinds of programs that companies like Starbucks should be investing in, because most people don’t want and won’t accept being talked to about serious issues through patronizing slogans written on coffee cups and 140 character missives anchored with a hashtag.

Outrage in America has itself been elevated to a cause, and there may be an element of that here but the critics seem to have a valid point by highlighting the hypocrisy of talking about diversity in a company led by old white guys. Fair or not, Starbucks can’t ignore that fact. This leads to an important threshold that companies wading into social commentary have to meet, which is your moral authority. It would be hard to argue that Starbucks has any moral authority to lead this debate given their leadership and customer demographic (break down the stats on store locations for further evidence of this). Of course you could also argue that no one is uniquely qualified to talk about race just because of their skin color… I could make the case either way but what I won’t defend is the idea that corporate sloganeering will lead to positive change.

Another element at work here is that most cause marketing that isn’t linked to an explicit act is in itself a sham. Hashtag campaigns have jumped the shark and I believe that people are actually a lot smarter than advertisers give them credit for. People pick up on the cues and can call BS on these activities even if they don’t do it explicitly. Advertisers should do themselves a service and ditch the hashtags and calls for “conversation”… it’s the kabuki theatre of going through the motions without doing the work.

Look no further than the kidnapped school girls in Nigeria. #BringBackOurGirls may have made people feel good but a year later the girls are still missing and their fate a mystery… Boko Haram was, apparently, not impressed by a hashtag campaign.

Companies can be a force for social good when their good intentions are coupled with policies and hard work. Marketing slogans and diversity officers that are little more than paper tigers won’t qualify nor improve the standing of companies when called to stand up for diversity as a cause.

PS- If Starbucks is serious about race relations in America, put a Starbucks in Ferguson Missouri and contribute generously to the rebuilding of that city where white and black residents are paying the price for shameful yellow journalism built on a hands-up-don’t-shoot lie. There is no Starbucks in Ferguson, I’m sure the residents would appreciate the jobs.

smart +/- watches

So it’s been a long time since I last wrote and I don’t have a good excuse for that… family life has been busy, work is hectic, I’m too heads down, my vitamin D is low, yada yada. Truth is, I just haven’t felt like writing.

However, that does not mean I have stopped thinking and experiencing. Like many of you I have been following the wearables category with great interest, in part because it represents a huge growth segment for end user devices and infrastructure to support them. The bigger reason for my enthusiasm is that these devices have the capacity to greatly enhance our experiences with technology.

Last year my wife got me a Moto360 and despite being kind of particular (snobbish) about watches I have to say I was looking forward to this device. It looks like a traditional watch and has nice build quality, including a well made leather strap. It looks and feels nice on my wrist.

I used the watch for over a month straight and came to some conclusions that I believe apply to the entire category. Smartwatches are inherently limited in capability because of form factor (you can only pack so much hardware in one), the telecom infrastructure that limits the ability to have multiple devices paired to one mobile number, and battery capacity. As such, the majority of vendors who are putting these out have opted for a paradigm of the watch being an extension of the smartphone for notifications and voice activated engagement.

The way these interactions work is actually pretty cool, in the case of the Android at least. The basic operating mode is that you do something on the phone and the phone will react to the watch with the full UX of the smartphone. For example, “ok google…. navigate to 650 Townsend St.” and the phone will pick up with the maps app loaded with the desired address and navigation underway.

This is actually a really useful interaction providing that the voice function on the watch works as it should. As anyone who has used Siri or Google Now on a busy street or with your kids chattering away in the car knows… voice is good when you have a low noise environment.

The limitations of voice commands impact many of the other functions of the watch where the smartphone is playing a background role, such as note taking. We’re in the early days of wearables but we’re not in the early days of voice technology and the latter just needs to get a lot better.

There are apps for the phone and aside from the magic 8 ball app I did not find much to be interested in. The fitness app trend seems to have peaked but it may be that the first generation of these apps has peaked and we’ll have a big leap forward in the next iteration. Sending SMS is cool but you have to double check the voice-to-text so it’s not a convenience… same with email. Timers and other watch functions, as you might expect, are useful but not enough to compel anyone because that’s a basic watch function and in some respects my smartphone is just better at this.

After using the watch for more than a month I lost interest in it and put it on the shelf. The primary reason for this is that I simply prefer the feel of a mechanical watch and I’m of the generation that has more invested in the tradition of timepieces. However, another big reason is that the smartphone just got annoying… I felt spammed with notifications when I just wanted to see what time it was.

We really need to develop a better solution for notifications and I’m not alone in voicing this frustration. If wearables and IoT means I’m going to get 10x the number of notifications that I already get on my phone, count me out.

Now on to the Apple watch, and in the spirit of self-deprecating full disclosure, I’m not your guy for Apple predictions. I will say that the Apple watch looks pretty clunky but that in itself will become a compelling aspect of the design language… and if they sell watches as a precursor to selling iPhones they will still win.

I am pretty interested to see how other devices interact with smartwatches for authentication and user engagement. Given enough development of the platform and supporting apps, smartwatches could end up unlocking an entire new wave of device proliferation and things like in-vehicle services. With a “guest mode” capability smartwatches could also serve as a really compelling interface to public services and facilities.

UPDATE: I neglected to highlight one really annoying aspect of the Moto360, which is that it only charges via NFC. It has a very stylish dock that the watch “sleeps” in to recharge but what are you supposed to do when you travel? I try to minimize the crap I have to carry with me so when I saw that I could only take it with me if I hauled the special charger around (because who carries an NFC base station with them?) I ended up leaving it at home every time I traveled.

SaaS Status Pages and “Trust”

Okta has a status page called Trust, and because I compete with them I pay attention to it. At Ping Identity we also have a status page on our IDaaS service and our team makes this a focal point for the service, ensuring that we have realtime data and that it is broken down into the component services along with response times. It is this level of automation and granularity that I think is the underpinning of “capital T” trust.

In reviewing the Okta page last week I noticed something interesting, well 2 things actually. The first is that the minutes of uptime didn’t correlate to the number of minutes in the year to date, it was off by 6 days. I didn’t think much about it until I went back to the page this morning and noticed that the number had jumped up by a large amount.

With the help of EpochConverter, I calculated the number of days in the year to date, multiplied by 24 and then by 60 to establish the number of minutes. Today is Day 251 in the year and that translates to 361,440 minutes will have elapsed at midnight tonight… which is pretty far off the “minutes up” reported by Okta today, at 393,120.

Reversing the math on the 393,120 number gives me 273 days, and EpochConverter dutifully reports that day to be September 30, 2014. In other words, Okta is reporting the full month of September as being 100% uptime even though we are only on September 8th. So we know they aren’t automating the calculation of uptime, which also means the number is only as good as the incidents that are reported.

Which brings me to the second observation, there are no definitions of what each unit of measure means. Okta reports “100% global service uptime” for 2014 (rolling forward to the end of the month), but in the “infrastructure” and “features” uptime there are incidents that have impacted uptime.

For 2014 there are 770 minutes of infrastructure and features incidents that affected uptime, which calculates to almost 13 hours of service time (12.83 hours to be exact). How can you acknowledge you had 13 hours of incidents this year and then confidently assert that your service was 100% available and therefore meeting SLA promises? That’s just playing lawyer-ball using a synthetic measure of the service being reachable for 100% of the customers as opposed to the reality that at various times during the year the service was not available for at least some of the customers.

Where this gets meaningful is that 770 minutes of incident time against the actual minutes to year of 361,440 means the service was 98% available and that is a material amount off the 99.9% SLA guarantee.
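The consistency checks from this post, as an added example that is not part of the original post and not Okta's or Ping's code: it recomputes the elapsed minutes for 8 September 2014, maps the reported "minutes up" back to the calendar date it implies, and evaluates the incident minutes against the 99.9% SLA. The function names are hypothetical, and it assumes, as the post's own calculation does, that every reported incident minute counts as downtime.

```python
from datetime import date, timedelta

MINUTES_PER_DAY = 24 * 60


def elapsed_minutes(today: date) -> int:
    """Minutes from 00:00 on 1 January through midnight at the end of `today`."""
    return today.timetuple().tm_yday * MINUTES_PER_DAY


def implied_end_date(reported_minutes: int, year: int) -> date:
    """Last calendar day a year-to-date minute counter would have to cover."""
    if reported_minutes <= 0:
        raise ValueError("reported minutes must be positive")
    full_days, partial = divmod(reported_minutes, MINUTES_PER_DAY)
    day_of_year = full_days + (1 if partial else 0)  # a partial day still touches that day
    return date(year, 1, 1) + timedelta(days=day_of_year - 1)


def audit_status_page(today: date, reported_up_minutes: int,
                      incident_minutes: int, sla_percent: float) -> dict:
    """Cross-check a status page's uptime counter against the calendar and the SLA."""
    if incident_minutes < 0:
        raise ValueError("incident minutes cannot be negative")
    elapsed = elapsed_minutes(today)
    end = implied_end_date(reported_up_minutes, today.year)
    # Assumption: incident minutes are treated as full downtime for all customers.
    availability = 100.0 * (elapsed - incident_minutes) / elapsed
    return {
        "elapsed_minutes": elapsed,
        "implied_end_date": end,
        # A counter that runs past today was not measured; it was projected.
        "days_projected_ahead": max(0, (end - today).days),
        "reported_exceeds_elapsed": reported_up_minutes > elapsed,
        "availability_percent": round(availability, 3),
        "meets_sla": availability >= sla_percent,
    }


if __name__ == "__main__":
    # Figures quoted in the post: day 251 of 2014, 393,120 "minutes up",
    # 770 incident minutes, 99.9% SLA.
    result = audit_status_page(date(2014, 9, 8), 393_120, 770, 99.9)
    for key, value in result.items():
        print(f"{key}: {value}")
```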

Trust is a truth between a company and a customer and when that truth is impaired, so goes the trust. Realtime data is a wonderful thing and in the world of on demand systems there is no reason for not offering a realtime perspective on system status.

UPDATE: I called them dishonest but have since deleted that because it was unfair. I really don’t know what their motivation is, and it could well be that they simply put up a page that doesn’t have the necessary systems connected in the backend.

About Me: I work at Ping Identity, a competitor to Okta. Obviously that means I’m not an objective observer here but math is a stubborn thing nonetheless. Hopefully you will read this objectively and make up your own mind… but needless to say, this is my personal blog and these are my personal opinions. 

Broken Cloud

Trust is a cornerstone of the Apple brand… the company that pioneered the notion of “the stuff just works”. The damage the brand has suffered this week is yet to be calculated and the “hey it’s not our fault, users should manage passwords better” statement didn’t help. All this a week to the day before 3 major new product announcements that hinge on using more of iCloud. Payments depends on iCloud, it’s hard to see how they don’t rewrite their presentations for next week to address the news this week.

What also isn’t helping is that when people dig into the details they find out that Apple implicitly acknowledged a fatal flaw in Find My iPhone, implicitly acknowledged not by talking about it but by patching it hastily. Secondly, 2 step verification doesn’t work with all elements of iCloud, like backup. Despite a lot of assertions that security is unrivaled in Apple products, the truth is turning out to be less definitive and the fact that they left a login API exposed to a brute force attack is pretty damn negligent.

Compounding matters is that Alexey Troshichev notified Apple before the breach that Find My iPhone was vulnerable (there was a killer presentation on this that was on Slideshare from Blackhat, but it has since been pulled).

Sales Tactics: A View from the Receiving End

On average I get 10-15 vendors calling me each day to sell me stuff (marketing is a services, content, and systems heavy business these days). I pay a lot of attention to the details of how people sell and try to incorporate effective tactics into our own SDR function.

Here’s my rundown on the most common tactics I find myself on the receiving end of:

1) Blunt Force Trauma: “Jeff, I was wondering if you had an opportunity to read my last email”. Surprisingly effective, I get 2-3 of these from someone and I feel guilty enough to actually respond. Probability of closing something is still low but it is a lot higher than giving up, right?

2) Puke it Out: The intro email is nothing more than a recitation of all the stuff they offer, nothing about why I should care about it. I never respond to these because they are not much more than professional spam.

3) Me Too: This conversation features a bunch of “$10 dollar words” that are just like what I hear from every other vendor. It is evident they are reading from a script, if they are leaving a voicemail, and there is nothing personalized about the interaction, and worse, they have not even taken the time to go to the website to learn our basics. Promised benefits are hollow in the absence of proof points that validate the claims and connection to my needs.

4) Social Selling: This is something I always respond to positively – always. If I get a LinkedIn connection request that reflects an intention to connect at a human level, not just because they want something from me then it’s clear that they care enough about winning our business to make the personal connection. Jill Rowley was a pioneer in this approach to selling and was instrumental in growing Eloqua through the acquisition by Oracle… before leaving in the face of traditional and outdated enterprise software selling tactics that are part of their DNA.

It would be easy to say “yeah just embrace social selling” but that oversimplifies the issue. The tactics are only part of the equation, the ability to connect with me at the problem and solution intersection, as well as form that basic human connection is much more than just a sales tactic.

Wingz – Airport Rides and One Bad UI Issue

I’ve been using Wingz to get to/from the airport. The idea is simple, black car service like Uber but exclusively for airport transportation, and a big advantage is that you can schedule the rides in advance. With a web-based and mobile app, it’s always available and convenient.

Wingz is aggressively priced, about 40% less expensive than a typical black car service, and so far my experience with the drivers has been exceptional. With the price of long term parking at SFO now $18 a day, paying $82 for airport transportation for my typical 3-4 day trip is a wash and because it’s door to door I save time. The convenience on the latter point is not insignificant, I take a 5:55am flight to Denver and come back on a late flight, the last thing I want is building in extra time for the parking structure shuttle.

However, not all is well with Wingz, one specific UI issue is horribly ill-conceived and it bit me the last time I booked a ride. The scheduling app departs from the typical pick-a-date/time and the am/pm radio button. I noticed this the first time I used the web-based app and thought to double check to make sure I scheduled the right time. However, despite double-checking each time I booked, I managed to schedule a 4:30pm ride when I needed a 4:30am pickup… which left me scrambling when I realized what I did when I was standing in my driveway at 4:35am a few weeks ago.

In my conversations with the driver who normally takes me, I asked her about this and she said I was not alone. I sent an email to the company with feedback but did not hear anything back. I still like the service.

UPDATE: Well I just love it when companies pay attention to feedback and actually do something about it. Wingz changed the UI and they deserve credit for doing it. Thank you!


Turn the Tables

This week the crazy internets have been abuzz with the story of AOL executive Ryan Block, who attempted to do something rather mundane, cancel his cable, and was subjected to an excruciatingly long ordeal with the customer service representative at Comcast. This is well covered, I don’t need to relive it… and more to the point, we’ve all been there.

What makes this story, and others like it, catch fire is that there is a recording to go with the narrative. The call experience comes alive with the voice recording.

This is a relatively recent phenomenon and one that is a result of powerful digital technology shifts that have driven the communication revolution that has swept the globe. This is the part of the story that makes me absolutely giddy because it’s technology as a great democratizer of power against monopolistic corporations that don’t care about us until it blows up in their face.

It’s no surprise that the more power companies have in the market the worse their customer support becomes and they know it. While giving lip service to customer satisfaction, the fact remains that these companies know that customer service is ultimately a cost center, not a profit center. The people hired into these roles may be well meaning, but they know they are a cog in a machine and, ultimately, replaceable. The incentives and measurement systems prioritize retention above all else, not problem resolution, and they practically beg you to provide a good score in the post call interview.

As a result of the perennially poor customer service environment I have opted to turn the tables. I never make a customer service call that isn’t recorded, using an app called MP3 Call Recorder. It is also possible to record the call through Google Voice but this only works for inbound calls so use it to have the company call you back to your gVoice number.

In California, where I live, there is an explicit legal requirement that 2 party consent is granted before recording voice calls, but I figure that call centers routinely notify me that my calls are being recorded for “quality and training” so I figure that consent has been granted. Besides, this is a criminal statute and I think that odds of a prosecutor bringing a case against me for recording my customer service experience at, for example, Visa to be 0%… 0.00% probable. Bring it, I’d love to be that person.

Social technologies continue reshaping how brands interact with customers, and it’s good for customers when everything is out in the open and public. What Block did, and I wish I had his demeanor and patience in such a situation, is something that brands should pay attention to because their well cultivated brand images suffer real setbacks when their bad behavior, driven by perverse employee incentives, becomes public. Comcast has spent years telling the market that they are different now and care about customers. The countless dollars on advertising, speeches, and public proclamations evaporated as a result of a 20 minute customer service call. Imagine that multiplied by thousands.

Bonus: This calls for a Monty Python clip