Mydoom and securing the perimeter

As I said before, if you want to stop blended threats like Mydoom, the best way is to secure the perimeter and stop an attack before it has a chance to infiltrate your network. That is best done at the edge, IN FRONT OF THE ROUTER, but for a number of reasons no one has attempted it. Of course, if you tried to do it on the router it would degrade performance 60-70%, which is not a good solution. Another big issue is having the scalability to inspect every packet entering and leaving a network with minimal latency. Finally, effectively detecting and preventing anomalous traffic from entering a network requires sophisticated algorithms. You need minimal false positives and as close to no false negatives as you can get, and it is the false positive that carries the business risk: the last thing a Chief Security Officer wants to be blamed for is screwing up a large multi-million dollar transaction for a business unit by blocking it from entering or leaving the network. Therefore, many CSOs are willing to run the technology in detect-only mode instead of relying solely on it to decide what is good and what is bad traffic. Of course, given the proliferation of complex viruses and blended threats, we are seeing more and more security teams moving from detection to prevention.

Before we dive further into securing the perimeter, let’s first understand how Mydoom works. Mydoom is a mass-mailing worm that spreads via email and by copying itself into shared directories used by Kazaa. The worm harvests addresses from files on infected machines and also generates or guesses likely email addresses to send itself to. It also leaves a backdoor open on the infected machine so that an attacker can take control of it to steal user information or use it for spam campaigns or DDoS attacks. The kicker is that these newer worms send email using their own built-in SMTP engine, connecting directly to the recipients’ mail servers rather than going through the user’s mail client and the company’s own mail server, so any antivirus scanning that happens on that mail server never sees the messages. This sounds pretty nasty, doesn’t it? The volume of inbound and outbound email traffic alone can bring your network down, leading to lost revenue and lost productivity. The fact that it leaves a backdoor open for nefarious uses could be even more damaging. For example, someone could use millions of infected computers to launch a DDoS (Distributed Denial of Service) attack on you, bringing down your transactional web site; Mydoom itself carried a timed DDoS payload of exactly this kind, aimed at SCO’s web site.

In my opinion, an effective security solution would sit at the edge, prevent anomalous traffic and malformed packets from entering or leaving the network, and provide capable antivirus technology. In other words, you would buy an integrated security solution that includes a firewall, intrusion prevention, DDoS protection, and gateway antivirus and that can sit IN FRONT OF THE ROUTER. Then the only data traversing your network is good, clean data, and all of the bad stuff, ingress and egress, is dropped at the edge. I have spent a fair amount of time during the last few years looking at this problem. During the last 3 months, I have been working closely with one company that can offer customers all of the above. Please check back in the near future to learn more about it. Of course, if you have come across any companies that fit the bill, I would love to hear from you.
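A practical way to act on the point about the built-in SMTP engine, and on the egress half of the edge filtering described above, is to watch for internal hosts talking SMTP directly to outside mail servers instead of going through the sanctioned relay. What follows is an added example, not code from the original post or from any vendor: a small Python detector run over constructed firewall connection-log lines. The relay address 10.0.0.25, the 10.0.0.0/8 internal range, the log format, the 60-second window and the threshold of five distinct destinations are all assumptions made for the illustration.

```python
"""Egress detector for worm-style direct-to-mail-server sending.

Assumed (hypothetical) environment: internal hosts live in 10.0.0.0/8 and the
only host allowed to speak SMTP to the outside world is the relay 10.0.0.25.
Log lines are a constructed firewall connection log:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>
"""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption
MAIL_RELAY = ipaddress.ip_address("10.0.0.25")      # assumption
SMTP_PORT = 25
WINDOW = timedelta(seconds=60)                      # assumption
MASS_MAIL_THRESHOLD = 5   # distinct external mail hosts within WINDOW (assumption)

# Constructed sample log, not captured from a real network.
SAMPLE_LOG = """\
2004-01-27T09:00:01 10.0.0.25 192.0.2.10 25 tcp
2004-01-27T09:00:02 10.0.0.25 198.51.100.7 25 tcp
2004-01-27T09:00:03 10.0.1.15 10.0.0.25 25 tcp
2004-01-27T09:00:04 10.0.1.15 203.0.113.44 80 tcp
2004-01-27T09:00:05 198.51.100.9 10.0.0.25 25 tcp
2004-01-27T09:00:06 10.0.3.9 192.0.2.50 25 tcp
2004-01-27T09:00:10 10.0.2.77 192.0.2.11 25 tcp
2004-01-27T09:00:11 10.0.2.77 192.0.2.12 25 tcp
2004-01-27T09:00:12 10.0.2.77 198.51.100.20 25 tcp
2004-01-27T09:00:13 10.0.2.77 198.51.100.21 25 tcp
2004-01-27T09:00:14 10.0.2.77 203.0.113.5 25 tcp
2004-01-27T09:00:15 10.0.2.77 203.0.113.6 25 tcp
2004-01-27T09:00:16 10.0.2.77 203.0.113.6 25 tcp
2004-01-27T09:10:00 10.0.4.4 192.0.2.60 25 tcp
2004-01-27T09:12:00 10.0.4.4 192.0.2.61 25 tcp
2004-01-27T09:14:00 10.0.4.4 192.0.2.62 25 tcp
2004-01-27T09:16:00 10.0.4.4 192.0.2.63 25 tcp
2004-01-27T09:18:00 10.0.4.4 192.0.2.64 25 tcp
"""


def parse_log(text):
    """Turn log lines into records; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto,
        })
    return records


def direct_smtp_events(records, relay=MAIL_RELAY, internal=INTERNAL_NET):
    """Map each offending internal source to its (timestamp, external dst) events.

    An event is offending when an internal host other than the relay opens
    25/tcp to a host outside the internal range, i.e. it is acting as its own
    mail server instead of handing mail to the relay.
    """
    events = {}
    for r in records:
        if r["proto"] != "tcp" or r["port"] != SMTP_PORT:
            continue
        if r["src"] not in internal or r["dst"] in internal:
            continue
        if r["src"] == relay:
            continue
        events.setdefault(str(r["src"]), []).append((r["ts"], str(r["dst"])))
    return events


def max_distinct_in_window(events, window=WINDOW):
    """Largest number of distinct destinations seen in any sliding time window."""
    events = sorted(events)
    counts = Counter()
    best = 0
    left = 0
    for ts, dst in events:
        counts[dst] += 1
        while ts - events[left][0] > window:      # evict events older than the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def classify(records):
    """Verdict per source: 'mass-mailer' if it fans out fast, else 'direct-smtp'."""
    verdicts = {}
    for src, ev in direct_smtp_events(records).items():
        peak = max_distinct_in_window(ev)
        verdicts[src] = "mass-mailer" if peak >= MASS_MAIL_THRESHOLD else "direct-smtp"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:<12} {verdict}")
```

The window is what separates a worm from a stray misconfiguration: 10.0.4.4 contacts five outside mail servers but spread over eight minutes, so its peak within any 60 seconds is one and it is only reported as bypassing the relay, while 10.0.2.77 fans out to six mail servers in a few seconds, which is the harvested-address behavior described above. The same policy can be enforced at the edge by permitting 25/tcp outbound only from the relay and dropping everything else; the detector then serves to name the infected hosts rather than to stop the mail.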

Reading the tea leaves: correlation between employment growth and IT capital spending

As you know, I like to stay abreast of the economy and IT spending, searching for leading indicators of how the markets and my companies may perform in the future. It is clear that, given the current market, people are quite excited about the prospects of IT spending growth in 2004. Against that backdrop, I found an interesting graph in this week’s Goldman Sachs Software Scoop report showing the linkage between employment growth and IT capital spending. According to Goldman, the graph shows that “companies are likely to view tech capital spending the same way they do employment–add when you are confident of the sustainability of the recovery and only when you have to.” As you can see, there is a pretty close correlation between the two sets of data. What it tells me is to keep a close eye on employment data and potentially use it as another leading indicator for IT capital spending. When companies are feeling good about themselves and the economy, they spend more. It will be interesting to see how this graph looks in the future as more companies look to outsource non-core capabilities and continue to cut costs and improve earnings. For example, will IT capital spending begin to spike above employment growth in the next 5 years, and by how much?

Sales Forecasting: a blend of art and science

I was quite frustrated recently when one of my portfolio companies presented the board with a 2004 revenue forecast which was not based on reality. While I am not a sales expert or spreadsheet jockey, there are 2 important factors to consider when building a sales forecast: ground it in reality and use a handful of simple assumptions so you can manage your key resources, people and cash, appropriately. Yes, there is always a mysterious aura about forecasting sales, and it is a lot of art, but to the extent you can bring some science and process into it, the better off you are. Many companies subscribe to certain methodologies to better quantify a sales pipeline, such as Solution Selling or Targeted Account Selling. What I do not like are percentage closing numbers randomly assigned to prospects, where a number like 80% probability of closing has no defined criteria and differs deal by deal based on feel. Here are a few simple assumptions I like to see drive the sales forecast:

1. Number of sales people
2. Quota per sales person (usually over-assign 10-15%)
3. Average Selling Price (ASP): in today’s market, you may see a small pilot deal followed 3 months later by a much larger sale (model this appropriately). Dividing item 2 by item 3 (quota over ASP) gives the approximate number of deals you expect each sales person to close annually
4. Sales cycle: how long it takes to close a deal
5. Time for a sales person to be productive (usually around 4-6 months depending on maturity of product and market)
6. Lead generation-how many new leads per month and what % becomes qualified leads

Too many assumptions and drivers in a model make it too complicated and too hard to use as a management tool. It should be easy for you to add a sales person, change the ASP, etc. and see how it impacts your sales. To ground it in reality, I like to take a step back from the bottom-up approach listed above and take a top-down view. For example, does this company have the resources to go from $1mm to $4mm of revenue or from $5mm to $10mm? Is the market ready for this? Where will it get the leads? Is a $2mm quota for a missionary sale and market realistic based on past history, looking at other markets, and using public company comparables?

One experienced VP of Sales told me that he likes to have a 3-4:1 coverage in his pipeline of 80% and above deals going into a quarter. Of course, the definition of 80% depends on what sales methodology you use, but the point is you should have quantifiable criteria where 80% could be defined as deals where you have had multiple meetings, identified a real pain and a decision maker and a budget, defined a decision making process, and feel a strong probability of closing by the end of the quarter. That way, if a potential customer delays a purchase for whatever reason, you have 2-3 others that could potentially replace it. In addition, you have some good visibility for the next quarter. While many early stage companies rarely achieve pipeline coverage like that, the important point is to run the numbers and ground them in reality. Also, be realistic and harsh about your pipeline. Throw out the garbage, the deals that have just hung around for a long time and have no momentum.

More often than not, management teams tend to put an overoptimistic pipeline in front of the board thinking a larger pipeline is better. I would rather have a higher quality, filtered pipeline that is well scrubbed than a larger pipeline with no meaningful criteria to move deals along in the sales process. With the former, we all have a real tool that can help us better manage our resources.

Great web-based news aggregator

Like many of you, I suffer from information overload. I have a hard enough time keeping up with email, let alone the increasing volume of news and blogs. During the last 6 months, I have been experimenting with a number of RSS readers to aggregate my news. Some of the products include client software like Amphetadesk, FeedDemon, and Newsgator. FeedDemon was a nice product and was quite easy to use. Newsgator integrates with Outlook, which on the surface sounds great but ends up creating more email for you to review on a daily basis. The problem with the software downloads is that if you have multiple machines or travel frequently, you may not be able to access your daily reading. Lately I have used Bloglines and love it. It is web-based so I can access my information from any browser, it is free, has a great UI, makes recommendations based on my current feeds, alerts me when feeds are updated, and even allows me to add email subscriptions. With the email subscription feature, Bloglines gives you a one-time email address to subscribe to sites that do not offer RSS feeds, while at the same time reducing your daily volume of email. It is great to see how many sites are offering RSS, and that we are all getting closer to the vision of having our own personalized newspaper. Even Yahoo has recognized this, as it has been working to integrate external RSS feeds with MyYahoo.

CES: Show me the money!

There has been lots of buzz at CES this past week. Trust me, I am a huge fan of all of the new consumer gadgets that are coming out in the market this year. I still, however, ask the question, “where is the money for the tech industry?” From a profit perspective, should we be getting excited about selling commodity products in markets characterized by heavy competition? According to Barron’s, Rick Sherlund from Goldman Sachs issued a report last week saying that “he doesn’t expect Microsoft to see any profit from consumer electronics over the next several years.” So if Microsoft, known for its high gross margins from software, cannot even generate a profit, how are other technology companies selling plasma TVs and other consumer electronics going to make money? Yes, I know I may be oversimplifying, but the point I want to make is that revenue does not equal profit, especially when many of the new growth areas that technology companies are pursuing have single digit margins as a starting point. In the same Barron’s article, Pip Coburn goes on to say, “There’s tremendous hype. The IT companies, with no growth in their current market, are pretending there’s a digital consumer revolution. But it’s very early, and a small part of the whole pie.” In my opinion, there is a digital consumer revolution: just look at the falling prices of plasma TVs and wireless networking gear to figure out who the beneficiaries are.

One further thought to add is that Intel Capital announced it was setting aside $200mm for funding new digital home companies. I certainly applaud Intel for its efforts and am a big believer in the digital home. From a strategic investor perspective this makes a ton of sense: more Intel chips in the home. So no matter what Intel Capital invests in, it is hard to go wrong if at the end of the day more Intel chips are sold. The digital home already has been and will continue to be an area where VCs invest. That being said, we must go in with our eyes wide open, as it is extremely difficult to make money selling consumer-oriented products. Sure, there will be lots of great innovation from new startup companies in home networking, but it will be difficult for these companies to truly scale, as they will be entering markets traditionally dominated by large, global companies with established brands, channels, and cost advantages. TiVo is a great example: it is a great product with cult-like customer appreciation, yet it is still not profitable after raising about $200mm from its first round of capital in late 1997 to its IPO in late 1999.

Impact of Outsourcing/Offshoring on IT

Ephraim Shwartz of Infoworld has a great piece on offshoring and its implications for IT shops in the US. I couldn’t agree with him more that while there are cost benefits, there are also other factors to consider when moving development offsite. In the end, it will require IT shops and professionals to redefine their roles. While the number of coders may go down in an IT department, there will be ample opportunity for developers to move up the value chain into design, architecture, and product management. This is definitely what many of my companies that outsource development have experienced (see an earlier post). As an investor, I want to make sure that whatever my companies do, we own the core IP. In my mind, this means we have the design, architecture, and specs laid out onshore, the core engine or secret sauce developed in-house, and any non-core items offshored to the extent possible. Rather than worry about losing jobs offshore, let’s assume it will happen and focus on how we can get better and further move up the value chain on product development. From my perspective it is a pretty nice place to be: to architect, design and own your core IP and at the same time get product out the door much faster or much cheaper.

Companies are bought and not sold (continued)

Fred Wilson has some good commentary on an earlier post. We seem to agree that at the end of the day, if you build a real business with sustainable cash flow, the exit will take care of itself. I seem to have oversimplified the “IPO potential” comment for the sake of keeping my post short. To further explain, my only point regarding “IPO potential” is that using pre-bubble metrics a company cannot go public (for the most part) unless it has already been profitable for at least 2 quarters, has a diversified customer base, and is a leader in its market. In other words, it must be a real business with sustainable cash flow. When I look at making new investments, being able to look like the above within a reasonable time frame is a prerequisite for me. Those are the types of businesses that can be bought and not sold.

VOIP/Messaging in 2004

So I was at a New Year’s party recently and overheard a great grandmother and grandmother waxing poetic about the wonders of Net2phone and VOIP. Both of them happened to also have children/grandchildren living abroad, and the cost savings from using VOIP are tremendous. While the penetration of VOIP is still quite modest compared to the traditional phone system, it really got me thinking that 2004 could be the breakout year for the technology. As the New Year brings about predictions, I have included some from Voxilla regarding VOIP.

I am also currently researching the use of VOIP for my office. My team is in the process of moving from Greenwich, CT back to NYC, and I have unfortunately been designated CTO for the transition. My first goal was to outsource as much as possible, particularly our phone service and email requirements. For a small office, it really makes no sense to build and maintain Microsoft Exchange onsite or to buy a huge PBX. Regarding VOIP, I found a number of interesting companies that only serve businesses and host the VOIP infrastructure in their own data center, where all of the phone equipment, gateways, and interconnects would be located. VOIP equipment is more expensive than a PBX, so this way we could reduce the upfront capital cost of equipment by sharing it with a number of other customers. All we would have to do is get a direct T1 connection to their data center and buy some VOIP-enabled phones. On the messaging side, I came across a handful (not a lot) of companies that offer hosted Microsoft Exchange for monthly service fees.

In general, most of the VOIP business service providers and the hosted Microsoft Exchange companies seemed to be pretty small players. What I did look for and did not find was a company that offered small and medium-sized businesses an outsourced messaging platform for both VOIP and email (sounds like a big opportunity to me, having just researched the build/buy decision for my office). It would be great to get all of my messaging handled through one vendor where all I really had to do was plug and play to get my office up and running. AT&T recently announced that they will offer VOIP, and rumors are that they will soon introduce a hosted Microsoft Exchange play. Trust me, I am not going to be running to AT&T any time soon for my business needs. If any of you know of reliable companies that offer both of the above services, please do let me know. Until then, my office will be one of many that take the plunge into the world of VOIP in 2004.