Mark Curphey – SecurityBuddha.com

What a week. Our first full week in the driving seat. We took yesterday off, went to Albi (hung out in a “salon du the” and gouged on fresh nougatine and hand-made chocolate) and still managed to knock up 80 + hours by Friday night.

Influencers and Interesting Early Stage Business Models

We have pitched our ideas to a number of companies this week ranging in size from a few thousand employees to 350,000 employees. A few came from the blog posts, others were contacts and people I have worked with before. I think its fair to say everyone has been incredibly positive and encouraging. Not a single negative comment or pushback so far. Words like ”that’s cool”….”just what’s needed”….”that’s refreshing”…..”build it and well buy it”…”ambitious but I definitely want to know more”. More importantly for us we are learning a huge amount about the types of problems people are struggling to solve with today’s solutions and the fabric that makes up our target clients. This is of course from simple conversations and before we have signed NDA’s and formerly entered into our SourceClear Influencers program dialog. Every single pitch so far has resulted in mutual NDA’s which is a good sign. We also learnt a good deal about another company and how they are not meeting the needs of their customers from a business and technology perspective. The resounding advice seems to be to focus on building a flexible and scaleable platform and let the applications follow. 

An interesting thing also happened to us this week. Three of the potential customers that we pitched to have started to build their own systems in house. This is great market validation but it turned out to be much more. Information security departments don’t want to be in the business of building software and two hinted there is an opportunity to redirect some of their current development resources to us in return for the ability to significantly influence the design and convert their current platforms early. One specifically wants to make sure our release one will work with some specific business infrastructure they have. One possible deal will require significant thought if it will to bear fruit but the other moved swiftly to a detailed term sheet. This is potentially one of those true great win-win scenarios where someone with a need will get influence the design, make sure it fits like a glove into their business and in return for a small initial capital outlay will get a free perpetual license (minus the support) and a bloody good deal. We get some bootstrap cash, a reference customer and ensure we are meeting real world requirements. Of course there are risks to consider on both sides. The potential customer is putting faith in us and to an extent taking a gamble. We can mitigate some of that risk with the term sheet by outlining scenarios in the event of non-performance or failure etc. We of course have to make sure we don’t become contract developers, build something specific for one customer that is not suitable for others and that the intellectual property we are creating is not tainted or diluted. We have set ourselves some ground rules for working through these deals but all in all if we can get cashflow and the customer gets what he wants for little cost then there is a great “win-win”. Effectively we are cannibalizing a big potential sale down the road for a very small one now. Its an interesting trade off. Of course we now need to find more talented architects / developers but that’s a nicer problem to have than no interest or no sales.

Mind your P’s and Q’s

I think it’s safe to say that I had the worst hour of my startup life so far on Thursday night. I am sat there installing the Microsoft Small Business Server and after a few hours of shuffling 5 CD’s I get Exchange working, DHCP is peachy and DNS is resolving. Its 1am. I figure its time to go change the MX records for SourceClear.com to point to the new network and see if we can get mail operational. I login to my Register account and to my horror SourceClear.com is not there. I ponder for a while and grep through old emails looking for the confirmation from when I moved it from a cheap domain park service called Gandi to my main registrar. Sure enough the mail is there which says words to the effect of “if you don’t act on this email the domain will be transferred”. I start to panic.  Did I really transfer the domain to my account or was this someone snarfing my domain and my religious spam rules means I missed a very important mail? Alex was sat at his  desk dreaming in code but saw I was panicking. We look at it and pulled up the whois records.  Holy bull-shitake batman, some bastardo has snarfed my domain and the records show dummy, dummy, dummy as the new owner. We googled and others had been conned by the same trick. How could this happen? How could Gandi let someone transfer a domain without positive acknowledgement. Oh cricky, I really screwed up by being strict on spam. I fire up the Skype phone and call Register.com support. I explain the scenario to the guy  on the phone: I started a transfer it to myself, it hasn’t come over and now looks like it is registered to a dummy and that dummy should be me. I am the dummy! He put me on hold for what seemed like an eternity. It was long enough to start irrationally thinking about new company names, the blog posts with SourceClear, the graphics, the pitches the…..Alex kept his head down and I chugged on my glass of Fronton. After what seemed like 15 mins but I am sure was only 2, the support guy came back and explained that he spoke to the admin folks and it seems when the transfer happened their systems couldn’t match it to my account and so pre-populated it with effective nulls and orphaned it. I wanted to virtual kiss the guy, tongues and all despite the stupidity of using dummy for null. He of course calmly “up-sold me” extending some of my domain names with a few months left. While the domain still isn’t in my account and I can’t update my DNS I checked back and am told it’s on its way. The moral of this story is that you pay for what you get and free often means free because the level of service they can offer for free is touchless. This leads me seamlessly onto the next topic.

Software as a Service Business Models

Don Dodge makes some great points about the bargains users make when using free software on the Internet. The markets for consumer and business software are very different. Consumers trade free software in return for being advertised at; businesses want reliable advert free software. As an example he quotes Microsoft as having 260 million Hotmail consumer users and over 500 million Outlook business users. At SourceClear we see a wide set of security people that may reside outside of our classic corporate business arena. These are our consumers if you will and we will be releasing some free software for them. Our model is very much that we hope they will love what we are providing and some of them will give our enterprise software a shot when their needs arise and we have it built. We will not use fee based advertising to support it. Its a model where if you get hooked on our software you can pay for upgrades.  

Security Group Management Applications

We plan to release an “alpha” of a mini-application next Friday to help security groups manage face to face meetings and local chapters. We will initially deploy on the ISM-Community next Friday but security groups of all kinds will be free to use it for free from product user groups to community projects and even corporate groups and training providers. I guess we should have a spiffy name. Ideas welcome! Full details can be found here. We will see what the adoption / interest is. There are lots of cool things we can do with this to make it a really useful service for the security industry.

Learning from Other Big Success

Long late nights and wine lead you to good conversation. A few glasses between mid-night and 2am keeps you going. This week we have made some significant architecture decisions that have big impacts on our technology and our business. I posted before that we truly are doing the right thing with the ISM Community and want to create a open and free repository of content and knowledge that we and anyone can consume without restrictions. We think content and our platform and applications should be separate. This allows me to sit infront of a potential customer and say we work on your infrastructure, your security program and your security technology. No lock-ins (subtle or subliminal), no re-engineering your information security program to work with our technology and no more stove pipes. Conversations about this lead us to think about other technologies that have taken this approach and were successful. Take the example of iTunes and the iPod. Sure you can buy DRM content from the iTunes store but most importantly you can import all your MP3′s and CD’s with a single click. Would iTunes and the iPod ever have caught on if it only operated on iTunes content? Hell no. Is this why Rhapsody and similar systems aren’t getting the uptake they want even though they offer all you can eat licenses for a very reasonable cost? I think so.

We also learnt about a wide variety of workflow/BPM systems in play at organizations from some influencers this week and so BPEL / PML interoperability to the likes of HR and trouble ticketing systems is critical. Same is true for things like document management systems and enterprise dashboards. Again it would be easy to try and build a security department / stove pipe in a box but it doesn’t scale for the type of businesses we are taking to and one of the big reasons current solutions seem to be failing.

Thinking Big

We are thinking big. What we are building is ambitious and creative and we know it, we are under no illusions. We are interested in solving hard problems (and are solving those hard parts of the hard problems first).  

Some people may question why we are using Visual Studio Team System for a very small development team. Its a big overhead for a few people and initially will no doubt slow us down. Its similar to the Ruby on Rails versus .NET decision we made last week. We are building to scale and it’s much better to build on something that will scale from day one than to have to throw away something that wont scale for us in a few months time. This same mantra is true of how we are designing the platform code itself.

Note we are not acting big; that’s the story for next weeks Diary of a Startup when I will talk about our corporate web site design and our messaging.

Release and Infrastructure Naming

To end on a light note we have decided to follow a James Bond theme for internal naming. The VSTS is called QBranch (where the cool 007 toys are built), the main dev server is called OddJob and so on. I guess that makes Alex Q and me…I am still 007 Our prototype is being referred to as Dr No (the first bond film of the series). If nothing else it will make for great release parties!

The week ahead is busy with paperwork, corporate web site, the first release of the alpha for the Security Group Management Application at the ISM-Community and more work with the influencers. We may also need to raise some angel funding earlier than we thought due to demand which is a good thing. I have been working behind the scenes on the options although not approached anyone to date. This will make for good reading when we go that route.

Now lets see if Lewis Hamilton can get in the podium again!