SourceClear Diary of a Startup - Week 6

This week focuses on the frustration of small agile development projects and thinking about the competitive landscape.

Last week I posted a very simple Diary of a Startup blog that summed up exactly the week we had.

You can have software that is Fast, Cheap and Good but you can’t have all three at once.

To say the last two weeks have been frustrating is a gross underestimation. We had originally planned for Security LinkUp to be released on Friday 4th May. We did have a build complete; however, when we sat down and reviewed things we just didn’t have the warm and fuzzy feeling we expected. Many business gurus and modern software development folks promote the concept of releasing early and often. Some even say “Don’t worry, be crappy”. While I buy the virtues of getting early feedback and early adopters, there feels like something unique about our situation and security related software in particular. We made a decision to push back the release by two weeks to this Friday and spend two more weeks of precious development time on LinkUp. For us it was about usability and security or “eating our own dog food”.

Security and Usability

Usability - If it’s your first baby you don’t want anyone to call it ugly. If you are a usability freak you definitely don’t want anyone to call it ugly. We were sharply reminded that when you are developing projects in an agile manner, you must expect scenarios will unfold that you need to also deal with in an agile manner. That means the dice may be kind or the dice may be mean.

We are using the Windows Virtual Earth SDK to allow people to set up face-to-face meeting locations. Virtual Earth is much like Google Earth. While working through a use case scenario the dice were mean to us. The simple use case went like this: If Joe Blow says I want to get my security peers together for a chin-wag at the Zoo Bar, he sets up a meeting at a location and publishes it. A cool feature of Virtual Earth is the ability to search for a location based on a business name like “Zoo Bar”. We had designed the system to allow users to store locations for recurring meetings as many people will go back to the same location for each month. What we didn’t expect was for Virtual Earth to not give you a push-pin to store the location if you searched by business name. Under the hood Virtual Earth uses geo data (longitude and latitude) to store locations. If you search for a street name by zip code or postal code it gives you something to store. If you search by business it gives you the map but not something to store. There was a workaround but when you factor in the additional step to then drag a pin onto the map the usability went from slick to somewhat painful. We discovered this when trying to locate a business in Bangalore by the way.

Security - Alex has been doing security code review, pen testing and generally building web apps for years. I have been involved for a while as well and we like to think we know a thing or two about building and testing secure web apps. We also know anything that anyone puts out there will be “pounded on” from day one and that no one is perfect and it’s all about risk management. CSRF in Web 2.0 apps is well…… As we went through the build we knew some potential issues existed. This is software and bugs will always exist. We have built an extensive data validation framework that encodes all output, validates input (this allows us to facilitate a better user experience) and we have data access layers and other architectural features that really help. The bugs we were left with could essentially be described as perception issues. The perception of something being a security problem could be as bad as if you had a real issue in the first place. There is something that made me uneasy about having to explain a perception issue and we decided to take the extra time and make sure that both perception and reality matched. Will it now be perfect? No, it’s software.

I posted screen shots of Security LinkUp™ here and we will be deploying this week. Lucky for us I spent the first 3 months of this year writing specs and so apart from any more “on the fly” free apps we decide to do we shouldn’t have to face quite the same dilemmas again. But I think it’s worth reiterating a truism. You can have software that’s cheap, fast and good but you can’t have all three together.

Note: We may release our validation framework as an open source library if there is demand.

Competition

I have been spending a lot of background time thinking about competition and positioning over the last few months. Maybe too much time. Here are some things I have learned and why I continue to think we are in a great position.

Niche Thyself -

Guy Kawasaki says “niche thyself” in the Art of the Start.

Jerry Garcia says “You do not merely want to be considered just the best of the best. You want to be considered the only ones who do what you do.”

For the last few years as the SourceClear Oxygen Security Platform™ and SecurityLife™ applications have been crystallizing in my head I have suspected that we would see a plethora of players entering the market we intend to serve. If they didn’t there wouldn’t be a market. I want competition. Today we are seeing that plethora of players start to appear. Luckily they are taking a fundamentally different approach. It seems many are playing what’s called the monkey strategy: copying existing products or an existing approach and trying to be a little better. It’s called the monkey strategy because the monkey sits on the shoulder and jumps off at the right time; usually acquisition. I learnt early on by talking to potential customers who are running and spending a lot of real money on existing products what they really wanted and what would make them switch. There was no magic, I just listened. We are now building something that is based off of those requirements. We have niched ourselves and continue to strive to be different.

This same thing happened in the web application firewall market. I suspect before long there will be 20 plus players all fighting over the same product dollars. This will not be nice to watch and we don’t intend to be in the fray. 

Look forward, not backwards (or sidewards) - I was fortunate enough to work with the Chasm Group in the past. They are headed by Geoffrey Moore, author of the famous technology adoption curve and the book Crossing the Chasm. It was an enlightening experience. A key thing I learnt was to look forward towards companies you want to compete with and not look backwards (at those chasing you) or sidewards (at those who compete with you today). If you waste time focusing on what others are doing around you, you lose sight of your real threat that can get away. Daily positioning is of course critical but it’s a product management / sales / marketing job. Well that’s my job as well but you get my point.

As an example I stopped taking as much notice of one company I used to view as a competitor a few months back. I first saw a demo of their technology three years ago and was not impressed. They have a good market share in the financial services industry which in itself is a good reminder that the best technology rarely wins. They are certainly not to be dismissed but over the last few months we have seen several of their users approach us, having started seriously looking for replacements. It seems they just don’t scale and are not flexible enough, yet if I believed their press I would think every customer is blissfully happy, they have grabbed the market and we should pack up and go home.

If I have learnt anything about monitoring the competition it’s this. Monitoring the competition via rumors and the press is an interesting diversion, but monitoring the competition by talking to customers is far better. Knowing who your real competition is really matters.

As a side note Alex Hutton sent me a link to an interesting web 2.0 start-up called Competitious. I wonder if they have built in social networking to allow me to get customer feedback or if it’s all press based. I guess I will play and find out. Maybe it can replace my Google Alerts!
