202 Partners 'None of us is as smart as all of us'

Top 5 tips to mitigate phone and IoT device hacking in government and enterprise

Introduction
There is a growing need for cybersecurity tools to be more effective and for coverage to extend beyond older infrastructures to cover mobile and Internet of Things (IoT) devices.  Some of these tool vendors will be well-known veterans of the personal computer / data center era and others will be startups, springing up to cover gaps in the market. A recent report by Gartner quantifies the growing threat to mobile devices - “by 2019, mobile malware will amount to one-third of total malware reported in standard tests, up from 7.5% today” [1].  
Architecturally, many IoT devices are similar to mobile devices but their lack of screens, alerts and frequent updating can leave them out of sight and out of mind despite their huge and growing numbers. Typically, Information Technology (IT) is well budgeted and visible in organizations but the Operational Technology (OT) that “runs the plumbing” with IoT devices is neither. The Target Breach is often assumed to have begun with IT systems but instead began in OT, with the Heating, Ventilation and Air Conditioning (HVAC) systems being the “weak link” in security.
Our top 5 tips to mitigate phone and IoT device hacking range from hardware to management, threat detection, people and processes. Our tips are not simply a restatement of the well-known items found in Gartner reports, or in the quarterly updates of leading professional services vendors or data carriers, but instead focus on gaps in the market and new market entrants – skating to where the puck is headed, rather than where it was in the past.
Right tools for the job
Legacy cybersecurity tools such as Anti-Virus (AV), Firewalls, Intrusion Detection Systems (IDS) and a plethora of incident response systems were developed and deployed for the PCs, wired networks and data centers of the 1990s onwards.
Massive recent data breaches such as Yahoo, Equifax, OPM and even of buttoned-down Intelligence Agencies [2] underline how attackers have evolved to bypass legacy tools, or at least exploit gaps in their coverage.
In general, older tools are less successful at closing stable doors (i.e. delivering risk mitigation or avoidance) than at detecting and analyzing how the horses bolted (i.e. facilitating risk acceptance or transference). Many vendors quietly admit that they cannot offer protection against so-called “zero day” attacks, i.e. protection covers only the types of attack that have been seen in the past.
A key question to cover is: among vendors, who is stopping attacks and who is simply detailing them for after action reports? Which tools are static like a “hammer”, changing little over the years, and which are in a constant evolution of capabilities?
The best tools are effective against a wide range of attacks, constantly adding capabilities, easy to use, automate and operationalize, with light infrastructure and personnel requirements. The worst are the opposite: difficult to use, relatively static, narrow in scope, with challenging setup and on-going costs, both in compute and personnel resources, related to their complexity and cryptic outputs.
Mobile and IoT device attacks
The last fortnight saw reports of phone hacking of NATO soldiers [3] and the White House Chief of Staff [4], highlighting vulnerabilities in a newer generation of IT infrastructure – mobile devices, wireless communications and cloud back-ends. The Dyn attack that took down a chunk of the Internet last year came from simple IoT devices. IoT devices were once air-gapped but are now commonly connected 24x7x365 to the Internet.
Potential harms more than just data loss
The harms associated with attacks to mobile and IoT devices can potentially extend beyond data breaches, to ransomware, Distributed Denial of Service (DDoS), physical damages, injury, death and disruption of critical national infrastructure.   It is unlikely those suffering one of these new types of harms can be fobbed off with a year of credit reporting to make them whole.
The poster child of potential new targets is the connected and automated vehicle. While fully automated vehicles (SAE Level 5) may be two or three years out, many of the cars and trucks on the road today feature computer control for predictive cruise, overtaking, parking and other Advanced Driver Assistance Systems (ADAS) roles. Vehicles are connected directly to the Internet, or indirectly via mobile devices.
Researchers Valasek and Miller showed how such vehicles could be remotely controlled back in 2015. That demonstration prompted a 1.4 million vehicle recall, the first automotive cybersecurity recall in history. Those news reports opened the floodgates for fast followers, with vulnerabilities then shown in commercial trucks, police cruisers and right across OEM brands and tier 1 suppliers, underlining a sector-wide concern and generating thousands of articles. Car thieves have been some of the fastest to exploit weaknesses.
Unsecured supply chains
The modern car, much like electric grid components, healthcare devices and smartphones, is also a great example of a complicating factor in mobile and IoT cybersecurity. Over 80% of the parts in a modern vehicle come from tier 1, 2 or 3 suppliers [5] around the world. A modern car has up to 100,000,000 lines of code spread across up to 100 electronic control units (ECUs) – more than are present in the world’s most sophisticated fighter jets.
The vast majority of cybersecurity tools offer little or no protection where malware has been baked into third party executables, frameworks, middleware, libraries, hypervisors, containers, OS, firmware, boot loaders, boards or the processing, memory or storage components themselves. Malicious components have even found their way into the supply chains of missile systems where literal armies of warfighters and contractors had the mission of keeping them out [6].
Return oriented programming attacks
This type of attack allows the existing code in a system to be repurposed and used as the attack itself. Return Oriented Programming (ROP) attacks occur where existing code is called out-of-order to then become a hacking script. Within a ROP attack, the text of the “Hunt for Red October” could be rewritten to become “Hamlet” by carefully “jumping” and “returning”. Many vendors offer no protection against it, or simply assume incorrectly that legacy tools like static or dynamic analysis (SAST/DAST), Address Space Layout Randomization (ASLR) and NX (no-execute) flags alone are effective defenses for binaries.
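As an added illustration (not code from the article or from any vendor it names), the following Python parses an ELF64 binary's headers directly to report whether the baseline mitigations mentioned here are even present: an NX (non-executable) stack, PIE so that ASLR applies to the main image, and RELRO. The sample binaries are minimal synthetic ELF images constructed in memory, and `build_elf`, `check_hardening` and `hardening_report` are names chosen for this example. Such a check is a cheap inventory step for supply-chain binaries, bearing in mind the point above that these flags on their own do not stop code-reuse attacks.

```python
"""Check an ELF64 image for NX stack, PIE and RELRO by parsing its headers.

Added example, not code from the page or any vendor it names. The sample
binaries are minimal synthetic ELF images built in memory (not loadable
programs), enough to exercise the header parsing paths the check relies on."""
import struct

# ELF constants (System V ABI / glibc elf.h)
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # 64-byte ELF64 file header, little-endian
PHDR_FMT = "<IIQQQQQQ"           # 56-byte ELF64 program header


def build_elf(pie: bool, nx: bool, relro: bool) -> bytes:
    """Constructed test fixture: a minimal ELF64 image with the requested flags."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    stack_flags = PF_R | PF_W if nx else PF_R | PF_W | PF_X
    phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0x1000, 0x601000, 0x601000, 0x200, 0x200, 1))
    # e_ident: magic, 64-bit class, little-endian, ELF version 1, SysV ABI, pad
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0, 0]) + b"\0" * 7
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0x401000, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


def check_hardening(blob: bytes) -> dict:
    """Return which of PIE, NX and RELRO a raw little-endian ELF64 image advertises."""
    if len(blob) < 64 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if blob[4] != ELFCLASS64 or blob[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = struct.unpack(EHDR_FMT, blob[:64])
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    if e_phentsize != struct.calcsize(PHDR_FMT):
        raise ValueError("unexpected program header size")
    nx = False      # no PT_GNU_STACK at all: the loader may grant an executable stack
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", blob, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def hardening_report(blob: bytes) -> list:
    """Human-readable findings; an empty list means the baseline flags are all present."""
    h = check_hardening(blob)
    findings = []
    if not h["pie"]:
        findings.append("not PIE: fixed load address defeats ASLR for the main image")
    if not h["nx"]:
        findings.append("executable stack: PT_GNU_STACK missing or marked PF_X")
    if not h["relro"]:
        findings.append("no RELRO: relocation/GOT data stays writable at runtime")
    return findings


if __name__ == "__main__":
    hardened = build_elf(pie=True, nx=True, relro=True)
    weak = build_elf(pie=False, nx=False, relro=False)
    print("hardened:", hardening_report(hardened) or ["baseline mitigations present"])
    print("weak:    ", hardening_report(weak))
```

To check a real file, pass `open(path, "rb").read()` to `check_hardening`. Only little-endian ELF64 is handled, so 32-bit or big-endian firmware images would need the ELF32 header layout added; a missing PT_GNU_STACK is deliberately reported as a failure, since older toolchains then default to an executable stack.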
Looking past “shiny padlock” solutions
Cybersecurity has an asymmetry of economics: defenders must defend everything but attackers need to find just one way in. If a mobile or IoT device consists of a stack of hardware, firmware, OS, apps, communications and the cloud, then all of them, “end to end”, need to be protected. Security is not just the latest technology but also includes people and processes, including suppliers, the aftermarket and partners.
If we consider security as a chain with a big shiny padlock in the middle, the whole is only as strong as the weakest among all the links. The padlock is often a highly publicized peak or set of peaks in the Gartner Hype Cycle, for example, Blockchain, Encryption, Multi-factor Authentication (MFA), Intrusion Detection Systems (IDS), Artificial Intelligence (AI), Machine Learning (ML), Enterprise Mobility Management (EMM) or Mobile Threat Defense (MTD). That shiny padlock may be strong in its own right but if one of the other links is by comparison just a shoelace then it is that weak shoelace that defines the security posture of the whole system!
There is an analogous situation in the physical world. If the front door is strong, with a good commercial grade lock and a lot of “curb appeal”, then robbers search for a window to open or break, a duplicate key hidden nearby, or one dropped off with neighbors, who might fall for a bit of social engineering.
1 Hardware
Apple and Samsung have been the most prominent in meeting government and enterprise security requirements for devices, from the baseline of National Information Assurance Partnership (NIAP) certification, to secure booting through to offering enterprise configuration tools like DEP, Knox Configurator and Tachyon.
Outside of government certified configurations, device cybersecurity can be questionable – with many engineering teams able to deploy at least briefly a secure configuration for say a specific Android, Wi-Fi or carrier combination but then often struggle to keep that golden image and associated apps, communications and cloud back-end current.
Kryptowire last year identified several models of Android mobile devices that contained malware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers. Such built-in malware is not easy to detect since cybersecurity tools are typically run from user space and rely on trusting the device itself, which may be compromised. Only Kaprica’s Skorpion launched several years ago was able to verify devices externally, using a detection engine built into a micro-USB connected battery charger. Obviously, it’s not always possible to have a device checker for every device.
Many organizations are acutely sensitive to USB stick usage but ignore the potential dangers of other types of rogue hardware such as chargers, Wi-Fi access points, keyboards, mice and even monitors. 
Sepio’s behavior-detection software automatically detects rogue hardware connected into a network in the general case and mitigates its use.
Even legacy hardware can be improved without its having to be reconfigured or sunsetted. For example, Packet Viper sits outside of existing firewalls, reducing traffic, logging and alerts handling costs, protecting systems from flooding and DDoS attack, mitigating risks from bots and proxies while speeding threat detection.
Dark Cubed approaches the problem in a different way. It focuses on ease of use and operationalization for threat detection, side stepping the costs and complexities of traditional systems that confine their effective use to only the largest, well-staffed and well-budgeted organizations. This approach allows companies of all sizes to benefit from advanced analytics and threat detection techniques that have traditionally only been available to large enterprises.
2 Enterprise Mobility Management (EMM)
EMMs (previously known as MDM or Mobile Device Management) such as MobileIron, Blackberry / Good and IBM MaaS360 do a good job of maintaining specific configurations of whitelisted apps, major settings and data on a device where they are present. However, they may not be installed on Bring Your Own Devices (BYOD) and in any case their focus is management rather than cybersecurity. Along with Apple’s DEP, Samsung Knox Configurator and Tachyon, they are most useful in setting up and maintaining a baseline environment. EMM tools have a long history and some are reviewed in Gartner’s well-known Magic Quadrant [7].
3 Mobile Threat Defenses (MTD)
A newer generation of commercial tools marketed as MTD include SecureNow, Mi3, Zimperium and Lookout, focusing on cybersecurity that extends protection coverage beyond what is possible with EMM. However, that coverage is limited by what is detectable to apps in user space, for example, examining app and network behavior.
Some of these tools are reviewed in Gartner's market guide for mobile threat defense solutions [8]. The latest and potentially most interesting development in this area is Apcerto, which offers a risk-based NIAP standard framework against which to test such tools, beyond comparing marketing collateral or having to set up a bake-off whose effectiveness relies on access to a comprehensive set of test data and deep expertise.
4 People
Perhaps the biggest bang per buck of cybersecurity risk mitigation and prevention is end user training. Cisco, for example, launches phishing attacks against its own staff as a training exercise [9]. Shevirah’s Dagah tools allow simulation of a myriad of cyberattacks, which can be used to launch attacks for awareness training. Which employees do not realize that they can be phished via Bluetooth, SMS or WhatsApp? Which IoT devices can be taken over? How many folks will scan a QR code for a free dessert in the break room?
There are also specific trainings and qualifications around mobile devices. For example, CMDSP or Certified Mobile Device Security Professional covers mobile operating systems including Apple’s iOS, Microsoft's Windows OS, and Google’s Android OS.
Threats can come from insiders. 
InLitics applies Neuro Analytics (NA), a cognitive computing profile to focus on the neglected people side of cybersecurity protection. NA extracts thought processes to identify cognitive fingerprints and ultimately the persona(s). The results of NA are interlaced with other human disciplines to further interrogate the metadata to determine future expected behaviors. For example, in an automated car, NA can know who is at the wheel. Each driver has their own unique cognitive fingerprint when they drive and the system can be designed to recognize those patterns. 
5 Process
Process begins with a methodology, whether a simple checklist approach like Center for Internet Security (CIS) Controls or a more thorough and risk-based framework like NIST’s Cybersecurity Framework (CsF). In the Software Development Life Cycle (SDLC), the most neglected areas are typically unit, integration and acceptance testing, especially for updating and upgrading.
There can be immense pressure to add features, functions and ship, with end users as beta testers and a reliance on bounty programs administered by tools like HackerOne or BugCrowd to engage white hat hackers. Perhaps the worst case is where security executives and trade groups focus less on solving underlying issues than on marketing reassurance to investors, lawmakers and customers.
More red teaming and pen testing is needed to supplement in-house testing. The secret is not more and more employee and contractor staff but better leveraging the people already in place with more effective tools and automation. Tools such as Shevirah’s can automate pen testing. Tools such as CyVision’s Cauldron can automate visualization and modeling of cybersecurity assessments, allowing the highest priority threats to be quickly identified and remediated first.
A well-known weak spot in the mobile and IoT ecosystem is the vetting of the software that goes into mobile and IoT devices. Legacy tools fall into two categories – external and internal. External tools include AV, Firewalls and IDS. Traditional internal tools are built into the code in Secure SDLC (SSDLC), featuring approaches like coding or re-coding best practices, secure libraries, instrumentation and layers of SAST and DAST inspection.
The challenges of external tools are numerous, from being by-passable, to their requirements for additional resources and monitoring personnel.   Internal tools are best applied in new builds or re-engineering where time, budgets and resources permit but even there they cannot cover all vulnerabilities, especially not those associated with ROP attacks or a compromised supply chain. The vast majority of developers do not have access to source code from end-to-end. Instead, they focus on the 20% of the code that is controlled in their group or company, which does not prevent vulnerabilities being present in the 80% that comes from the supply chain.
A new approach takes a third path.  
RunSafe Security is an example of Runtime Application Self-Protection (RASP). It was developed with DARPA specifically to address challenges in hardening the millions of lines of legacy code associated with DoD IoT devices, from military vehicles to drones and medical devices. It works automatically with binaries, protecting against memory corruption attacks, ROP attacks and a compromised supply chain. Perhaps its greatest innovation is ease of use and operationalization with existing code.
RunSafe is simply a one-time transformation of binaries as part of the deployment or updating process, much like compressing or archiving files with Mac, Linux or Windows.  Were RunSafe applied to distribution of a document reader, say version 17.01, every copy would be logically the same 17.01 functionality but different and unique to hackers, destroying their economies of scale.
A similar approach is offered by Virgil Security, which provides cryptographic software building blocks that allow developers to add enhanced security (including password-less authentication, encryption, and cryptographic verification of data, devices, and identities) into their products. Again, Virgil’s greatest innovation is the ease of use and operationalization of the tools.
Conclusion
Following points 1 to 5 will mitigate phone and IoT device hacking.  There is no magic bullet or shiny one-size-secures-all padlock.  A comprehensive solution will layer defenses from many vendors, with a practical approach that does not assume unlimited time, budget and resources for IT and OT but is risk-based and emphasizes effectiveness and automation.
Deployment and updating of devices will at best include RASP, signing and encryption, fitting into secure devices with EMM, MTD or their equivalents, where people and process factors like Information Sharing and Analysis Centers (ISACs) are given equal weight.
About the author
Simon is an industry recognized expert in cybersecurity, mobility and IoT, co-founder of Washington D.C. based cybersecurity startup RunSafe Security. He is a member of the Society of Automotive Engineers (SAE) IoT Cybersecurity Committee and a contributing author of their new book “Cybersecurity for Commercial Vehicles". RunSafe was developed as part of DARPA’s program of cybersecurity for military vehicles, drones and medical devices. Simon also worked with Apple and Samsung in hardening their mobile devices for DoD and government use.
Previously, he was VP of Sales at Kaprica Security (acquired by Samsung), Mobile Program Director, DMI, market leader in enterprise managed mobility and Director of Sales at Thursby Software, market leader in strong iPhone security. Prior executive sales and management roles in the US and Europe include Red Hat, HP, Capgemini, a $9B hedge fund, a $50MM dot com and a background in nuclear software engineering. He holds a BS in Physics from U-Manchester, England, a MS in Law & Cybersecurity from U-Maryland Carey Law, CISSP, CEH and CIPP/US cybersecurity and privacy certifications.
[1] https://www.gartner.com/doc/3789664/market-guide-mobile-threat-defense
[2] https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108
[3] https://www.wsj.com/articles/russia-targets-soldier-smartphones-western-officials-say-1507109402
[4] http://www.politico.com/story/2017/10/05/john-kelly-cell-phone-compromised-243514
[5] http://automotivelogistics.media/opinion/last-mile-converging-on-the-future
[6] http://www.wnd.com/2012/06/u-s-missiles-infected-with-chinese-fakes/
[7] https://www.gartner.com/doc/3740018/magic-quadrant-enterprise-mobility-management
[8] https://www.gartner.com/doc/3789664/market-guide-mobile-threat-defense
[9] http://www.businessinsider.com/cisco-chief-information-security-officer-strategy-for-fighting-cyber-attacks-2017-9/#kill-your-click-throughs-1Russians%20and%20NATO
Why try to defend against new cyber threats with only legacy technologies?

Introduction
Cybersecurity has an asymmetry of economics: defenders must defend everything but attackers need to find just one way in … and it need not be one seen before. Attackers are updating methods more, attacking more and impacting more devices and people.
The harms associated with attacks are escalating from legacy data breaches, to DDoS and ransomware, to potentially physical damages, injuries, deaths or debilitation of critical infrastructure.
Likely you already have legacy solutions from FireEye, Symantec, McAfee and others, so you already have in place the layers of defense that these established vendors offer.

Detailed below are a selection of 5 emerging tech partners that add to your security posture and complement existing infrastructure.
That these companies leverage automation is hugely important since even the most deep-pocketed DoD command, government agency, West Coast tech company or Wall Street Bank cannot simply keep adding cybersecurity staff or contractors to meet mushrooming cybersecurity needs.

CyVision Cauldron - Automated cybersecurity assessment visualization
New visualization and modeling technology automates a key aspect of enhanced cybersecurity assessments, allowing highest priority threats to be quickly identified and remediated first.

InLitics - Automated cognitive analytics
InLitics applies a cognitive analytics approach to the neglected people side of critical infrastructure protection. It automatically leverages and interlaces multi-discipline human dimensions for threat and vulnerability detection against such data as still photos, video feeds (images and/or voice), emails, text, or other data extractions.

Packet Viper - Automated network traffic control
New IP filtering technology sits outside of existing firewalls as an undetectable in-line bridge that can automatically reduce network traffic, logging and alerts up to 70%, protect from flooding and DDoS, mitigate risks from bots and proxies, with faster threat detection.

RunSafe Security - Automated cyber hardening
RunSafe is a pioneer in automated cyber hardening with the ability to make embedded systems and devices functionally identical but logically unique. Its patented binary stirring technology automatically renders threats inert by eliminating attack vectors, significantly reducing vulnerabilities and denying malware the uniformity required to propagate.

Sepio - Automated detection of rogue and ghost hardware devices
Sepio works with the neglected physical side of cybersecurity. Its unique behavior-detection software suite automatically identifies all connected hardware devices in a network, including nefarious ones that compromise IT infrastructure.

About the author
Simon is an industry recognized expert in cybersecurity, mobility and IoT, part of a growing family of Washington DC-based cybersecurity startups including RunSafe Security and 202 Partners. He is a member of SAE’s Cybersecurity IoT Committee and a contributing author of their new book “Cybersecurity for Commercial Vehicles". RunSafe’s IP was developed as part of DARPA’s High-Assurance Cyber Military Systems (HACMS) program of cybersecurity for military vehicles, drones and medical devices. Simon also worked with Apple and Samsung in hardening their mobile devices for DoD and government use.
Previously, he was VP of Sales at Kaprica Security (acquired by Samsung), Mobile Program Director, DMI, market leader in enterprise managed mobility and Director of Sales at Thursby Software, market leader in strong iPhone security. Prior executive sales and management roles in the US and EMEA include Red Hat, HP, Capgemini, a $9B hedge fund, a $50MM dot com and a background in nuclear software engineering. He holds a BS in Physics from U-Manchester, England, a MS in Law & Cybersecurity from U-Maryland Carey Law, CISSP, CEH and CIPP/US cybersecurity and privacy certifications.
twitter.com/simonhartleyusa
linkedin.com/in/simonhartleyusa
Wake up call of week's cyberattacks ... how to avoid more

202 Partners Cybersecurity
The bad news is that the last week has seen an unprecedented number of ransomware attacks around the world which have hit some large organizations very hard.
The good news is that these particular attacks are entirely preventable with some easy short term steps, which are cornerstones of a larger cybersecurity strategy that can prevent others.
The short term steps are
1) Install the latest updates for (in this case) Windows
2) Run backups and check that they are good
3) Keep doing the above steps and look at a wider cybersecurity framework.
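Step 2, checking that backups are actually good, as an added example that is not part of the original post: the Python below backs up a directory into a tar.gz with a SHA-256 manifest, then verifies the backup the only way that counts, by restoring it into a scratch directory and re-hashing every file against the manifest. The sample tree is constructed in a temporary directory and the function names (`backup`, `verify_backup`, `demo`) are chosen for this example.

```python
"""Backup with a SHA-256 manifest, verified by a real restore into a scratch directory.

Added example, not from the post. Sample files are constructed in a temp dir."""
import hashlib
import json
import os
import tarfile
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(src_dir: str) -> dict:
    """Relative path -> SHA-256 for every regular file under src_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src_dir)] = _sha256(full)
    return manifest


def backup(src_dir: str, archive: str) -> dict:
    """Write archive (tar.gz) plus a sibling .manifest.json; return the manifest."""
    manifest = make_manifest(src_dir)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify_backup(archive: str) -> list:
    """Restore into a scratch directory and compare against the manifest.
    Returns a list of problems; an empty list means the backup restored intact."""
    with open(archive + ".manifest.json") as f:
        expected = json.load(f)
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # 'data' filter refuses path-traversal and special entries (Python >= 3.12, or backported)
                tar.extractall(restore_dir, filter="data")
            except TypeError:
                tar.extractall(restore_dir)
        actual = make_manifest(restore_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file in backup: {rel}")
    return problems


def demo() -> tuple:
    """Back up a constructed tree and verify it, then show that a backup taken
    after a file went missing (with a stale manifest) fails verification."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "sub"))
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample file\n")
        with open(os.path.join(src, "sub", "config.ini"), "w") as f:
            f.write("[main]\nkey=value\n")
        archive = os.path.join(work, "data.tar.gz")
        backup(src, archive)
        clean = verify_backup(archive)
        # An incomplete backup: one file vanished, archive rewritten, manifest left stale
        os.remove(os.path.join(src, "sub", "config.ini"))
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname=".")
        bad = verify_backup(archive)
    return clean, bad


if __name__ == "__main__":
    clean, bad = demo()
    print("good backup:", clean or "verified intact")
    print("bad backup: ", bad)
```

In production the manifest should be stored separately from the archive (a copy that ransomware can rewrite alongside the backup proves nothing), and the restore test should run on a schedule, not only when the backup is first taken.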
The longer term steps are
1) CIS Controls
For a simple checklist approach, follow the "top 20" list of CIS Controls. It is mandatory in the State of California.
2) NIST CsF
For a more nuanced and risk-based approach, follow NIST's Cybersecurity Framework and the various standards that it embodies for your particular vertical. It is mandatory for Federal Agencies and the preferred standard for US Critical Infrastructure.
The best news
The best news is that legacy desktop and server computers were the targets and not Internet of Things (IoT) systems, where ransomware or malware targets infrastructure from traffic lights to trucking fleets, dams and the electric grid, with the potential to cause property damage, bodily injury, death and debilitation of national security.
Automation
Delivering today's business outcomes requires hardware, software, services, processes and people.
In the past, many of these had to be procured and assembled separately, requiring armies of contractors.
Today, the cloud and Software-as-a-Service (SaaS) bring together the hardware and software, although their rough edges can still require armies of skilled staff to integrate, deploy and maintain them.
The best tools mitigate attacks directly, minimize their impact and facilitate analysis and response without also adding heavy expenses, long time lines and new staffing resources, or worse requiring re-engineering or rip and replace approaches.
Some emerging technology tools include:
  • RunSafe Security - automatically makes embedded systems and devices functionally identical but logically unique, taking away economies of scale from cyber attackers
  • Packet Viper - sits on the network edge automatically reducing up to 70% of illegitimate network traffic, reducing loads on existing firewalls and network engineers alike
  • CyVision Cauldron - visually models environments automatically as part of cybersecurity assessments, allowing highest priority threats to be quickly identified and remediated first
Author
Simon is part of a growing family of DC-based cybersecurity, mobility and IoT startups including RunSafe Security and 202 Partners, and a member of SAE’s IoT Cybersecurity Committee. RunSafe’s technology was developed within the DARPA High-Assurance Cyber Military Systems (HACMS) contract, focusing on cybersecurity for military vehicles, drones and medical devices, and in testing with law enforcement, government agencies and commercial fleets.
Previously, VP of Sales at Kaprica Security (acquired by Samsung), Mobile Program Director, DMI, market leader in enterprise managed mobility and head of sales at Thursby Software, market leader in strong iPhone security. Prior executive sales and management roles include Red Hat, HP, Capgemini, a $9B hedge fund, a $50MM dot com and a background in nuclear software engineering. Holds BSc (Hons.) Physics from Manchester University, MS Law and Cybersecurity from University of Maryland Carey Law, CISSP, CEH and CMDSP certifications.
Cyber unsafe at any speed

Had the privilege of presenting at the Society of Automotive Engineer's 2017 World Congress.

Was a pleasure to hear and meet so many of the folks involved in cybersecurity for cars, trucks and commercial vehicles from SAE itself, to Auto-ISAC, to manufacturers, suppliers, cybersecurity specialists, academia and Homeland Security.

Had the opportunity to go-over all the progress that has been made and also to highlight 3 areas deserving of more attention:

  • Systematically running pen tests with independent testers
    Who has the most hacking expertise and motivation?
  • Updating for the forgotten ¼ billion vehicles already on US roads
    No Model Year 2020 technology can avoid today’s ditches.
    Fleets are the most vulnerable.
  • Reducing attack surface across the entire supply chain, mitigating weak links
    Use DoD, Fed & LE learning by retrofitting CAN bus IPS, RASP & similar tools

Transportation critical infrastructure shares many of the same vulnerabilities as energy, emergency response and other sectors when viewed end-to-end.
Kaprica Security’s Tachyon Software Acquired by Samsung Electronics


North Bethesda, MD, October 27, 2016, 202 Partners, a boutique enterprise software sales consultancy for startups and mature IT companies, today announced that Samsung Electronics has acquired the Tachyon enterprise mobile device configuration software developed by its client Kaprica Security. Tachyon will be integrated into Samsung’s successful defense-grade KNOX™ mobile security platform. Financial terms of the deal were not disclosed.

Prior to the acquisition, Tachyon’s users included Federal Law Enforcement, the Department of Defense (DoD), leading hospital systems and vehicle fleets in the US and Europe.

Doug Britton, CEO of Kaprica Security, shared that “202 Partners were instrumental in putting the strengths of our Intellectual Property into a buyer’s context, closing deals and building an 8-figure sales pipeline over the last two years.”

202 Partners
• Developed Tachyon’s go-to market strategy
• Presented to scores of enterprise prospects and ecosystem partners, including integrators, managed services providers, vendors, carriers, resellers, distributors, analysts and investors in the US and EMEA
• Closed key accounts and partner relationships in government, healthcare, automotive and general enterprise
• Obtained GSA Schedule 70 listing, Samsung Gold partnership and coverage by Gartner
• Represented Tachyon at MWC, mHealth, CTIA, ATARC, AFCEA and other mobility events

As the Tachyon product is absorbed into Samsung KNOX™, 202 Partners will continue to assist Kaprica Security with its next generation vehicle cybersecurity product, RunSafe Security.

Press Contact


Simon Hartley, Principal
simon@202partnersllc.com

202 Partners LLC
12007 Galena Road
North Bethesda, MD 20852
USA

About 202 Partners

202 Partners is a boutique enterprise software sales consultancy for startups and mature IT companies, focusing on product launches and growth hacking. 202 was founded in late 2014 by industry veterans Peter Laitin and Simon Hartley, together with decades of expertise and successful experience in cybersecurity, mobility and IoT sales hunting, marketing and product management. 202 specializes in emerging technology and early markets such as government, healthcare, finance and automotive. Customers include RunSafe Security, Kaprica Security, Spectrum Comm and others. 202 is headquartered just outside Washington, DC, in North Bethesda, MD. Learn more at 202partnersllc.com.


About Kaprica Security

Kaprica Security Inc. is an expert in mobility and security, providing hosted and on premise solutions. Kaprica was founded in 2011 by a team of cyber security experts from Lockheed Martin and Carnegie Mellon University, with the goals of delivering high quality cyber security services to a wide government and enterprise audience, and simultaneously developing easy to use and deploy software tools to support them. Today, clients range from DARPA, to the Department of Transportation, Lockheed, Intel and the University of Maryland. Kaprica is a Gold-Level Samsung partner and its enterprise software products include the Skorpion™, Tachyon™ and RunSafe™ lines and associated patents. Kaprica is headquartered just outside Washington, DC, in College Park, MD, with offices in Austin, TX. Learn more at kaprica.com.


About RunSafe Security

RunSafe Security is a vehicle cybersecurity company. RunSafe was founded in 2015 by a team of cybersecurity experts from Kaprica Security (kaprica.com), to focus on the delivery of high quality cybersecurity solutions to fleet managers across government, commercial trucking, law enforcement, rental agencies and taxi companies, and on developing embedded solutions for automotive OEMs and suppliers. Clients and partners include DARPA, the US Department of Transportation and the Commonwealth of Virginia. RunSafe offers three levels of automotive security products, including Vehicle Guardian™, App Guardian™ and OS Guardian™, together with associated patents. RunSafe is headquartered in Washington, DC. Learn more at runsafesecurity.com.

2017 - the year of vehicle cybersecurity

2016 ended with retaliation for nation-state cyber attacks on the elections, attempted infiltration of the Vermont power grid and Yahoo setting yet another sad "new record" for consumer data breaches at over 1 billion accounts.

Last year saw the first fatality associated with automated vehicles, but also promising milestones of AI winning against a human Go player and Google driving over 2 million automated miles.

With NHTSA statistics showing that 94% of vehicle accidents are due to human error, full vehicle automation (and the steps on the way to it) offers the promise of delivering more societal benefit than harm, especially for disadvantaged groups like the elderly and infirm, as well as transforming our roads, cities and the sharing economy, and rebuilding Motor City into a modern Software & Services City.

However, pressing on the negative side of the scales is the potential for vehicle cyber attack, with consequences ranging from simple distraction, to ransomware based on detailed profiling, property damage, bodily injury, or death, even reaching national security impact given the potential for gridlock leveraging commercial vehicles.

Gating the deployment of automation and AI in vehicles, and in IoT infrastructure in general, are increased cybersecurity needs around people, process and defense-in-depth layers of technology.

The commercial driver is one of legal liability and damages, with victims of crashes, outages and floods unlikely to be satisfied with remedies like a year's worth of credit reporting that were the weak market drivers for cloud, data center, PC and mobile security before the advent of IoT.

The need for law & policy expertise in an effective cyber workforce

The sixth annual Cyber MD conference was a success, bringing together customers, vendors and speakers including the heads of NSA and DISA, and former DHS Secretary Michael Chertoff.

The need to address people, process AND technology for effective cyber security was a recurring theme among keynote speakers and panelists.

One of the panels addressed the growing importance of technical and non-technical skills in an effective cyber workforce, with a special focus on the importance of legal and policy expertise in the cyber security field.

The panel was a lively one on closing the gap between lawyers and technologists.

Many questions were taken from the floor, especially around the new area of cybersecurity law and policy training, for example, in certificate, Masters, JD and LLM programs from U-Maryland Law.

Another theme of the conference was the graver potential consequences of cyber attacks on IoT systems, with the potential for property damage, bodily injuries and even deaths.

Imagine the consequences of a DDoS or ransomware attack on computers controlling medical devices, public or fleet vehicles on the roads, or industrial infrastructure, from power plants to dams.

Legal and policy questions in general, and cyber security in particular, are especially important with emerging technology and early markets.

Legal, regulatory and privacy concerns aren't simply business as usual compliance questions for companies like Uber, Airbnb or Google's Nest but potentially existential ones, as society, cities, industries and lifestyles are transformed by new norms of transport, accommodation and living space management created by new technologies and the new types of business models they enable.

In a recent NPR interview, the head of Airbnb talked about legal pushback being part and parcel of innovation, from ATMs, to VCRs, to cars, all of which were strongly opposed in the beginning.

Even for mature companies in mature markets, geopolitical events such as the collapse of "Safe Harbor" or the UK's "Brexit" can upend business and technology decisions around cloud architectures.

The rise of end-to-end encryption and its effect on law enforcement and national security is an ongoing societal debate that closely ties to law and policy, with even the WSJ now caveating reviews of new smartphones such as the Google Pixel with discussions of their data privacy handling.

Crawl, walk, fly


From 1903 Flyer to NCC 1701

Kitty Hawk, NC, is an aviation shrine. It was the scene of Orville and Wilbur Wright’s first powered flight in 1903.

It has been an inspiration for generations of inventors, engineers, pilots, astronauts and writers such as Star Trek’s Gene Roddenberry.

That first flight was the culmination of three years of intensive R&D by the two brothers, between the then remote Outer Banks location and their bicycle shop in Dayton, OH.

The Kitty Hawk location was chosen for its combination of high winds, soft sands and relative privacy.

A piece of the 1903 Flyer’s wing fabric was later carried to the moon and back by another Ohio native, Neil Armstrong, in Apollo 11.

Standing on the shoulders of giants

The Smithsonian carefully describes the 1903 Flyer flight as "the first powered, heavier-than-air machine to achieve controlled, sustained flight with a pilot aboard".

That such a clumsy phrase is needed illustrates a truth in innovation – there are many groups around the world chasing the same goals, with the same inspirations and knowledge bases.

Many can legitimately claim firsts in various categories and sub categories from different approaches and cannot simply be dismissed as “me too” or “fast followers”.

The Wrights themselves began by searching out existing information from the Smithsonian, the Weather Bureau, and aviation pioneers around the world, just as modern innovators search out information from peers, analysts, specialized events, journals and the web.

At the time, the Smithsonian was no impartial outside observer, itself in receipt of government (War Department) funding for aviation research in competition with the Wrights.

The situation is analogous today, where web information can be little more than advertorial and analysts’ framing is shaped by their vendor relationships as much as by the marketplace itself.

Crawl-Walk-Run

The problem of practical flight rather than demonstrations consists of three areas – lift, power and control - all of which are required.

In 1900, progress had been made in all three areas but no one had successfully put them all together.

The wing was known for lift, there were powered model planes, and 2 of the 3 modern control surfaces - the rudder and the elevator – were known (think of movement around the X, Y and Z axes).

The Wrights’ R&D followed the classic crawl-walk-run progression, from tests on kites, to gliders, to generations of flyers.

Highlights of their innovations for the missing steps in the path to practical flight include:

  • Introducing wing warping as the missing 3rd control surface, a forerunner of modern ailerons
  • Building a wind tunnel to generate accurate data for efficient design
  • Understanding the propeller as a kind of wing rather than as a marine screw
  • Building an aluminum motor with high power and low weight, something COTS vendors were unwilling or unable to supply
  • Refining methods for controlled flight using wing warping, the elevator and rudder together

The Wrights were uniquely gifted with
  • The skills, tools, time and money to invest in R&D, without partners or funding from government, academia, or sponsors
  • The mindset to persevere in an endeavor where 99% success was still crashing, the common attitude was “man was not meant to fly” and competitors were seemingly better appreciated in the press, funded and qualified

The next phase of the Wrights’ career is much less well known.
  • They gained enormous press but also fueled competitors with teams better able to build on their innovations
  • After initial missteps, they sought professional advice around patents, which later assured their wealth
  • They turned to the US Government to fund further development, leading to the establishment of the College Park Airport, MD, as part of trials around Washington, DC
  • WWI massively expanded the market for airplanes, making it big business
  • The Wrights withdrew from the scaling market, worn down by their single-handed struggles for funding, patent battles and the different skillset needed to grow large businesses

What can we learn

Dream big but realize that even engineering genius can benefit from expertise and experience in other “swim lanes” such as sales, marketing, finance and legal.

Startups and emerging technology are a different business from the business administration of mature products in mature markets.

Companies used to grow and IPO but many more are acquired for their IP, with their founders and backers able to go on and fund more R&D as serial entrepreneurs, or rest on their laurels.

Industry leaders from eBay, to Google, Microsoft and Apple bought in outside technology from smaller companies to kickstart some of their best-known products, from PayPal, to Earth, Android, Windows, Word, Skype, Mac OS X and iTunes.

Perhaps most famously, Cisco tried to formalize this approach with so-called spin-ins.

About us

Simon is an FAA-registered pilot and recently made the pilgrimage to Kitty Hawk.



Photo Credit

First flight of the Wright Flyer I, December 17, 1903, Orville piloting, Wilbur running at wingtip.

John T. Daniels - This image is available from the United States Library of Congress's Prints and Photographs di


Software automation key to clearing gridlock from highways to cybersecurity

I live in the Washington, DC, Metro area. Every day, I drive roads choked with vehicles around the beltway. Arriving at weekday destinations, I run into IT staff choked with manual tasks like configuring mobile devices, or sifting through masses of false positive data, from app vetting to security logs.
If it’s not possible to keep on widening roads to accommodate more and more cars, or to keep on hiring more and more expert staff and contractors to deal with more and more cybersecurity threats then what is the answer?

Clearing gridlock

The answer is software automation. Software is smart and can be affordably and reliably scaled; hardware is powerful and ubiquitous. People’s time is the most valuable commodity of all. Automation isn’t about replacing people; it is about enabling people to act more productively and to focus on proactive priorities, rather than miring them in reactive or busy work.

Tuning up trucks & cars

The writing is on the wall for the future of motor vehicles, with each model year adding more connectivity, as well as advanced driver assist systems (ADAS) from automated braking to parking, to crowdsourced traffic routing with tools like Waze.
The promise of full or even partial automation is more time for everyone, with efficient traffic flows, shorter commutes, fewer accidents, and a new freedom for underserved groups like those with disabilities, the elderly, or just ordinary people whose passion isn’t driving but their family and work activities. Driving for pleasure will live on in rallies and race tracks, just like horse riding.


Catch 22 of auto automation

The catch for that automated future is that modern vehicles aren’t just tablets on wheels but data centers on wheels, with a lot of connectivity constituting large attack surfaces, as the FBI, DOT and NHTSA recently warned.
Cyberattacks, whether individualized or generalized, could put a severe dent in our commutes, or even be a threat to national security where Just in Time (JIT) deliveries for restaurants and grocery stores mean cities are just ‘9 meals from anarchy’. A modern vehicle has 100 to 300 million lines of code and around 50 processors, the elephant in the room of Internet of Things (IoT) systems.
The old way of addressing cybersecurity issues would be armies of experts inspecting and re-engineering the code and libraries and examining the network logs (CAN bus or J1939), arriving back at the IT gridlock mentioned previously.
The answer for auto cybersecurity is again automation: machine learning of what is good and bad traffic on the CAN bus and automated hardening of embedded systems, along with all the defense-in-depth controls described in NIST’s Cybersecurity Framework (CSF) and SAE’s automotive cybersecurity guidebook, J3061.
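At its simplest, "learning good and bad traffic on the CAN bus" is a per-message timing baseline: most CAN frames are sent periodically by one ECU, so an attacker who injects frames on a known arbitration ID shows up as that ID arriving far faster than normal, and an ID that never appears in clean traffic is suspicious on its own. The following Python is an added illustration, not RunSafe's or any vendor's code. It learns each ID's mean inter-arrival interval from a constructed clean trace in a candump-like text form (the format, the IDs, the periods and the injected burst are all made up for the example), then flags unseen IDs and injection floods in a second trace.

```python
"""Rate-based CAN bus anomaly detection (added illustration, not RunSafe code).

Learns each arbitration ID's normal inter-arrival interval from a window of
clean traffic, then flags frames on unseen IDs and frames that arrive far
faster than that ID's baseline, the signature of an injection flood.
"""
from collections import defaultdict
from statistics import mean, pstdev


def parse_frame(line):
    """Parse one candump-style line: '<seconds> <ID hex>#<data hex>'.

    The text format is an assumption for this example; a real capture would
    come from SocketCAN (candump / python-can) or a J1939 logger.
    """
    ts, rest = line.split()
    arb_id, data = rest.split("#")
    return float(ts), int(arb_id, 16), bytes.fromhex(data)


def learn_baseline(frames, min_samples=2):
    """Per-ID (mean, population stdev) of inter-arrival time on clean traffic."""
    last_seen, gaps = {}, defaultdict(list)
    for ts, arb_id, _data in frames:
        if arb_id in last_seen:
            gaps[arb_id].append(ts - last_seen[arb_id])
        last_seen[arb_id] = ts
    return {aid: (mean(g), pstdev(g)) for aid, g in gaps.items()
            if len(g) >= min_samples}


def detect(frames, baseline, k=4.0, floor=0.5):
    """Return (timestamp, id, reason) alerts.

    An ID never seen in training is 'unknown-id'. A known ID whose gap to its
    previous frame is below mean - max(k*stdev, floor*mean) is 'injection-rate';
    the floor keeps perfectly periodic IDs (stdev ~ 0) from alerting on jitter.
    """
    alerts, last_seen = [], {}
    for ts, arb_id, _data in frames:
        if arb_id not in baseline:
            alerts.append((ts, arb_id, "unknown-id"))
            continue
        if arb_id in last_seen:
            mu, sigma = baseline[arb_id]
            threshold = mu - max(k * sigma, floor * mu)
            if ts - last_seen[arb_id] < threshold:
                alerts.append((ts, arb_id, "injection-rate"))
        last_seen[arb_id] = ts
    return alerts


def _periodic(arb_id, period, count, data="00"):
    # Constructed periodic traffic for the demo; IDs and periods are made up.
    return [f"{i * period:.6f} {arb_id:03X}#{data}" for i in range(count)]


def build_traces():
    """Constructed traces: a clean window and the same window under attack."""
    def by_time(line):
        return float(line.split()[0])
    clean = sorted(_periodic(0x0C0, 0.010, 100) + _periodic(0x1A0, 0.020, 50),
                   key=by_time)
    # Attack: ten spoofed 0x0C0 frames 0.2 ms apart (a flood out-pacing the
    # legitimate 10 ms sender), plus one frame on an ID absent from training.
    injected = [f"{0.5005 + i * 0.0002:.6f} 0C0#FF" for i in range(10)]
    injected.append("0.300000 7DF#0201")
    return clean, sorted(clean + injected, key=by_time)


def run():
    """Learn on the clean trace, detect on the attacked one."""
    clean, under_attack = build_traces()
    baseline = learn_baseline(parse_frame(l) for l in clean)
    alerts = detect((parse_frame(l) for l in under_attack), baseline)
    return baseline, alerts


if __name__ == "__main__":
    base, found = run()
    for aid, (mu, sigma) in sorted(base.items()):
        print(f"ID 0x{aid:03X}: period {mu * 1000:.2f} ms (stdev {sigma * 1e6:.1f} us)")
    for ts, aid, reason in found:
        print(f"ALERT t={ts:.4f}s ID 0x{aid:03X} {reason}")
```

On the constructed traces this yields ten "injection-rate" alerts for the spoofed 0x0C0 frames and one "unknown-id" alert for 0x7DF, and nothing on the clean window. The caveats are the ones a fleet deployment runs into immediately: event-triggered IDs have no fixed period and need a different feature (payload, bus load, sender fingerprint), jitter grows with bus utilization so the floor must be tuned per vehicle and per ECU firmware revision, and a pure rate rule misses a masquerade attack that first silences the legitimate sender and then transmits at the normal period.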

Tuning up IT cybersecurity

The story of the automated car is the same for traditional IT.
Need to set up 10,000 tablets or smartphones? Automation is the key. Gartner found that 75% of mobile security breaches weren’t about ‘shiny squirrel’ new security technologies on mobile devices but plain old misconfiguration. This shouldn’t be surprising when the coolest, latest smartphones and tablets have hundreds of settings and even the most basic enterprise rollouts integrate apps from half a dozen vendors.
Need to comb thousands of security logs? Need to vet thousands of lines of code? Once again, automation and machine learning. Smart software automation products are all about doing more with less.

What are some automated solutions?

RunSafe Vehicle Guardian – Automated Intrusion Prevention System (IPS)/Firewall for cars (Runsafesecurity.com)
RunSafe App & OS Guardian –  Automated hardening for apps & OSes (Runsafesecurity.com)
Kaprica Tachyon – Automated setup/updating for enterprise Samsung mobile devices (Kaprica.com)
Spectrum Comm Go-Box – Automated kiosk-based management of mobile devices (Go-box.com)
Exabeam – Automated user behavior analytics (UBA) for security (Exabeam.com)
Plurilock Pluripass - Automated interaction capture for unique biometric signatures (Plurilock.com)
MobiChord – Automated telecom expense management (TEM) software (MobiChord.com)
ViiMed - Automated healthcare tele-medicine workflows (Viimed.com)


Cybersecurity needed to reap benefits of IoT ... not the whirlwind


We've attended some interesting conferences in the last month on the intersection of cybersecurity and the Internet of Things (IoT) - Auto Cybersecurity, TU Auto Cybersecurity in Detroit and  the National Labs on Critical Infrastructure Protection in Virginia.

The benefits of IoT are clear to everyone.

Hackers have brought familiarity with data breaches and identity theft to tens of millions of Americans, most of which are remedied with a year of credit reporting, a few fines and a payout from cyberinsurance.  None of this has much troubled company stock prices or their brands.

IoT cyber attacks, however, could be much, much more damaging, including property damage, bodily injury and even death, affecting insurance premiums and likely driving industry re-defining lawsuits and mandatory cyber regulations.

Both the benefits and potential / theoretical drawbacks of IoT are most visible in the auto industry, where new IoT technologies once confined to concept cars or only the most deluxe models are increasingly to be found in popular, attractive and mass market new models.

The software platforms that drive infotainment systems, advanced driver assistance systems (ADAS) and full automation make modern vehicles not just smartphones with wheels but data centers on wheels, with 100 to 300 million lines of code (IEEE), on scores of processors from a wide supply chain tied to satellite, cell, Wi-Fi, Bluetooth and physical connections such as the OBD-II diagnostics port.

Both the insurance industry and regulators are responding proactively.

Cyberinsurance is one of the fastest growing categories in the insurance industry, expanding coverage from just data breach remediation to include property and bodily injury (per the Betterley Report).

The FBI, DoT and NHTSA recently put out a Public Service Announcement around cybersecurity-related safety risks with motor vehicles.

NIST is at the forefront of voluntary standards setting, with the Cybersecurity Framework (CSF), building on NIST SP 800-53 Rev. 4, along with industry groups such as the Society of Automotive Engineers (SAE) with J3061.

RunSafe Security is one of the many US and international vendors working with IoT companies, suppliers and integrators to build defense in depth for systems, following best practices and standards to mitigate the risk of cyber attack.

RunSafe's Vehicle Guardian addresses cybersecurity for existing fleets of vehicles with a plug-in solution.

RunSafe's App and OS Guardian automatically hardens embedded systems in future model year vehicles, or in more general IoT systems, against the most common type of cyberattack: memory corruption (per the MITRE CVE database of vulnerabilities).

NOTE - The Virginia State Police cruiser pictured was protected by Vehicle Guardian in recent tests.

'Uber for tablets' - multi device sharing from a box

The sharing economy
Sharing of individual cars, homes and other resources has exploded over the last few years, driven by the ease-of-use and ubiquity of mobile devices and web-based tools.
Surprisingly, that sharing model has not reached mobile devices themselves.
That is, up until now, with a new Newport News, VA-based company called Go-Box.
The emphasis of mobile device makers has traditionally been “one each”, much as for cars, PCs, or indeed any consumer goods. Have 100 or 1,000 people? Easy, buy 100 or 1,000 devices!

Is sharing appropriate?
In fairness, neither individuals nor organizations want to share private and confidential information, wait for potentially slow OTA profile syncing, or struggle with the overheads of complex on-device software.
In the majority of consumer and organizational use cases, “one each” is the right answer. However, there are a number of use cases in government and enterprise where sharing is appropriate, for example, where
  • Work is divided into shifts
  • Data is sensitive and needs to stay in the workplace and be securely managed
  • OTA connectivity is limited, or undesirable

Go-Box makes sharing tablets easy, delivering on-demand tablets with the apps, data and settings that users need.
Management is web-based.  Data confidentiality and syncing are managed as part of the charging cycle rather than with on-device software or OTA syncing.  After all, even Uber cars need to be refueled, or Airbnb homes cleaned.

Mobile devices are different in kind than PCs
The issues of sharing were successfully resolved decades ago for PCs. 
PCs are plugged into fast networks and wall outlets.  When Fred logs in, he sees his environment, apps and data.  When Sheila logs in, she sees hers and so on. 
Built-in profiles, Active Directory, virtualized environments, or similar tools solved the issue for Linux, Mac and Windows users.  The same ideas have been applied to mobile devices, from built-in profiles, to EMM, MDM, container or virtualization approaches.
However, mobile devices are different in kind than PCs in a number of key ways:
  • Storage space and security may be too limited for multiple on-device profiles and data
  • OTA bandwidth may not be sufficient for timely syncing of the data around changing profiles
  • The overhead of sharing software cannot be so high as to mar the user experience
  • Devices need to be regularly plugged in to charge

A new kind of mobile device sharing in a box
Go-Box realized that mobile sharing was not just about software tools but the wider context of technology, people and processes.
It combines in a box the functions of charging and fast syncing with secure storage of data. The box can be configured in a number of ways:
  • A collection of USB charging ports, in its simplest form
  • A kiosk that stores tablets
  • A vault that securely stores tablets, in its most full-featured form (as illustrated)
Now, it is Go-Box that is plugged into fast networks and wall outlets at one or more locations.  When Fred logs in at the Go-Box, it dispenses a tablet with his environment, apps and data.  When Sheila logs in, she sees hers and so on.  The boxed approach also simplifies IT support, especially in remote locations.

Contact
Go-Box, 1 BayPort Way, Suite 300, Newport News, VA, USA | Go-Box.com | info@go-box.com | +1 (757) 224-7500

Federal - Why the 'left coast' often fails in Washington sales


Being a 20-year veteran of the federal IT sales market I have learned a few things about companies and what they think they can do by entering the Washington DC market. Great companies have come to DC and left DC. There is a reason some stay and a reason more go. In that time, I have seen many seasoned commercial software companies that wanted to get a piece of the federal purse. Unfortunately, it is not that easy for one person to take on that “tip of the spear” role alone, without ending in a less than stellar blowout.

Finding a willing, able and experienced federal sales person is easy. They all know someone who knows someone that can help to open a door, especially if armed with a “state of the art” solution that meets the criteria for success at the agency they are trying to educate. Most of the companies that come to DC forget that doing business with the feds is a different type of animal than commercial. A different game requires a different game plan.

“Must haves”

Staffs change with administrations and there are really no addresses to find the right people to go after, so if you are not a federal person then you will fail. The first thing all companies do is get a headhunter that deals with federal talent. Everyone uses the same ones and there are typically pools of people that make the rounds every time someone retires, moves on or gets the axe. For a small to medium sized company that wants to do business with the feds, there are certain “must haves”

1. Channel partners – you have to have them to get market share
2. GSA schedule – must have either a channel partner or a GSA schedule
3. Federal compliance - for example, in cyber-security, NIAP
4. Target federal organizations – civilian vs. DoD
5. Long sales cycles – 12 to 24 months before revenue, preceded by many meetings, proofs of concepts and trials
6. A unified pitch and collaterals that speaks to the marketplace

Companies new to the fed marketplace often count on just one person to accomplish all of the above, with a failure rate of over 85%. In truth, one person cannot set up all of the above effectively in a 12 to 24-month time-frame and companies cannot wait, especially where they are simply following the commercial game plan in federal, so they either fire the current salesperson, hire someone else, or leave federal altogether.

Formula for success

I created 202 Partners to offer a solution, an alternative to that cycle of failure. Team-based selling has always been part of my success and 202 was created with that in mind. As someone embracing humility from a young age, my successes over the years have been due to the collective power of the smart folks with whom I have engaged. In turn, all the people engaged share in those successes. 202 takes humility to the next level with the client’s mission always in mind. Each of the 202 partners has a mission specialty that helps drive the client’s overall mission. We call these “swim lanes” and when we engage a client, all the lanes are engaged in parallel, with no one trying to swim “widths”.

202 is a team of specialists rather than just an individual. Our engagements are performance-based with “skin in the game”. Hiring 202 Partners allows you to have a 90-day window to validate whether or not your product and services are going to be embraced by the federal government, building on the general case of new products and new markets (previous blog post) in our specialty areas of cyber security, mobility and cloud.

What are some of our swim lanes?

Relationships – We have relationships in the DC area that are very deep and wide. C level execs with the federal government, the DoD and those of equivalent stature with companies and partners that support the missions of our federal customers.

Sales & Market Positioning – As seasoned federal sales leaders we know what the feds want to see and what they need to have. If the feds don’t understand the product or solution or do not have a need for it then your company is dead in the water.

Compliance & Architecture – Our team has all the expertise and certifications needed to touch and engage the fed infrastructure and make sure everything scales and meets SLAs, whether it be cyber-security, mobility, or getting a cloud environment FedRAMP authorized.

About Peter Laitin

Prior to founding 202, Peter held executive sales and management roles at Thursby Software, Good Technology, Verisign and RSA Technologies, with a strong focus to security, DoD and Federal clients. He holds a BS degree in Marketing and Public Relations from Ashford University and also a BA in Political Science from Indiana University.

About 202 Partners

202 Partners is an American consulting partnership based in Washington, DC. We specialize in highly regulated enterprise software sales and business development in the areas of cyber-security, mobility and cloud for DoD, civilian federal, finance and healthcare enterprise commercial organizations. 202 was founded as way for seasoned and start-up IT companies to take advantage of mature tactical and technical advice in emerging technology, early markets and in dealing with the Federal Government. Learn more at 202partnersllc.com.



New product B2B software sales different in kind


Hiring 202 Partners allows you to have a 90-120 day window to validate whether or not your product and services are going to be embraced by the market.

New products, new markets in enterprise software


Startups, and mature software companies launching new enterprise software products into new markets have a lot in common, especially where it’s emerging technology and early markets.

Examples include:

- Classic startups with strong ideas and engineering looking to launch, grow organically or get to or expand from a “series A”
- Mature companies looking to “pivot” or “restart” with a new direction
- Mature West Coast companies looking to launch into the Federal Space
- Mature international companies looking to launch in the US

By new products, we really mean new: new engineering work, or a disruptive twist or re-packaging of an old formula, not simply the next update to an existing line of business. By new markets, we mean a market where your company is new, or, if truly innovative, where you are creating a new category, and in all cases challenging “big box” incumbents and their partners, from journalists, to analysts, integrators, channels, customer executives, to staff with proprietary certifications.

Picking the right model

Just about everyone knows how consumer products are brought to the market, especially with crowdfunding, web sites and apps. It’s the stuff of movies, popular TV entertainment and get-rich-quick “click porn” across social media sites.

Many industry veterans are familiar with execution-focused sales models for mature products in mature markets, with visions of commoditized inside and outside reps with quotas, established collaterals and scripts punching data about X calls, Y meetings and Z closes into well-oiled CRM systems.

Many such veterans have worked at “big box” vendors like Microsoft, Oracle, Cisco or Symantec, completed business school classes with case studies around companies like GE or P&G, or they just googled it!

The challenge of all of this knowledge is that it doesn’t necessarily fit the new product and new market area. If it did, the failure rates of startups, folks trying to establish in Federal, launch in the US, or just get new products out the door would not be so high.

In truth, the Microsoft and Oracle of 2015 are nothing like the scrappy players they were two generations, or 40 years, ago, when they were struggling to compete with the giants of the day: DEC, Sybase and Informix (DEC was the genesis of Windows NT, Sybase became Microsoft SQL Server and Informix lives on inside IBM)! The mountains of data available for GE and P&G, easily amenable to number crunching and analysis, just aren’t always available in this specific arena.

In the business book industry, “In search of excellence” was great for the 1980s, the far more insightful “In search of stupidity -- 20 years of hi-tech marketing disasters” was already out by the mid 2000s and Kindles today are filled with “airport business classics”, from “0 to 1”, to the “Hard thing about hard things.”

In academia, the Harvard Business Review called it way back in 2006 in a great article called “The Sales Learning Curve”, making clear the important distinctions between launching a product and later managing its scaling once an established product-market mix exists.

The proof point that many companies confuse these distinct sales scenarios can be seen every day with the same outfits hiring and then firing sales and marketing VPs, directors and reps every 6-12 months, quietly missing goals, or having product management as an afterthought, not realizing that they weren’t hiring or leveraging bad or lazy people, just not getting the right types of people in (and the wrong types of people out of the way) for the specific needs of new products and new markets.

To use a military analogy, special forces are small, elite teams that can get a specific job done, or soften up hard targets so that conventional forces can move in to carry out bigger tasks like holding towns or airfields. Similarly, it takes specific skills to launch new products, different in kind from simply executing an established sales model.

Once the product-market mix is there and the chasm is being crossed, conventional models begin to come back into play.

How can 202 help me?

We aren’t business professors, with deliverables of classes and papers, or consultants looking to maximize billable hours and write reports, instead we focus on execution within the specific niche of new products and new markets, especially in the areas of cyber security, mobility and cloud.
Rather than bringing book learning and theory to the table, we bring specific expertise and experience, with a performance-based and deliverables focus, typically in the areas of:

- Review positioning and roadmap
- Review pipeline, sales process and tools
- Review existing customers, proofs of concept, pilots and success criteria
- Focus on feedback

- Create or update marketing collaterals and engage media partners
- Web, documents, videos, white papers, ROI calculators, social media, marketing campaigns, conferences, events, analyst and investor briefings

- Build prospects and partners pipeline from our existing networks
- OEM, Carriers, Managed Mobility Services and Systems Integrators
- Government, Healthcare, Finance & International Customers
- Channel Partners for GSA, 8A and access to specific markets
- Emphasis on logos, usable quotes, referrals and most especially feedback, not just P&L
- Assess compliance with relevant security standards and ability to scale

About Simon Hartley

Simon is a founder of 202, a specialist in enterprise software sales, marketing and product management, focused at the confluence of cyber security, mobility and cloud for DoD, civilian government, finance and healthcare verticals with seasoned and start-up IT companies. He is a veteran of four startups and four multinationals.

About 202 Partners


202 Partners is an American consulting partnership based in Washington, DC. We specialize in highly regulated enterprise software sales and business development in the areas of cyber-security, mobility and cloud for DoD, civilian federal, finance and healthcare enterprises. 202 was founded as a way for seasoned and start-up IT companies to take advantage of mature tactical and technical advice in emerging technology, early markets and in dealing with the Federal Government. Learn more at 202partnersllc.com.

202 Notes from Mobile World Congress 2015

Galaxy S6 Edge
MWC is unbelievably huge, 10 or 20 times larger than any of the DC area shows. There’s a dizzying amount to look at and the show guide itself is like an old time phone book. Luckily there was an app to direct attendees, complete with a mapping function!

The main highlight of the show was, of course, the launch of the beautiful new Samsung Galaxy S6 and S6 edge devices.

Samsung isn't just focusing on consumers. MWC had a Samsung Business pavilion, featuring enterprise software partners such as SAP, FireEye and Kaprica Security. Samsung Mobile CEO JK Shin was on stage presenting the new devices and, later in the week, was at the booth meeting with partners.

202 had the privilege of being at the launch and meeting the CEO at the Kaprica booth. Kaprica's Tachyon product makes it easier for carriers, integrators and enterprises to quickly, accurately and affordably configure and deploy thousands of Samsung mobile devices at once. It's not a sexy consumer-oriented product, but it does directly affect the experience of enterprise users. Also at the booth was SEAT, the Spanish arm of the Volkswagen Audi Group (VAG), demonstrating their tight integration of SEAT cars with Samsung mobile devices and underlining the convergence of the two areas.

In the US, cars such as the Tesla receive wireless software updates for the vehicle itself, just like mobile phones.

The EMM vendors (AirWatch, Citrix, Good, IBM and MobileIron etc.) were present at the Samsung S6 booth, focusing on the new devices, all clustered next to one another, signaling both their ubiquity and the challenges enterprises can have in picking between them.

Also of interest at the show were Blackphone, promoting smartphones and tablets solely on the basis of security, and Ubuntu, launching a mobile OS for the low end of the market.




Why are startups like “In the Heart of the Sea”?

A colleague recently recommended to 202 the book, and soon-to-be movie, “In the Heart of the Sea”. It is a great tale of whaling from the Massachusetts of two centuries ago, the true-life basis for the novel “Moby-Dick”. It's a lot more fun to read and adventure-filled than Melville's classic, more like Treasure Island or Robinson Crusoe.

So, why is whaling a lot like a startup? Sailors didn't have salaries and nine-to-five jobs, as folks do in big-box businesses; instead they signed on for a perilous voyage of two or even three years for a share of the value the ship could take from the sea. The successful moved up the ranks of whaling, and captains could move up to bigger ships or retire and become backers of multiple ships, diversifying their risk. Leadership, teamwork, staying in swim lanes, getting the right folks in and the wrong folks out, a mix of audacity, good seamanship and a dash of being in the right place at the right time led to success and wealth, just as they can with today's startups in hi-tech and bio-tech and their myriad financial backers. For those scared of shipwreck, scurvy or marooning, the sea, and perhaps startups, are not for you!



“Renaissance” vs. “Coin Operated” sales

Always Be Closing (intelligently)

HBR has a great paper on the “sales learning curve” and the kind of “renaissance” sales required for emerging technology and early markets vs. the more “coin operated” sales of mature products in majority markets: “here's your sales formula, 20 enterprise accounts and a $2 million quota”.

202's focus is squarely in the “renaissance” category of sales, marketing and product management, building offerings up to the point at which traditional inside and outside reps can be brought in to work an established, constantly updated go-to-market formula with success.

HBR Brief
When a company launches a new product into a new market, the temptation is to ramp up sales force capacity immediately to gain customers as quickly as possible. But hiring a full sales force too early just causes the firm to burn through cash and fail to meet revenue expectations. Before it can sell an innovative product efficiently, the entire organization needs to learn how customers will acquire and use it, a process the authors call the sales learning curve: The company--marketing, sales, product support, and product development--and its customers transfer knowledge and experience back and forth. As customers adopt the product, the firm modifies both the offering and the processes associated with making and selling it. The more a company learns about the sales process, the more efficient it becomes at selling, and the higher the sales yield. As the sales yield increases, the sales learning process unfolds in three distinct phases--initiation, transition, and execution. Each phase requires a different size--and kind--of sales force and represents a different stage in a company's production, marketing, and sales strategies. Adjusting those strategies as the firm progresses along the sales learning curve allows managers to plan resource allocation more accurately, set appropriate expectations, avoid disastrous cash shortfalls, and reduce both the time and money required to turn a profit.