I poisoned the fish . . .

Too many years ago now, I had the most unusual professor teaching my freshman marketing course.

He was unusual, not simply because students could pose a silly question to him at the start of the class and he would talk about it for the duration of the class, thus avoiding any possibility that he would actually lecture on the course topic or spring a pop quiz. He also had a very unusual way of solving problems.

One Friday about midway through the school term, he spoke to the class about a problem with which he was ‘struggling’. He told us that he owned a large farm in eastern North Carolina, and on this farm he had a pond (e, i, e, i, o) teeming with large-mouth bass. Notwithstanding the fact that he didn’t fish, nor did he have any family members who fished, nor friends who fished, he erected a fence to prevent people from fishing and posted “NO FISHING” signs in prominent view all around the pond perimeter.

Despite his best efforts, however, each time he went to the farm and visited the pond, the “NO FISHING” signs were gone and there were people happily pulling large-mouth bass out of his pond. He would shoo them away, of course (the people, not the fish), and put up new “NO FISHING” signs. This went on for months, and the silly question “Have you solved the problem of people fishing in your pond?” became one of the most popular ones used each Friday to divert his attention from teaching the class or giving pop tests. Until one Friday, when he announced “Class, I have solved the problem of people fishing in my pond . . . I poisoned the fish”.

An effective approach? Most definitely! Draconian? Uh, yeah. Optimal and forward-thinking? Hardly.

At this point, you might be thinking, why are you recounting this true (hand-over-my-heart), yet discomforting, story?

Simple, really . . . because as the CEO of a company that operates in the security industry – more specifically, mobile security for the enterprise – when I see what competitors are doing to address the issues of enterprise mobile security, I can only think “They’re poisoning the fish”. They are taking the “traditional”, draconian approach to mobile security – lock up, lock down, tightly wrap, brick the phone, deny access, bury it in a sandbox, put stuff in a container and don’t let it out! What I call the “I poisoned the fish” approach.

So, rather than ask me “why are you telling me this”, you should be asking “why is this the case”.

It’s because the “fish poisoners” (who will remain nameless but their initials are MDM), are selling legacy solutions, originally built to configure, manage and support devices and were never intended to provide control over the mobile apps or data on those devices. Information Week said it best in their October 2012 article 40 BYOD vendors, One Confusing Market – “Vendors hate being told that (their) marquee product is not a great match for customer needs. But that’s the reality today in the growing mobile device management market, as IT teams try to use software meant for managing mobile devices to secure the data on those systems”.  The article went so far as to accuse MDM vendors of “slapping new names on existing products, without adding a whit of new functionality as they scramble for advantage in the market”. I see evidence of this regularly as I chat with customer prospects about what we do versus MDM vendors – a state of confusion that the MDM players happily promote in their marketing collateral.  Dumb ole fish poisoners!

But, enough about them. SpydrSafe has created a unique approach to the problem of protecting sensitive enterprise data on smartphones and tablets – an approach architected using a clean sheet of paper (actually a whiteboard), one we thought very long and very hard about before we wrote a single line of code, and one that was purpose-built for mobile security. We manage how mobile apps access, use and share data on Android and iOS smartphones and tablets. We are the only company in the market that can manage any app, but use a finely-crafted, granular approach to security that addresses ONLY those apps that are important (as defined by the enterprise security manager) – the ones that enterprise IT care about, the ones that obtain access to their sensitive data.

Thinking back on the time I spent in marketing class with my most unusual professor, I can’t help but believe he would be proud to know that not only did I learn a bit about marketing, despite my and his best efforts to the contrary, but I was also able to make a present-day connection of his “I poisoned the fish” problem-solving methods to the goings-on in my market. Hmmm . . . I wonder if there’s a way for me to do the same with his often-told anecdotes about his “two-ton limousine” – but, that’s another story completely.

Take a look at what we’re doing at SpydrSafe . . . we’re Mobile Security for the Enterprise . . . I promise we won’t poison the fish.

Malware, Schmalware!

For those Shakespeare aficionados out there, the quotation “The lady doth protest too much, methinks” comes from Hamlet.  The phrase has come to mean that when someone insists so passionately about something being “true”, people suspect exactly the opposite.  As an aside (something Shakespeare loved to do in his writings – and, before some wise guy tries to invoke the Lloyd Bentsen “gotcha” as in the VP debates of 1988, no, I am NOT likening myself or my writing to Shakespeare), the word “protest” in Shakespearean days did not have its current-day meaning but, rather, meant “affirm” or “avow”.  Substituting either of those words into Shakespeare’s famous quotation actually makes its current-day interpretation more understandable, doth it not?

Fast forward from Shakespearean days to the present, where ‘doom and gloom’ pundits feed us a constant, overwhelming stream of warnings about how corporate America or our national security system or, heaven forbid, “the internet” will be brought to their respective knees by a massive attack of malware from Android devices.  The FBI and the National White Collar Crime Center, in the form of the Internet Crime Complaint Center (IC3), have now gotten into the act with their (poorly written) “Intelligence Note” issued on October 12th that warns against Loozfon and FinFisher malware which “are attacking Android operating systems for mobile devices [sic]”.  To those ‘Chicken Littles’ I say “Thou doth protest too much, methinks” or, as I like to put it, “Malware, Schmalware”.

If one digs into what IC3 reported, we find that Symantec has documented fewer than 50 instances of the Loozfon program, and that FinFisher has been ported to all the major mobile platforms, including Android, BlackBerry, and the iPhone.  So why is IC3 characterizing Loozfon, with fewer than 50 reported instances, as an Android problem and FinFisher as an Android-ONLY problem?  Because Android malware is “in the news”, and both the media and companies that sell ‘anti-malware’ software like to sensationalize issues that either generate readers of their media or buyers of their software (I know, I can hear you now saying “media companies and marketing execs who sensationalize issues that benefit their agenda, go on!”).

I note with some degree of amusement that one of IC3’s “Safety Tips” suggests that “If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.”  The problem is, a factory reset doesn’t erase the SD card, and that’s where most of the data is stored on an Android device.

So, why am I, the CEO of a mobile DLP and app control company, blogging about malware being a totally over-hyped problem?  Doesn’t the hype add to the FUD in the marketplace, thus making it easier to sell our mobile DLP solution?  In a word, “no”.  What the hype and FUD do, however, is create a huge distraction from the important things that an enterprise IT security person should worry about.  As Joshua Corman, director of security intelligence at Akamai, said: “I do think the hype is a huge distraction. It’s hard enough to spot the right priorities.  Just because something is sensational and headline grabbing doesn’t mean it’s the most important thing for you.”

I couldn’t agree more.  According to a Symantec study, the average organizational cost of a data breach is $5.5 million (or $194 per compromised ‘record’).  The study also shows that ‘negligent insiders’ remain the number one cause of enterprise data breaches.  To be fair, the study also ranks malicious attacks as the 2nd leading cause, and malware is one of the many ways (in addition to viruses, Trojans, worms, malicious insiders, device theft, phishing, SQL injection, web-based attacks, and social engineering) that malicious attacks are orchestrated against the enterprise.  But, again, the preponderance of the evidence shows that malware on mobile devices is simply not a significant issue at present.

Or, put differently, Malware, Schmalware!

Time for some Fact Checking in the Mobile Security Space

One can’t have watched (suffered through?) the Republican and Democratic National Conventions without having heard the term “fact check” used over and over and over again by every television, radio and print journalist reporting on what was being said by members of both parties.

The Daily Show, Jon Stewart’s fake news program, had a regular spot during the conventions on what facts had been checked each day.   And, during Tom Brokaw’s guest spot, Stewart (FINALLY!) made the insightful comment “didn’t we used to call these people (fact checkers) ‘journalists’?”, correctly pointing out that the job of an investigative journalist is (or used to be) to get to the facts – NOT to simply report what someone had said and then delegate the pursuit of truth to “fact checkers”.

It is against this backdrop that I concluded that it’s about time to do some “fact checking” on claims being made by companies in the mobile security space related to their products’ DLP capabilities.  As the CEO of a company with the ONLY true mobile DLP solution in the market, it is with much interest that I continue to see marketing press from companies who claim to solve the mobile DLP problem.

So, let me steal a line from Dragnet’s Sergeant Friday (Jack Webb, one of my favorite character actors of all time), and say that when it comes to Mobile DLP claims I’d like “Just the facts, ma’am, just the facts”.

CLAIM – Mobile Device Management (MDM) companies say “We do DLP” (data loss prevention – the ability to protect corporate data on smartphones and tablets).



       MDM companies do exactly what their name suggests – they manage devices, not the data on those devices.

CLAIM – MDM protects corporate data on smartphones by sending a remote wipe command to the phone in the event it is lost or stolen.


     Remote wipe (actually, a factory reset command sent over the air to the phone) will erase the data stored in the device’s memory. However, in the case of Android devices, most data is stored on the phone’s SD card, and the SD card is not erased by the factory   reset command.

CLAIM – So called “app wrapping” companies protect corporate data on smartphones.


    This is true ONLY if the corporate data you want to protect just happens to be on those apps that are “wrapped”.  Otherwise, it’s not protected.  And, app wrapping has inherent limitations – for example, app wrapping doesn’t work for pre-loaded apps, like native email, or third party apps downloaded from commercial app stores and, you run into problems upgrading wrapped apps (to be clear, you CAN’T upgrade them without re-wrapping).  Besides, we at SpydrSafe are “ROCKERS”, not “WRAPPERS”.

There are a number of other claims out there – and like much of what we heard during the National Conventions, many are downright false or at best partially true.  So, what needs to be done is to look at all the available solutions on the market and choose the one or ones that actually provide the security you’re looking for.

FINAL CLAIM – SpydrSafe Mobile Security’s Mobile DLP solution protects sensitive data on smartphones and tablets by controlling the apps on that device – any app, whether pre-loaded, commercial or developed “in-house”, with no app or OS modifications and with no OEM or ISV relationships required.


      Of course, don’t just take my word for it, check the facts.