Three Ways to Lose a SaaS Customer

A recent hack of my Web site led me to sign up with a security as a service (SaaS) vendor to monitor my site. A month in, they emailed to ask if I was pleased.

I don’t know, and that is bad. The updates they give me are so unclear, and their service so hard to navigate, I’m less sure about my security status than before.

When it comes time to renew my subscription, I’ll either cancel or find another SaaS provider whose value I can assess. If you’re a SaaS vendor, are you alienating your customers like this?

Dumb SaaS Mistakes

This provider seems to lack any understanding of my business. I make money by talking to clients, marketing myself, interviewing experts, and writing and revising marketing content. I lose money every hour I spend deciphering cryptic security messages, reading FAQs on arcane security topics or fiddling with complex WordPress files.

Whatever application or service you’re providing over the Web, your customers pay you to handle the IT plumbing so they can make money. Here’s what this vendor got wrong, and what you should avoid with your customers.

Failed to properly set my expectations. Their Web site promised to “clean your site of malware with one click.” They may or may not have done this. But even after my site was supposedly clear of malware, it didn’t look and run right. It took many, many more hours and a lot of money with a designer fixing what the malware broke. A “one click” fix implies I’ll be good as new after that one click. If that isn’t so (and a customer will need other help besides yours to get back to business) tell them up front.

Bombarded me with jargon. This security provider tries to tell me what they’re doing, but fails miserably. Their weekly security alerts are full of techno-babble (see below) and provide “alerts” which turn out to be routine notifications I don’t need to take action on. This is a waste of my time and of theirs.

Error message one

Was hard to work with. Rather than ask questions or get help via email, I have to log into this provider’s Web site to create my own trouble ticket. The site is crammed with tiny type and technical jargon. The “trouble ticket” option is hidden under other buttons, and requires me to submit my FTP log-in info to proceed. (You do have your FTP log-in credentials on the tip of your tongue, right?)

How to Get My Business 

  • Build your service around my needs, not your technical specialty. In the case of a security monitoring service, I’d love it if they partnered with WordPress experts to take ownership not just for cleaning my site, but returning it to its original look and feel.
  • Communicate effectively. Only contact me when I need to take action. Don’t tell me about routine security updates or “alerts” that I don’t need to, or don’t know how to, respond to. (One exception would be a clear weekly or monthly report telling me how many infections/attacks you stopped, and the effect they would have had on my business, to help me measure your value.)
  • Make everything easy. Large type, attractive icons and plain English terminology on Web sites, please. I work in email, not trouble tickets – let me ask questions and get help without logging into your site. And give me one or two click access to information about the most recent issue, without forcing me to go through a list of service requests. This is user interface 101.

I know security is devilishly complicated and requires safeguards and extra steps to work through customers’ Internet Service Providers and WordPress sites. But it’s comparatively easy to:

  • Not promise a “one click” fix if you can’t provide it.
  • Make it easy for me to understand what you’re doing, and most importantly…
  • Remember the problem I’m paying you to fix isn’t fixed until I’m back earning money.

Need more help selling cloud services? Check out this sample content plan you can adapt to your own needs.

Author: Bob Scheier
Visit Bob's Website - Email Bob
I'm a veteran IT trade press reporter and editor with a passion for clear writing that explains how technology can help businesses. To learn more about my content marketing services, email bob@scheierassociates.com or call me at 508 725-7258.

Pokémon Go: Why IT Marketers Should Care

When I was assigned a story on the security risks of Pokémon Go, I groaned. What could be interesting about a game where players chase comic book characters superimposed on the real world on their smart phone?

It turns out the enormous popularity of Pokémon Go IS the story. It’s so engrossing players are tumbling down hillsides and reportedly being lured into ambushes while glued to their screens. That means enterprises that can latch onto Pokémon Go (or create similar apps that go viral) can tap huge marketing opportunities – but face equally large security risks.

Let’s start with the downsides, as those were the focus of my reporting.

Risky Business

The initial security scare focused on reports that Pokémon Go vacuumed up too many details from the Google accounts of players. By all accounts, the developer and Google quickly fixed that, and the game may never have actually used all the information it asked for. But one source hinted darkly that even one-time access to email or other accounts could give a game developer valuable information they could use later. He also asked whether, as Niantic (the game’s developer) frantically ramped server capacity to meet demand, it could possibly put the proper security precautions in place to protect any user info it did gather.

Even if the legit game doesn’t snoop too much info from your phone, my sources described cleverly disguised malware variants that can. Other possible channels for malware are unofficial guides to games that help users improve their scores, or “hacks” that promise a short-cut to extra rewards. “Jailbroken” or “rooted” devices, in which users bypass the manufacturer’s built-in security safeguards, are an especially prominent risk.

Then there are the broader (and even more story-worthy) societal concerns. If someone hacks your application and sends unwary players into traffic to chase a character, are you liable if they are hit by a car? One source who does a lot of work for defense clients raised the specter of “crowd spying” in the form of a game that sends hundreds of players to catch a character the spy agency placed in front of a sensitive military base. Before authorities can chase the players away, their phones have already captured and transmitted images of the base from multiple angles.

Sound crazy? The Indonesian army has reportedly blocked service members from playing the game while on duty for just that reason. And how much of a leap is it to port such a game from ground-bound smartphones to drones, adding a new dimension (literally) to the privacy, security and liability questions?

The Upside 

The story angles don’t stop at the dark side. McDonald’s is reportedly first into the “monetization” game, sponsoring Pokémon Go play sites at its restaurants in Japan. But using games to draw foot traffic to a specific location is only a baby step.

Imagine a toy retailer creating an AR/VR game that lures kids into their stores and puts the most popular characters near the highest margin toys, giving them an instant discount as they “capture” the character with a tap on the screen? The next step, of course, is to combine real-time information about a player’s location with their past purchase history, credit worthiness or other factors to pop up real-time offers within the game. (This raises the challenge of securely combining corporate data with that from customers’ devices I tackled in my story.)

Senior Vice President Nagaraja Srivatsan at Cognizant Technology Solutions* has a whole raft of other ideas and examples.  They include restaurants giving diners a discount if they drop “lures” to get other customers to drop by, or offering “contextual” ads based on where a player is and what they are doing.

Finally, think of the opportunity to use AR/VR games to train or motivate employees. How about a Pokémon Go-type app that rewards hotel employees with bonuses or time off for finding and capturing not characters, but dust spots or trash in public areas? Or that gives field service reps points for sharing maintenance tips through an AR app on their smartphones? (In that case, how do you protect sensitive data about the failure rates of your components, or those from your competitors you see on your customer’s premises?)

 Get Pitching 

Any or all of these scenarios may, or may not, pan out. Pokémon Go itself will undoubtedly fade (maybe sooner than later) as just another fad.

But its blockbuster popularity, however short lived, shows that everyday consumers will download, play, and spend huge amounts of time with the right VR/AR app. And where eyeballs and interest go, money and opportunity follow. Pokémon Go is the tip of a lot of fascinating icebergs we’ll all be innovating around, writing about and pitching about for years.

Got any clients who are trying to ride the Pokémon Go bubble, or facing security threats as a result?

*Cognizant Technology Solutions is a client but did not reimburse me for this mention.


How Much IP Should You Share?

Dragging real insights out of subject matter experts (SMEs) for white papers can sometimes seem like pulling teeth. One of the most common excuses I get is some variation on “We don’t want to give too much of our solution away.”

In other words, if you share too much of your intellectual property (IP) with the customer about how you can solve their problem, they won’t call because there’s nothing left to talk about. That never made much sense to me. When it comes to software, the more completely you describe the problem and your solution to it, the more likely a customer is to buy. (Are they going to go off and re-code your software themselves?) And if you’re selling services, every customer is unique enough that even the longest white paper won’t teach them how to do what you do.

I’ve always urged my clients to go big with the details describing how they’re so smart and their competitors are clueless. Here’s how a recent white paper from security vendor Cybereason (no, not written by me) did a brilliant job of promoting their expertise by going deep into the details.

Dirty Rotten DGAs

Cybereason provides a “real-time attack detection and response platform that uses endpoint data to detect and remediate simple and complex threats.” To showcase the specific skills they bring to this somewhat generic area, a recent white paper shared what they learned about a specific type of attack called Domain Generation Algorithms (DGAs).

DGAs get around conventional security software that blocks malicious domains by, as the name implies, generating as many as a thousand fake domains per day. Here, in my view, is what Cybereason did right in educating its prospects about them.

If You Know It, Flaunt It

If your internal experts are good at their jobs, they’re the best source for compelling content. In this white paper, Cybereason relied heavily on its own work finding and fighting DGAs. You may not have an in-house security lab, but you probably have:

  • Field engineers who see common configuration errors customers make with your hardware or software.
  • Salespeople with insights into what tools, technologies or issues are most important to customers and why.
  • Your own engineers who have creative ideas about what new capabilities customers might like and could use a reality check by blogging about them and asking for feedback.

Lesson: Don’t underestimate the amount of valuable insights within your own organization and don’t be afraid to share them.

Grisly Details, Please

Just like in a movie or book, it’s the details that make your story real. Rather than cower in fear it was giving away proprietary goodies, Cybereason dove deep into the workings of eight DGAs ranging from “Necurs” to “Pykspa” to “Unknown Punycode-like.” It shared everything from screenshots to examples of fake domains and the associated country codes, including .ga (Gabon), .im (Isle of Man) and .sc (Seychelles). Note this is detailed information you could argue a customer could use without buying their product. But in reality, this level of detail does more to describe the urgent need for a solution like Cybereason’s than eliminate the need for it.

Lesson: Share the real-world details that show you know your stuff.

Don’t Forget the Newbies

Before the deep technical details, Cybereason set the stage with a review of where DGAs fit in the overall security picture (by establishing command and control over the affected system). It also explained why DGAs are so hard to detect with traditional security methods.

This context and background is essential because not all of your prospects (or everyone involved in the purchase) will have a deep background in security. SMEs are often so close to their subject matter that they dive right in with acronyms, formulae and frameworks before telling the reader why they should care.

Lesson: Write the white paper so your significant other, spouse or parent could get the point.

A Real Screen Turner

Overall, this white paper felt almost like a news story and kept me reading. If anything, it could have been a bit more promotional with more details on how Cybereason fights these pests. But that can be the hook for the next white paper.

Have you found “more is better” in sharing your smarts or did you get more follow-ups by leaving prospects wanting more?


Do We Need An Edward Snowden for Security?

Some people are grateful to former National Security Agency contractor Edward Snowden for revealing massive detail about our government’s intelligence activities. Others think he’s a traitor who’s harmed our national security.

One thing you have to admit: He’s gotten us all thinking about the proper balance between privacy and national security. He’s also changed behavior and attitudes, judging by recent Congressional moves to curtail (for the first time since the 2001 terror attacks) the government’s ability to monitor citizens’ phone records.

Snowden changed the game by fearlessly (or recklessly, depending on your viewpoint) tearing away the veils of secrecy to reveal something he felt was endangering his fellow citizens. Do we also need an Edward Snowden to expose the number, and severity, of security breaches to finally force CEOs and CIOs to make security a top priority?

Denial on Denial

One argument in favor is the tendency of corporate management to focus on security in the wake of a highly publicized attack, but then quickly lapse back into complacency.

It’s easy to shrug this off as clueless C-level executives. But software developers and network administrators who should know better are equally to blame. A chief technology officer at a global IT services firm recently told me programmers still routinely fail to build in protections against common attacks such as buffer overflows.

Security experts routinely say 40 percent or more of successful attacks exploited security vulnerabilities that have been known about for years, and could have been prevented by following known, straightforward processes such as patching software and turning off unused services. Even when security officers or vendors quantify the risk vs. the cost of security, management will often vote for “I’ll accept the risk” rather than pay more for security.

Needed: Harsh Light of Disclosure?

In an era when software controls critical infrastructure such as power plants and dams, medical devices such as medical pumps, and aircraft (one of which was brought down by incorrectly installed software recently) this lax attitude towards security could cost lives.

While an event such as fires in the batteries in Boeing’s 787 prompts the FAA to ground the planes until the problem is solved, one security expert I spoke with recently complained there is no “Federal Power Security Authority” to force action if the national power grid were hacked. And in the absence of an outside authority, any company or government agency will always have more to lose than gain by fessing up to a dumb programming or network management mistake.

Such a government agency would, like the National Transportation Safety Board for aviation and rail accidents, be responsible for an impartial review and disclosure of all the facts to tell the public about the risks they face and what is being done to resolve them. After all, a dam that floods a river or two trains that collide due to a software failure kills people just as effectively as an airplane crash caused by a mechanical failure. The hidden dangers will only increase as billions of devices, ranging from self-driving cars to autonomous valves in oil pipelines, join the Internet of Things.

Given our tendency to act only after a disaster, creating such an outside “security review” agency (whether governmental or run by private industry) will probably require a horrific event. Could we get there more quickly if one or more Edward Snowdens spill the beans, hurting companies and agencies in the short run but helping us all in the long term by showing us how vulnerable we are and forcing corrective action?


Should We Really “Think Like Publishers?”

Just when we all got used to the idea that “every vendor should be a publisher” comes word that, indeed, they shouldn’t. They instead need to be marketers who publish content to achieve specific business objectives.

It’s one of a number of good points in a very useful presentation “Yeah, it’s content, but is it marketing?”  from the PJA Advertising + Marketing agency.  It’s aimed at marketers who aren’t getting the return they need by content marketing efforts that cost too much or deliver too few leads.

Maintaining, promoting and monitoring an ongoing stream of great content takes too much effort not to tie it to concrete business goals, they point out. I like their advice to shift from a focus on “What (content) will we produce?” to “What are we trying to achieve?”

 Doing It Better

Among their specific tips:

  • Tie branded content to business value by “understanding a conversation your buyer is interested in—and defining a valuable role for your brand to play in it.” At each stage in the buying process, the role you play as content provider should change. (See next tip.)
  • Make “the buyer journey your roadmap.” In the awareness/education stage, teach them about why they might need a product or service. As they move into consideration, start talking about what features to look for in such offerings. As they move closer to product selection, start offering detailed implementation tips.
  • Think as hard about promoting content as creating the content. Simply using the scheduling feature in Hootsuite to schedule a series of promotional Tweets for each new post (instead of just at the original post) has boosted retweets of my posts, and my Twitter followers. Even simple steps to promote and target readers can pay off big.
  • Add a specific call to action to each piece of content, and track the uptake on them to measure the ROI of the hard work that went into it. Consider asking for something more specific than a generic “click here for more information” by asking for something that drives further engagement, such as subscribing to a newsletter, providing contact information, filling out a brief survey or registering for a Webinar.
  • Be flexible about formats. Coming from the long-form journalism world, it’s easy to think that every question needs a long, text answer. I’m finding that shorter Q&As, checklists, videos or podcasts sometimes work better. An edgier format that’s more fun to produce is also likely to generate more interest.
  • Finally, and not surprisingly, the agency suggested to “grab a partner” that can handle some of the content marketing load better than you can. This isn’t as self-serving as it sounds. There’s a lot of moving parts involved in marketing automation and they’re changing quickly. By outsourcing what you don’t excel at, you can spend more time making sure you have a solid business goal for your content marketing.

Getting Started

Check out my sample content sequences for selling cloud services, security response and DevOps. And let me know what other IT products or services you’d like to see a sample sequence for.


Selling DevOps? Don’t Forget Security

When we think about DevOps (you are thinking about DevOps, aren’t you?) we usually think about speed. By combining what used to be separate application development and operations into one continuous cycle, companies like Facebook and Netflix can instantly tweak their Web-based offerings based on the latest usage feedback.

But in a “DevOps State of the Union” dinner hosted by several cloud hosting and software companies the other night in Boston, security was a bigger topic than speed. One prong of the conversation was how DevOps could make it even harder to secure corporate data and applications. The second was how DevOps could instead be, in the words of Jerry Skurla, vice president of marketing of security management software vendor Firemon, the “last, best hope for security.”

Needed: Security Smarts

Either way, security makes for a relatively little-known area where you can prove your smarts as a provider of DevOps tools and services.

Let’s tackle the end-of-the-world scenario first.

Change, or so the conventional wisdom goes, is inherently bad for security. That’s because any time you tweak application code, update a driver or reconfigure a server or firewall you could create a security gap. A recent HP report, for example, claims that nearly 80 percent of application vulnerabilities are caused not by poorly written code, but improper file settings, outdated software versions and misconfiguration.

Many DevOps devotees boast of rolling out not one new code package per week or month, but hundreds every day. Consider that many of these updates might require links to new databases or legacy (read: outdated) corporate systems, or through the corporate network out to third-party data sources. It only makes sense that so much rapid, continuous change could create a security nightmare. And if you put every change through rigorous security checks, aren’t you slowing the rapid code releases that DevOps is all about?

The flip side of the coin is that real-time visibility into application performance will let developers find security vulnerabilities more quickly, while rapid code refreshes will let them fix those vulnerabilities more quickly. In this scenario a vulnerability found at 8 a.m. could be patched as part of a routine code refresh that contains other application tweaks before noon. In fact, says TK, DevOps could make it possible for smart companies to make strong security a competitive differentiator.

 

Insights Wanted

So will DevOps wind up being good or bad for security? Probably both, depending on how the industry tackles some pesky implementation details. For DevOps marketers, tackling these real-world questions provides great fodder for “thought leadership” blog posts, white papers, newsletters, and the like.

  • How do you enforce security-related coding and configuration standards without slowing code releases? (Skurla says this can be done by adding “built-in checks/processes” to emerging DevOps tools.)
  • How do you perform regression testing to ensure your latest release doesn’t open a security hole, again without slowing code updates?
  • How do you provide for code rollback so you can quickly withdraw a release that caused a security problem?
  • If you need an audit trail of who made what changes to which code and systems, how do you provide this in a DevOps environment without bogging everyone down in paperwork?
  • What balance do you strike between spreading the authority to quickly make needed code changes, and the need to control administrative access to your most critical systems?
  • How do you create a culture where your people speak up about a security problem in code they deployed, rather than staying quiet (and delaying a fix) in hopes someone else will catch the blame?

Where there are good, new questions like these, there’s opportunity to engage customers and set the terms of the marketing conversation. DevOps devotees, fire away!
