Re: Concerns with NFR
From: Matt Curtin (cmcurtin@interhack.net)
Date: 06/28/02
- Previous message: Andrew Plato: "False positives & the nwfusion article"
- In reply to: Greg Shipley: "Re: Concerns with NFR"
To: focus-ids@securityfocus.com
From: Matt Curtin <cmcurtin@interhack.net>
Date: 28 Jun 2002 08:59:48 -0400
Greg Shipley <gshipley@neohapsis.com> writes:
> Back to your question about NFR - I'd look at the technology, see if
> it is a fit for your existing customers and target customers, and do
> as much due diligence on the financial/biz side as possible.
This is the most sensible way to go. If you're considering a major
commitment to a privately-held vendor, you might be able to find
someone there who is willing to discuss some financial issues
privately in more detail than in public, perhaps even under NDA.
Raising questions about a vendor's viability and asking questions
like, "Is the company truly stable financially?" tends not to be
helpful. In my mind, unless such a question is accompanied by
specific information that prompted the question, that behavior tends
to call into question the motivations and even integrity of the
questioner. I'm not suggesting that's the case here, but neither am I
asserting that it isn't.
Furthermore, it's surprisingly easy to create a self-fulfilling
prophecy. If customers won't buy because they have unfounded concerns
about the vendor, it's possible to create financial problems for the
vendor. This is why unscrupulous firms float unflattering rumors
about their competitors.
There are plenty of things that can be done without having to get into
a private firm's books. You can ask for references. You can ask for
a credit report. You can ask for confirmation of lines of credit.
Avoiding privately held companies because you can't see their internal
financials is just plain stupid.
a) It's rare that the people asking would have the kind of insight to
make sense of the mess anyway.
b) There are numerous motivations for being privately held. In the
case of my firm, I can tell you that because after having gone
through one of the earliest dot-com tanks (Megasoft Inc. of New
Jersey, December 1997) I came to believe that the model of taking
a firm public so quickly was too risky. It's an all or nothing
model, one that doesn't make sense in the long term for the
company, its customers, its vendors, or its investors. Interhack
has been turning away outside capital and purchase offers since
1998. As I started telling people last year, Interhack tried a
different model for starting a tech company: making more than we
spend.
c) You don't really care about their financial performance, except to
the degree that the vendor will be around to continue support and
upgrades on the product you bought. Companies breathe life into
products and kill them off all the time. Apple is still around,
but that doesn't mean your Apple IIgs is going to get an OS
upgrade. A vendor's commitment to a product is more of an issue.
Another thing is that even if a company tanks, the product itself
and its support agreements are likely to be bought by another
firm.
d) Enron
e) Rite-Aid
f) WorldCom
--
Matt Curtin, Interhack Corp +1 614 545 HACK http://web.interhack.com/
Author, Developing Trust: Online Privacy and Security (Apress, 2001)
Knight of the Lambda Calculus | Quod scripsi scripsi. --Pontius Pilate