Categories
security

A bomb just dropped in endpoint security… and I’m not sure anyone noticed

Pay no attention to the man behind the curtain…

Update: Reuters now has the story

Update 2: I’ve updated this post with additional information, here. 

VirusTotal just dropped a major bomb, and only people deep in the endpoint security ecosystem understand the ramifications of this announcement.

If you’re involved in endpoint security to any degree – as a customer or an industry person – you need to understand what just happened. It’s really, really big.

A bit of background.
VirusTotal is a multi-engine virus scanner. You upload a file, and it passes the file to a large number of commercial antivirus products, and it tells you which engines detected the file as malicious.

While there are other tools available, and some have come and gone, VirusTotal is the big dog in the space. It’s owned by Google, has massive computing and resource power and everyone in the security industry uses it.

VirusTotal shares the results with subscribers. So, you can pay to get extensive and detailed information on what has been detected at any moment of the day, and who detected it. 

How antivirus companies use VirusTotal to make better detections.
It’s common practice for antivirus companies to use VirusTotal as a tool to make better signatures.

For example, if a researcher finds that two high quality antivirus engines detect a file as malicious, he/she has a high confidence that it’s actually malicious without further analysis. As an antivirus researcher, it saves an enormous amount of time.

Now, there’s absolutely nothing wrong with using VirusTotal results in research, and many antivirus companies use VirusTotal to supplement their own labs. They get samples from VirusTotal, and along with the samples, what engines detected them. If they find that a couple of high quality engines are detecting a file, they can easily add the detection to their own signatures without much further thought.

Now, there’s a next step. You could set up an API integration with your product. If you scan a user’s machine and find an unknown file, you could upload it through an API to VirusTotal and get a disposition on the file – who detects it. From this data, you can flag a file as malicious.

In other words, you can use VirusTotal to create your own antivirus program. Easily. 

Until now. 

It’s fine to use other engines. If you’re also contributing.
Using other engines to improve your detection rate is completely fine. If you’re also contributing back to the community yourself. In other words, if your antivirus product is also one of the participating antivirus engines.

The dirty little secret
And here’s the dirty little secret that very few people know. There are a number of endpoint products that use VirusTotal to determine if a file is malicious. Without giving anything in return.

They simply pay VirusTotal a subscription fee, and receive the information.

And some of these companies have been getting a lot of attention for their supposed prowess. But for some mysterious reason, they refuse to put their own engines on VirusTotal. Could it be because they don’t want to contribute back? Maybe. Or it could be that they just don’t want everyone else to see how poorly their products actually perform.

Unfair? Yes.
Using VirusTotal information without any contribution back to the community is patently unfair. The people who are actually writing detections are sharing their results with the rest of the community, while a small group of endpoint products have been boasting of their extraordinary abilities, while working off the backs of other researchers. 

So as a customer, perhaps you can ask the next endpoint security vendor if they’re on VirusTotal. If they are, they’re contributing to the antivirus community. If they’re not, they’re not. Whatever their PR story, that’s the simple truth.

Until now.
Well, the world just got a bit brighter for the many endpoint security companies that actually contribute to VirusTotal: Because VirusTotal just announced that they are requiring that all scanning companies that use their service must integrate their engines into VirusTotal. Furthermore, “…new scanners joining the community will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO).”*

It’s big news. It levels the playing field. No longer will antivirus companies see their hard work taken by some sexy startup that’s raised millions of dollars on the false promise of “next generation” endpoint or other such nonsense, while bashing the very companies that they’re effectively stealing the intellectual property of. And perhaps, we’ll see what their products are really made of. Because without VirusTotal as a crutch, companies that rely on it are going to see their detection rates take a hit.

Poetic justice, indeed.

What does this mean for the IT manager?
If you’re an IT manager who has been duped by sparkly marketing materials to buy in to one of these “next-generation” endpoint products, take a hard look at their actual detection capabilities. If they’ve been using VirusTotal results but not contributing back, their ability to detect malware just took a potentially serious hit. This is serious.

You don’t have to believe the marketing hype. Set up a virtual machine that’s separated from your corporate network, and go to a site like MDM to find all kinds of nasty stuff. In the words of Ronald Reagan, “trust, but verify”. One nasty piece of malicious software (especially ransomware) can have serious consequences.

In closing
My compliments to the VirusTotal team for seeing this disparity and unfairness and taking such swift action. A class act, indeed.

And now, perhaps, we can all finally see what is really behind the curtain.


* Disclaimer: I am a board member of Malwarebytes (a contributing member to the VirusTotal community), and an advisory board member to AMTSO.  The opinions in this blog post are my own and are not connected to these two organizations.

Categories
politics

The myth of the wall


I’ve written about immigration policy before, and this is not that kind of post.

Instead, I am addressing a conventional fiction that “there is no wall” on the border of Mexico and the US. I’ve found that this is a surprisingly widespread belief.

The border
The total length of the border is just under 2,000 miles. Roughly half of that distance is the Rio Grande (which gave rise to the derogatory term for Mexican immigrants, wetback, as many illegals used to swim the river to get to the US).

Securing the border
In 1994, a National Border Patrol Strategic Plan started the process of improving security on the border to stem the flow of illegal immigration. The post-9/11 war on terror gave this attempt a big boost, with the Bush administration pushing hard to build a fence and ultimately passing a series of laws.

In other words, we have had legislation in place for many years to build the wall. And it’s largely funded.

Quite a bit of the wall has been built
So far, the US has built roughly 600 miles of fence. Taking out the river, we’re more than halfway there.

(The remaining land is handled by the Border Patrol and various infrared and technical contraptions.)

The Rio Grande
Now, here’s where it gets complicated: We have this big river, the Rio Grande.

Putting a fence in a river causes all kinds of environmental problems, which even if you’re a conservative, are cause for some concern (I live in Florida, and have seen the damage that the Tamiami Trail did to the Everglades, and while a porous fence isn’t nearly as bad as a dam, there are some real issues at stake here.)

No worries! In 2006, the Real ID Act was passed, which, in part, gave the Secretary of Homeland Security (then Michael Chertoff) the ability to waive environmental regulations in this context. He really wanted a wall, so he did just that.

Yet, we still don’t have a fence completed.

A major problem is the fact that there are three Native American reservations that sit on the border in Arizona. This leaves a gap in the “wall” which is occupied by sovereign Indian nations.

Most notable is the Tohono O’odham reservation, which is huge — about the size of Connecticut — and includes the vast Sonoran Desert. Citing its sovereignty, it once successfully barred the Border Patrol from entering the reservation. They’ve since changed their tune, since now, this opening in the border has driven drug smugglers into the area (as well as illegals, who are dying in the thousands trying to cross the Sonoran Desert).

This is a major issue: we have to figure out a way to build a wall through a sovereign Indian nation. It’s not insignificant. Imagine a wall going through your own neighborhood — the Native Americans are not crazy about this idea. And we can’t move the border south, nor north. It has to be a wall right through these Indian nations.

In other words, it’s a bit more complicated than a simple stump speech.

My Dystopian Vision
I talked to a Trump supporter recently in San Francisco. I asked him how he thought Trump would fix the economy.

“He’s going to get rid of all those fucking illegal immigrants,” he said, enthusiastically*.

So here’s my dystopian vision:

Trump enters office. Since “The Wall” is already approved and funded (by us, not Mexico, who will tell us to fuck off), it finally gets built.

Yay for Trump.

But then there’s the nagging problem of all of those “fucking illegals”. Trump wants forced deportation.

The last time that happened, the program, Operation Wetback, was stopped after Mexicans started dying in a trail of tears (we’re so good at this trail of tears thing, aren’t we?).

But what if, as some speculate, the military or others won’t follow his orders?

I see those, like my San Francisco Trump supporter, who will become effectively “brown shirts” for Mr. Trump.

I’m not making this up. Look at the protests. Watch Cartel Land, with citizen paramilitary outfits taking shots at Mexicans. The stuff going on right now is crazy.

Perhaps they will be called “Trumpeters” or some such name.  I expect they will bang on the doors, wrench the illegals out of their homes, and probably engage in a bit of good old-fashioned pillaging.

Outlandish? Not really. We’ve had plenty of paramilitary groups in our nation’s history. 

It’s only one of the disasters I foresee with a Trump presidency.

————–

* A silly statement. Getting rid of 11 million illegals will do nothing positive for our economy. It might very well crater it. The real problems — the massive national debt, the Federal Reserve hell-bent on printing money into ridiculous asset bubbles, massive spending on the military instead of national infrastructure, well… those are some of the real problems. Further simplistic arguments by Trump about taking on waste and fraud in the government? A drop in the bucket. 

I’m not in favor of illegal immigration at all, but getting rid of the people who pick our lettuce, wash our dishes and clean our cars isn’t going to do a thing to help the economy. Illegals are easy scapegoats, they always have been, but they are not the correct reason WHY things aren’t going well in our country.

Categories
Uncategorized

The fake review problem on Amazon


Amazon got a lot of press recently for going after fake reviewers.

Sadly, this problem has not gone away.

For example, let’s take this product on Amazon, which ironically has quite a few good real reviews (no idea why they have to get fake ones):


We have our first red flag — so many of the positive reviews are not verified purchases.

Simply clicking on the reviewers’ names shows that these are professionally paid reviews. For example, both “Grant_Williams” and “Patrick K. Bracewell” amazingly have the same tastes — they both love breast pumps. In fact, they both love a lot of the same products.


Without going on ad nauseam, this pattern continues for other reviewers. They magically like the same products.

Other types of reviews come from “Reviewer Clubs”. Companies like AMZ Tracker, ILoveToReview.com and others offer Amazon sellers the ability to get reviews from reviewers, in exchange for a free or discounted product. These are legitimate (and encouraged by some) and as long as the reviewer makes it clear that the review came in exchange for product, I don’t really have an issue with it.

Enter FakeSpot
Curious about a brand’s level of “fakiness?” Try FakeSpot. It will try to spot the fake reviews.

Amazon, please change.
Reviews are a cornerstone of Amazon’s success, and allowing non-customers to post reviews has to end. Furthermore, Amazon can still do a lot more to make sure that fake reviews, even from “verified” customers, don’t happen. Their brand depends on it.

Categories
Uncategorized

Social media scams using false identities

The Man Himself

Fake profiles are rampant on social media these days. I’ve even had my own photograph stolen to falsely connect to other people.

The purpose is invariably to spam you or to scam you. So you have to be careful.

I’ve written about this before.

So I thought I’d share a particularly pathetic attempt to scam me today.

I got an invitation from “Bruce Diaz”, representing himself as a tech columnist for the New York Times.

Who is “Bruce Diaz?”

Huh? Never heard of that name. A quick Google search shows no such man at the NY Times.

So I search for his image on Google (you should always do this on anything suspicious).

The search begins.

Hmm… no luck there:


So I go to TinEye, a reverse-image search engine and upload his picture.

TinEye to the rescue.

Bingo! It’s not “Bruce Diaz”, it’s “Attractive Young Man” on Shutterstock.


I reported it to LinkedIn. But you might still find him for the next few hours.

So don’t just accept a social media invitation without checking!

Categories
Humor

A public service message to people of the northeast

I’m just trying to help here, people.

Categories
Uncategorized

The G2 on buying domains

Very useful if you’re ever considering buying a domain

The domain name market is a mercurial one; it’s relatively secretive, however not by choice. When most people approach me about a domain they’re trying to buy I usually hear the same thing, “it looks like a squatter has it, what should I do?”

So I thought it was time to take my experience in buying, selling, and brokering millions of dollars in domain names and share the same advice and step-by-step process that I share with my friends and startup founders around the world. Here it goes.

 What Every Startup Founder Should Know About Buying Domain Names

(h/t Larry Smith)

Categories
politics

The Immigration Paradox


Economics is about incentive. You get what you reward.

And our system of immigration has perverse incentives which are causing economic damage to our country.

The Immigration Paradox

Why are American technology companies off-shoring to other countries?

The obvious answer is cost. And that is true, cost is a benefit, but I would argue it’s of far lesser importance these days. (The cost of having an off-shored development team is far higher than people imagine, due to inefficiencies in teamwork, cultural differences, time zones, etc.)

There is another, hidden, problem, which I call the Immigration Paradox.

1. When a country makes immigration difficult, educated talent that is needed can’t come into the country.

2. This, in turn, forces business in that country to go offshore in order to get that talent, hurting the country’s economy.

And it’s exactly what’s happening in the United States.

Why are Apple’s computers and phones made in China? The immediate, snap answer is cost. Well, actually, that isn’t the complete answer. A more correct answer is that Apple was unable to get the number of engineers it needed in the United States, which forced them to go overseas (Apple, for many years, had their manufacturing in the United States).

Running a manufacturing operation in the US is productive. Simple things like stable electrical power, infrastructure, ease of transportation  — all these things are taken for granted, but are really meaningful in manufacturing. But it means nothing if you don’t have the engineers available in high tech.

The argument that there are “perfectly qualified people in the US willing to take the jobs” is disingenuous. Believe me, I’ve been there. At my last company, we would spend months trying to hire software development talent, and couldn’t get enough of them. I found plenty of great talent outside of the country, but getting those people in was nearly impossible.

So I ended up setting up off-shore development centers.

I really wanted these people in the United States. But I couldn’t get them in. It can cost upwards of $100k to bring a software developer into the country; the hassles are legendary. And your chances of being successful are low.

It’s always been fairly difficult to bring in educated immigrants. Post 9/11, it’s extremely difficult.

This is why Mark Zuckerberg and others are trying to bring more overseas talent into the country.

And so, American businesses go to Romania, or Ukraine, or India, or wherever, to get the access to the talent. And our economy suffers.

We don’t have to make them citizens. But we should make it much easier to get a work visa.

But what about those horrible illegals?  They are criminals! They are rapists and murderers!

Now that discussion is different. I am talking above about getting work visas for smart people to boost our own economy.

But…while I’m on the general subject, I’ll go there.

The argument starts with “legal immigrants are fine (I myself am a child of immigrants!), but it’s the illegals who are terrible. They rape and pillage and steal and murder and all kinds of other awful stuff!”

Let’s start by pointing out that undocumented immigration is not spiraling out of control, it’s actually down from 12 million in 2007 to about 8 million now (you’d never know it if you listened to the news, though).

Furthermore, immigrants are actually less likely to commit crimes than natives (I know that doesn’t sit well with a lot of people who listen to talk radio, but it’s the truth).

Then, let’s get some perspective: Given the choice between starvation and food, would you choose to (a) starve, or (b) eat? I would hope your answer would be (b). Undocumented workers come into the country because they need the work to survive.

And calling them “criminals” is a bit misleading. You see, they can’t really get in legally themselves.

Sure, there are “guest worker” programs, but these are a) a bureaucratic nightmare and b) rife with exploitation. That’s why many Latinos come over the border illegally.

Farmers need cheap labor. If you want to go out and pick lettuce in 110º heat for 12 hours a day, be my guest. I think you’ll find almost zero interest in Americans in doing this kind of labor. Restaurants need cheap labor. If you want to wash dishes all day, be my guest. But again, you won’t find many Americans willing to slave away washing dishes at minimum wage.

The immigrants do the jobs we’re not willing to do.

The political answer is simple: Make it a straightforward process to bring workers into the country, under effective guest worker programs. Document them. Tax them. Track them. But erecting massive walls to keep them out is really not a solution.

The cost of illegal immigration

There is also a disingenuous argument that undocumented immigration is destroying the country’s economy and causing high taxes. This is not backed by data. The CBO itself has determined that 70-80% of undocumented workers pay Federal, State and Local taxes, and $7 billion per year to Social Security. In Texas alone, over $18 billion per year is added to the state budget by undocumented immigrants. Again, the facts are lost.

Let’s take the position that there is, in fact, a cost. Fine. But then, that’s even a stronger argument for documenting them, isn’t it? Let’s document them, and tax them.

Incidentally, the Great Wall of China didn’t work (and it wasn’t an immigration wall, it was to guard against invasions from the Mongol steppe tribes, as Mr. Trump recently learned for the first time). Walls don’t work.

In closing

Undocumented immigrants are easy targets. They are poor, can’t represent themselves, and they’re, well, different. But scapegoating another race or class of individual has never worked well historically. The truth is that a country needs a steady stream of fresh immigrants to survive. We need the educated immigrants to continue to fuel our technology boom; we need the uneducated immigrants to pick our lettuce; we need immigrants to breathe life into an economy; and finally, we need immigrants to create a healthy population pyramid (unlike xenophobic Japan, for example, whose anti-immigration policies are destroying their economy).

For my part, I just want to see a reasonable, sensible discussion based on common sense and facts. Not wild, unjustified opinions.

That would be a good start.

Categories
Uncategorized

Should Your Logo Be a Wordmark or a Symbol?

Interesting overview of using wordmarks vs. symbols by one of the great logo designers of this century. (h/t)

Categories
Uncategorized

Meros: My new venture

Modern software development is going through a massive change. Cloud computing, big data, new methods of developing products — the convergence of these factors (and others) has put the world of development into one of the most significant evolutions in how software gets designed, developed and managed.

A central part of this change is the DevOps revolution — new methodologies and tools to deal with the massively complex computing environments we live in today. At the same time, we are seeing the emergence of a game-changing technology, Docker, which is sweeping the development community with breathtaking speed.

Just google these terms yourself and you’ll see what I mean.

Disruption is occurring, and yet the tools are barely keeping up. Companies like Puppet Labs, Chef and SaltStack were unheard of a few years ago. They are now mainstream, successful companies.

Back in 1993, I was at the birth of the modern internet and this feels just like that — the tools are often rough, difficult, and buggy. And those companies (including mine) that got in and made it all work did very well indeed.

So, I have assembled some of the finest developers I know to help me create a new company, Meros, focused on tools for DevOps. Our first product will be specifically for Docker and will release later this year.

We are currently in stealth mode, with the company being funded by my founding team and me. (We are starting initial discussions with a small group of select early stage investors and if you’d like to know more, email me directly.)

I have had fun working with and consulting dozens of companies over the past several years, doing several turnarounds and, generally, having a blast. But it’s time for me to go back to doing what I do best — running software companies.

 

Categories
Uncategorized

Why board meetings suck

I’ve been meaning to write something along this line for quite some time, but never seem to have the time to do it. As someone who currently sits on four boards, plus more advisory boards than I can count, there’s lots to fix in how board meetings are run.

Fortunately, my friend Mike Rogers did the work for me (thank you, Mike!).

You can read his excellent article here.

Categories
Uncategorized

One man’s battle against a bad vendor: an atom bomb

 

Jason Heller hired a company to clear out some poison ivy, and got horrible service. He was pissed.

Unfortunately for the vendor, Best Poison Ivy Removal, Jason is a weapons-grade expert on web SEO. And he is out to make sure that other consumers don’t get ripped off. Another SEO expert, Kevin Lee, has piled on (bro code in action). This is just the beginning.

And now, let the games begin.

Categories
Uncategorized

My life is complete: There is a periodic table of unicorns

It doesn’t get much better than this.

 

From CB Insights.

Categories
General

Competitive intel


The competition.

It’s what drives us to create better products, and stay on top of our game.

But how do you find out the skinny on your competitors? You could hire a private detective to fish around, but most likely, they’ll find the stuff that’s publicly available anyway. Yawn.

You can do it illegally, and that’s a really bad idea.

However, there are plenty of ways to find out about a competitor, using perfectly legal methods.

Let’s start with a few tricks.

Glassdoor

Glassdoor is a bit of a cesspool, since it allows anyone to anonymously comment on their employer. And, while the intent is good, that is one of the great dangers of the platform: anyone could gang up on a company and write horrible reviews.

However, it’s still a very useful tool to get an understanding of the internal dynamics of a company. Put on a BS filter and read through the reviews and interview comments. You’ll often be surprised at how much you can learn.

Google dorks and advanced search operators

Get to really know Google’s advanced operators to turn search into a powerful intelligence tool. You can also use a number of Google dorks to find things like price lists and other interesting intelligence. It’s not necessarily that hard: I can’t tell you how many times I’ve just typed in the name of a company with the words “price list” and gotten great intel.

Surveys

I’ve done this with great success: Survey customers of competitors to get valuable information. Or, here’s a tip: you can simply create an inexpensive Google survey and get a quick NPS score on your competitors, and then track your NPS against theirs. Makes for a heck of a game.

Similarweb and Alexa

Unfortunately, you can’t find out what a competitor’s actual web traffic is without hacking into their system (again, no illegal stuff here!). However, you can get a feel as to how popular their sites are by using services like Similarweb and Alexa. And, if you have the bucks, pony up for ComScore.

Google alerts

Always set up a Google alert on a competitor to stay on top of what they’re doing.

Keep an eye on their keywords

Use tools like SpyFu or KeywordSpy to find out what keywords they’re buying.

Social

Track your competitors through Yelp, their Facebook pages, Twitter and Citysearch.

Customers and suppliers

Customers and shared suppliers are amazing sources of information. In fact, some of the most valuable intel I’ve learned is from customers. Pricing, product plans, release schedules… the works.

Watch who they’re hiring

You can learn crazy amounts about a competitor by watching who they’re hiring.

Call them

Yup, you can actually call your competitors and you’ll be surprised at how much you’ll learn. For example, call their tech support with a question, and then perhaps ask innocently “how many people do you guys have in support, anyway”. You get the picture.

Google Trends

Google Trends is useful to see what’s trending, whether in your industry, or with your competitor.

LinkedIn

LinkedIn, of course, is a weapons-grade intel system. Not only can you find who works somewhere, but you can also get a feel for employee counts, etc. Employee count alone can give you a feel for revenue.

Ex-employee interviews and hires

Ex-employees sure seem to like to talk… And nothing is a better source of intel than a disgruntled former employee. This is sometimes a gray area; you don’t want to be in a position where you’re compromising the ethics of an employee’s own confidentiality. But a lot of what they will tell you is not confidential and very useful.

Trade shows

It’s lame to even write this, since everyone knows it and does it. But tradeshows and conferences are cesspools of leaked information. If you want it, chances are you can get it by just chatting away with people. Buying drinks helps.

It’s surprising that competitive “booth busting” is not done by more people.  And sometimes, your competitors will do astonishingly stupid things. Be on the lookout for these rare opportunities. For example, many years ago, I was a product manager for a disk utility. A competitor was coming out with a new version, and we were dying to know what features were in it. So I went to a trade show, and they were demonstrating the beta version at the booth. That was somewhat useful, but I really needed to (legally) obtain a copy of the product.

And then something amazing happened: Over the PA system, they announced that they were raffling off a beta version of the software. I couldn’t believe my ears. I ran to an ATM machine, took out $200 in cash and then waited. Soon, a winner of the raffle was announced. I walked up to him and bought it off of him for $200 and we had a beta copy of the company’s software. We were able to run it and find out what features were planned. Needless to say, it didn’t end well for them.

However, keep in mind the Golden Rule. Compete fairly and ethically.

But that doesn’t mean that getting out there and doing some basic research won’t drive tremendous results. You might be surprised at what you’ll discover.

Categories
business advice finance Leadership

Building teams with team-based budgeting

Recently, an executive coach was advising a CEO I work with on building teamwork in his company, and encouraged him to do “ra-ra” type activities (group outings, that kind of thing).

That’s meaningless.  While it’s always nice to get people together for a bit of fun, the real way to build teams is to get people working together on actual business problems.

Team-based budgeting is the method I have used for many years to perform the budget process and build teamwork, and it makes a lot more sense than what is often done.

In most companies, budgets are done by each manager turning in a budget to the CFO, the CFO puts it together for the CEO, the CEO cuts out expenses and adds additional revenue, and poof! – the budget is presented to the board.

Not really a workable process.

This brings me to the subject of team-based budgeting.

I’ll start with a story: Many years ago, I started as the president of a software company and found several things wrong with the accounting and finance functions:

– No one had responsibility for a budget.
– The VP of Sales was in a heated deadlock on commissions.
– Forecasting was done on a hope and a prayer.

At the time, the company was small — about $15 million in revenue — and so, at that size, it had largely been run on a sort of “financial dictatorship” by the major investor. Well, considering that this shareholder was dealing with a management team that didn’t really understand finance, his point of view was understandable.

However, it’s important to develop a team-oriented approach to forecasting and budgeting. By implementing this approach, I rapidly had the whole senior management team working together smoothly on the finance functions. Better yet, we were able to grow very fast, to nearly $50 million in revenue, without any outside capital. Because we responsibly controlled costs, as a team, we were able to do great things, without a lot of money.

But it really wasn’t that hard. All I did was:
– Rework the financials to make them clear and understandable.
– Make the managers responsible and accountable for their budgets.
– Implement team budgeting.

Reworking the financials
Of the three financial statements required to run a business (P&L/income statement, cash flow and the balance sheet), the one that managers must have a good grasp of is the P&L. The other two can be worried over by the CEO and the CFO.

And there we run into a problem: GAAP accounting, which can muddy the scene. Revenue recognition, accruals, depreciation and amortization can make it look like a company is bleeding money hand over fist, but when you really look into it, it’s actually doing just fine. Or, a company can look wildly profitable, but is a toxic mess (anyone ever heard of the old Computer Associates?). Reading a modern financial statement, especially for a software company, is a bit of an art in itself.

So first I pivoted the focus onto billings as the topline focus. Billings is what sales guys go for, what they see “on the board”. They closed a deal, and it was for $100k. That’s what they see, and that’s what motivates them, and that’s what you want them to get.

There are fine nuances to get into here, that aren’t worth cluttering up this article with. It’s different in a SaaS environment (where you typically compensate on MRR/ARR and make that your target), and yes, there are cases where you may not compensate on billings. But the bigger point is, get a number that’s real to the sales people, that they can go fight for.

So the first thing I got everyone around was the concept of one topline number. And it was the billings number. This was in direct contradiction to what the CFO had been doing earlier (bizarrely, paying commissions on recognized revenue).

Now to the expenses: there are expenses that managers have control over, and ones they don’t. They go out and buy something for $10,000, it’s $10,000. It’s not some amount amortized over a period of time.

I wanted the managers to know that if they bought something, it didn’t matter how we would book it from an accounting perspective: they bought it. Businesses live on cash flow, and the impact of cash decisions is vitally important for managers to understand.

So I went a step further, creating a “modified EBITDA”. Basically, I turned the P&L into a cash-based accounting system (we still maintained a separate set of standard GAAP financials for the board, investors and other external parties).

To create my modified EBITDA, I simply added back in certain capital expenditures to my EBITDA figure to get an income statement that reflected actual cash spend, making it easier for everyone to understand.

And then I got them all in a room and we budgeted as a team.

Now, depending on your business, you can probably ignore the other pieces of advice here, but this last one is important.

The way you do team-based budgeting is to set the goals in advance of the meeting — a realistic target. Like: “20% operating income, 25% increase in sales,” and so on.

You then give all the managers enough time to pull their numbers together. Each has a departmental spreadsheet for their own area.

For the sales forecasting side, I would work between the product teams and the sales teams to get our product launch dates figured out, new versions, etc. I would take the teams off-site and we would work through the product planning. (Product planning is a huge driver for revenue, and something to spend quite a bit of time on).

And then I got all of the management team in the same room. We sat with a large-screen projector, and our spreadsheet was built with links where I would have all of their files loaded at the same time. Then, we would go through every manager’s area, and they would have to account for their expenses. As we made changes to each department’s budget, the main P&L forecast was automatically updated, giving a very quick view of the impact of each little change.

Now, peer pressure is a powerful motivator. We’re all on the same team, so when the sales person says “I can’t get sales without more leads”, the marketing person is right there to answer him, and the CEO is right there to work with the team.

When I first loaded that spreadsheet, it was comical, as a first-pass budget always is. Everything was in the red, because sales people sandbag and managers ask for more money than they need. But after a marathon two or three-hour session, we started to get to reality.

The CEO is driving the process. But the CEO is letting the team work on the heavy lifting of figuring out where to get the money.

I’ve literally been in a situation where I said “not enough money for a Christmas party”. R&D and sales then began to horse-trade expenses back and forth to get the money for the Christmas party. We got our Christmas party. (I really doubt I would have killed the party, but it was the idea that counted — that we had to work out a way to cut more costs so that we could earn the luxuries.)

After one marathon session, managers are given homework, to go back and figure out ways to get the costs worked down more (or get the sales up). Department heads have individual break-out sessions with other department heads to work on the budget. And then we have another team meeting a week later.

After that, the budget is pretty much a wrap.

Getting to the target number becomes a game. And when you have a game where everyone works together, you have a team.

Key is that the managers own their budget. They are given leeway to execute on their plan, although I still had in place basic cost controls to ensure that costs were still being managed.

Pushing responsibility down into the organization is the way that companies succeed. And team-based budgeting is the first step to correctly delegating and managing authority.


Forget infographics. Gifographics are the new black

Sick of infographics? I am.

Gifographics, using gif animation to tell your story, is the new new thing.

Some examples of hip, cool gifographics.

The Author Rank Building Machine #verticalmeasures #Infographic #Authorrank

(Data Graphic by Vertical Measures)

And my favorite:

Tickle your eyes with a broader round-up at the Content Marketing Institute.