Interactive Courses + DFIR NetWars Available During SANS Cyber Security Central in June. Save $300 thru 5/12.

Thought Leaders

Table of Contents

Mike Yaffe, Director of Product Marketing, Core Security Technologies.

Stephen Northcutt - April 15th, 2009

Mike Yaffe is Director of Product Marketing at Core Security Technologies. Most of the interviews that we have done in this series have been focused on technical people, but we believe Mike is a game changer. We are very glad that he has agreed to be interviewed for our thought leadership program and we thank him for his time.

Mike, I remember when I was first introduced to CORE, you set up the meeting and after I saw the demo, I had two comments:
- I am not sure you guys should have created this, but please be careful who you sell it to.
- Would you be interested in any investment money?

Please tell us about your beginning with Core.

When we started at Core, in terms of sales and marketing, we had one sales guy (Eric Sherman, who's still here too) and one marketing guy (me), both hired the same day in March 2003. Jeff Cassidy, who now serves as our Vice President and General Manager of South American Operations, was the first marketing hire technically, but he also did business development and sales - so we were the first official people in the company with those types of titles. We had a few thousand dollars a month for marketing, literally like two or three thousand, and we spent it ALL on banner ads for SecurityFocus...that was it. Remember me telling you we had no money and you offering us up SANS@Night? Well it was really true.....

I remember it very well, SANS has a responsibility to be vendor neutral, but sometimes we bend that just a touch for startups, we know how important innovation is for information security. I offered Core a chance to come and demonstrate the tool at a SANS event and was very surprised when you said you could not come, you didn't have any money. So we decided to invite you to a DC event because we felt the U.S. Government might be an early adopter. Now in those early days, you weren't even an employee, true?

That is correct, I was a consultant for Core for the first 14 months of my work for the company, I had to prove that I was worth hiring full time.

Well you are an employee now! Do you remember the DC show, that was a hoot!

When we flew down to the first SANS@Night (the one you invited us to), we flew into BWI and drove to DC to save $150 (in total). We had $12 worth of Taco Bell for dinner (three guys) and we three also shared a room. But I think coming from that background really gives you an appreciation for respecting your "marketing dollars". To this day we still share rooms on the road.

I had not realized that, I know WalMart does that also (as long as the two employees are same sex, of course). In any case, that demonstration came off very well; I seem to remember you guys took out the targets in less than ten minutes. Many of our readers will not be familiar with lead generation; can you tell us, at a high level, what marketing activities security companies generally use to generate leads and the difference between a high quality lead and the other leads?

Well, I’m sure a lot of the listeners have attended a SANS webcast or a SANS conference. Vendors like Core attend those shows or sponsor those webcasts to meet people who might have a problem that our technology or service can solve. Hopefully, they choose to pass along their contact information or stop by the booth, that’s where we get names of people that we hope to eventually turn into sales. I think a lot of people, including myself, have had a problem one time or another with a company that wouldn’t leave us alone – I know that I have vendors that don’t leave me alone today.

My advice is that if you are going to ask for the pen or shirt, then there is the expectation that someone might follow up with you. The one thing I have to say is that, and I mean NO ONE, wants to waste their time. So, if you are just not interested say no, don’t just ignore the communications, and if you do say no, people will leave you alone.

I have been involved in a few startups myself, and as I understand it, you guys are self funded, what was that like?

In 2004, we still weren't making payroll regularly so the only way we got paid was when a customer bought something and then paid for it. This experience helped me really appreciate our customers and remember that is WHY we are in business. We only got to the point where we were self-sufficient by selling enough IMPACT.

And as you have grown, you have been a strong SANS supporter and we certainly appreciate that. Can you share a bit about Core's view of SANS? I know that may sound self-serving, but I promise that I am heading somewhere interesting.

SANS folks are the perfect type of people for me to work with, pushing the norm, a little whacky in terms of sense of humor… and also, of course, very interested in IT security, and typically very technically oriented to boot. People at SANS events “get” us, they understand our value proposition and what we’re trying to deliver. There’s always a lot of fun give-and-take with people on the show floors who want to ask unique questions or challenge the way that we approach things. That makes it fun.

Now don't get me wrong, I know if you were not getting value out of showing your wares with the SANS Vendor program, you would be gone in a flash. What is your approach, what is working for you?

I also used to be a sales guy (first job out of college) - so I think I bring a no BS perspective to marketing. I had to sell industrial safety products to mechanics - I 100% built my territory cold calling. So I think I have an overly pragmatic approach to marketing. SANS people don’t want to be over marketed to, they want the info without the high pressure tactics or BS. So once you understand that, you see what is left – and that is just honest conversations and letting the product speak for itself.

OK, but I still do not see a laser lock. What is it that you are looking for when you are showing at SANS ( or anywhere else)?

I want to find the right people who get what Core IMPACT is and who have that "holy cow, that is cool" moment when they see IMPACT demoed for the first time. It's more powerful when you lead them to the oasis, but they decide to take the drink for themselves.

Right, I don't know if you remember, but I talked you guys into coming into my class, SANS Security Leadership Essentials, once to demonstrate the tool since my students can't attend your lunch and learns. More than once, I have had a student that had procurement authority purchase the tool that very day. However, there is always a possibility that we have a reader that does not know what IMPACT is. Can you give us the elevator pitch?


Core IMPACT is a software based penetration testing product – and when I say pen testing, I mean it actually exploits a vulnerability, just like a hacker or attacker would, and allows you to interact with the target (upload, download info.etc). This is a complement to network and/or web app scanners. These products scan and tell you what your potential threat universe is. We take the next step and tell you if the threats are real and exploitable, and what info is exposed. Fundamentally, if you can break in, then someone else can, so it gives you a way to proactively figure out where your existing security exposures are.

Our industry is always changing, can you share a bit about what it has been like marketing your product in the early days compared to today?

When we first started trying to sell in the space, no one really knew what penetration testing was. They barely knew what a vulnerability scanner was and the customers we had were the uber-early adopters. You know executives, they always want that "game changing event." My opinion? There isn't one (in most cases). You stay on message, set aggressive goals, hit them, show people that you hit them and then repeat. It's not magic, it's hard work. We resisted the urge to change our messaging at least four times and shift into some other fancy term for penetration testing. But we had a niche, we carved it out, and now it's a market.

Yup, a market complete with competition. What is your sense for the next five years? I know about Metasploit and Canvas, are there other players in the space, and do you think there will be other players in the space?

Pen testing is now mandated by standards including PCI, and NIST in the government space; analysts are saying it is now an established part of best practices. The NERC report that came out just the other day concluded that U.S. electrical grid infrastructure is under cyber-attack and we need more proactive testing mechanisms. I think we have only had a glimpse of what is to come. At the same time, pen testing is hard, getting working reliable exploits is not easy – but yes, over the next few years I do see significant competition entering the market

One of the things I noticed Core do was hook up with a number of experts in the field, especially Ed Skoudis, can you share a bit more about that? How did you meet, what was the plan?

Our initial marketing revolved around working with partners to accomplish a common goal. We started off with trainers and some training organizations, including SANS, to see who might be interested. Basically, we guessed that they could benefit from working with us since we had new cutting-edge technology. One of the first people I reached out to, way back when, was Ed Skoudis. I literally sent him a blind e-mail - that is how we met.

That is one of the things I appreciate about the SANS faculty, they answer their email; of course what that means is, when their heads get so big that they cease to be responsive, we replace them with a young hungry wolf. I know you guys have some money today, what are you doing today to generate leads?

I spend every dollar like it is mine. We hand carry items to shows, share rooms on the road, take the cheapest flights (can you believe I just booked a flight that has two stops to Denver)? Also we NEVER got into branding here; every nickel, to this day, is invested in meeting someone else who might buy. Branding is something you need to do when you are already VERY big, not when you are trying to build a company.

OK, tell us something about your team, you guys spend as much time on the road as we do, so you must know your co-workers well.

I 100% absolutely need to believe in the product that I'm working with. If I don't, it doesn't work for me. And, I must like, as friends, the people I work with, like Jeff Cassidy, Eric Sherman, Alex Horan, Selena Proctor - these people are my friends, as well as my colleagues .

Part of the Core success story is leadership, I am a big fan of your former CEO Paul Paget, give me a Paul story, preferably some dirt!

Paul hosted the worst Christmas party EVER, in 2004. We weren't getting paid, so Paul thought it would be a good idea to have a party to celebrate the holidays. So, we had a party in the office; eventually we ran out of food and liquor, then shortly thereafter we (including the wives) were all standing around in a circle - not talking, not drinking, just thinking what the hell were we doing there. It was the worst holiday party ever. I had never left a party depressed before.

That counts as dirt, thanks for that, Mike. However, Paul certainly helped you grow from where you were to where you are. OK, focus on finding the next customer, treat money as a precious resource, those are keys, but I am going to put you on the spot. As I said, you are a game changer. One of my observations about Core is that, as a vendor, you do not treat SANS as a commodity. It feels much more like a partnership. You let us have ideas and try them, and you have ideas and we try to make them happen. What are two things that you feel really work well for you and what was the dumbest idea ever tried?

As for best – I’d say our lunches are the best; we typically have 150-200 come and have been told that other vendors don’t like to have them on the same day as us!

The pen testing series with Ed has also been phenomenal…

As for dumb, we don’t have that much time…..but last year we did too much of the same type of things. We did 10 webcasts, 4 “What Works,” etc… And you reach a point where you’ve saturated the same market with your message and you need to approach things differently.

Now this latest thing you guys are doing, that is when I knew you were a game changer. It was January 2009 at Security West Vegas. I had set up an evening talk with John Pirc from IBM, a guy with some significant insights especially in the area of virtualization and cloud computing. I also had Mike Poor. You guys popped up with an evening hands-on event with a speaker (I think Ed Skoudis), beer and food, and put your room in front of ours so the attendees had to walk past you to get to us. I think we had six people in the audience until you started to run out of food. I was fairly ticked at our vendor team, but what an idea. I also notice the SANS instructors are hanging out around your room when you do this. Can you share anything about the idea, your thoughts on its success and future tweaks?

Stephen, I don’t think it’s anything special. Maybe to some degree I’m the last person standing. I’ve been coming to these SANS events since 2004, I’ve grown to know and like a lot of the instructors. We trust each other - I think we realize we can help each other now and/or later, but it’s an honest and sincere relationship. We took the time to get to know each other, that doesn’t happen a lot these days. We actually enjoy each other’s company and we all try to have fun when we are together.

For me, if I don’t feel like I can get behind the company and product and do it with complete confidence, I can’t do all the other things that I need to do to be successful.

One of the traditions of the Thought Leader interview is a bully pulpit; a chance to share what is on your mind, what would you like to share with our readers?

First, Stephen, thanks for the opportunity – I think one of the things that the last six years at Core, and 4-5 years of working with SANS, has taught me, is that companies and organizations are always looking to adopt, evolve their message and products, what they say and how they say it. There’s a cliché’ that if you are not evolving you are going out of business, and I agree with that. BUT, big but here, I think a good deal of the success at Core is attributable to the fact that we have always been about one thing, we have done it done it well, and NEVER over marketed. My goal was always to expose people to the product, help them understand who we are and what we do, and then have IMPACT speaks for itself. It’s a fine line, and you won’t hear many people say this, but I’d rather be slightly understated in my marketing than overstated, as that can be a real turn off.

Finally, we always ask our Thought Leaders to share a bit about themselves, what do you do when you are not working?

I have 3 children, 2 girls and a baby boy, so, as you can imagine, that’s most of my time. If I’m not working, I’m mostly spending time with them or driving them somewhere. As to activities for myself, I like going to Red Sox games (it’s a religion around here,) I really enjoy traveling, and I try to get some form of exercise when I can.