Tag Archives: market

Availability Risks and Cloud Computing

Don’t get me wrong at all, I love Cloud computing and even invest in cloud computing companies but since cloud computing is becoming more popular than ever as more and more applications core to our businesses move into the cloud we need to consider some of our own risks. One thing I’m not sure if you or your business has thought of is availability on your own end (your internet connections). Availability is not just on the provider side which is normally fully redundant. Being that I am a CISSP, of course I know the clever Triad, but given that most of availability issues are still addressed by other parts of our organizations (network engineering, telecom etc). I know that I myself mostly focus on confidentiality and integrity related controls and not on availability. I don’t think I’m the only one in the security industry that is in this boat.

So, if we take a moment and step back from our little paper cluttered desks filled with pie charts and excel spreadsheets of PCI or SOX controls and take a look at availability, we should ask ourselves these questions: Would our company function if we lost our primary internet connection? How about if we lost our internet connections entirely? How about if a global routing event or some other attack on the Root DNS servers was successful? hmm…

My 2 cents is that companies are relying very heavily on a mixed bag of routing protocols and interconnected networks who don’t always have your company’s goals at heart. I’d love to see a lawyer try and say that the company internet connection going down should be reimbursed to the level of reliance that has been placed on those same connections. So please please please ensure you have fully redundant internet connections and think this issue through. Keep in mind that you may have two circuits coming out of your data center but they often could go physically through the same single fiber connection at the Telco (a single point of failure). You should also consider financial risks associated with the 2nd and 3rd Tier cloud providers. Providers such as Salesforce.com and Amazon are best suited to provide you financial stability and fault tolerance, but startups often lack the resources or money to really cover all these availability issues effectively so be cautious and have a backup plan in place to address any of the issues that could arise.

More questions to ask….If your internet went down:

1. Would your helpdesk software work?

2. Would your finance portal work?

3. Would your out-sourced marketing work?

4. Would your advertising continue?

5. Would your paycheck administration continue?

6. Would your recruiting efforts continue?

8. Would your customers be able to buy from you?

9. Would your banks be able to communicate to you?

10. Would you be able to get updates for your operating systems?

The list goes on and on…. Think about it at least a little.


Symantec’s 2010 Trump Card for McAfee

As many security professionals know, Symantec in the last couple of years seemed to have stumbled a bit. The merger with Veritas which left IT professionals scratching their heads and lead many to feel they were losing their focus. Later they acquired Altiris and everyone said “ho hum” to that and struck it up as just another crazy purchase. The interesting thing is how this seems to be all coming together in 2010…

McAfee on the other hand was still recovering from their stock option scandal, brought in a completely new management team in with a billion dollars in the bank. At the same time, Sophos, Kaspersky and other anti-virus companies were pounding the pavement as well. This created a hyper competitive marketplace for Symantec’s leadership. Then last year, McAfee announced their “Security Innovation Alliance” which basically allowed them to bring smaller vendors in and integrate functionality into their ePO console providing McAfee a better integration story against Symantec.

So where’s the “Trump card”?

The real trump card for Symantec against McAfee and others in the security industry is the Altiris management console. The key benefit for Symantec is the framework that Altiris provides to the multi-faceted agent based technologies that Symantec has acquired over the years. Altiris is very well known for their asset management technology and the ease of management of agent based technologies. This combo will provide Symantec a significant advantage against McAfee mostly in the ease of adding new integrated agents. I feel the Altiris integration framework is  superior to that of McAfee’s ePO  so if Symantec is successful in making this their main console to manage  their endpoint protection products this could be a game changer  and bring much greater competitiveness to Symantec’s story. Stay tuned….


My Resume

Lawrence Pingree – CISSP

View my video resume by clicking here.


Lawrence , has many years of experience within organizations of varying sizes with an extensive background in engineering, technical architecture, networking, security policies, procedures, systems analysis and auditing. Throughout his career, Lawrence has  engaged in extensive consulting efforts for organizations of all sizes, he and  is  an active member of multiple non-profit organizations. Lawrence was a founding board member of the Digital Forensics Association where he served as Vice President and he is currently working as a Research Director and Market Analyst at Gartner, Inc. At Gartner, Lawrence continues to engage daily as a strategic advisor for literally hundreds of organizations worldwide and enjoys helping  individuals become more successful with their businesses.

Industry Participation

• Served as Vice President of the Digital Forensics Association

• Member of the Silicon Valley chapter of the ISSA (Information Systems Security Association).

• Member of the Open Web Application Security Project (OWASP)

• Served as Vice President of the Springtown Association Board of Directors

Industry Awards





Book: “The Manager’s Guide to Becoming Great” by iUniverse Publishing – Author

Book: “CCSA Study Guide” by Syngress Media/McGraw Hill – Author and Technical Editor

White Paper: Analysis of VRRP v2 Issues and Solutions

Blog: LawrencePingree.com “Pingree on Security”

Special Talents

Vendor Negotiations, Contract Negotiations, Budget Management, Program Management, Goal development, Technology Roadmap Planning and Business Strategy.





CISA – Pending



RIP v1 & v2, and PIM 802.11 PKI


GLBA Sarbanes Oxley (SOX) Common Criteria

SB1386 COBIT ISO 17799 ISO 27001 FISMA

Select Experience

Research Vice President –  Security Technologies at Gartner, Inc.

Jan 2017 – Present

Lawrence Pingree’s responsibilities include providing critical insights to both end users and technology providers. He closely tracks the information security markets, technologies, technology and adoption trends, and competitive market dynamics. His inquiry and research goals focus on providing Gartner clients with in-depth technical and strategic analysis and research deliverables pertaining to the latest security market technologies, trends, technology alignments and competitive security market dynamics. Mr. Pingree regularly reviews security technologies, technology provider businesses and their go-to market strategies and focuses on helping clients plan, choose and evolve as market dynamics shift and change. For technology providers, his analysis includes a close examination of market messaging, go-to-market strategies for both current and future road-mapped product or service offerings, end-user buying behaviors, provider technology development plans, and various other business attributes to identify the key competitive differentiation and competitive strategies. For end users, he is focused on identifying best-practice technologies to address strategic customer risk management requirements and to provide insights into the best strategies and technologies clients must employ to successfully combat advancing threats and their threat and risk management goals. Sampling of Market Coverage: – Advanced Threat Detection and Defense Strategies – Emerging Security Technologies and Markets – Network and Cloud Malware Sandboxes – Malware Analysis Tools – Network Traffic Analysis – Network Forensics – Network Firewalls – Threat Intelligence Platforms – Threat intelligence Services and Feeds

Research Director –  Security Technologies at Gartner, Inc.

Nov 2010 – Present

(Research Available here)

Responsibilities include the coverage of information security technologies and markets, security program execution, advanced threats, network-based security technologies, mobile device security and cloud-related security issues. The emphasis of his research is on providing insights to the security vendor community. His inquiry and research goals are to provide technology providers with critical insights on the latest security market trends, technology alignments and potential partnerships and to aid technology providers competing in the security markets. He achieves these goals for technology and service providers by reviewing their businesses. This includes examination of their marketing efforts, go-to-market strategy, currently employed technologies, technology development plans and various other business attributes to identify the key competitive differentiation and competitive strategies that providers should use to navigate the market. On inquiry with end users, Mr. Pingree is focused on identifying the best opportunities and technologies to address strategic customer requirements and providing insights into the strategies they may need to employ in order to successfully combat the advancing threat landscape by leveraging security technologies.

Sr. Security Engineer at Williams-Sonoma, Inc.

June 2009 – August 30th 2010

• Responsible for the review of security alerts originating from our MSSP security monitoring service including triage, investigation and root cause analysis

• Instrumental in coordinating compliance remediation efforts effectively raising our systems configuration compliance levels from approximately 40% compliant to over 98% compliance in just 6 months for over 200 systems.

• Participated in the prioritization and planning for our $1.6 million capital expense budget aligning it to both business and information security program goals.

• Responsible for Corporate Security Policy development

• Developed Security Operations procedures to maintain regulatory compliance in accordance with prescriptive PCI controls

• Assisted in the internal review of corporate information security policies in cooperation with key systems administration departments in alignment with PCI, SOX and future regulatory frameworks utilizing CIS as a guideline for their provisions

• Participated extensively with external PCI and SOX audits by developing audit evidence and coordinating with internal compliance teams

• Actively Participated in corporate PCI Compliance initiatives and assessment

• Responsible for managing the corporate Tripwire Enterprise file integrity management product

• Responsible for RSA Envision SIEM monitoring and configuration aligned to internal PCI and SOX controls

• Evaluated the selection of Managed Security Services for key IT security systems

• Responsible for corporate Cryptographic tools (Safenet Appliances) and key management processes/procedures.

• Acted as Sr. Security Engineer, Security Analyst and Security Architect for IT projects

• Managed extensive PCI remediation efforts across IT

• Deployed corporate Intrusion Prevention systems for all corporate and ecommerce DMZ environments.

• Evaluated data loss prevention technology for future deployment and budget needs

• Responsible for review/monitoring of corporate Symantec (SEP11) virus/malware remediation efforts

Vice President at Digital Forensics Association (DFA)

July 2007 – Present

  • Responsible for the development of internal policies and procedures for chapter startup
  • Responsible for Member Services
  • Responsible for Member Recruitment
  • Member Collateral & Promotion
  • Advertising and Evangelizing the Organization

Chief Information Officer (CIO) at BuddyFetch, Inc.

August 2007 – July 2009

  • Currently serving in an advisory capacity while the company looks for funding sources.
  • Provides strategic and tactical planning, development, evaluation, and
  • coordination of the information and technology systems for the network.
  • Facilitates communication between staff, management, vendors, and other technology resources within the organization.
  • Oversees the back office computer operations of the affiliate management information system, including local area networks and wide-area networks.
  • Responsible for the management of multiple information and communications systems and projects, including voice, data, imaging, and office automation.
  • Designs, implements, and evaluates the systems that support end users in the productive use of computer hardware and software.
  • Develops and implements user-training programs.
  • Oversees and evaluates system security and back up procedures.

Sr. Security Engineer at McAfee, Inc.

October 2007 – April 2009

  • Responsible for McAfee Competitive Analysis for Enterprise Products
  • Act as liaison to Internal and External Sales staff
  • Responsible for Evangelizing Enterprise Security Products & Services

Sr. Security Architect at Safeway, Inc.

August 2004 – October 2007

  • Served as Security Evangelist for Safeway Information Security program
  • Managed over $1 Million in budget for Application Security Program, Information Security Lab and Forensics/Investigations
  • Managed complete eDiscovery Process for IT and Legal
  • Responsible for over 52 Safeway Information Security policies for the Overall Safeway Security Program
  • Responsible for risk assessment and remediation recommendations of all IT applications assessed by risk assessment process
  • Responsible for SOX Compliance Audit and Assessment
  • Liaison to the Business to promote security within Safeway
  • Responsible for Training Classes for IT to ensure Information Security Standards are communicated and adopted
  • Responsible for developing Safeway’s Vulnerability Assessment Program
  • Responsible for Safeway’s Intellectual Property Monitoring Program
  • Safeway Forensics & Investigations team lead
  • Responsible for assessing application security and compliance

Chief Security Architect at Netscreen Technologies

2003 – 2004

  • Managed over $600,000+ budget for the Information Security Program
  • Responsible for Information Security Program
  • Responsible for Creation of Information security policies
  • Responsible for Security assessment and audit of IT Projects
  • Responsible for the Security Awareness training program
  • Responsible for New Hire Training
  • Completed the rollout of a SSL VPN Solution
  • Successfully deployed TWO-Factor authentication system.
  • Successfully deployed corporate wide intrusion detection and prevention devices
  • Successfully deployed vulnerability assessment software
  • Responsible for the creation and implementation of the IT Change Management plan, schedule.
  • Participated extensively in the review of the companies Sarbanes/Oxley audit.
  • Reduced overall corporate systems patch level non-compliance from 70% to 10%
  • Implemented processes to provide investigatory services to other departments.
  • General Network troubleshooting and support across global architecture.

Chief Network Security Architect at PeopleSoft, Inc.

October 2001 – June 2003

  • Lead for PeopleSoft Network Infrastructure Security Group.
  • Provided enterprise networking experience to troubleshoot network and security related events.
  • Designed implemented and maintain the PeopleSoft worldwide firewall security and Network
  • architecture.
  • Provided design and support for customer and internal IT related security solutions.
  • Provided top-level support in the creation of company-wide security policies and procedures.
  • Developed Unix Security standards
  • Participated in the forensics, tracking and assessment of threats to PeopleSoft’s global network.
  • Provided security auditing services
  • Multiple Installations of Cisco PIX firewall for internal access controls.
  • PIX VPN integration with Checkpoint firewall-1
  • Responsible for Perimeter access controls
  • SecureID strong authentication controls with Cisco routers and layer 3 switches.

Sr. Security Consultant at Siegeworks, Inc

January 2001 – October 2001

  • Responsible for Training Room Setup and maintenance at the main corporate campus
  • Customer Firewall Deployment
  • Provided essential Pre and Post sales customer support for security products
  • Network Vulnerability Assessments
  • Physical security evaluations
  • Taught certification courses in Check Point Firewall-1 and the Nokia Security Administrator for many large scale customers

Sr. Network/Security Engineer at Avantgo, Inc

June 2000 – January 2001

  • Designed and supported the Avantgo corporate Network infrastructure on Cisco 7206 and 2621 routers
  • Wide Area Network planning and support of DS3 Circuits for national infrastructure.
  • Installation of corporate security infrastructure using Check Point Firewall-1(Nokia Ipsolon platform).
  • Management, configuration, installation and maintenance of National and International Virtual Private Network.
  • Responsible for the management and monitoring of the Avantgo National Intrusion Detection deployment.
  • Created project management plans for national Intrusion detection deployment.

Sr Security Engineer at Nokia, Inc

May 1999 – June 2000

  • Supported Value added resellers and end customers of the Checkpoint firewall-1 Nokia Security Appliance.
  • Supporting all Network components of the Nokia product family, which included supporting OSPF,
  • RIPv1, RIPv2, DVMRP, T-1 Serial Lines, Frame-Relay, CSU/DSU, Fast Ethernet and other complex environments.
  • Installed 150+ Check Point firewalls across the country on Solaris, NT, and Nokia Platforms.
  • Team lead for USinternetworking upgrade project. The project consisted of coordinating and assisting the upgrade of approximately 120 firewalls nationwide.
  • Trained Customer Support engineers for the Nokia UK and Singapore Support centers
  • This included interviewing potential candidates for each site and helping the launch of each support center.
  • Developed in-house documentation and lab testing for Ipsolon integration with other security products (e.g. Cisco PIX and Axent Raptor.

Sr. Security Consultant at Verisign, Inc

December 1997 – March 1999

  • Responsible for Management of San Diego Office location
  • Duties included, firewall installations, technical support, pre-sales, network vulnerability assessment and physical security evaluations.
  • Network and Security architecture, design and implementation for customers.
  • Taught certification courses in Firewall-1, Internet Security Systems ISS product and a course in advanced hacking techniques and methodology.
  • Consulted for the National Security Agency, Federal Bureau Of Investigation, Department of Defense – Defense Information Systems Agency, and other related agencies and companies about hacker attack scenarios and abilities and methods.
  • Certified and taught Check Point Firewall-1 to over 400 people across the country including many large banks, Government Agencies, and fortune 500 and 100 companies.

Sr. Security Consultant at Websense, Inc

November 1996 – November 1997

  • Duties included design, implementation and installation of 3 different Firewall Software packages for customers
  • Responsible for troubleshooting and support for existing customers.
  • Consulted in the implementation of the following technologies: Checkpoint’s Firewall-1,Borderware, and Raptor.
  • Responsible for the maintenance of all NetPartners# Internal Workstations, Servers, and Internet connections using Cisco 2501 routers.
  • Responsible for internal NetPartners# machines including Windows 95, Windows NT Workstation and Server.
  • Responsible for implementing a clear and concise backup policy for our networked machines.
  • Responsible for implementing a standard WinNT Login and Drive mapping policy, and administration our Corporate SQL Server.
  • Final duty included the management of our corporate computer security policy and our corporate Firewalls.


Las Positas Community College, Criminal Investigations, 2007 – 2007

Las Positas Community College, Criminal Evidence, 2006 – 2006

El Capitan 1990 – 1994

Honors and Awards

2009 – Participated in ISACA 26th Anniversary Winter Conference PCI Panel Discussion with other industry leaders

2007 – Presented at SecureWorld Expo – eDiscovery and Forensics

2007 – Presented at ISACA 25th Anniversary – Penetration testing panel

2006 – Presented at Cornerstones of Trust Conference on Emerging Firewall Technologies


Computers, Electronics, Hiking, Biking & Exploring the Wilderness

23 people have recommended Lawrence

“Lawrence is a highly technical, highly motivated individual who gets the job done. His passion for information security is second to none and his knowledge in the space is incredible. Lawrence would be a great addition to any security marketing or technical team.”

— Scott Emo at McAfee, Inc., Group Product Mkting Manager, Network Security, McAfee, worked with Lawrence

“Lawrence is an excellent professional with a breadth of knowledge of the Security Industry and its players that is second to none. While working with him at McAfee, I saw him bring a level of exposure and credibility to the company that I know would not have had been possible without him.”

— Afonso Infante worked with Lawrence at McAfee, Inc.

“I have not known Larry Pingree all that long, but from what I have seen of him, I would like to learn much more. He demonstrates great professional maturity as well as outstanding communication and people skills. I am amazed at how many information security professionals who work in Silicon Valley know and respect him.”

— Eugene Schultz when working with Lawrence at McAfee, Inc., Chief Technology Officer, Emagined Security, was with another company

“I had the greatest opportunity to work and partner with Larry Pingree at PeopleSoft. A master and intellect in information security practices, Larry was incredible in his ability to quickly analyze a situation and create solutions. In the mist of building our information security organization, Larry immediately stepped-in to plan, architect, and implement a secure network environment and developed key partnerships with critical IT and business organizations. He is an exceptional talent, professional, and a visionary leader. I would consider myself fortunate to have the opportunity to work with him again in the future.”

— Kimberly Trapani – CISO at PeopleSoft, Inc., CISO / Director Information Security, PeopleSoft, managed Lawrence

“Larry is a professional and skilled network and security engineer. He is highly motivated and driven to succeed. He keeps abreast of new technologies and is always evaluating new solutions. I wish Larry all the best in his professional career.”

— Timothy Brush Inc, Web Operations Manager, AvantGo, worked with Lawrence at Avantgo

“Lawrence is a pleasure to work with. He is always professional and comes prepared to his meetings. His competitive intelligence research has been a great asset to me and my team contributing to the success of my product. Lawrence is a keeper.”

— Harold Toomey Inc., Group Product Manager, Governance, Risk & Compliance, McAfee,, worked directly with Lawrence at McAfee, Inc.

“Larry is an asset to any team. He brings energy and a fantastic team approach to challenging situations and is ready to tackle problems. I hope to work with Larry again in the future.”

— Phil Agcaoili SecureIT), Chief Information Security Officer & Co-Founder, VeriSign (formerly, managed Lawrence indirectly at SecureIT, Inc.

“If I had to pick a single word for Larry, it would be this: Focus. Incredibly potent, laser-like focus that cuts right through “to the chase” – in the time it takes most people to realize a chase is even afoot. If that sounds like the sort of person you need (who doesn’t need him?) then you will find him to be among your most valued resources.”

— Gary Arthur Douglas II

Lawrence at PeopleSoft, Inc., Sr. Security Systems Engineer, PeopleSoft, worked directly with Lawrence at Peoplesoft

“Larry is truly an asset to any Information Security organization. His wealth of technical knowledge combined with big business know-how enables him to succeed in any diverse, high impact environment”

— Woody Hughes

Safeway, Inc., Information Security Analyst, Safeway, Inc., worked directly with Lawrence at Safeway

“PeopleSoft was moving to a complete architecture and platform change for our support systems and our customer support website. Larry worked on the project team to design security for our customer facing applications. Larry’s prior experience and understanding of how we wanted to conduct business with our customers was critical to releasing the project and new capabilities on time with minimal impact to our customer base. Larry possessed a business focus and a could relate real risks back during the process, which minimized debate as we planned, configured and communicated.”

— Sean Bingham, PeopleSoft, Inc., Director, Service Readiness, PeopleSoft, Inc., worked with Lawrence at   Peoplesoft

“Larry was a highly valued security thought leader at Safeway. He is an extremly well versed computer security professional who provided superior customer service to a wide variety of internal customers.”

— Colin Anderson, Director Information Security, Safeway, managed Lawrence at Safeway, Inc.

“Larry has a great passion about what he does. He is also willing to take the time to teach anyone who will listen. If you go to Larry needing help, he will teach how to solve your problem. He would make a great manager.”

— Benjamin Woodford

Lawrence at Safeway, Inc., Information Security Analyst, Safeway Inc., worked indirectly for Lawrence

“Larry is an incredibly sharp and well rounded information security and technology professional. In working with Larry, no matter what the technology issue was at hand, he always seemed to have a very insightful and visionary perspective. I quickly learned that he is a very valuable resource and his willingness to go above and beyond to help others makes him that much more valuable.”

— James (Jim) Range

Lawrence at Safeway, Inc., Senior Consultant, PwC, was with another company when working with Lawrence

“Larry is a technologist, very personable, creative strategist who can execute and implement the solution meeting the business needs. I know him for long time from his days at Nokia when we were building Global Firewall Management Solution and partners trust model at Applied Materials. He was, always, out there to understand our technical/complex global blue print architecture and surprised us every time with the solution. He was a life saver for my team and highly respected. I am very impressed with his progress over these years and helping companies succeed and expand globally. I highly recommend him for a leadership role in the area of security requiring to bridge the gap between business, IT and spearhead security program/product.”

— Jit Singh, was Lawrence’s client

“Larry is a brilliant Security Architect who I first met while trying to sell him NetScreen security solutions while he worked at PeopleSoft. I recall very clearly how impressed I was with his depth of knowledge, penetrating questions, wit, and engaging personality. I was thrilled when not long after Larry ended up working at NetScreen! When I moved into a Business Development and Solutions Strategy position at NetScreen, Larry became one of my most reliable and effective advisors whom I routinely sought for feedback and counsel on my most important strategic initiatives and projects. I strongly endorse Larry as a top tier player in the security industry.”

— Vince Barboni,Lawrence at Netscreen Technologies, Sr. Solution Architect – Corp Dev Strategist, Juniper / NetScreen, worked with Lawrence at Netscreen

“I worked with Larry for almost 4 years at two different companies. Larry is an extremely intelligent, dedicated, and passionate IT professional. Larry cares about continuously improving the organization and himself. I would hire Larry (and have) in a heartbeat!”

— Joshua Mauk PeopleSoft, Inc., Manager, Information Security, Safeway, Inc., worked directly with Lawrence at Safeway

“Larry was a fantasic coworker–knowledgeable, dependable, and a sincere personal interest in his field of expertise and expanding it. I knew that if I asked him something, he either knew the answer or knew where to find it. Any company would benefit from having Larry on board!”

— Laura Leff, PMP, Safeway, Inc., Director, Vendor Management Office, Safeway, worked with Lawrence at Safeway

“Larry is an excellent engineer whose passion for excellence leads him to deploy the right solution with the right components in the right way. He was a pleasure to manage, both professionally and interpersonally. I look forward to working with him again sometime.”

— Sean Casey, Avantgo, Inc, Manager of Networks and Information Security, Avantgo, managed Lawrence at Avantgo

“Larry has a lot of expertise of information security. He is very dedicated to his work at Safeway. He has contributed to the improvement of enterprise security posture.”

— Lena Shey, Supervisor Sr. IT Auditor, Safeway, worked with Lawrence at Safeway, Inc.

“Larry has been the lead engineer for digital forensics and workplace investigations for our team. His customer focus and dedication have been instrumental in handling many large scale cases. He is a skilled mentor for junior members of the team, as well as an excellent educator for raising security awareness among business groups. He is one of those rare breeds–a person with strong technical knowledge and the soft skills to interface well with all levels of management.”

— Suzanne Widup, Safeway, Inc., Sr. Information Security Analyst, Safeway, worked directly with Lawrence at Safeway

“Larry is a down to earth, very detail oriented, technical person, who knows how to get the job done. He is always ready to go the extra mile to get the job done.”

— Eric Locastro, Account Rep, Netscreen, worked with Lawrence at Safeway, Inc.

“Larry is a strong security expert. Many people know him and respect him in the area. I always heard great things about Larry.”

— Norman Girard with Lawrence at Netscreen, Technical Product Manager, Qualys, was with another company when working

“Larry made an immediate impact when he joined Netscreen. Working in the Legal Department, I soon had my consciousness raised to the significance of security awareness not just for our network but also for every aspect of our information handling. Larry weaves together threads from many disciplines into one comprehensive picture. And he’s fun, too.”

— Alex Rathbone, with Lawrence at Netscreen

SWOT analysis of vulnerability management vendors

Best Enterprise Vulnerability Management Product: Rapid 7 NeXpose

After reviewing the top players in my select list, it is my opinion that the vendor who is the most feature rich, low cost and safest deployment option currently available is the Rapid 7 appliance. Qualys is my second choice based on the same criteria and mostly due to my favoring onsite deployment. Finally with McAfee and they come in last for me mostly due to their lack of web and database scanning.
I just jotted down SWOT thoughts on the following vendors so if there are any corrections please send me them via my blog’s contact form.

Vendors I Selected for the SWOT

  • Rapid 7
  • Qualys
  • McAfee, Inc.

Rapid 7 – NeXpose

– Highly focused on just vulnerability management
– Quick deployment
– Fast customer adoption (high growth)
– Recent infusion of growth capital (VC funding)
– Enterprise ticketing integration
– Web application scanning
– Database scanning
– VMware capability
– Onsite deployment
– Low cost (depreciable)

– Small company
– Limited policy compliance functionality (ITGRC)
– Operations cost (management, power, rack space etc)
– Small research team
– Small support team

– Take greater market share as larger vendors lag
– Expansion to policy management (ITGRC)
– Expand distribution channel
– Integration with 3rd party blocking technology (web app firewalls)
– Integrate web app scanning ticketing to development bug tracking systems

– Company aquisition
– Alternative technologies are developed
– Large players address weaknesses

Qualys – QualysGuard Enterprise

– SaaS and cloud adoption increasing
– Web application security
– Database security
– Quick deployment
– Enterprise ticket integration
– Highly focused on vulnerability management

– SaaS only (high cost for onsite deployment option)
– High ongoing fees (non depreciable)
– Lower ROI due to continuous yearly subscription model
– Limited database scanning support

– Commitment to on site deployment option
– Reduce yearly subscription renewals to address ROI argument
– Move more towards SaaS based ITGRC platform
– Integrate web app scanning ticketing to development bug tracking systems

– ITGRC vendors expand to Vulnerability management space
– Smaller (more nimble companies) develop better functionality
– Larger players lower pricing further
– Larger players match SaaS offering

McAfee – McAfee Vulnerability Manager

– Large market share
– Countermeasure awareness
– Vmware option available
– Foundstone research heritage
– Instant new threat assessment reporting
– Onsite deployment option

– Limited web application scanning
– Limited database scanning
– Countermeasure awareness limitations (competitor products?)
– Console strategy unknown (epo?)
– Some functionality requires separate console

– SaaS expansion to include ticketing and policy compliance (ITGRC)
– Consolidate existing SaaS offerings under one single website console.
– Consolidate separately managed products into EPO (i.e. Vuln manager, Risk and compliance manager and remediation manager)

– Poor execution of consolidated console strategy
– Possibility of Acquisition
– Reduced revenue due to commoditization

Note:  The results of this analysis are not quantitative in nature and are only opinions of the author and no other associations, organizations or persons.


About Me

About the Author

Lawrence Pingree (aka Larry Pingree)


Lawrence has many years of experience in engineering, technical architecture, networking, security policies, procedures, systems analysis and auditing in organizations of varying sizes. Throughout his career, Lawrence has engaged in extensive consulting engagements for a wide-range of organizations,and he is an active member of  a number of non-profit organizations.  A founding board member of the Digital Forensics Association,  he served as Vice President. Today he is a Research Vice President and Market Analyst at Gartner, Inc. At Gartner, Lawrence works as a strategic advisor who engages with hundreds of different organizations worldwide. He enjoys helping individuals become more successful in their businesses. In his spare time enjoys trading his money through exchange traded funds on the stock market, hiking, nature and performance cars.