McAfee.com sleeps through its nightmare scenario (zdnet.com)
56 points by bensummers on April 23, 2010 | 17 comments



I think this is a pretty good example of how "Enterprise Software" will continue to quickly lose favor with customers. My personal opinion is that the "Enterprise Software" market is now more than ever about sales and marketing rather than innovation and delivery.

Just look at the release budgets for enterprise software - sales and marketing are at the top, while R&D and support are at the bottom.

If any open source implementation of anything like this happened, I can assure you the committers and developers would be appalled and embarrassed (in public), and significant lessons would be learned all within users' view.

Meanwhile, in the "Enterprise Software" arena such as McAfee's - their learned lessons are clear. How do we spin this? And how do we align our marketing and sales teams to minimize the impact on our sales models?

I'm just shaking my head at this one...

Serious lessons to be learned here...


It's also a good example of why an organization needs to continuously evaluate vendors of their software. McAfee long ago slipped into the pile of "not good enough" system security vendors while plenty of other alternatives shot past them in the virus/malware detection space. Basically they've been coasting on the good name they built up in the past, but I wouldn't think of installing any of their software on my system from the last 3-4 years. Slow, buggy, system resource hog, poor detection results, etc. This is all pretty common knowledge at this point. An enterprise should go through a yearly eval of all baseline software and find better alternatives. Or at the very least, when the software comes due for another purchase.

The thinking should be, if they've gotten sloppy about their core business, they are going to get sloppy elsewhere...and that's exactly what happened here.

Edit:

Relevant quote from the article: "One thing I'm picking up from that coverage is that McAfee is pretty much a spent force, especially in the consumer PC protection market, and I shouldn't be relying on the company to keep my PC safe anyway." Even Mr. Wainewright fell into the trap of not caring about critical security software on his system. It was news to him that they've fallen off the horse. It scares me that somebody who couldn't even be bothered to stay up to date on something like this has a column on ZDNet. Maybe I'm being unfair, but like I said, McAfee has had this reputation for piss-poor software for at least 3 years.


> I think this is a pretty good example of how "Enterprise Software" will continue to quickly lose favor with customers. My personal opinion is that the "Enterprise Software" market is now more than ever about sales and marketing rather than innovation and delivery.

How so? According to McAfee, the problem only affected less than 0.5% of their non-enterprise customers. I'm sure only a small fraction of those affected will decide to switch their vendor; the rest of the non-technical crowd will simply ignore this.

> My personal opinion is that the "Enterprise Software" market is now more than ever about sales and marketing rather than innovation and delivery.

> Just look at the release budgets for enterprise software - sales and marketing are at the top, while R&D and support are at the bottom.

We have actual data to debate this: McAfee's annual financial statement, http://www.google.com/finance?q=NYSE:MFE&fstype=ii.

In 2009, McAfee spent $839mn on SG&A and $325mn on R&D. Sure, the R&D number is less than SG&A, however:

- SG&A number includes administrative expenses, paying rent for buildings, providing customer support etc.

- $325mn on R&D is a huge number. Assuming a fully-loaded annual developer cost of $200k, it's 1.6k developers working full-time on this product. I'm not sure how many open-source software projects have a similar number of at least part-time developers involved. Even taking into account "The Mythical Man-Month" etc., it is still a significant resource.

Having a decent anti-virus product requires, among other things:

- Having full-time dedicated security experts - and by experts I mean people who literally have decades of experience in the field. You cannot become a security expert overnight.

- Dealing with thousands of different software/hardware environments at customer machines

- Regularly updating virus databases, monitoring threats 24/7 and providing rapid updates for every new virus/trojan

- Providing decent customer support to all of your non-technical customers who don't know much about computers.

I don't know how well McAfee handles all the tasks above - I'm not their customer, and not affiliated with them in any way. I just want to emphasize that anti-viruses are non-trivial, and there is no existing open-source business model today that can handle this complexity.


McAfee has now changed their estimate to "[...] a small percentage of our enterprise accounts globally" http://siblog.mcafee.com/support/mcafee-response-on-current-...


I was specifically referring to their non-enterprise customers. For them, their statement says that "a fraction of our consumer base–home users" [is affected].

Enterprise customers are in a different league: even if individual users are extremely unhappy, it's the IT department who makes the final decision about switching vendors.

I'm extremely unhappy about using Lotus Notes for email/calendar where I work, but can do nothing about it, other than whining on the internet.


Hmmm, I guess I confused what you said with this early statement from them:

"We believe that this incident has impacted less than one half of one percent of our enterprise accounts globally and a fraction of that within the consumer base."


> In 2009, McAfee spent $839mn on SG&A and $325mn on R&D. Sure, the R&D number is less than SG&A, however: - SG&A number includes administrative expenses, paying rent for buildings, providing customer support etc.

Building rentals, fixed asset depreciation, services and energy used can go to COGS (R&D) if it is possible to allocate them to a specific cost center. If you have a building (or part of it) dedicated to developers, it will go to their cost center & COGS. Similarly for their equipment and other items.

The SG&A part will have depreciation, rentals etc. only for sales & communication, IT, finance, HR, management and other support functions.

Well, my point is that R&D in their P&L is not only cash-out wages. It includes all other costs incurred by R&D.


I understand. "Fully loaded cost" in my calculation above includes office space, equipment etc. - usually it's ~30% on top of annual salary.


vtail has already done a good job of proving most of your statements false, but I would like to drive the point further:

"If any open source implementation of anything like this happened, I can assure you the committers and developers would be appalled and embarrassed (in public), and significant lessons would be learned all within users' view."

There is no merit to this argument as the open source development model hasn't proved itself capable of delivering a competitive anti-virus solution. The most well known open source anti-virus software has consistently been ranked as poorly performing.


Most open source developers work on platforms that don't suffer from the same level of malware abuse. There isn't pain to make someone care enough to write one.

Besides, AV is addressing the symptoms and not the actual problem: The MS operating system is completely broken from a security model. It won't improve until it's scrapped and redesigned. There is no patch for all those decades of broken and boneheaded.


> AV is addressing the symptoms and not the actual problem

This is where you've lost me. Show me a piece of invincible software.

Even stuff like Java with its top-notch security model and with its managed code has been vulnerable to various zero-day exploits. Even virtualization environments.

I have a Windows workstation that's been running for 2 years, with no resident AV running and with the standard firewall. I do have a good AV, but I'm doing a scan every 3 months or so.

Never caught anything, mostly because I'm a technical user that knows how to stay out of trouble.

Give me a normal end-user using any of those non-MS platforms you mentioned and I'll show you how I can break his computer. Quite simple really ... "This game needs administrative rights to install. Please enter your password:"

Not to mention that the desktop managers running on Linux have serious security flaws that haven't been fixed just because the platform itself is obscure enough for crackers not to bother with it.


So if there is room for innovation in the antivirus market or enterprise software market, why aren't more startups attacking that space? Enterprises are strictly served only by other enterprise software companies. CRM, financial systems, billing systems, HR systems - all of these enterprise apps are appalling in their usability and implementation. Is it because the modern startup culture is interested only in solving "easy"/consumer issues?


The cost of customer acquisition is sky high. Now, if I can pull a series A out before I get a customer, this might be fine. However, the pipeline is long, and nothing is guaranteed.

Here's a personal example. The company I just finished a contract with was looking to purchase a product that would cost in the low 5 digits. The company spent two months on due diligence in between dozens of fires to fight. Even after selecting the company, it may be two to three more months before they actually buy the product.

So, that's four to five months between initial contact and sale for a product in the low 5 digits. When I worked on products for governments, we had people specially working on RFPs and they would put man-months into these, and an answer could be up to a year away.

Now, it's possible to get into the business without this, but you have to have an in for your first client.


McAfee desperately needs some PR help on this one. It will be much better in the long run to put a large, prominent announcement on their site linking to instructions, etc. Even better would be an 800-number so that affected customers could call and be walked through the process of fixing their PCs. Yes, this would hurt the bottom line, but it is just good business.


Why? In a matter of days even the most computer-savvy of folks will have put this behind them. McAfee will still be bundled with Localtown-ISP or installed on the new desktops. Mom and pop will see that their "subscription" is about to expire and won't even wonder if this was the program that broke something with svchost.exe.

While you and I may agree that it would be good business for them to go out of their way to fix this and clean up their image, I just don't think it really matters in the long run. I would be surprised if they do anything other than, "Whoops. The next signatures are here".


Or even offer to ship a physical copy of the fix if they really want to go the extra mile.


I'm intrigued why shares haven't suffered.

http://bit.ly/ce29LA
