A little personal history - - I worked for two different hardware information security vendors from 1990 to 1998 in just about every role you can imagine. Engineering, cryptologist, marketing, sales and executive management. So I have some first hand experience that makes me very skeptical about the market for a standalone field security device from the vendor perspective. 

In two recent blog posts (here and here), Walt Boyes of Control Magazine has been wowed by Eric Byres new Tofino field security product with the key quote being “Tofino will be out later this year… or early next. I betcha he and MTL sell a bunchaton of them.”  Let’s try to define what a ”bunchaton” will need to be for success. 

I’ll go into three reasons why my friend Eric has the best chance of success of any that have tried to date at the end of the post.

Business Case

Let’s assume a street price (actual sales price) of $1,000 and a gross margin of 60% for a field security device. Both these numbers may be a bit optimistic. Previous field security devices have discussed street prices of $500 and the IT security equivalents are $500 or less. 60% gross margin for a hardware device is also on the high end. These assumptions lead to a gross profit of $600 per unit.

If a vendor sells 1,000 units annually this only leaves $600K to pay for the engineers, sales, distribution, support and other costs.  Even if a business can eek out a small profit on this by running very lean, it is hardly worth the effort and risk. So lets further assume that a vendor needs to sell 3,333 units annually to make a $2M gross profit to be successful.

The next step is to look at sales. What is the average sale size? 10 units, 50 units, 100 units?  Let’s assume 50 units as an average sale size. This breaks down to 67 sales annually or a little over 5 per month. What is the sales conversion rate (number of customers/number of customers where a sale is attempted)? A conversion rate of 25% means we have to approach 288 potential customers this year.

The sales cycle and cost to close each sale will be a very important factor with a new concept product like this. Information security, even in the IT world, has typically been a long and costly sales cycle. Not as long or costly as a SCADA system, but remember this is only a $1,000 product.

Information security products that cost $10K - $20K each and had average customer purchases of $500K supported a dedicated, direct sales force. The lower the product and price and average order price, the more important “pull” and distribution become.

In marketing speak, “push” is when you go identify potential customers and bring the product to them.  Push is typically represented by a direct sales force selling the company’s products. 

“Pull” is when you create enough demand for the product that customers come to the vendor or distributor asking for the product.  This is what most people think of as marketing and combines media campaigns, events, buzz and other elements. Pull is very important for effective distribution because as a rule, distributors are going to focus on selling the products that are easiest to sell and make the most profit. It is not unusual for a product vendor to give the distributor many of the initial sales the vendor made through their direct sales force just to seed the channel and generate enough interest at the distributor to look at the potential of the product.

The downside from the product vendor is profits need to be shared with the distribution channel.  If the vendor can generate pull and attract the distributor’s sales force to the product it is well worth the money.  If the vendor is closing the sale and the distributor is only doing fulfillment it is not worth with it.  As a rule, most $1000 products are better going through distribution unless they are part of a large product line.

Byres / Tofino

I blogged earlier on the impressive technical features from my early look at Tofino. From the business standpoint I believe Tofino has three important things going for it that previous field secuirty products have lacked, and two have to do with MTL.

1. The form factor - Tofino is going to look like any other MTL module. It will fit in the MTL chassis. The other field security devices to date have been pseudo-field devices that were basically metal extrusion cases, not certified to meet the environmental conditions., and had some basic issues on how they would be deployed in the rack. 
2. Management - I covered this in the earlier blog entry. This was a huge gap in previous offerings. 
3. Distribution - This is the biggest difference. MTL sells a lot of field products both under its brand and rebranded by other SCADA vendors. If there is any ”Pull” for a field security device, this is the ideal channel. MTL also has a credible support organization in place and the market credibility so asset owners will not feel like they are dealing with a company that might not be around a year from now. None of the other efforts to date have achieved a distribution deal even close to this, and their lack of success cannot be attributed to a lack of market demand because they did not have a complete offering.

So assuming Tofino goes from prototype to production successfully, and assuming that Byres Security and MTL execute properly, we will finally learn if there is a market for a field security device.

If the answer is no, we will need to wait until this technology is directly integrated into the field device - - most likely in the Ethernet interface module.