About Andrew Hay

Andrew Hay is an information security industry veteran with close to 20 years of experience as a security practitioner, industry analyst, and executive. As the Chief Information Security Officer (CISO) at DataGravity, Inc., he advocates for the company’s total information security needs and is responsible for the development and delivery of the company’s comprehensive information security strategy.

Andrew has served in various roles and responsibilities at a number of companies including OpenDNS (now a Cisco company), CloudPassage, Inc., 451 Research, the University of Lethbridge, Capital G Bank Ltd. (now Clarien Bank Bermuda), Q1 Labs (now IBM), Nokia (now Check Point), Nortel Networks, Magma Communications (now Primus Canada), and Taima Corp (now Convergys).

Andrew is frequently approached to provide expert commentary on security-industry developments, and has been featured in such publications as Forbes, Bloomberg, Wired, USA Today, International Business Times, Sacramento Bee, Delhi Daily News, Austin Business Journal, Ars Technica, RT, VentureBeat, LeMondeInformatique, eWeek, TechRepublic, Infosecurity Magazine, The Data Center Journal, TechTarget, Network World, Computerworld, PCWorld, and CSO Magazine.

Why You Need a Research Group

investiga2If your product fits neatly into a magical chart comprised of 4 equal areas made by dividing a plane by an x and y axis, odds are it is commoditized and indistinguishable from the vendors beside you. As a result to drive differentiation, organizations are beginning to form their own research groups as a vehicle to establish thought leadership, create sales opportunities, and, of course, differentiate the company and its products from the competition.

I’ve worked as a vendor, an industry analyst, and as an end consumer of security products. I’ve seen my share of commoditized products artificially inflated with buzzwords and the latest security breach news in the press. I’ve also sat through more than a few presentations (or panels) where the presenter communicates how hard they thought about a particular problem – and that is the extent of their research.

336464-scanners_croppedWhat continues to impress me, however, is when a vendor (or a presenter writing/speaking on behalf of a vendor) can provide concrete data to reinforce a hypothesis or position on a particular issue or problem. I don’t care how creative you are with your marketing language or how hard you think about a particular problem, it’s not going to mitigate or prevent the problem from reoccurring – unless, of course, you’re Michael Ironside’s character from the movie Scanners.

Types of Research

In the security field, there are really two types of research: Pure and Applied. According to Wikipedia(http://en.wikipedia.org) pure (sometimes called basic) science is the “development and establishment of information to aid understanding of the world, whereas applied science uses portions of basic science to develop technology or technique establishing interventions to alter events or outcomes as desired.” (source – http://en.wikipedia.org/wiki/Basic_science#Versus_applied_science)

Applied science, on the other hand, is a “discipline of science that applies existing scientific knowledge to develop more practical applications, such as technology or inventions.” (source – http://en.wikipedia.org/wiki/Applied_science)

As an alternative, I offer the following differentiation:

  • If the purpose of your research is to convey thought leadership, interesting and qualitative takes on previously identified problems, or states your position on one side or the other of an ongoing debate; you’re probably conducting (and conveying) pure research.
  • If your research provides a tool or methodology that addresses an industry or community need, provides quantitative data proving a hypothesis, or, once implemented, shows a differentiation of your product; you’re probably conducting (and conveying) applied research.

pouting-childNow, before people get upset, I’m not saying that pure research isn’t valuable, it is. Without pure research, there would be no applied research. Big ideas influence those who can execute and turn the pure research into applied research.

In my opinion, a vendor should have a research group that operates on a 30/70 split of pure to applied research. This lets researchers be creative and express themselves with a greater emphasis of implementing quantifiable research into portfolio features, tools, or products.

Stay Tuned…

As this series evolves I’ll touch on how to structure your research group, how to staff, how to create a business case to justify its existence, and how marketing, sales, and product teams can utilize the findings of your team. If you have any questions, please put them in the comments section below or reach out to me on Twitter via @andrewsmhay.

Andrew Hay