nCircle.com >> 360 Security


Customer's 24-hour SLA

Recently, a fellow competitor took issue with nCircle's 24-hour SLA on Microsoft vulnerabilities, claiming that it is too slow relative to the competition. While I completely respect this opinion, the issue is not that there are 86400 seconds in a day; the issue is listening and responding to the needs of a target market.

First, a bit of background.
I didn't get up one morning and say "Golly, we should wrap an SLA around our Patch Tuesday release." The entire idea came from our customers. In fact, I spent a lot of time on the road asking them about time parameters and the result was a 24-hour window. No magic at all, just a good conversation with the consumer. Yes, they do care about the timely delivery of an authenticated and non-authenticated check, but they are also concerned about the quality of that check, the details of the descriptions, and ultimately the actionable results from that check. I cannot speak to other target markets, but in the case of nCircle, the large enterprise is a very different beast and is never shy about sharing their opinion.

I have a deep respect for all of the other vendors in the Vulnerability Management space and by no means want to suggest that quality and time are always in a direct relationship with each other. My one goal with this posting is just to say that nCircle's 24-hour SLA is not meant to annoy other vendors; it is there because our customers asked for it. If they feel that a 12-hour or 48-hour time window is more appropriate, then we make changes and move on.

As long as we are all sharing pet peeves, why can't vendors treat each other with more respect? If I have offended anyone with this posting, I'm sorry. The more vendors can work together, the more customers benefit.

--tk

Comments (1)

Derek Vadala:

This is a great example of software vendors not understanding how things actually work in practice.

It's noon on Patch Tuesday. Microsoft has just released its bulletins. How many systems in my environment are vulnerable?

12 hours later, how many systems in my environment are vulnerable?

24 hours later... 48 hours later... etc.?

If the security people at a given company need a vulnerability assessment tool to answer these questions, you have a much bigger problem than your SLA on vulnerability checks.

This data doesn't get interesting until other systems have had some time to send out patches, and I hope that process included some packaging and testing. Maybe this is useful for really small environments that are relying on Windows Update; I'm guessing such environments can't afford commercial vulnerability scanners anyway.


About

This page contains a single entry from the blog posted on August 22, 2006 11:28 AM.
