You’ve been PONED & you probably didn’t even know it!

Are you wondering why we used PONED instead of PWNED that you might typically hear in gamer parlance meaning that you’ve been OWNED?

That’s because in the world of IT there’s an organization called the “Ponemon Institute” and if you’ve read any of their studies, seen any of their quotes or, gasp, used one of their studies to shore up something you’re hawking like “IT Security Services” then you’ve been PONED, or maybe you’re PONEing. Getting PONED with a Ponemon statistic is like the IT version of getting Rick Rolled.

It’s not your fault, you’re in good company. The reason we wrote this piece is the most recent instance of Ponemon’s handy dandy data analysis we bumped into, in a piece ConnectWise released titled “Building Your MSP Security Offerings”. Yeah, we got PONED! Welcome to the club my friend!

The ConnectWise piece is decent and the Ponemon study, well; that’s a real gem as always (chuckles). When you think about the industry of tech, IT and technical services (IT Services), it’s a mess. Here are a few points to think about when talking about the business with possible providers, or just about anything:

  • The industry is filled with fake news and 21st century snake oil salesmen, proceed with caution!
  • The global industry of tech companies wants dependence, not independence. Mindless button clickers and support callers.
  • The focus and goals of most companies (MSPs or other) are about new markets and revenue, not customers or their needs

Let’s first take a look at what started the train wreck in the ConnectWise report for MSPs.

Cyber security is the talk of the industry

They start off by saying “Cyber security is the talk of the industry”, attacks are getting more sophisticated and the costs are increasing. Note, it’s only the talk of the industry because everyone is so bad at it and tech isn’t generally built “with security in mind”, as they say. The fact that security is top of mind to them means a business opportunity, we can’t disagree. This is the crux of their discussion for the entire document: letting MSPs know how they can increase their monthly per-seat charge for security services. Hmmmmm…I wonder why costs are increasing? Business opportunities aren’t inherently bad, but if you’re inherently bad at executing, not knowing where to start, well then…that’s not good for the buyer of your wares!

The subtle angle here for this market opportunity is using fear to sell. Ponemon sets the tone with scary statistics, throwing in a little bit of #fakenews to extort money out of your unsuspecting and trusting customers. ConnectWise conveniently even includes a template showing how you can increase your offerings! They go on to discuss how many Managed Service Providers (MSPs) “don’t know where to begin”, as we’ve mentioned before. Well certainly, the problem with MSPs is that they’re dependent button clickers who don’t generally know how things work, but that then begs the question even further, doesn’t it? How is a company that doesn’t know where to begin able to charge so much more per seat on top of what they’re already charging? Therein lies the question! MSPs are more loyal to brand than protocol. Their first love is the partner program, commission and marketing. The typical MSP (the “successful” ones anyway, as I’ve read) enjoys getting paid a pile of money for little knowledge, with aspirations to do less and charge more! The secret sauce is marketing, just like the snake oil salesman of yesteryear!

How do we know the ConnectWise piece is mostly a trash marketing rag with little substance? It doesn’t take long…page 2, where they say “Attacks on MSP’s are on the rise.” That’s not even the topic! It should say attacks on small to midsized businesses, not MSPs, as attacks on SMBs are the subject matter, and how you as an MSP can sell them more junkware. Perhaps what they meant to say is “SMBs” instead of “MSPs”…we’re not sure, but it’s a definite dead giveaway to anyone who thinks reading is fundamental and comprehension is the golden rule.

Another reason why this is a trash marketing rag, and the point of our piece is because they immediately mention the “Ponemon Institute”. As noted, coming across something from Ponemon is the IT equivalent of getting Rick Rolled. I’ve even heard, as mentioned on another blog post, a Ponemon Institute statistic on the radio!

Here are just a few of the major problems we have with Ponemon and their legitimacy:

  1. Their studies are generally “sponsored”. In the past Palo Alto has sponsored a study; the 2017 study was sponsored by “Keeper Security”. In our view this means it’s highly likely to be biased unless proven otherwise, and as you’ll see in point #2, they don’t have anything in there about the methodology as they did in past issues, which makes not only this study dubious but also others who, like Ponemon, don’t show you their methodology. A lot of companies show you the data, statistics and facts with a large enough sample to be legitimate, but Ponemon doesn’t. They have a smattering of survey respondents.
  2. Their study methods are self-confessed to be not “statistically significant”. A reason why you know they’re shady is that in this published study (2017), see point #1, they don’t mention how statistically insignificant their sample size is, but in a 2009 study they do! The 2009 study about data breach costs (link) has a large section discussing their methods, which makes it statistical garbage and almost meaningless. Perhaps Ponemon just asks a bunch of hacked losers for information? You can read more here (link), where we break things down using their methodology section. The 2017 “study” has nothing about the methodology of how they came to their conclusions, only that…this is our conclusion. We are Ponemon, believe us. We are Ponemon, dum dum dum dum dum dum dum (like the Farmers Insurance commercial LOL). 2017 is therefore as statistically insignificant as 2009 was! They fail to disclose their methods!
  3. Another point, however minor, in the 2017 study is that they survey companies with sizes of less than 100 up to 1000 “head count”. Well, isn’t “less than 100” possibly just 1…or maybe 10? What’s the definition of “SMB” or Small-Medium Sized Business? Seriously? We mention that on our other blog post, but in the US it’s about 99.94% of all business in the US. 99.94% of all business in the US have LESS THAN 250 EMPLOYEES! So you bump that up to 1000 and you’re no longer talking about SMBs now, are you? No, you’re talking about everyone, 100%. They can’t even keep their baselines straight. 250 employees / head count is kind of an industry standard, as far as I can tell, for “SMB”. Anything over that and you’re “Enterprise”.

My final point, however unworthy of a bullet point of its own, on how dopey Ponemon is, is the monetary value. Are they adjusting for inflation? Are they adjusting for the “remediation”? What is it that’s costing companies so much money?

Hmmmmmmmmmmmmm…things that make you go hmmmmm hmmmmm hmmmmmm.

Here’s a screenshot from that study. It seems it’s insufficient budget, with an overwhelming yes! Lack of personnel and budget are the top two (budgetary problems). That reminds me of the IBM King Arthur commercial with the giant sloth approaching the gates (that’s IT security here folks, scare talk about hackers and the dark web) 🙂 (link). King Arthur and the IT knights at the round board room table need to fell the greatest of trees to build a giant catapult to launch the “greatest of projectiles” at the giant sloth (which is funny too because of how slowly a sloth moves; it’s a brilliant commercial really). Then they ask, “What kind of projectile?” Then the “consultant” hurls a big sack onto the table (clink as it hits the table) and they ask…what’s in the sack? He says…MONEY! It’s hilarious AND SO TRUE.

The answer here, people, isn’t to throw money at the problem, it’s to throw engineered solutions at it that don’t cost you an arm and a leg…or a king’s ransom! The answer is to throw legitimate engineers at it to stand up secure-by-design infrastructure, or to evolve your existing infrastructure into something that’s locked down.


When you’re reading about “IT Security” or any of the 21st century snake oil salesman products, beware of being PONED. Always ask questions, dig into the data, dig into the facts. Ponemon is Junkmon and it’s almost unbelievable how credibly they’re taken in the industry. That an industry supposedly filled with so many leery and skeptical people will trust a Ponemon statistic without verifying its “facts” boggles my mind! “The industry” is in fact bamboozled in large part, drinking the Kool-Aid given to them by marketing materials rather than technical specs and technical data sheets.

If you need real technical consulting, give us a shout. Don’t believe the hype. Unhackable IT security shouldn’t cost you a king’s ransom…maybe a prince, but certainly not a king 🙂

