It is often said that we learn more from our failures than from our successes.

I was recently asked to share an ongoing technology problem in government that has frustrated me over the years and remains unresolved in most state/local government situations. Here’s the story I told about why it is so hard to bring in hot new technology (that is needed) from startup companies:

Back in late January, 2014, a delegation of public and private sector technology leaders from Michigan visited Israel for their excellent Cybertech 2014 event in Tel Aviv. It was a great event, wonderful trip, etc.

As Michigan State Government’s CSO at the time, I was especially impressed by the many new cyber companies, their “Start-Up Pavilion” and the culture developing between Israel’s tech and defense communities.

We learned a ton, and our team was energized by the ideas, innovation and “get it done attitude” that we observed. You can read more about the trip and related background material in this Government Technology Magazine blog.

But as Paul Harvey used to say, “Here’s the rest of the story…”

After we got back from the Middle East, my former boss, Michigan CIO David Behen, asked me, “Which were your favorite Israeli start-up companies and why?”

I pulled out a list of about ten or so companies, and we discussed each of them for a few minutes.

David pressed further, “OK, I know this is hard, but what were your top five?”

I gave David my list, and I even wrote about them in my govtech.com blog:

Here are a few examples of start-up companies that we were impressed by:

Seculert – Advanced threat protection with no hardware or software. “Seculert provides an integrated platform that analyzes malware communications, traffic logs, and suspicious files to identify known and unknown advanced threats.”

Aorato – Protects Active Directory (AD) from advanced attacks.
I asked the CEO Idan Plotnik what the company name meant, and he said, “Invisibility” in Greek.

SQream Technologies - Big data benefits which are faster and cheaper. “SQream Technologies provides you with state of the art software which combines modern GPU technology (Graphic Processing Units) with the best practices in today's Big Data platforms, providing up to 100x faster insights from data.”

Other start-up companies that impressed us included LightCyber for targeted threat protection and Dome9 for securing cloud apps.

Finally, David went even further: “If you had to pick just one - who would it be?”

I said, “That’s really tough, they are all so different. But if I had to pick just one – I’d pick Aorato.”

My boss asked, “Why?”

“Because … Yada, yada, yada…”

(Note: For a variety of reasons, I don’t feel the need to go into the details of Aorato’s products/services or state government security needs in this public blog. Needless to say, several key people saw benefits to this particular vendor solution. More important, those details are not required to make the point of this particular piece.)

“OK, go for a pilot,” David replied.

With that support, I set off in February to build the necessary coalition within the technology department to kick-start a successful proof-of-concept and security infrastructure pilot with Aorato.

(Note: Michigan government has a very centralized technology function with centralized authority and an ample security budget. The good news right off the bat was that initial funding and authority were not significant hurdles in this particular case. However, these can be major issues in other governments or situations.
The budget would even have been a major issue a decade ago in Michigan with major cuts all around.)

So here’s what we did:

STEP 1: Get my own security team onboard – I pulled my direct reports into my office and told them about the trip to Israel, along with some details on a few cyber companies that I liked. After answering a few questions, the team left – looking forward to the upcoming WebEx meetings.

STEP 2: Scheduled the online demo – My excellent executive assistant coordinated a WebEx demo, but the first available date was 3-4 weeks out due to very busy schedules.

STEP 3: Scheduled another demo for those who didn’t make it the first time – The first demo went great, but several people could not make it because of last minute “mini-emergencies.” The best date for the next meeting was another 2-3 weeks out due to very busy schedules and other higher priorities like Windows XP migration and other “hot” deadlines.

STEP 4: Corral the troops – I asked: “Isn’t implementing this a good idea? Let’s make the business case.” After a second round of demos that included some of our key onsite vendor partners, the reaction was only lukewarm.

Typical comments were:

“Sounds ok, but we’re too busy.”

“What can you take off our plates to do this soon?”

“Are you sure this is such a hot security issue for us?”

“I like it, but can we even buy from a foreign start-up company? Do we really trust these guys?”

“I don’t see what this will replace in our current security architecture? We use Office 365 in the cloud. How can we do this without new staff or, yada, yada…”

STEP 5: Get in Line - I decided to make a few phone calls to key directors, managers and other leaders and push the issue harder. I even told a few people to get it done. They said Ok, but pushed back harder. What could they stop doing if we do this?
They finally agreed to develop a pilot project charter.

A few weeks later, some of the staff working the pilot came in and asked: What are we really trying to accomplish with this product? “Can’t we do this in 3-6 months after we finish identity management and other more important projects that we are on the hook for delivering on time and on-budget?”

STEP 6: Fight the vendors – Meanwhile, I spoke with a few key vendors who I trusted. They didn’t say “No, this is a bad idea.” But… they clearly had their own special interests. They wouldn’t go out of their way to see another new competitor’s product succeed – especially a startup with no track record.

STEP 7: Procurement Woes – After a project update meeting in June, I pushed the issue again with various team members. I remember getting a phone call from some procurement specialist asking: “How can we pay for this, even if we like it and the pilot is successful?” Can we buy this sole source? What would be the justification? (Answer: No sole source).

One person made it clear, “There is no competitor. This is a one-of-a-kind product. Also, the vendor has no track record with unique testimonials? How can we pay for the product?”

STEP 8: Project champion leaves – When early July rolled around, I announced that I would be leaving state government in August to join Security Mentor, as their new Chief Strategist & CSO. Over the next few weeks, I watched as my departure announcement took the wind out of the sales for this product. My last day in Michigan State Government was August 1.

STEP 9: Project Stalls with other high priorities taking precedence – I spoke with some government colleagues in September, and they told me that they stopped working on the pilot. The reason: two other higher priority security efforts, including identity management and the enterprise-wide risk assessment.
Both of these projects had gone through the formal Request for Proposal (RFP) process, with competitively won contracts. Management expectations were high on those efforts. There were no available people to work out the necessary details for a pilot with Aorato.

STEP 10: Microsoft Buys Company – And then… in November, I see this blog announcement from Microsoft, announcing that they are buying Aorato. (This was actually welcome news to me from a distance, and made total sense given the functionality of the product protecting Active Directory.) If you go to the Aorato website, you get this message:

We are excited to inform you that we have been acquired by Microsoft.

Hello Microsoft,

At our core, Aorato has always been focused on strengthening enterprise security, by giving customers deeper visibility into their Active Directory and identity infrastructure with an emphasis on user behavior intelligence and analytics. Joining Microsoft gives us a unique opportunity to pursue this vision, and help customers at the broadest possible scale.

With this acquisition, we will cease selling our Directory Services Application Firewall (DAF) product. As part of Microsoft, we will share more on the future direction and packaging of these capabilities at a later time.

Thank you to all who have supported Aorato.

In conclusion, this story has both a happy and a sad ending. The happy ending is that Michigan can implement the functionality within the current Microsoft contract that is already in place - since the startup company was bought by Microsoft.

The sad ending (to me) is that it took so long. We didn’t get it done faster.

One colleague told me: “See Dan, I told you so. This Aorato acquisition just proves my point – Wait long enough… and the innovative companies will be bought and rolled into existing products from existing large vendors.
Dealing with technology startups is too hard and usually ends badly.”

And My Point Is…

Perhaps you’ve heard this quote from Denis Waitley: “Failure should be our teacher, not our undertaker. Failure is delay, not defeat. It is a temporary detour, not a dead end. Failure is something we can avoid only by saying nothing, doing nothing, and being nothing.”

I share this story, since the problems identified, when a security startup company tries to sell to a government organization, are not unique to this particular Michigan situation. I hear similar stories from colleagues all around the country. Vendors need to remember that they are usually selling to over-stretched technology and security teams that rarely have dedicated research, development, test and evaluation (RDT&E) teams.

No, selling to governments is not hopeless for startups. Yes, there are plenty of things that I could have done differently. As I look back at what happened, I made mistakes. I could have pushed harder, made more phone calls to the vendor, asked more questions or taken a host of other actions. I was accountable. I tried, but not hard enough.

The new Michigan DTMB Strategic Plan even calls out special efforts to dedicate staff for innovative initiatives in the future. Other governments are planning similar innovative things – so take advantage of those special programs for small companies.

But my point is that government technology and security teams struggle mightily to implement hot new products, even when they know they need them. There are numerous reasons for this; many of the reasons can be seen in this brief case study. Some issues flow from governance models, others from culture and others from government procurement challenges. Regardless of the reasons, it is hard for very small or startup companies to sell bleeding edge technology to most government organizations.

In my next blog early in 2015, I will return to this topic and provide some lessons learned from the government side and some tips for vendors who are trying to break into the government marketplace to sell technology and security.