Mr. Craig D. Brennan
President and CEO
Tumbleweed® Communications Corp. (Nasdaq: TMWD)
SecuritySolutionsWatch.com: Thanks for joining us today, Craig,
and congratulations on your new position as President and CEO of
Tumbleweed. Please give our audience an overview of your
background.
Craig Brennan: I’ve been in the enterprise software space
for most of my career, beginning with business applications as a
management consultant at Anderson and Deloitte, and moving into
corporate roles at Oracle and Brio. Brio, a $100m public company
which was acquired by Hyperion, provided business performance
software for enterprises, and the division I led at Oracle
provided CRM solutions scaling from mid-size companies to
enterprises. I have a great deal of sales, marketing and
operational experience. The common thread throughout my career is
a passion for software solutions that extend and enrich business
processes.
Tumbleweed provides enterprise software products that improve
business processes by enabling the secure exchange of information
over the internet. Tumbleweed’s business model is similar to
those I’ve worked with in the past, as is the audience and
customer base. I look forward to incorporating the strategic and
operational models I’ve used in the past, while at the same time
enriching my understanding of the security space.
My objective as president and CEO at Brio was very clear -- to
turn the company around and regain profitability. I was very
pleased with the success I had, and I left there feeling like
I’d accomplished what I set out to do. With Tumbleweed, my
objective is different, but equally clear -- grow the business to
the next level, through products, channels, acquisitions, whatever
makes sense. Grow the business, improve the bottom line and
enhance shareholder value. That challenge appeals to me, and I'm
excited by the prospect of making this happen in such a dynamic
space.
SecuritySolutionsWatch.com: Tumbleweed has an impressive track
record of “wins” with 8 out of 10 of the top US banks, over
40% of Blue Cross/Blue Shield companies, and all four branches of
the US Armed Forces. Please tell us about the solutions which
Tumbleweed provides to these major markets and feel free to
mention a specific “success story” in each one of these major
markets.
Craig Brennan: Sure. While we have customers in a wide
range of market segments, our strategic verticals are financial
services, healthcare, and government. A common thread running
through all of them is the need to protect the highly confidential
information they're entrusted with, including personal identity
information, financial data, health information and of course
national security.
We enable our customers to automate and manage communications
processes, protect communication channels from threats, and move
information securely over the Internet. Our products sit at the
gateway between the organization and the Internet, which lets us
do a few interesting things.
For example, we can look at information coming into or leaving an
organization, compare against policy, and make decisions about
what to do with that content.
This allows us to block things like dark traffic, spam, viruses
and phishing attacks on the inbound side, while preventing
confidential information, identity information or trade secrets
from leaving on the outbound side.
Or we can do things like encrypt at the gateway if an email or
file contains confidential information, but is headed for an
authorized recipient or trading partner. Or block messages with
social security numbers in the attachments if they're going to an
unauthorized recipient.
Our customers generally use several of our integrated products in
combinations that allow them to meet their specific business and
security objectives.
Many of our Blue Cross / Blue Shield customers use Tumbleweed
products to stop malicious traffic from coming into their
networks, while selectively and automatically encrypting valid
outbound communications that contain private health information.
This keeps them compliant with HIPAA mandates for data protection,
but also provides productivity and security benefits outside of
HIPAA in the same product. With Tumbleweed, they have fewer things
to manage, fewer points of failure, and the ability to use the
public Internet to move information for timely health information
management.
In the financial services market, Tumbleweed recently hosted a
Webcast with Gartner Group and Experian that went into some detail
on how Experian is using Tumbleweed products to manage and secure
the movement of credit information over the Internet. The old way
meant that business partners, lenders, banks, etc. had to use
trucks and magnetic tapes as the primary means of updating
Experian. That's essentially 1950's technology. So you're dealing
with the problem of information 'freshness' while data is on the
truck, in addition to a real crisis for the sender when a tape
goes missing, as has been reported in several high profile
incidents in the past few months. Our products are a faster,
cheaper and more secure replacement for legacy technologies and
business processes.
One of our government customers, the U.S. Department of Defense
Public Key Infrastructure (PKI) Program Management Office is
providing world-wide digital certificate validation to more than
1.3 million users using Tumbleweed products. With support for
numerous widely adopted security standards including the Online
Certificate Status Protocol, the VA ensures that revoked PKI
credentials cannot be used for secure email, smart card login, web
access, wireless, VPN, or other electronic transactions that might
compromise mission-critical DoD infrastructure.
SecuritySolutionsWatch.com: "Phishing" threats are
becoming more and more prevalent and sophisticated. Yet, many
business people and consumers are still not familiar with how
these "scams" work. Please give us an overview of "phishing"
attacks and how best to protect against them.
Craig Brennan: Phishing attacks have one end-goal -- ID
theft. They achieve this by encouraging users to give away
confidential information by pretending to be a trusted brand -- one
that the victims might do business with online.
Customers (and employees) of banks, credit unions, government
agencies, insurers, healthcare providers, and retailers are all
targets of these online scams. These are our customers, which is
why we founded the Anti-phishing Working Group over a year and a
half ago as a forum for really understanding and arriving at
solutions to this fraud problem.
In phishing, email users receive a spam message claiming to be
from a trusted brand, requesting that a link be followed and
information of some sort be updated. Upon clicking the link, users
are taken to a fake web site, where login information, account
numbers, and other identity or access-information are stolen by
thieves and fraudsters. The critical bit with phishing is the hook
-- the email. It is also the weakness, as phishers rely on spam
techniques to blast out the fake messages, including sender
forgery, shotgun-style distribution to the Internet at large, and
the use of zombie networks.
In the short run, Tumbleweed stops phishing attacks by identifying
and filtering out these messages using our MailGate anti-spam
solutions. For almost 2 years now, we’ve been analyzing and
blocking phishing attacks based on a live feed of reported
phishing attacks coming to the Anti-Phishing Working Group. In the
longer run, our vision is that organizations will apply next
generation email authentication approaches such as digital
signatures, SPF, SenderID, and DKIM to identify and block email
messages that have been spoofed, effectively killing the sport of
phishing. Tumbleweed has been working closely with the leading
vendors and ISPs in the email field to create these next
generation email authentication standards, but they will take time
to be broadly adopted and deployed – in the meantime, pragmatic
spam filtering solutions will be the answer.
SecuritySolutionsWatch.com: End-users today seem to want a suite of
comprehensive, secure messaging solutions from one vendor in one
box for greater benefits and lower costs. Are you seeing evidence
of this among your customers? Is Tumbleweed positioned to respond
to this trend?
Craig Brennan: Yes, and yes. During my career I’ve worked in
several different segments of the enterprise software market, from
CRM to BI. One thing these markets have in common is that
they’ve matured from many providers of point solutions to a
small group of providers who offer comprehensive, integrated
applications. The secure communication market is poised to follow
this same evolutionary path.
When I look at the landscape, there are 50+ competitors in this
space, 30 of whom are under $25M. This tells me that the industry
is still fairly immature and fragmented. The space is growing
rapidly, and I expect we’ll see the same consolidation we’ve
seen in ERP, CRM and BI: fewer players with more comprehensive,
complete solutions. The focus will inevitably move from point
products to solution suites, and right now there are no clear
dominant leaders. Tumbleweed has an advantage right there -- the
company’s products were developed to interoperate and provide
complete functionality for our customers. We’ve had a complete,
single-vendor approach for some time, have been battle-tested in
some of the most demanding companies in the world, and we’re
well-positioned to lead the market as consolidation occurs.
SecuritySolutionsWatch.com: To combat e-mail forgery and protect
the value of the Internet for customers, Cisco, PGP Corporation,
Sendmail and Yahoo! are submitting the e-mail authentication
specification DomainKeys Identified Mail (DKIM) to the Internet
Engineering Task Force (IETF) for consideration as a new e-mail
industry standard and to help enable industry-wide adoption of the
technology. Tumbleweed is part of a select group of companies who
played a valuable role in furthering the development of the DKIM
specification. Would you kindly give our audience an overview of
the DKIM project.
Craig Brennan: Spam, viruses, phishing attacks and other
email threats rely heavily on forged 'from' addresses in order to
mask the true source of the offending message. They do this to
avoid prosecution, trick end users, and leverage zombie networks,
while rendering address-based block lists ineffective.
The goal of the various email authentication proposals out there
is to provide positive verification that a given message is really
from the sender or organization it claims to be from. Once you
have proof that a message is from a real sender, you have a
framework for making decisions based on identity - like bypassing
spam filters altogether for trusted sources (minimizing false
positives, or email incorrectly blocked as spam), dropping
messages from zombie networks en masse, or building reputation
services based on sender that allow you to evaluate behavior over
time and filter accordingly.
DKIM in specific is a digital signature-based e-mail
authentication proposal which is based on Yahoo!’s DomainKeys
e-mail authentication technology and Cisco’s Identified Internet
Mail, with Tumbleweed lending technical expertise from our
experiences developing the S/MIME standard. DKIM was developed to
give businesses and consumers a stronger, more accurate means for
identifying legitimate e-mail messages. And it provides
transactional institutions added brand protection by giving
consumers increased assurance of the legitimacy of the e-mails
they receive.
DKIM uses digital signature technology to authenticate an email
sender's domain. This reliable authentication information enables
local policies to be safely implemented on the recipient's email
server or relay. It also provides a key trust element for
domain-based reputation services to emerge in the future, possibly
replacing IP-based reputation services. Like S/MIME, DKIM relies
on public-key cryptography. A DKIM signature can co-exist with an
S/MIME signed and/or encrypted email. It differs from S/MIME in
two important ways. Firstly, the signature is embedded in the
header of the message, and is not visible to the end-user
recipient. This means that the recipient's email gateway can
perform the signature validation and enforce policy without
relying on the end-user to decide what to do. Second, there is no
real concept of a certificate associated with a DKIM signature.
The necessary keys to validate the DKIM signature are published in
the sender's DNS record. If the DNS query of the sender's domain
by the recipient's MTA returns a key that can "unlock"
the signature to verify it, then the original signature is deemed
to be legitimate.
DKIM addresses many of the shortcomings present in SPF and Sender
ID, namely that 3rd party emailers and mail list operators can
leverage DKIM effectively to authenticate a sending domain's
email. The industry-led coalition that developed DKIM includes all
the major players in the email as well as Internet authentication
markets. The group relied on Tumbleweed's own domain-based S/MIME
experience to help guide many of the technical decisions. While
the adoption of DKIM may take a bit longer than SPF or Sender ID
due to the fact that both sender and recipient MTA must support
the standard, the long-term prospects for DKIM providing a robust
email authentication infrastructure are good.
SecuritySolutionsWatch.com: Tumbleweed has generated losses the
past four years. What can you tell us regarding Tumbleweed’s
profit outlook going forward?
Craig Brennan: One thing I learned at Brio -- there is
always a penny to be found, and a penny to be squeezed. At
Tumbleweed, the challenge is to continue growing revenue while
rigorously policing expenses, and optimizing operations. The
company has a great team in place, and we’re cash flow positive
and nearly profitable. We have a great opportunity to get
profitable quickly, and continue to accelerate our growth through
sales productivity, partnering, international expansion, and
product diversification.
Clearly, we have an excellent opportunity to reach sustainable
profitability moving forward. As to exactly when, I can’t make
predictions on that.
SecuritySolutionsWatch.com: Thank you very much for your time
today, Craig.
