This reasoning is similar to why selling iOS 0-days for a million dollars a pop for a
talented computer scientist is not the most economically appealing choice when you can
potentially build and sell a neat $1 app to 100 million people.
On Aug 24, 2022, at 10:48 PM, Thomas Dullien via
Dailydave <dailydave(a)lists.aitelfoundation.org> wrote:
Hey all,
2022 is a year in which I post to Dailydave *at least twice*. This hasn't happened in
a while.
Dave's last paragraph hits on something that I have repeated to startup founders and
other folks in security for the last few years. When I started optimyze, a lot of my
acquaintances asked me: "Why not a security company?". And my reply was always a
variant of the following:
In B2B, there are three categories of product, and the importance of your sales org goes
up exponentially as you travel down that list:
1. The best category to be in is "top line growth" products. These are products
that the customer buys, and they grow their top line -- e.g. they make more money. It is
the best category of B2B product to build, and things like AdWords fit right into this
category. You won't need a huge sales force for this, as the economics for buying the
product are great, and it will be easy to find an internal champion that wants to shine by
pushing through the purchase of your product. If you have an idea in this category, and
the TAM is large, go for it.
2. The second best category is "bottom line growth" products. They essentially
say "we will measurably save you money, without you having to drastically change the
way you do business". They are not quite as compelling as the first category, and
will work best in down markets or recessions, but they will still allow a good product to
shine, and your sales org to not dictate all aspects of your business.
3. Everything else. This is the category where your success will largely be driven by
your sales org, as the economics of your product are not clear-cut. The quality of your
engineering, or whether your product measurably works, is secondary here - it is only
relevant to the extent that it damages or enhances your marketing message, and
deficiencies can be compensated by louder voices. (Engineering also matters "all else
being equal", but in this category you cannot compensate a weaker sales/marketing org
with better engineering).
Security usually falls into category 3. So as a technical startup founder that is not
good at building sales orgs, you're probably well-advised to stay away from security
products, unless you somehow managed to find a way to be in (1) or (2). This is also a
good explanation why RSA looks the way it does.
Cheers,
Halvar/Thomas
On Wed, 24 Aug 2022, 15:48 Dave Aitel via
Dailydave, <dailydave(a)lists.aitelfoundation.org> wrote:
If you were at a talk at Defcon this year in the Policy track, you probably heard someone
talk about how they, as a government official, are there to address "market
failures". And immediately you thought: This is a load of nonsense.
Because that government official is not allowed to, and has no intentions of, addressing
any market failures whatsoever. If the Government was going to address market failures,
they'd have to find some way to convince every cloud provider from making their
security features the upsell on the Platinum package. They'd have to talk about how
trying to get into different markets means every social media company faces huge pressures
to put Indian spies on their network.
Obviously you know, as someone who did not emerge from under a rock into the security
community yesterday, that the answer to having a malicious insider on your network is
probably some smart segmentation, which we call "Zero Trust" now.
But Zero Trust is expensive! And most social media companies are not exactly profitable
as the great monster known as TikTok has eaten every eyeball in every market because the
very concept of having people explicitly choose who their friends are is outdated now.
In fact, as everyone is pointing out, almost all companies you know are in this position!
They're cutting costs by sending jobs overseas while spending huge amounts of money
propping up their stock prices and paying their executives to sell them to a dwindling
market of buyers. Private Equity companies spend every effort on squeezing the last dollar
out of old enterprise software by exploiting the lock-in they have on small businesses.
And as critical as Twitter is, we have the exact same dynamic with our privatized water
and power companies - who have no plans to make strategic investments in security or
anything really - which is why on public calls you can hear them humiliating themselves
asking Jen Easterly to absorb the entire costs of their security programs.
The ideal practice for all of these companies is to offload their costs onto the
taxpayer, which is why instead of investing in security, they cry for the FBI to go
collect their bitcoin from whatever ransomware crews are on their network this week using
offensive cyber operations that themselves cost the government an order of magnitude more
than the bitcoin is worth.
As you're sitting in that Defcon talk, listening to someone from government talk
about how they only want to regulate with the "input of industry" or something,
you have to wonder: if this is every company we know, maybe the market failure isn't
just how hard it is to buy a good security product because they all abuse the copyright
system to avoid any kind of performance transparency. Maybe it's also how hard it is
to SELL a good security product because every single company is trying to cut their budget
to the exact minimum amount that will allow them to tell the FBI they did their best, and
the FBI needs to go out there and pick up their slack.
-dave
_______________________________________________
Dailydave mailing list -- dailydave(a)lists.aitelfoundation.org
To unsubscribe send an email to dailydave-leave(a)lists.aitelfoundation.org
_______________________________________________
Dailydave mailing list -- dailydave(a)lists.aitelfoundation.org
To unsubscribe send an email to dailydave-leave(a)lists.aitelfoundation.org