Avoiding The Infosec Extinction Part 1.

800 words, 3½ minutes.

Making Your 1st Decision

Spinning Top

This is the first of a short series of posts about the Cyber Security market. This market is interesting now because I believe it’s at a juncture where we can choose one of two possible futures. We being the product builders, investors, and customers. The choice being whether to align ourselves with reality or fantasy.

Plenty of markets perpetuate a degree of fantasy. A beautiful story told by companies to customers or by customers to each other. Among the worst are faddy diets, magical hair products, and miracle anti-ageing treatments. When pressed, their proponents argue that the customer is happy. They must be getting value. After all, they keep buying.

The fact that the product doesn’t materially change their outcome is overlooked. Results in these markets tend to be hard to measure, subjective, uneven across customers. The customer buys because he knows buying something is better than nothing. He knows at some level that he’s trying to prevent the inevitable.

Switching costs in those markets are low. If a breakthrough product suddenly appears, customers can easily seize it. Worst case, they need to spend a few seconds reading the label on a bottle. They can always find a little more space on the bathroom shelf. The amount spent on such items in any month isn’t particularly material.

Fantasy is a spectrum; at one end we have the market for hammers and nails. Not fantasy. At the other end we have healing crystals and lucky charms. Voodoo.

The reality for many customers is that Information Security outcomes are not improving. This is in spite of excellent products. The fantasy is that somehow the market for security will keep growing (as it has done up to this point) regardless of that fact. Said another way, the fantasy is that a given budget holder will continue to allocate new funds even though he has little evidence his risk is being reduced.

How long can we really expect that to go on?

We can argue about why outcomes are not improving. We can argue why it’s still necessary to tell users to beware of email attachments. We can argue about whether the focus should be on skills or systems. We can argue why we still rely on users not clicking “OK” when they are told there’s something wrong with a digital certificate. We can argue customers aren’t using products properly. We can argue that the bad guys are getting smarter.

None of that will matter, because those arguments aren’t persuasive to budget holders.

Sooner or later the fact that outcomes are not improving will force us to confront reality or slip permanently into a beautiful fantasy. In the fantasy world, a wise AI wizard casts a signature-less spell over the dark waters of a data-lake. Advanced Persistent Threats are slain. Camelot is secured and Guinevere kept safe by knights of the magic quadrant. Everyone lives happily ever after.

Some customers have woken up from this fantasy and are attempting to rouse vendors. The more independent-thinking analysts have also noticed this gap between fantasy and reality.

The way out of the fantasy is to wake up. Waking up means embarking on a different quest. It means uniting the three kingdoms of Torvalds, Gates, and Jobs. It means solving the riddle of integration. It means mastering the alchemy of automation. It means accepting that you’ll never command an army of Cyber Security knights, because they take too long to train and cost too much gold. Choosing reality sounds less exciting than a beautiful dream, but that’s because I haven’t told you about the treasure yet.

There’s a treasure?

The Treasure

What if there was a way for customers…

  • To still choose “best of breed” products while reducing integration burden?
  • To accelerate deployment of new products, getting them into service faster?
  • To add products without a constantly increasing skills burden?
  • To switch out inferior products without disruption?

What if there was a way for product builders…

  • To make it quicker, easier, and cheaper to bring a new product to market?
  • To make product trials easier?
  • To make smaller, more specialised products economically sustainable?

What if there was a way for investors…

  • To increase the chances of continued growth in the security market?
  • To make acquisition of portfolio companies more likely?
  • To reduce funding and time required to build and launch products?
  • To reduce risk associated with finding product/market fit?

Over the next few posts I’ll explore how the Cyber Security market might better align itself with reality, and how we might get our hands on some of that treasure. If that sounds interesting then check back soon or follow me on Twitter or LinkedIn.

Nick Hutton

Engineer, Investor, Founder, Product Manager

London, England https://blog.eutopian.io