How to figure out what cybersecurity product to build for clients that might not know what they need?

A recurring challenge for cybersecurity practitioners is the frustration of understanding the security problem while not necessarily having a consistent or direct path to solving it. There are three seemingly contradictory reasons for this.

  1. When asking a client what they believe they need, it’s common that their beliefs aren’t grounded in fact or accepted security best practices. Because of their lack of awareness and experience, any security ideas that are seemingly related are accepted as good and useful.
  2. When contemplating industry need, you learn quickly that the teams building cyber security products aren’t usually cybersecurity experts or practitioners, and therefore don’t have the context to correctly identify and address critical industry challenges.
  3. Examining cybersecurity buying or adoption trends as a means of “crowdsourcing” that awareness, you quickly realize that, our cybersecurity industry is very good at diverting prospective clients from what really solves cybersecurity challenges to new and exciting ideas. When any new idea funded by big investors is a brilliant idea (if you ask them) overworked and less experienced teams are simply distracted from what they actually need. It becomes a situation of a hammer looking for a nail, and any nail will do.

Getting to the Data, over one hurdle at a time

In our first case, if unrecognized, human nature and confirmation bias will wreak havoc with any analysis.  People are generally averse to conflict, and most do not relish giving bad news or risking their own credibility.  As a result, when, in the course of asking someone if they think something is a good idea, more often than not your audience will tell you it’s a good idea and it could work. Generally speaking, it’s much easier to be agreeable in order to smooth communications, and people like easy communications. A true friend and a great prospective product user is one that will tell you when they think your idea is flawed. Keep the direct and honest people close and let them know how much you appreciate their candor – people who know our industry, understand how to solve the problem you’re proposing to solve, and are brutally honest, are scarce, but will save you TONS of time and potentially your business.  Over the years I have talked to hundreds of people have told me my ideas are is great, but they didn’t have the understanding or commitment to personally participate when the time came to join or sign a check.

In the second case, we start with the many people in the cybersecurity industry who are very capable of building solid, attractive, products, but have no experience in the deployment, use, or integration of those products.  They’ve never been practitioners at that level. The best analogy I can draw – imagine a world where very capable pharmaceutical developers don’t understand human behavior and never talk to doctors.  The results would be a world  filled with effective pharmaceuticals that people don’t use.   Think children’s vitamins that require intravenous injection everyday, or antibiotics that need to be taken every two hours, day and night.  In cybersecurity it’s great to have an idea, and yes it might solve a problem, but it doesn’t matter if no one wants to use it or invest their time in understanding it.  This, unfortunately, is a big issue in our cybersecurity industry: the cybersecurity industry is shifting so quickly that the usual product and market advisors, and their opinions,  are being outpaced by the evolution of the problem space.

Third, have you noticed that certain years are marked by a new wave of development in a specific cybersecurity technology?  I mean honestly – we had one year that was all EDR.  Everyone was an EDR company, even companies that only had tangential investments in the space. We had another year where everything improved cloud security. Everyone was a cloud security company. You get my drift. Our industry is plagued by groupthink that will not solve the true, underlying, cybersecurity challenges. The upside to this is there are sales and marketing dollars being poured into the industry to make prospective clients aware of their critical needs. The downside to this is we are just kicking the can down the road and not addressing the comprehensive challenge of cybersecurity that continues to exist within our industry. There is a real upside, though: While people are following the crowd –they leave behind massive white space in the cybersecurity industry that no one is now, or will ever be, thinking about.  For anyone developing products there’s much you can do help our industry.

As you start your journey to figure out a product direction to pursue, here are three questions to ask yourself:

  1. Do my clients needs this? You need to talk to clients and ask them.
  2. Does the industry need this? Are you building a feature in someone else’s platform, or is this an independent and viable product for the long term? Features are great, but be honest with yourself about the scale and differentiability of your offer because it changes your sales and marketing strategy.
  3. What are current industry trends and where do I see the market going?

People outside the cyber security industry don’t realize is that it’s unlike any other technology market today. It’s an established industry vertical that has only been popular for the last 10 years or so, and as a result, we have inexperienced professionals trying to solve in increasingly sophisticated set of problems. That’s okay.  It just requires a healthy dose of humility and the willingness to keep asking yourself, ”Do my clients really need this?  Is it complementary to other offers in the industry?  Does it address problems the industry is going to have in the future.”

Internalize these facts and let them guide your questions, your confidence in your own opinion, and your diligence in validating important decisions.  The white space is everywhere, and you just need to carve out your place in it.