CTO SmackChat: The Dreaded “Pivot”

Your startup is a success! Family and friends have seen you through to the point where an angel investor got excited, and your first alpha customer really likes where you are heading. The beta tests are under way and the feedback is coming in.

One customer says he would be interested in buying if your product could provide two additional capabilities not in the beta version. Another indicates her problem is not exactly the one you are addressing but she sees how it could apply by changing the domain slightly and taking some additional inputs into account. Some feedback says it seems similar to what they are already using. There is a request to show the output on a map background. And, your marketing guru says that several customers are really struggling to solve a problem that one component of your solution could make dramatically easier. Should you pivot, or stay the course? Add features or simplify? Expand to related problem areas? What feedback do you rely on to make those decisions?

A couple things are clear. As a startup your resources are stretched way too thin simply trying to address one market. Expanding to a second problem area before succeeding in the first one makes it much more likely that neither will succeed. The second notion is integrity of a core product offering. If every customer has a different set of implemented features, your business is really a service business built around customizing features rather than a product business.

But the harder trap for most entrepreneurial technologists is falling in love with your own ideas. After all, you thought it up, and your whole career has been built on confidence in your technical ideas. You probably know better than the customer what is really possible from a technical standpoint, and what the hard problems are that you know how to solve. In the end though, the right answer is always what customers will pay for. And in our example above I would be inclined to listen to the marketing guru who seems to be close to some potentially paying customers: perhaps it is time to change the product idea, get rid of a bunch of the features that are not helping differentiate it, and focus on the one core bit that could help several customers solve a critical problem.

There is no science behind when to pivot and when to stay the course. An important indicator is slow or flat sales (or interest) combined with some customer pull along a different development vector than the one you are following. As the divergence grows that market signal gets stronger that the pivot is upon you, but in the end you need to make a judgment call and work with your own company leadership to ensure it is the right one.

Security Spaces Worth Watching

People sometimes ask about the process by which we select companies for participation in our accelerator program. One of the challenges with investing in the information security market (or any early-stage technology space) is that of identifying companies with a product that is both different and useful.

While “different” is an important criterion, it is necessary but not sufficient for a product to be successful in the market. For a product to be “useful,” it must address a real-world problem in an accessible way.

Thinking about what might be useful naturally leads us to ponder where the real, unsolved problems lie. In this article I’ll describe some areas in which I see opportunities for people who want to solve important security problems in a new and different way. This list is by no means exhaustive, but it includes approaches where we see underserved markets, new ways to deal with old problems, or significant chances to make a dent in the continuing onslaught of security threats that people experience every day.

Encapsulated Expertise

This isn’t a technology approach so much as a useful measure of whether a company’s product is likely to matter in the market. As I described in a previous article, if one looks at the history of the information security market, many of the most significant developments have been products that somehow embodied the experience of skilled people who may be expensive, difficult to find or hire, or simply rare enough that it is impossible to find enough of them to fully staff a security function. It is probably fair to say that the same value applies in the network operations markets as well. As we saw with the network intrusion detection system (IDS) market, a product that can identify important events and route them to the most appropriate people may allow an enterprise to make more efficient use of the people who are already there.

The hard part of building good products that embody or automate expertise is that there are natural pressures that tend to make the product complicated for the user. The most successful products not only solve complex security problems with automation, but also provide improvements in product usability and organization workflow.

A definition of a “home run” might be a security product that also simultaneously improves the user experience or user interface of something that people do every day. Those are rare, but when it happens, the opportunity is worthy of note. By some measures, Single Sign-On technology might be one example of improving the end-user experience while also enhancing security. It’s not always easy to deploy, but if done well, many people save time and administrators have a better handle on identity management.

The Internet of Things

A problem in the security business (and perhaps any technology sector) is that people toss terms about without actually agreeing upon what they mean. Perhaps the best example of this is “The Internet of Things.”  Because anything can be a “thing” it’s difficult to even know where this category begins and ends.

If you have been wondering which things are capital-T “Things,” here is a list of some examples that might fit the description:

  • Network-connected home appliances like the Nest Thermostat
  • Network-connected sensor devices such as electric power meters
  • “Smart cars” and “smart highways”
  • Industrial control systems
  • Remotely piloted vehicles
  • Any device that can be attached to a wired or wireless network that isn’t a computer or workstation at which you can sit.

This category creates security challenges because:

1) These things can provide a point of entry for attackers to the rest of your network

2) Some of these things have the ability to affect the physical world in real ways

3) These things may be transmitting information about you or your environment with significant implications for your privacy.

Sometimes, existing tools may be helpful for improving the security of connected devices, but there are constraints that may not be present with a regular computer. Connected devices may have minimal processing power, limited communications bandwidth, and in some cases, very limited power budgets due to battery size limitations. This necessitates new ways of approaching security management and monitoring.

Software Defined Networks

Another area that is showing up more and more in the enterprise IT conversation is software defined networking or “SDN.” This is another space that means different things to different people (and vendors), but the general idea is that the flexibility of networking equipment hasn’t improved as quickly as the flexibility of computing systems has. For example, the use of virtualization has made it very easy to move an entire server’s configuration and data from one computer to another very quickly and much more easily than the traditional process of installing everything on a new machine, verifying that the new system does the same thing as the old one, and then moving the data.

Similarly, software defined networking offers the promise of simpler and more flexible network routers and/or switches where even low-level configuration changes to hardware behavior can be stored in profiles and pushed out from a central management point. This technology potentially even allows for radical reconfiguration of the network “fabric” while systems are in operation without significantly impacting throughput on the network.

Obviously, this flexibility is powerful for enterprise network managers in terms of enabling new ways of adapting to enterprise needs very rapidly. This flexibility may come at a security cost, however. The standards and technology approaches in this area are still somewhat young, and some of the emerging standards don’t address security in much depth yet.

Some things to consider about SDN include:

1) The implications of centrally storing the configuration of your entire network on a system that can transmit changes that take effect rapidly;

2) How to prevent unauthorized access to the management/change function on individual routers or switches

3) Emergent network effects after making a change – do side effects “ripple” through the network afterward? How long do they take to dissipate?

Zero-Trust Security Models

Recently, a number of organizations have been advancing an approach to security that is a departure from traditions and practices that current information security practitioners hold dear.

The “zero trust” or “untrusted everything” approach is driven by the need to acknowledge that threats and attacks have changed more quickly than our defenses have. Current environments often have pre-defined trust relationships between various  computer systems. The problem is that an attacker can compromise one system and use it as a springboard or stepping stone to other systems that are configured to trust the first.

These approaches often explicitly reject the idea that there is an “inside network” of trusted resources and an “outside network” full of bad actors waiting to attack things.

In the past, enterprises would often deploy some perimeter security technology at the border between the “inside” and the “outside”, while frequently neglecting security improvements to systems on the “inside.” Security people have long referred to the resulting condition as having a “hard shell with a soft, chewy center.”

Today, not only is there ambiguity about exactly where “inside” ends and “outside” begins but also an increasing mix of mobile devices that may connect to internal networks while also sometimes traveling to hostile or insecure networks. Using your mobile handset in a favourite coffee shop and then in the office might be an example of that scenario. Sometimes these devices may even be personally owned, which may make it difficult to choose a satisfactory protection regime that allows users to get their work done on tools with which they’re the most comfortable.

In order to even begin to address this ambiguous environment, it is necessary to make some decisions. One decision that can guide the beginning of a workable strategy is to declare that bring-your-own-device environments, and networks running personal applications should be considered untrusted.

Some organizations choose to turn a blind eye to the prevalence of personally owned devices and personal applications while tacitly acknowledging that there is a productivity benefit to allowing their use. Reality requires that an organization develop a strategy to mitigate risk sufficiently in a world that isn’t black-and-white.


To Mach or Not to Mach

“To Mach, or not to Mach”

So you’re thinking of applying for the Mach37 program? You’re unsure. You’re skeptical. After all, you know this industry inside and out. You’re convinced your solution is the hottest thing going and there’s no competition. You are going to raise some capital from the money you’ve saved, get a few friends to kick in and you’ll sell this company for a gazillion dollars in a year or two to Facebook. Simple plan. Fool proof. That’s why everyone does it, right?

Not so fast…

What do your customers think? Oh you don’t have any yet? Surely they need this solution because you know your technology. You’ll just call up a few government clients where you provided great support and they will just write the Purchase Order. Maybe. Or maybe you’ll chase the “opportunity” for 18 months (standard) while you pour all of your money into product development. Double your estimate of development time and cost. The bank account is dwindling. Maybe you’ll just take a part-time support contract and bill some extra hours. There goes 30 hours that you are going to need but just don’t know it.

Call John and Susan. They are great sales people and are under appreciated at their established publicly traded firm and surely can “moonlight” and get your product out there. They surely will work for “equity” and prioritize this over their $150k year guaranteed salary with bonus opportunities.

Have you thought about intellectual property protection? Trademarks? Total available market? Go-to market strategy? You’ll just figure it out along the way and find an outsourced firm to do that.

You’re a little frustrated though because you’ve explained this technology to your peers and they just don’t get it. It’s because you’re just too smart. It has nothing to do with your inability to articulate the value proposition.

You’ve looked at Mach37. They want a small percentage of your company from the start. Are they crazy? This company is going to be worth millions and you’re going to maintain 90% ownership. If you need capital, the angels will certainly come knocking on the door and Venture Capital firms will stroke checks for millions, asking, asking only a few percentage points.

A backup plan is good. You’ve heard Kickstarter crowd funding is a sure fire way to raise a ton of money. Fool proof plan…can’t lose.

At this juncture, may I suggest setting up a lemonade stand and charging $100 per cup? You’ll more likely to be successful.

Mach37 partners know the industry. They are connected to almost EVERYONE and you will be introduced to many of them. They know products. They understand the market, the competition, the pitfalls and they know how to develop a successful business plan. They are patient. They understand pivoting. They are a holistic accelerator that will give you the best chance to be successful. They provide funding. They introduce you to the real players. And the Thursday night dinners are pretty good too (I highly recommend the cannoli)!

Summarized…apply. Consider it a privilege to be considered and an honor to be accepted. Focus and give 110% to the program if you get in. Be the first in and the last to leave every day. Execute. Accept criticism and feedback. Engage. Debate. Fail. Pivot. Improve. Succeed. Excel.

My name is Shawn Key. I am the founder of Key Cybersecurity, Inc., a Mach37 inaugural cohort member. We are the developer of CyberMerlin, a cyber security illicit file detector geared to Fortune 500 and K-12 enterprise network organizations. We raised $250k in funding in four months and are poised for success. I continue to reach back to Mach37 weekly to ensure I am focused and on the right path. I owe this chance to be successful to Mach37 and the great resources they introduced to me during the program. By far, this is the best experience I have ever had and I am thankful to everyone who took a chance on me and set me on the path.

The ball is in your court….apply.

Shawn R. Key
Founder, Key Cybersecurity, Inc.
“2014 NVTC Destination Innovation Award (Security Category)