Dailydave mailing list archives

Re: "Market Failures"


From: Nathan Landon via Dailydave <dailydave () lists aitelfoundation org>
Date: Thu, 25 Aug 2022 07:37:29 -0400

This reasoning is similar to why selling iOS 0-days for a million dollars a pop for a talented computer scientist is 
not the most economically appealing choice when you can potentially build and sell a neat $1 app to 100 million people. 

On Aug 24, 2022, at 10:48 PM, Thomas Dullien via Dailydave <dailydave () lists aitelfoundation org> wrote:


Hey all,

2022 is a year in which I post to Dailydave *at least twice*. This hasn't happened in a while.

Dave's last paragraph hits on something that I have repeated to startup founders and other folks in security for the 
last few years. When I started optimyze, a lot of my acquaintances asked me: "Why not a security company?". And my 
reply was always a variant of the following:

In B2B, there are three categories of product, and the importance of your sales org goes up exponentially as you 
travel down that list:
1. The best category to be in is "top line growth" products. These are products that the customer buys, and they grow 
their top line -- e.g. they make more money. It is the best category of B2B product to build, and things like AdWords 
fit right into this category. You won't need a huge sales force for this, as the economics for buying the product are 
great, and it will be easy to find an internal champion that wants to shine by pushing through the purchase of your 
product. If you have an idea in this category, and the TAM is large, go for it.
2. The second best category is "bottom line growth" products. They essentially say "we will measurably save you 
money, without you having to drastically change the way you do business". They are not quite as compelling as the 
first category, and will work best in down markets or recessions, but they will still allow a good product to shine, 
and your sales org to not dictate all aspects of your business.
3. Everything else. This is the category where your success will largely be driven by your sales org, as the 
economics of your product are not clear-cut. The quality of your engineering, or whether your product measurably 
works, is secondary here - it is only relevant to the extent that it damages or enhances your marketing message, and 
deficiencies can be compensated by louder voices. (Engineering also matters "all else being equal", but in this 
category you cannot compensate a weaker sales/marketing org with better engineering).

Security usually falls into category 3. So as a technical startup founder that is not good at building sales orgs, 
you're probably well-advised to stay away from security products, unless you somehow managed to find a way to be in 
(1) or (2). This is also a good explanation why RSA looks the way it does.

Cheers,
Halvar/Thomas

On Wed, 24 Aug 2022, 15:48 Dave Aitel via Dailydave, <dailydave () lists aitelfoundation org> wrote:
If you were at a talk at Defcon this year in the Policy track, you probably heard someone talk about how they, as a 
government official, are there to address "market failures". And immediately you thought: This is a load of 
nonsense. 

Because that government official is not allowed to, and has no intentions of, addressing any market failures 
whatsoever. If the Government was going to address market failures, they'd have to find some way to convince every 
cloud provider to stop making their security features the upsell on the Platinum package. They'd have to talk about how 
trying to get into different markets means every social media company faces huge pressures to put Indian spies on 
their network. 

Obviously you know, as someone who did not emerge from under a rock into the security community yesterday, that the 
answer to having a malicious insider on your network is probably some smart segmentation, which we call "Zero Trust" 
now. 

But Zero Trust is expensive! And most social media companies are not exactly profitable as the great monster known 
as TikTok has eaten every eyeball in every market because the very concept of having people explicitly choose who 
their friends are is outdated now. 

In fact, as everyone is pointing out, almost all companies you know are in this position! They're cutting costs by 
sending jobs overseas while spending huge amounts of money propping up their stock prices and paying their 
executives to sell them to a dwindling market of buyers. Private Equity companies spend every effort on squeezing 
the last dollar out of old enterprise software by exploiting the lock-in they have on small businesses. 

And as critical as Twitter is, we have the exact same dynamic with our privatized water and power companies - who 
have no plans to make strategic investments in security or anything really - which is why on public calls you can 
hear them humiliating themselves asking Jen Easterly to absorb the entire costs of their security programs. 

The ideal practice for all of these companies is to offload their costs onto the taxpayer, which is why instead of 
investing in security, they cry for the FBI to go collect their bitcoin from whatever ransomware crews are on their 
network this week using offensive cyber operations that themselves cost the government an order of magnitude more 
than the bitcoin is worth.

As you're sitting in that Defcon talk, listening to someone from government talk about how they only want to 
regulate with the "input of industry" or something, you have to wonder: if this is every company we know, maybe the 
market failure isn't just how hard it is to buy a good security product because they all abuse the copyright system 
to avoid any kind of performance transparency. Maybe it's also how hard it is to SELL a good security product 
because every single company is trying to cut their budget to the exact minimum amount that will allow them to tell 
the FBI they did their best, and the FBI needs to go out there and pick up their slack.  

-dave

_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org