Cybersecurity Product Building - Initial Ideas and Vision are Hypothesis
Founders and Product Manager: Having initial ideas and technical vision is great.. But they are just ASSUMPTIONS. Plus a free 4U problem template for cybersecurity startups
Hello Cyber Builders 🖖
This week, we are continuing the series on building great cybersecurity companies. This new series discusses the establishment of a new cybersecurity startup. My goal is to detail the methodologies that aspiring entrepreneurs should employ and the tools they need to master.
Last week, I emphasized aligning your new cybersecurity product with the expected business outcomes and, as a startup founder, your company runway. I also stress the idea that initial vision and ideas should be treated as
If you haven’t read it yet, have a look at Part 1, “From Cyber Dreams to Business Realities: Decoding the Success Formula for Security Startups” (LINK)
This week, we are looking at more practical details: how to formulate the hypothesis and which tools you should use. Cyber Builders must learn these simple but very powerful tools, which can be used without compromise.
We will also use my own experience as Sentryo's founder to illustrate.
A Good Business Outcome is something you can measure
So, you're pouring your heart and soul into your latest project. But let's pause for a second. What's the endgame here? It's not just about what you're building but the impact it has. The real magic happens when your hard work translates into tangible business outcomes.
The journey was codified years ago for cybersecurity entrepreneurs willing to build a product company.
At the very beginning of your entrepreneurial journey, business outcomes are very personal. Most of the time, it is to build significant momentum to raise your Seed round until you are out of cash - what is usually called your runway.
After the Seed round, it will be about growing your company enough to hit Series A metrics and raise again.
Established companies probably have more fine-grained business outcomes, as they have multiple products, market segments, or geography.
In the case of Sentryo, the startup I founded, we had clearly in mind that.
1. When we started in 2014, we invested our own money and raised some debt. I also had the chance to receive unemployment benefits for two years (50% of my last package). So, we had two years of runway before going broke. It was a clear business metric we shared with our wives and families.
2. We wanted to protect industrial networks near the industrial devices. Our architecture had “sensors,” the devices we were deploying. One sensor protects one industrial process (a few PLCs and PCs). It was a de facto North Star Metric to grow this.
Identifying your North Star and Business Metrics
In any case, a Cyber Builders must keep her eyes on two main prizes:
The North Star Metric: This boy is your guiding light. The critical measure shows how much value your customers get from your offer. It gets everyone out of bed in the morning, united by a common goal of making customers happy and securing that long-term win. For instance, this might be the count of systems under your protective wing in cybersecurity. It could also be the number of threats you blocked, events you processed, etc.
Note that North Star Metric is an ever-growing metric by design. Yes, it could be seen as a vanity metric, but you can use it to communicate your impact outside your company.
For example, the WhatsApp North Star metric could be the total number of delivered messages since the product's launch.
Business Metrics: Think of these as your business health check-up. They're the vital signs—like your financial pulse, operational tempo, and marketing mojo—that let you know how you're doing and where you're headed. Key players here include the likes of recurring revenue, the cost to snag a new customer, and how well you're keeping the ones you've got.
Business Metrics are often expressed per month, per quarter, or year.
For example, in a SaaS business, it will be your Monthly Recurring Revenue - the income that a company expects to receive in payments every month. MRR is a critical revenue metric that helps subscription companies understand their overall business health profitability by closely monitoring monthly cash flow.
Problem Identification and Hypothesis Formation - Effective Problem-Solving
Picture this: you're bombarded with stories of entrepreneurs who struck gold with a groundbreaking idea or a flash of insight. It's the stuff of startup legend? But here's the real deal—behind every 'Eureka!' moment is a knack for spotting problems that scream for solutions.
The truth is that the most successful entrepreneurs are more like detectives. They have a keen eye for the issues that others overlook. But they don't stop there. They dig deeper, peeling back the layers of the obvious to uncover the root cause—this relentless " why " quest sets the stage for genuine innovation.
Are you ready to start digging? Your next big breakthrough might just be a 'why' away.
So, where do you start? It's simple but not easy:
Begin with Your Idea: Do you have a concept or a vision? Great! That's your starting point. But don't get too attached just yet.
Channel Your Inner Toddler—Ask 'Why?': Not once, but repeatedly. This isn't about questioning your sanity; it's about drilling down to the essence of the problem. Each 'why' peels away another layer, getting you closer to the core issue.
Craft a Hypothesis List: Think of this as your investigative roadmap. Each hypothesis is a guess about the problem and its root causes. You're not looking for immediate answers but setting the stage for discovery and validation.
Here's a pro tip: embrace the power of observation. Great entrepreneurs observe human behavior, market trends, and even the mundane. They find inspiration in the every day, turning problems into opportunities.
At Sentryo, when we started, we had the vision that “OT Networks need more security. We were a few years after Stuxnet, a well-known cyberattack that demonstrated the weaknesses of industrial devices. Like most people in our industry, we thought it was all about detection. Building an industrial network detection system was the initial idea.
The why method added more depth to our analysis, allowing us to understand market drivers, upcoming regulations, etc.
Remember, the journey of entrepreneurship isn't about chasing a brilliant idea. It's about identifying a problem so acute that people can't help but seek your solution. It's about asking 'why' until you hit the bedrock of truth and then building your castle there.
The 4U Framework for Cybersecurity Innovation
Transitioning from a broad list of hypotheses to a structured, impactful approach in product development is crucial. Having a flat list of assumptions about the problems you intend to solve is not enough. What's required is a more nuanced, layered understanding that aligns with the critical needs of your target market, especially in a field such as cybersecurity.
Enter the 4U framework. This framework encourages you to list potential problems and rigorously evaluate them through the lenses of Urgency, Unworkability, Unavoidability, and Underserved. It's about depth, not just breadth.
I already covered the 4U project in a post last summer; please check out this first post.
Let’s break it down again:
Urgent: The cybersecurity landscape is a battleground where threats evolve quickly. For a startup, urgency is in your DNA. You're operating on borrowed time, with limited runway to make your mark. The problems you tackle should keep CISOs and CEOs up at night.
Unworkable: Complexity is the name of the game in cybersecurity. We're talking about intricate and vast challenges that going it alone is like bringing a knife to a gunfight. The threat landscape is moving fast, and new technology is adding more software stacks that could be used as penetration points. And the scale? Monumental.
Unavoidable: In cybersecurity, the 'ignore it and it'll go away' approach doesn't cut it. Regulations and directives, from the EU Commission to US presidential orders, mandate stringent security measures. These aren't gentle nudges; they're iron-clad requirements that businesses must comply with, underpinning the non-negotiable nature of the problems you're solving.
Underserved: Lastly, your target problem should be in a domain crying out for solutions—where the existing 'off-the-shelf' options are.
Crafting Hypotheses with the 4U Framework - An Example
If we apply this to a real-world example - my startup, Sentryo.
Urgent - With the rise of OT cyber attacks, with real-world examples like Stuxnet, BlackEnergy, and later the Ukrainian grid cyber attack or the Wannacry malware that stopped large factories, the problem of securing factories was urgent to be solved.
Unworkable - Industrial networks are full of opaque protocols and proprietary systems that existing solutions cannot decode. More important, the scale of systems is enormous. For example, car painting requires 10,000 IP addresses for controllers, robots, sensors, cameras, motors, etc..
Unavoidable - Critical infrastructures of all countries are facing regulation, asking for more cybersecurity on OT networks.
Underserved - In 2014, we were five startups at the starting line. We were told by incumbents vendors that there was quite no market for OT security.
Wrapping up—4U Framework Hypothesis Template
This is a template for crafting your 4U problem statement for your cybersecurity startup.
As we wrap up our in-depth exploration of the 4U framework, it's clear how it provides a robust structure for pinpointing and addressing the most critical problems in the cybersecurity field.
By aligning your startup with these four crucial dimensions—Urgency, Unworkability, Unavoidability, and Underserved—you're not just building a product but crafting a solution to some of the most pressing challenges in cybersecurity. Now, it's time to put the 4U framework into action in your cyber venture.
Here is a starting point: a 4U Template for Cybersecurity Startups
Urgent:
Hypothesis #1: Customers face an immediate threat from [specific type of cyber attack or vulnerability], necessitating urgent solutions due to [specific reason, e.g., financial loss, data breach risk].
Hypothesis #2: The frequency and sophistication of attacks targeting [specific sector or technology] are escalating, posing an urgent need for advanced protective measures.
Unavoidable:
Hypothesis #3: With the enactment of [specific regulation, e.g., GDPR, CCPA], compliance has become non-negotiable, compelling organizations to adopt [specific cybersecurity measures] to avoid [consequences, e.g., hefty fines, reputational damage].
Unworkable:
Hypothesis #4: The advent of [new technology, e.g., IoT, cloud services] has introduced complex security challenges that exceed the capacity of traditional cybersecurity solutions, necessitating innovative approaches to secure [specific aspects, e.g., data, devices].
Hypothesis #5: The scale of [number of devices, employees, applications] and the pace of change by [day, month] makes the problem hard to solve without [automation, software, AI]
Underserved:
Hypothesis #6: Current solutions in the market are predominantly focused on [specific area, e.g., endpoint security], leaving a significant gap in [another critical area, e.g., network security for industrial control systems].
Hypothesis #7: While there are numerous players in the cybersecurity space, few are addressing the unique challenges faced by [specific target group, e.g., small and medium-sized businesses, critical infrastructure sectors], indicating a lack of tailored solutions.
Conclusion
The 4U framework isn't just a checklist; it's a strategic lens that sharpens your focus and hones your hypotheses. By aligning your startup with these four critical dimensions, you're not just building a product but crafting a solution to some of the most pressing challenges in cybersecurity.
Are you ready to put the 4U framework into action?
Please send me your point of view in the comments 👇
Laurent 💚