James Reid
Nov 29, 2018

Market fit by other means.

In a recent set of risk exercises I did with early stage companies, when founders re-imagined the data they needed to protect through the lens of a customer impacted by the threats to it, the result was new insight into what their customer truly valued about the service. In turn, it helped to articulate the essential value proposition of the company.

The question we asked was, if your market already used your product every day, what would the consequences be if your platform were compromised?

If your company has something of value to a given attacker, that attacker represents a potential customer profile: either they want something you have (for free), or a non-trivial part of what you provide is managing (or preventing) the relationship between your customers and these perceived attackers.

Let’s say you are a photo sharing app startup A/B testing a new UX feature, and you are worried about hackers stealing your customers’ social contact information. Ask the question: what would those hackers do with that contact data that you aren’t already doing, and why don’t you have a product for the people who already do that? If your service includes keeping that social contact data private, then part of the basic value prop of your product is enabling users to have relationships that are compartmentalized from other identities and social apps. It turns out, based on a quick threat assessment, that you aren’t just a photo sharing app; you may be a private social network with a photo sharing feature.

Maybe you are an AI startup that provides geophysical data analytics to junior mining companies, and you are concerned about having your customers’ sensor data and model results stolen by hackers. What would hackers do with it? Probably use the results to front-run stock markets. The question becomes, if the results are so valuable, why does your company not acquire the sensor data to process and trade equity and mining stocks itself in the first place? Based on your perceived risks, AI may be your product, but your underlying business model is the arbitrage business that uses data to get ahead of market trends. Everyone should ask, if your AI model makes money, why aren’t you using it?

If you are an enterprise app platform for banks and the thing that keeps you up at night is an ex-employee taking your source code to a competitor, and the answer to the question of what they would do with it would be to start a competing product and steal your customers, it implies the most strategic aspect of your business is not your IP. Given you can develop anything offshore these days for very little, chances are the main strategic asset you have is your relationship to a customer, who would switch from you without significant friction or cost. Without the head start of your non-patented IP/source code, you lose that. In that instance, without any platform value add, the key business you are competing in is who will be the outsourced software development shop for that customer.

By extension, look at a huge company like Apple and their emphasis on an uninterrupted, quiet design experience. To achieve that, they need to make a huge investment in preventing advertisers, crappy developers, hackers, and spammers from interrupting that brand experience. This means that, while they don’t lead with it, their primary underlying business model is to provide an exclusive privacy experience. Based on their security model, at its root, Apple is a privacy company.

Chances are, you are not Apple, but it may be generally true that by looking at the reflections of the security models of companies, their essential value comes into focus. When we sat down with the product owners at some early stage companies for a risk assessment exercise and asked the question of what happens if someone bad gets access to their product, corrupts it, or takes it offline — the answer closely mapped to the real customer value proposition they had not yet been able to articulate clearly.

It will be interesting to find out how broadly this applies.

James Reid is the founder of QTRA.io, a collaboration platform for Quick Threat Risk Assessments.