Using Security for Insight Into Product Market Fit.

  • The business you think you are in may not be the business you are in.
  • A loosely structured risk analysis exercise may yield the insight a founder needs to state the essential problem their product solves.

After leading several risk workshops with early stage companies, from a security perspective, the key difference for a startup from an enterprise is it doesn’t need to worry about losses so much as barrier events that impede the trajectory of its growth.

Having your customer data privacy model rejected by an enterprise customer for “data commingling,” is a common hurdle, where for a small/medium business, you can derail a sale by failing to provide documentation and risk assessments. Perhaps rightfully, these are alien priorities at the earliest stages when you are still finding the path you will commit to.

Getting things to go right, just once, before worrying about how they could go wrong is the main priority. But the result of a few of these sessions yielded some surprising direction that merited a write-up.

You already have some idea of what you need to protect if you have built something. And yet, even knowing what you need to protect, you still might not be able to articulate that essential thing about your product that your customers cannot live without. In those threat/risk demo sessions with startups we found an underlying congruence between the problems of knowing what to protect, and knowing what customers valued.

Students of YCombinator’s (rather excellent) Startup School course learn that a startup is a quest for Product Market Fit (PMF, market fit, or fit). It’s too nuanced to do justice to here, but in general it is that point where customers start using a product like it’s oxygen. It becomes the most obvious and simple thing which they can’t imagine how they lived without before they had it. Without market fit, products fail.

If most companies run aground because they don’t have a clear view of what is valuable to them and their customers, a better way to develop that sense would save a lot of companies.

A factor that behavioural economists use to describe how people value things sheds some light on that congruence between security risk analysis and startups finding market fit. People tend to value something much more when they already have it, as a result of common psychological loss aversion. They will even often value it more than something objectively more valuable they don’t already possess (hence the so-called “endowment effect.”)

To link these ideas together, leave aside for a moment the things that are great about your product and the things it helps people do.

Ask the question: If your market already used your product every day, what would the consequences be if your business or data platform were compromised?

What came out of the security risk assessments was founders re-imagining the data and services they needed to protect through the lens of a customer impacted by the threats to them. The result was new insight into what a customer truly valued about the service, and in turn, the essential value proposition of the company.

If your company has something of value to a threat actor, as an interested party it means that this attacker either represents a potential customer profile who just wants something you have free, or, a non-trivial part of the value of your service is that you manage (or prevent) the relationship between your actual customers and these perceived attackers and scenarios.

Let’s say you are a photo sharing app startup A/B testing a new UX feature, and you are worried about hackers stealing your customers social contacts information. Ask the question, what would those hackers do with that contacts data that you aren’t already doing — and why don’t you have a product for those people who do that already? If your service includes keeping that social contacts data private, then part of the basic value prop of your product is enabling users have relationships that are compartmentalized from other identities and social apps. Turns out based on a quick threat assessment, you aren’t just a photo sharing app, you may be a private social network with a photo sharing feature.

Maybe you are an AI startup who provides geophysical data analytics to junior mining companies, and you are concerned about having your customer data and results stolen by hackers. What would hackers do with it? Probably use the results to front run stock markets. The question becomes, if the results are so valuable, why does your company not acquire the sensor data to process and trade equity and mining stocks itself in the first place? Based on your perceived risks, AI may be your product, but your underlying business model is the arbitrage business that uses data to get head of market trends. It raises the question of if your AI model makes money, why aren’t you using it?

If you are an enterprise app platform for banks and the thing that keeps you up at night is an ex-employee taking your source code to a competitor, and the answer to the question of what they would do with it would be to start a competing product and steal your customers, it implies the most strategic aspect of your business is not your IP. Given anyone can develop anything offshore these days for peanuts, chances are the main strategic asset you have is your relationship to a customer, who would switch from you without significant friction or cost. Without the headstart of your non-patented IP/source code, you lose that. In that instance, without any platform value add, the key business you are competing in is who will be the outsourced software development shop for that customer.

By extension, when you look at a huge company like Apple and their emphasis on an uninterrupted quiet design experience, to achieve that they need to make a huge investment in preventing advertisers, crappy developers, hackers, and spammers from interrupting that brand experience. This means, while they don’t lead with it, their primary underlying business model is to provide an exclusive privacy experience. Based on their security model, at its root, Apple is a privacy company.

Chances are, you are not Apple, but when you look at your product and ask the question of what happens if someone bad gets access to it, corrupts it, or takes it offline — the answer will closely map to the real customer value proposition you may not have been able to describe or articulate clearly yet. In the security field, we refer to these incidents as compromising the attributes of confidentiality, integrity, and availability of something valuable.

For my own product, a collaboration platform for product teams to do security in agile dev, I run this scenario regularly and it has yielded a some useful features. Without taking you through the whole exercise, what it yielded for me was, if the service were compromised, product managers and security analysts would lose their key collaboration tool for mitigating security risks to their products and services. Their development teams, enterprise customers, regulators and board committees would revert to depending on expensive consulting firms to provide 3-lb documents that nobody actually reads, and their launches would be derailed by costs and delays.

Surely, without this, how does a company even live?

Join James Reid Friday afternoon on Dec 7th in downtown Toronto, for a Security for Startups training event at: https://www.eventbrite.ca/e/security-for-startups-tickets-52537993553