Idea #3: Risk-Scoring Industrial Control Systems and Networks
I had looked at, and then walked away from, both insurance and parametrics. On to the next idea. It was discouraging, having thought about, and planned to do insurance for months, and then walking away when I couldn’t “get to conviction.” I decided to call a well-respected industry leader (one that had taken a company from founding to a major liquidity event - just what kind I’ll not say) who had offered to serve as a sounding board.
I ran him through my thinking, and asked for his advice.
“What about risk-scoring?” he said.
Those of you who know me know that, despite having a military reputation for being something of a round peg in a square hole (I used to say that I was “Good for the Navy, just not that good in the Navy), I am a firm believer in both best practices and processes. And so when someone very successful gives me a process, idea, or concept, I try to take it as seriously as possible. So, with that one phrase, and a few minutes of conversation, I was off to investigate my next idea.
Having done the SWOT analysis on the last two concepts, I decided to again use it on this latest idea, as a way to structure my thinking.
Though I didn’t do it at the time, for the purpose of the blog you are reading right now is to review the ideas I considered along the way to starting a new company. I am therefore going to use key elements of the famous Sequoia format for early-stage companies to describe each idea from here on out:
(1) Problem
(2) Solution
(3) Why now?
(4) Market potential
(5) Competition / alternatives
(6) Business model, then
(7) closing thoughts (go/no-go).
So, here we go:
OT Risk Scoring (idea #3)
(1) Problem
The SolarWinds hack exposed many to risks inherent in digital supply chains. The problem here is similar. How could a large industrial firm understand (and maybe even index) the cyber risks to their manufacturing supply chain?
For example: if a large consumer packaged goods (CPG) company relies on cardboard boxes to package a specific product, and operates with twelve hours of “slack” capacity of cardboard boxes in their system, any pause in excess of twelve hours means that the company is losing money by the minute.
How can that company have a higher assurance that their cardboard box manufacturer won’t be held hostage by ransomware?
(2) Solution
The goal would be to build something that looks a lot like BitSight or Security Scorecard (among others, think credit score/report for cyber risk), solely focused on operational technology (“OT,” nee “Industrial Control Systems/ICS”). It was pretty simple: go to a big company (e.g. the CPG company mentioned above) with lots of suppliers, get them to sign up and pay, then have that company walk the startup over to each of their critical suppliers (the cardboard box manufacturer), and essentially demand permission for the startup to audit the box company’s OT security practices. The startup would then assign a “risk score” to the box company, and report the score both to the box company’s leadership, and to the CPG company leadership (most likely the COO).
The MVP would be built almost entirely off of the the prototype ten-part risk scoring system I developed and refined when I considering starting an insurance company. So, to begin with, essentially a problem of convincing a group of people to go along with a basic risk management exercise: go to a place, interview some people, come to some conclusions about how they do what they do, and report back with a general risk profile.
(3) Why now?
Confluence of: (1) increasing OT/ICS cyber risk, (2) awareness of “supply chain” risk, (3) continued macro-industrial reliance on just-in-time manufacturing (4) increasing in-the-wild examples of big companies losing billions of dollars following cyber attacks on OT systems.
To be clear, (1) and (4) carry over to every startup idea I considered.
(4) Market potential
I spoke to several senior executives at large OEMs in the automotive industry who told me they lose millions of dollars of revenue for every day they’re ‘down,’ and became convinced that if positioned correctly a company doing this type of work could be huge. A former hedge fund trader — friend of mine from college — did a bunch of research in this area, and we came to believe that there could be a big enough market to merit further investigation.
Some big numbers: Manufacturing accounts for 11% of U.S. GDP, and most of that relies on complex supply chains where, if one link of the chain goes down, there are cascading effects across the entire company.
(5) Competition / alternatives
The biggest risk is that Bitsight or Security Scorecard might pivot to cover both IT and OT. While certainly possible, close inspection (by this same friend whom I describe as my ‘secret weapon,’ to be revealed later) of publicly available information, yielded enough information that convinced me that there was plenty of room not only in the OT risk scoring space (where nobody seems to be doing it), but also in the IT cyber risk scoring space overall. Which is to say that, though they seem to be great companies, Bitsight and Security Scorecard seem to have not fully cracked the cyber risk scoring market, if only because we were unable to find evidence of broad adoption of their offerings, and because it appears that most of the data they use to generate their scores is publicly available. Which meant that in a (and I cringe at what i’m about to say) “three-sided marketplace,” which in the example above are the CPG company, the OEM, and the startup, nobody has found a way to align the incentives between all three parties in such a way that one company or another pops, and runs away with the market.
(6) Business model
There are good and bad aspects here, which I remain convinced could be overcome by the right team. Lots of this is covered in shorthand, on the SWOT analysis:
The good:
Recurring revenue: it’s a subscription service
Collect once, sell ∞: the goal is to get enough risk scores together that you build an increasing moat with a certain kind of network effect.
It’s Sticky: nobody is ever going to tell some executive that they should not keep tabs on the security of their supply chain.
Interesting network effects, and top-of-funnel opportunities to sell/partner with security hardware and software companies.
The bad:
It is going to be hard to do a survey of a company’s OT/ICS infrastructure unless you have permission from a company.
And even if the company’s biggest client asks them to, the startup would most certainly see friction on the part of the OEM’s staff, who are not/not interested in airing their dirty laundry not only to their superiors inside the company, but to the company’s major client (the CPG company). Which means you’re dealing with something even worse than a “two-sided marketplace,” a three-sided sale.
You’re just selling bad news. Nobody likes the credit rating agencies (and not just because their UI’s suck). Not that it isn’t a good business, but you’re basically coming in and saying “everything is terrible here, and I’m going to go tell your biggest customer” and then walking out. The only way to turn that into a good experience (that leaves a customer happy) is to offer consulting services on top.
Watch this.
(7) closing thoughts (go/no-go)
Passed. The "three-sided sale” part really tipped it over the edge. Too many moving parts. Too many people whose incentives are misaligned.
Thinking backwards from the “NPS” investor mindset (i.e. if you have happy customers, your business grows), I started thinking about when/if this company could generate good vibes. The answer is: only if, after surfacing all the “bad,” the company then offers to come in as a consultant and fix some or all of the problems surfaced during the investigation.
Even if the company were to stand up a consulting services arm, not a particularly scalable business, and would represent a separate vector of force on the company, with one group of sales people selling the “risk score” product, and yet another trying to follow that weeks or months later by selling services. It wasn’t the venture-backable idea I wanted to pursue.
Nevertheless, I believe that an OT risk scoring business could be successful, but perhaps not as a tech startup. It probably takes a long time to get something like this right. Perhaps it would be good as part of a big consulting firm, but it is more consulting firm with interesting, SAAS-style lead-gen than SAAS company.
Fixing the problems or: the next idea
So, what about being the company that “fixes the [OT cybersecurity] problems?” The more I talked to CEOs of small- and mid-sized (heck, even large, publicly traded) industrial firms, the more I heard “I just want someone to fix the problem of ICS cybersecurity for me.”
And with that, it was off to the next idea.
Which I’ll cover in the next post.
My friend Marc has a startup that’s trying to make this space much, much better, starting with “one-touch credit freeze,” you all should check them out.
In fact, this could actually be a good business model for a consulting aspect of this company, as the CEO at the OEM likely wants to make their business more secure, but is probably told “everything is fine” by their subordinates. But that would be a consulting company, not a venture-backed startup. And the company would still be walking into the bureaucratic version of an ambush for every sale.
*audio version* running the numbers (startup idea #3)