pwn the future
The one before the beginning.

February - August recap post: lessons from seven months of customer discovery and startup ideation at the intersection of industrial control systems and cybersecurity.

For those new to PWN THE FUTURE, and that is most of you, as readership has quadrupled since July, this email is a recap of seven months of full-time work investigating potential startups at the intersection of industrial control systems and cybersecurity.

Why industrial control systems and cybersecurity?

  1. Team. Our founding team has a combined 20+ years of experience in and around the industrial control systems cybersecurity space, in the US Navy, Merck, Bechtel, Amazon, and the White House. We all agree it is one of the largest potential catastrophic failure points of modern society, and therefore an important problem to work on. But just because something is a problem, doesn’t mean going after it is a good business.

  2. Tension. Since 2017 there has been a dramatic increase in attacks against industrial networks. These attacks are driving companies to search for risk-reduction tools; for example, one Fortune 500 company is spending $250m in FY21 to re-architect their global network, having observed a competitor lose over $1bn after a cyber-attack took down their industrial infrastructure. The time is right to start building companies that can scale in this space.

  3. Timing. With fewer than 5000 industrial control systems cybersecurity professionals in the United States, we believe that demand for expertise is quickly coming to an inflection point, with too few professionals to perform too many jobs. In other words: it’s time to build.

Since February we have explored seven different business models. Two of us were working on this problem full-time, and our third joined three weeks ago. We talked with over a hundred corporate executives, security practitioners, researchers, angel investors and venture capitalists. Scrutinized seven different business models. Pressed potential customers for their concerns, needs, and thoughts.

Where did it get us?

Here. To the starting line.

Next week we will be talking publicly, for the first time, about what we’re going to build. Here on substack.

This week is a recap of how we got here, with quick reviews of each startup model we considered, and five lessons learned in the process. Each header links to the underlying article/podcast.


The six failed ideas:

Idea 1: Industrial Control Systems Cyber Insurance (link)

We started out thinking we were going to create the world’s first specialized industrial control systems cybersecurity insurance company. The goal would be to create a recursive function whereby we would — under one roof — assess with the world’s best ICS cybersecurity experts, mitigate with the world’s best engineers utilizing the world’s best commercial or proprietary technology, and then ultimately transfer cyber risk. The only problem: we didn’t really understand the insurance business. A few months of research later and we learned why this wasn’t a workable idea over a long period of time.

Idea 2: Industrial Cybersecurity “Oracles” and Parametrics (link)

We moved on from insurance to insurance technology, thinking about two different ideas — the first, building out a “Parametric” around compromises of industrial networks, and then simply building the enabling technology for insurance firms to do the same. Both were very interesting concepts, but as we discovered, not yet ready for prime time. Parametrics — the concept of selling options-like contracts that pay out when a certain condition is met — are an interesting and emerging area of risk management, but unlike existing contracts for crop damage and internet downtime that have clear, publicly-observable “oracles,” we couldn’t find a good way to apply the core technology concepts to industrial control systems networks. As we looked into building those oracles, we found ourselves staring at a problem with no clear customer willing to buy the product. So we moved on.

Idea 3: Cyber Risk Scoring for Industrial Networks (link)

We consulted some mentors, and started thinking about risk scoring for industrial control systems networks. There are big companies already in this space but for information technology (“IT”) networks, such as SecurityScorecard. The more we looked at the business model, the more we realized it would require navigating an overly complex sales and customer success process (with multiple centers of gravity). We didn’t see a viable way to sell the risk-scoring concept to one company, and then have them walk us over to their subcontractors, who would then be forced to give us full access to their industrial infrastructure (only to be given a ‘bad grade’ as we discovered that, much like everybody else, they were at high risk). We also wanted to be on the problem-solving side of the equation. Again, we moved on.

Idea 4: Managed Security Services for Industrial Networks (link)

As we continued talking to potential customers, the number one piece of feedback we heard was “I just want to pay someone to fix it all for me.” So we started thinking about building a managed security service provider. This would essentially look like a small expeditionary military unit, with small groups of specialists who would deploy to our customers’ sites, and help them make decisions to buy down risk. Ultimately, we decided against this manpower-intensive model. But the question remained: how to help manage this problem at scale?

Idea 5: “TurboTax” for Industrial Cybersecurity (link)

Coming off of the idea of a managed security service provider, we started thinking about how it might be possible to build a very simple user interface that would help companies start to buy down the cyber risk to their industrial networks. The problem turned out to be incredibly complex, especially since industrial control systems cybersecurity sits at the intersection of a company’s security apparatus and operations apparatus. A large volume of anecdotal evidence from folks we talked to indicated that operators would be hostile to remote “remediation” of security issues if those issues were on an operational network. Regardless, the thought-experiment of building consumer-grade technology for the industrial cybersecurity industry struck a chord with us, and has continued to inform our process about what to build.

Idea 6: Trading on Vulnerabilities (link)

This was one of the final ideas we considered, sitting at the intersection of blockchain technologies, “oracles” (see idea #2), vulnerability research, and markets. We opted not to publicize the actual idea, and instead post this somewhat abstract discussion about the governing dynamics of the global zero-day and vulnerability marketplace.


Five simple lessons learned.

  1. People want to help. Give them an opportunity.

    Numerous friends, colleagues, and mentors offered advice, introductions, and observations over the course of the last few months. They did this out of generosity and confidence that my team and I wanted to do the right thing. And we wouldn’t be here without them. Whether it’s a network built online, or in person, or both, it’s never a bad idea to start off by telling people where you would like to go, and asking them if they have any ideas for how you might get there.

  2. When you are talking with someone, listen.

    When people offer advice, take it seriously. Throughout this process there were moments when someone told us something that seemed crazy, but over days, weeks, or months, revealed itself as wise. You won’t catch those gems unless you are genuinely listening, and taking notes.

  3. When someone smart gives you a recommendation, take it seriously.

    Your friends and mentors are taking time out of their busy schedule to give you advice. The best way to honor this is by taking that advice very, very seriously. Whether a book, or a tool, or a mindset, think about it seriously. Try it out. And realize that you are asking them for advice because they have something figured out that you don’t. This is why they’re someone you want to ask for advice! It makes sense that they are telling you something that doesn’t compute right away, or seems strange. THIS IS WHAT THEY KNOW THAT YOU DON’T. This is the wisdom. Take it seriously.

  4. Almost everything comes down to a list.

    To-do lists. Email lists. Process lists. 95% of the process is just that: process. The creative part, the 5%, is what happens in the details. The flourishes. But those creative moments won’t count if you can’t do the basics. Email people. Respond. Schedule meetings. Send them follow-ups. And so on. Do the basics first. Everything else will come.

  5. The world is not conspiring against you.

    Throughout this entire process, MINDSET is the most important tool. It may seem a bit hocus-pocus, but your brain is where you live your entire life. It’s the difference between passing the test and failing. And having the foundational mindset of abundance, believing that the world is neutral/apathetic at worst, and might just possibly be convinced to conspire in your favor at best is the way in which you can set aside your natural human jealousies, fears, and suspicions, and get yourself in a position where you can think about building something new and important.

That’s all for this week. Check back next week for the big reveal. And if you want to talk about any of this stuff, my Twitter DMs are open - @JoshuaSteinman.

notes from the (industrial control systems cybersecurity startup) underground.