"TurboTax" for Industrial Cybersecurity (startup idea #5)

What's Next – exploring potential startup ideas at the intersection of industrial control systems and cybersecurity – part 9


Welcome to “What’s Next,” a series of posts where I explore potential startup ideas at the intersection of industrial control systems and cybersecurity.

Idea #5: TurboTax for Industrial Cybersecurity

I wasn’t in the greatest of moods.

After going deep on insurance, insure-tech, risk scoring, managed services, and passing on each, things didn’t seem to be headed in the right direction.

My conviction remained high. I had lived “behind the curtain” for four years, coordinating United States Government cyber strategy, policy, and incident response from the National Security Council. Industrial cybersecurity is going to be bigger than information technology (IT) cybersecurity in a world where every factory, transmission station, self-driving truck, and deadbolt is connected to the internet.

After three months of full-time research (by this time it was April of 2021), sitting in a drafty attic conference room in a three hundred year old converted house in Northern Virginia, I was still in the starting blocks. My OCS Gunnery Sergeant’s words echoed in my mind: “the only way out is through.” He was usually talking about pushups.

So I kept talking to people. Experts, consultants, practitioners, and investors.

From catch phrase to business model

Then, one day, a flash of light: “It sounds like people need TurboTax.”

The former investment banker turned entrepreneur had a flair for marketing, and getting hard-to-procure goods to people in tough spots. The phrase was electric.

We were talking about a subset of potential customers I had discovered: Fortune 500 and below, whose alpha-generating infrastructure was internet-connected, yet who had not yet started to manage the attendant cyber risks. It was our third conversation. The first had been in late January, and I had told him about my interest in industrial control systems cybersecurity. Then the Tampa Bay water treatment facility attack happened. And then Colonial Pipeline. He was paying attention.

“What do you think TurboTax for industrial cybersecurity looks like?” I asked.

“Dude, you’re the expert on this stuff, not me!”

Business model analysis

As a reminder, I’m using the Sequoia business model format to structure my thinking.

I started thinking about a potential problem statement of: “How can we accelerate the process of minimizing the cyber risk to the industrial infrastructures of the 99% of companies that can’t afford huge security teams?”

(1) Problem 

And as I kept talking to potential customers about their industrial attack surface, they most often fell into one of three categories:

A) “We still haven’t solved IT security.”

B) “We know industrial cybersecurity is a problem, but haven’t started working on it.”

C) “We assigned it to someone and they are working on a plan.”

In each, the customer had yet to spend any money on the problem.

So what was the problem “TurboTax for Industrial Cybersecurity” could solve? That industrial firms, likely already behind the 8-ball on cybersecurity in general, needed a straightforward way to start buying down the cyber risk to their industrial infrastructure. Without elaborate security teams, it would need to be simple and manageable by one or two competent staff who are most likely not specialists.

(2) Solution

Brainstorming the “TurboTax” model, I began to imagine a user interface first, technology stack second, especially with an eye toward two previously examined ideas: my ten basic indicators of vulnerability, and ICS cyber risk scoring methodologies. They could be combined into a basic questionnaire yielding a customized report with a set of recommendations on how to improve the company’s security posture.

(3) Why now? 

Similar to the previous concepts, there are tens of thousands of companies with significant and unprotected alpha-generating infrastructure. For this idea specifically, the aim would be to build a company capable of capturing the “first dollar spent” on industrial control systems cybersecurity, almost as an automated consultant. The company could expand from there, perhaps offering software, hardware, and services.

The more I explored the idea, the more it became clear that timing was a major part of the model, and of the potential pitch. By “timing” I mean where a company stands in terms of what risk management goods and services it is buying at any given time. More than 95% of the industrial companies I had come in contact with had not even identified someone responsible for industrial control systems cybersecurity. And so by starting a company aimed at capturing that first dollar, we would need to think very carefully about things like getting in front of customers, building a self-service architecture, sales funnels, and what types of products and services we could offer to customers both to keep them coming back (it seemed that this type of company would be a subscription service) and to keep them on the platform as they grow their ICS cybersecurity programs.

(4) Market potential 

The market for this idea is similarly large to the others, but the specific dynamics are interesting as it is essentially a bottom-up approach, as opposed to the current startups in the ICS cybersecurity space, which are moving top-down. Similar to TurboTax (which doesn’t really compete against blue chip accounting firms), the play here would be around delivering value at a low price point, and then upselling clients when they needed it.

(5) Competition / alternatives 

More than most of the other models explored in What’s Next, I couldn’t find much in the way of competition for this concept. The closest thing would be the big consulting firms’ ICS cybersecurity practices — and the possibility that another ICS cybersecurity firm would build a similar workflow and “solution.”

(6) Business model

This alpha product could be done with a typeform that would ideally take less than four hours to complete. Pricing would be under $1000, which a mid-level manager could likely authorize on a company charge card without needing to get permission from senior management.

The initial product would serve as a kind of top-of-funnel product that would pre-qualify buyers for future sales of tools and services, based on a client’s assessed strengths and weaknesses. Optimally, that interface would eventually serve as a single dashboard to a security services platform that would be able to provide real-time risk management products and services. Imagine a future where deploying the software of a company like Nozomi could be done at the click of a button, and hiring an incident response team could be done just like ordering a book from Amazon.

Additional considerations:

Visual, easily understandable assessments enable stakeholders to approach management or the board to secure new funding. This problem was pointed out to me by a very successful venture capitalist with a background in risk modeling, who filled me in on how powerless boards sometimes felt: kept in the dark about risks, and unable to hold management accountable for solving problems even when they were surfaced in periodic meetings. Dashboards, the VC offered, might serve as a mechanism to surface, monitor, and ultimately ensure the resolution of cybersecurity issues like the threat to industrial infrastructure.

Additional rapid-fire thoughts:

The good:

  • Inexpensive to start

  • Scalable to some degree

  • Low cost of first purchase

  • Pre-qualification of customers for higher-priced products and services

  • Funnel structure could lead to interesting places, while generating revenue

  • Contact with paying customers likely to yield clear information about what additional products and services they are willing to buy

The bad:

  • No customers actually asking for “TurboTax”

  • Cost/benefit is unclear

  • Easily replicable

  • Possible this runs into the current crop of “compliance automation” startups

  • Risk that this model simply leads to a consulting services company

(7) Closing thoughts (go/no-go)

TBD/soft no-go. The more I thought about it, the more I realized that this was a tool, and not a business model. I am actively considering how to utilize it for the company that I’ll ultimately start.

For long-time readers: we are coming to the end of What’s Next. One last business model before the reveal.

For first-time readers: check out the backlog if you want, or here are the links to the previously-explored startup ideas:

Idea 1: Industrial Control Systems Cyber Insurance

Idea 2: Parametric Insurance Technology (/Industrial Cybersecurity Crypto-Canaries)

Idea 3: Cyber Risk-Scoring Industrial Networks

Idea 4: A Managed Security Services Provider for Industrial Control Systems Cybersecurity

Thanks for reading. As always, I have open DMs on Twitter; feel free to reach out there.