How new security categories emerge: the Security Adoption Life Cycle (SALC)

Lately I've been talking with several "security pioneers": companies that are trying to convince the world to adopt new types of security products.  They are offering solutions for emerging security problems, or perhaps for security problems that have been around for a long time but for which awareness is still emerging.  What I've observed is that companies trying to pioneer a new security category often target the wrong kind of accounts in their sales process, and listen to the wrong feedback in validating their market assumptions.  They should be following what I call the Security Adoption Life Cycle, which can guide both whom to target and what feedback to value.

The most valuable security technologies don't make you more secure

There's been a baby boom in security startups, and a lot of people I know are involved in young security companies now.  Over the next few years, we can expect this startup cohort to generate a bunch of exits; so there are interesting Design for Exit questions to think about here.

As noted in the title, the assertion of this post is that the most valuable security technologies - many of them, anyway - aren't used to make their users more secure.  In fact, a Fortune-50 Chief Information Security Officer (CISO) told me flat out: "my job is not to make my company more secure."  He proceeded to explain that in fact, his job was to make his company more productive, within a given security posture.  And, I claim, that's the same job many companies are "hiring" security technologies to do.