The more knowledge you gain about your business and your technology, the more you decrease the sphere of unknowns and maximize your odds of success.
Director of R&D at Seccuris
The fourth TIM lecture of 2013 was presented by Paul Card, Director of R&D at Seccuris. Card drew upon his experience as a programmer, entrepreneur, and professor to reflect upon the importance of leveraging uncertainty and managing risk when developing a technology platform in a small company. The event was held at Carleton University in Ottawa, Canada, on May 1st, 2013.
The TIM Lecture Series is hosted by the Technology Innovation Management (TIM) program at Carleton University. The lectures provide a forum to promote the transfer of knowledge from university research to technology company executives and entrepreneurs as well as research and development personnel. Readers are encouraged to share related insights or provide feedback on the presentation or the TIM Lecture Series, including recommendations of future speakers.
At the core of this lecture was the concept of using an ICT platform to enhance or grow an existing business. Once a company has sufficiently developed the technological platform upon which it will differentiate itself from its competition, it must use this platform to play both offence and defence. On offence, it must decide how to enhance and market the platform; on defence, it must mitigate risk and leverage uncertainty. In contrast with existing platforms, which benefit from established business models, a startup with a new platform has nothing to draw upon and faces greater risks and challenges on both offence and defence. Additional challenges arise a startup focuses on the technology first, which is a common scenario.
The challenges with the technology-first approach to platform commercialization include:
1. Customers may be reluctant to change.
2. It may be difficult to demonstrate to customers how much better the new platform is compared to existing alternatives. Gaps in communication and understanding are common with new technology.
3. Customers may not be as enthusiastic as the startup about "state of the art" technology. They do not care how "cool" the technology is; they are driven by the problem, not the solution.
4. At times, a technology-focused startup must overcome its own reluctance to use existing, simpler technology, which may be the most efficient solution from a business perspective.
5. The business case (even if validated) might not fit the vocabulary of customers or they may not be ready to consume the solution.
6. At least in Canada, there is very little funding available for technology development.
To some extent, these risks can be mitigated by the education and experience of the management team. Ongoing efforts to further validate the business case, analyze the market, and understand the underlying business problems are essential. Furthermore, startups should recognize and embrace the uncertainty that comes with doing business in the technology domain. Although risk is a negative aspect of uncertainty, its opposite is luck, which is an undervalued success factor in business.
Card explained that luck is especially for important for startups, which are more susceptible to the positive and negative impacts of uncertainty than large companies, in which unexpected events can be buffered by momentum and time. For a startup, hiring the wrong person or missing an opportunity can be fatal; however, the opposite is also true: a startup's early success can hinge upon taking the right opportunity when it comes along.
To take advantage of good fortune, a startup must be prepared. Although uncertainty can be a major blindspot to many CEOs, there are ways to minimize or manage it, such as:
1. Identifying the unknowns: if you "find out what you don't know", you can at least recognize sources of potential risk and opportunity.
2. Hedging your bets: when possible, maintain a flexible strategy in which different positive outcomes are possible, depending on how conditions change.
3. Modelling risk: understand the likelihood of different risks and how they can affect the company.
4. Embracing risk: foster a culture that does not shy away from uncertainty, but rather manages it and embraces it as a source of good fortune.
Case study: Seccuris
In the second half of the lecture, Card used Seccuris as a case study on risk management using a technology platform. Seccuris is a privately owned Canadian company that was founded in 1999. It employs over 120 staff in its headquarters in Winnipeg, in regional offices across Canada, and in its US headquarters in Dallas. Initially, the company's vision was to provide a managed data-security service for residential customers; however, the business model and technology evolved over a 10-year period in response to increasing uptake by enterprise customers. Now, Seccuris specializes in helping companies manage their information risks using a service model they describe as "information assurance". Seccuris provides its clients with information assurance by first carefully studying the core of the client's business and then building a security service that is tailored to its needs. The broad set of integrated services offered by Seccuris includes consulting services, managed services, cloud services, education services, solutions integration, and R&D.
As the Seccuris platform evolved, a key question was how to de-risk the platform and business as they grew. Through an analysis of alternative technology in the market and a re-evaluation of its own platform, Seccuris was able to not only reduce its own risks, but also identify further opportunities for the business. Thus, the case study illustrates how embracing risk can help a company play good offence and good defence at the same time. Seven of these opportunities are summarized below. The first four opportunities are business-driven and arise from the same investment in a common platform:
1. Service opportunity: given that solutions offered by the competition often neutered the technological functionality in pursuit of ease of use, Seccuris concluded that these solutions were no longer effective for security purposes. By addressing the functionality deficits and hiding the complexity from users, Seccuris was able to take away the headaches currently affecting customers, while using the same vocabulary that customers were familiar with.
2. Product sales: for customers that did not want a service, Seccuris would offer product sales.
3. Add-on services: through interactions with customers, opportunities for add-ons and upselling arose.
4. New markets: the platform also opens up new markets for other services (e.g., training, reselling, consulting, platform customization).
The final three opportunities are examples of future markets for the technology:
5. Advanced persistent threats: Seccuris gains valuable experience with its diverse client as it observes, categorizes, and studies the cybersecurity threats faced by these clients. Seccuris can leverage this information to focus its analysts' time and develop future services that focus on sophisticated threats.
6. Insider threats: in addition to providing security against outside threats, Seccuris also leverages their platform and experience to counter data loss by "legitimate" channels (e.g., disgruntled staff, laptop infection from home). The level of monitoring and the response to insider threats can be tailored to the needs and risk levels of clients.
7. Real-time, tailored monitoring: the model of the client organization's goals and risks can be continuously updated using real-time data from the client's network. Thus, the monitoring service feeds into multiple levels (e.g., IT infrastructure, security, human resources, financial systems) and helps the client organization refine its own view of the organization and the risks it is facing.
These seven examples demonstrate how Seccuris mitigates risk by allowing various sales and services models based on a single platform. All of these opportunities are tied to a number of real business problems and are applicable to many industry verticals and regions. However, the company does not require all of these opportunities to succeed; it has hedged its bets by making a single investment in a platform upon which overlapping routes to success can be mapped out. Most importantly, Seccuris has developed and is refining this platform by leveraging its existing knowledge and a deep understanding of its customers and their business needs.
In the discussions that followed each portion of the presentation, audience members shared the lessons they learned from the presentation and injected their own knowledge and experience into the conversation.
The audience identified the following key takeaways from the presentation:
1. Companies should find it liberating (not depressing) to recognize that luck plays such an important role; it makes them more agile and ready to take advantage of opportunities.
2. We set our own measures of success.
3. At lot of people make their own luck. Attitude is important... and tenacity.
4. The platform is what you build on top of, but you can differentiate in the add-ons or in the platform itself.
5. Large companies reduce risk by having a portfolio of projects; a startup is really just one project.
6. If you pivot off an opportunity, multiple opportunities can result.
Following the lecture, Dr. Tony Bailetti, Director of the TIM program, asked the audience to suggest actions that the local Ottawa community could take in the domain of cybersecurity. Audience members proposed the following actions:
1. Develop an architecture to allow comparisons of cybersecurity capabilities.
2. Create an industry-driven consortia of cybersecurity companies to create standards, collaborate, and network.
3. Avoid local/federal bottlenecks; the cybersecurity market is global.
4. Develop a mechanism for harnessing cybersecurity knowledge in Ottawa.
5. Develop an education/marketing program to overcome ignorance of basic security practices and modern technological developments.
6. Seek funding for startups in the cybersecurity space. Develop a network of investors that understand the space; find out who these investors are and engage with them.
7. Reach out to the security community and invite them to participate in defined activities.
8. Dedicate upcoming issues of the TIM Review to the theme of cybersecurity.
This report was written by Chris McPhee.
Keywords: cybersecurity, platforms, risk management, security, services, strategy, uncertainty