Discussion about this post

Michael A. Davis

Reflecting on my investment decisions through your concept of second movers, I think your analysis identifies a fundamental pattern that extends beyond cybersecurity.

You called out some patterns:

• Security teams are "overwhelmed, chronically understaffed, focused on endless alerts"

• First-movers must educate about "theoretical" risks

• Second movers arrive after "a breach, compliance mandate, or peer reference"

What if this isn't unique to cyber but is how ALL organizations handle prevent vs. react? I think the same dynamics appear in manufacturing (specifically quality control), healthcare (preventive medicine), and construction/infrastructure (the maintenance vs. repair cycle).

The pattern seems to be:

1. Organizations get trapped in firefighting mode because that's what's visible and rewarded

2. First movers try to sell the organization on "working on tomorrow's problems" to teams drowning in today's crises and issues.

3. Only external forces like breaches or regulatory mandates create enough pain to break the cycle

4. Second movers arrive just as the market tips from "theoretical risk" to "urgent need"

This cycle reminded me of a famous MIT paper, "Nobody Ever Gets Credit for Fixing Problems That Never Happened" (https://web.mit.edu/nelsonr/www/Repenning=Sterman_CMR_su01_.pdf). The paper proposes that the explanation for why organizations underinvest in proactive improvement is the conflict between two reinforcing feedback loops:

The "Work Harder" Loop (Reactive): Problems (e.g., incidents, alerts) consume resources, which reduce the capacity for improvement, leading to more problems. This is the state of being "overwhelmed" that you describe in security teams.

The "Work Smarter" Loop (Proactive): Investing in improvement reduces future problems, freeing up resources for more improvement. The benefits of this loop are delayed, intangible, and suffer from a faulty attribution problem, making it difficult to justify the initial investment.

This attribution problem is key. The "value" of the first-mover's solution is basically a non-event - a breach that does not happen. Because this benefit is invisible and its cause is ambiguous, the buyer cannot justify the immediate cost (in money and time) of implementing the solution. The "theoretical risk" does not generate enough pressure to break the "Work Harder" cycle.

So, looking at second-time founders through this lens, I think it may explain their success. Second-time founders:

• Time entry for when the firefighting loop is about to break

• Package prevention as reaction, which the org is biased to invest in (e.g., "reduce analyst workload" vs. "prevent future incidents")

• Use the connections and networks you mentioned to overcome the "nobody gets credit for problems that didn't happen" problem

Would be interested in your thoughts on how these may be linked.
