3 Comments
Sep 4·edited Sep 4

Rewrote my original comment using Claude:

# Perspective on Security Solutions for SMBs and NGOs

I partially disagree with the overall message presented, particularly regarding the following points:

- High minimum requirements for security services

- Awareness of solutions

- Charities' desire for security despite lack of funding

## Background and Experience

Having worked in businesses ranging from two-person operations serving SMBs to Fortune 100 companies, and having attempted to provide consulting to charities, I've gained a unique perspective. Charities, in particular, often struggle more than for-profit entities with business organization and practices, reflecting their different goals and ownership structures.

## Historical Context: PGP and Its Relevance

Consider how PGP was created by a nuclear activist for secure government communications. It's still used today but criticized for poor UX. This makes sense given it wasn't designed for mass adoption but for highly technical individuals. This example illustrates the challenge of translating such solutions to non-technical NGOs operating in hostile territories.

## The "Secure by Default" Approach

The solution lies in "secure by default" products. We shouldn't expect users to understand the problem; instead, provide them with solutions that work without requiring deep technical knowledge.

## Financial Challenges

The critical question is: who pays for these solutions? NGOs often can't afford market rates. Similarly, SMBs struggle to justify the cost when they can't articulate the problem due to unclear existing processes. Many don't want education; they want solutions that don't require additional thought.

## Business Realities and Security Priorities

Most businesses don't prioritize security because:

1. They don't see it as essential for profit margins.

2. There's often a lack of incentive to change.

3. Plausible deniability exists until they're made aware of issues.

4. The cost-benefit analysis often favors inaction (cost of security > perceived cost of a breach).

## Root Causes of the Security Problem

I believe the current situation stems from:

1. Lack of secure-by-default solutions

2. Unrealistic expectations for business owners/operators to become security experts

3. Fundamentally flawed business processes ("building houses on sand")

## A Path Forward

For those targeting SMBs with security solutions, I recommend focusing on scalable solutions that improve business efficiency and communication while being secure by default. This approach is more likely to have a significant impact than targeting businesses individually for security improvements.

Ultimately, you can't prevent every security breach, but you can create systems that identify potential threats and mitigate damage. However, businesses won't invest in such solutions unless required by regulations. Therefore, the key is to develop products that are inherently secure while providing broader business value. That is nothing new and has been elaborated on at length on this blog before.

The rewrite lost some of the message, but the gist is the same. I’ve spent a lot of time thinking about this problem and how to solve it: https://github.com/rmusser01/Infosec_Reference

That is my attempt at making a difference: publicizing and making available a baseline of techniques and knowledge (more in depth than ATT&CK) for anyone and everyone globally, for free. It has had an impact, and I have been told so by industry professionals as well as foreign (to me) governments. So I'm not saying it's all doom and gloom, but it's not some 'aha!' problem that can be solved by any single product; existing business processes are the blocker.

Sep 8 · Liked by Ross Haleliuk

crowd has a pro bono program for non-profits and NGOs that includes the solid full products and services; it's not some bargain bin BS. It's been around for many years. I think it's reasonable to ask the bigger vendors to do their part keeping Doctors Without Borders (I have no idea if they are part of our program, just an example of an org I would hope our industry isn't trying to profit on).

PS: no bully pls


This is an interesting take. Refreshing to see this being discussed.

Sharing what I have seen building Kloudle. We started as a CSPM for the mid-market and pivoted to being a cloud security scanner with a self-service, product-led motion and a price point of $30 to start with.

At Kloudle, we pivoted to building for the world outside of the large mid-market mainly because we saw abysmal product usage in our free trials. Serving teams that don't have dedicated security resources meant stepping back from trying to build a cloud security product the way analysts think it should be built. By a process of feature elimination we arrived at the simplest way small dev teams and solo devs are willing to consume cloud security. They basically wanted a scanner: easier to use than manually installing open-source ones, and definitely with a lot of guidance around how to fix and when it is okay not to fix.

Changing our ideal user persona meant that we couldn't sell through a sales-led motion. Our users aren't aware of the movement away from long-lived AWS access keys, and most of them have never heard of what we consider our competition! They don't care and never want to subscribe. It has to be a pay-as-you-go model.

MSSPs don't work with us because cloud security is fairly new and very brand driven. Most MSSPs ask us to invest in marketing for them before they will even consider mentioning us to their existing customers.

Most end customers who consume cloud security through MSSPs are pretty aspirational and are aware of all the keywords from Gartner presentations. :)

Our biggest challenge is finding a platform where all SMBs hang out. Unfortunately, there is none. So even though our price point is low and the sales cycle is days instead of weeks/months, our CAC is still high, as we need to go broad to reach problem-aware folks.

Would love to see more information about what kind of capital we can tap, as VCs are absolutely not interested when we tell them who we sell to.
