There Is No Anti-Ransomware Market
I advise a lot of cybersecurity companies. I have had to lecture so many recent startups on this topic that I thought it would be valuable to write my points down. Developing and selling an anti-ransomware solution is a strategy doomed to failure.
If you obsessively follow the startup community on Reddit and YouTube—as I do—you will have heard the advice to “find a problem and fix it.” It is understandable that so many startups identify ransomware as a problem worth fixing. It is in the news every single day.
Here are the reasons you will not succeed with an anti-ransomware solution.
There is already a solution to the problem. There are 3,254 cybersecurity solutions and tens of thousands of service providers and consultants in an industry that has been around for 28+ years. Organizations that have invested wisely in security don’t appear in the headlines for outages due to ransomware. The 3,253 other cybersecurity vendors have already failed to sell to the organizations that get hit by ransomware. What makes you so special that you can overcome the buying issues?
There is no identifiable buyer for anti-ransomware. Think about it. The schools, counties, government agencies, and printing plants that are devastated by ransomware self-identify as having no mature IT systems. You never see an article that XYZ experienced a two-hour outage as they restored all their data from backup. If you tried to sell your quantum-safe encryption, or data-diode airgap, or moving target defense solution to one of these, who would you even call? They don’t have a security team. How are you going to explain your solution to the plant manager, the board of education, or the CEO?
There is an industry that is much more mature than cybersecurity that has already failed to sell to these organizations: the data backup and recovery business. It includes Veritas, EMC, Acronis, Qumulo, IBM, and Quest, to name a few. They have been at this business for decades. Backup and recovery are table stakes for IT operations. If they cannot sell their solutions to schools, manufacturers, counties, and pipeline operators, how are you going to?
What about “ambulance chasing?” The CEO/board/plant manager is sure to buy an anti-ransomware solution after a near-death experience. It’s too late. The IR (incident response) firm that they brought in is already there. They have sold them an EDR solution and brought in their MSSP partner to bring the victim into the 21st century.
If you truly have a great new technology, search for a different use case than ransomware. Can you stop zero-days? Your airgap firewall is impenetrable? Your AI can detect attacks earlier? Find the organizations that already understand that they have a problem: all the big banks, every member of the defense industrial base, the 17+ US spy agencies, and hundreds of large technology companies. Anti-ransomware is not the hill you want to die on.