The Business Value of Cybersecurity
I have been thinking for the best part of this year about building a business and what is needed in order to achieve it.
I am also currently doing a master's degree in cybersecurity and have been thinking about how this area of expertise can be sold, or is being sold.
This week I escaped the normal bounds of my routine to attend a small conference in my city about cybersecurity and AI, from which I got some insights I might as well share.
Let’s get ourselves a cup of cold latte and dive in.
Understanding business
One of the insights I have reached about the economy is that a business is really a fractal network of interfaces between systems and between different kinds of people with a variety of skills and worldviews, built to enable large-scale collaboration.
It is the way you get a mildly autistic programmer slightly obsessed with operating systems and network protocols and redirect his efforts towards some outcome that is, hopefully, valued by the manifestations of collective needs and wants which we call a market.
Your manager, the sales team, the product development team, the CEO bullshitting his way over the new hype cycle to get other people's money and the accountant's discipline to keep track of it, all of them do their part in this machinery and, through a series of tasks and activities, achieve an outcome that results in a sale, because someone decided that whatever they are doing is worth their hard-earned (or freshly printed) money.
A business and a role within a business is an interface between different aspects of reality.
The technical people at IT conferences always give a lot of shit to business people regarding the way they present themselves and the topics they cover.
As I understand it, the reason is that technical people and engineers are focused on the hard rules and possibilities of the systems we operate in, because we are always looking to ground ourselves in strong fundamental principles or frameworks.
The understanding and leverage of these principles with precision is what makes great engineers.
The sales process on the other hand at best pretends to bridge the psychological needs of consumers to an existing product or service offering and at worst might be plain manipulation with extra steps.
As we get further from nature into the depths of our advanced civilization, we begin to interact more and more with abstract constructs running in the minds of the individuals of a society, called the noosphere, which need to be understood and navigated.
Sales is the mother of all soft skills, if you will: it is the set of principles for interacting with your fellow human beings to get what you want from them, usually through negotiation.
I make it sound like some kind of mathematical construct, but the problem is that human beings are in most cases irrational and pretty lax in most of the reasoning they execute.
Human psychology mostly relies on a bunch of life hacks and heuristics from the ice age; the only reason we are able to operate in modern societies is higher-level interfaces and technologies such as language, mathematics and corrective strategies for our own individual flaws.
This is the place in which people that do sales and marketing need to operate.
Sense making in a complex world
The next thing to understand is that there are essentially two ways to get knowledge about reality, or to execute some level of sense-making, in order to operate in the world.
First, you find something out by yourself using first principles thinking, which means backtracking your way to the most axiomatic principles you can find about a certain area of study and derive through logic its implications.
However, most of our knowledge comes from the second way of understanding reality, which is via proxy, meaning that we know something because we read it somewhere or someone told us.
This is what parents and culture present to us.
When we accept this second type of knowledge, we are making an assessment about the trustworthiness or the reliability of this information through a variety of mental processes, heuristics and gut feelings.
And over time, we put this knowledge to the test.
My point is that this process of knowledge discovery is parallel to the process of discovering new interfaces to interact with reality, such as tools, techniques or businesses.
Something becomes true and useful, and thus contains intrinsic value, when you can trust it and rely on it.
And if it is valuable, people will pay for it.
Understanding trust
Anyone that has survived a toxic relationship or had to deal with pathological liars will understand that trust and the feeling of safety is a property that cannot be easily restored.
In my experiences as a freelancer I learned that trust was the key factor in any deal.
On the freelancer’s part, the perspective of payment is a precondition for delivery and on the client’s side the perspective of delivery is a precondition for payment.
The assumption that you will get paid or that the work will be delivered is absolutely dependent on trust.
When buying groceries in a supermarket, you are operating on the assumption that they meet quality standards which assure you that you will not get poisoned, standards which in the EU are regulated by law.
In Europe we had to deal with widespread adulteration during the nineteenth and twentieth centuries until we realised the need to regulate the food supply chain.
Probably security in software needs to go through a similar transition.
The point is that effective collaboration in a highly advanced society strongly requires a high level of trust between its members.
Trust is key in order to successfully operate with others.
Understanding reliability
Reliability is nothing more than the property related to the level of trust we have in the capabilities of a system to achieve its purpose upon repeated operation.
The more stochastic or probabilistic the outcome of a system is, the less reliable it is as a tool and the less trust we put in it.
We use the tools we have at our disposal because of their outcomes.
You want your car to be available when you need it to go where you need to go.
You want your bank account to be able to execute and receive payments and not to have hidden costs or implications you are unaware of.
Having access to reliable tools and systems intrinsically gives us a general sense of security and safety, from which we can make assumptions and operate with a high degree of autonomy and sovereignty.
The value of this property is straightforward.
The value of cybersecurity
In the world of technology, one of the core fundamentals of information security is that three properties must be maintained.
This is called the CIA triad.
- Confidentiality: Your secrets are not disclosed.
- Integrity: You are not being lied to.
- Availability: You have access to something when you need it.
These properties, among others that we will not get into in this article, are what allow us to trust something.
The point I am trying to bring across is that the value of cybersecurity is the automatic verification of these properties through a series of mechanisms whose root lies not in some authority but in the strength of mathematics and formally available proofs.
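To make the integrity point concrete, here is an added example (not from the original article) of a message authentication code: whoever holds the key can check, by arithmetic alone, that a message was not altered and was produced by another key holder. The key and the messages are constructed for the example; HMAC-SHA256 is a standard construction, not something specific to this article.

```python
import hashlib
import hmac
import secrets

# Added illustration of the Integrity property: the check is a computation
# over a shared secret key, not a request to an authority.
# Key and messages below are constructed for this example.


def make_key() -> bytes:
    """Fresh 256-bit random key (constructed for the example)."""
    return secrets.token_bytes(32)


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, mac: bytes) -> bool:
    """True only if the tag matches the message under this key.

    compare_digest runs in constant time: a plain == comparison would leak,
    through timing, how many leading bytes of a forged tag were right.
    """
    return hmac.compare_digest(tag(key, message), mac)


def demo() -> dict:
    """Genuine message verifies; a one-byte edit or a different key does not."""
    key = make_key()
    order = b"transfer 100 EUR to account 42"
    mac = tag(key, order)
    tampered = b"transfer 100 EUR to account 43"  # one digit changed in transit
    return {
        "genuine": verify(key, order, mac),
        "tampered": verify(key, tampered, mac),
        "wrong_key": verify(make_key(), order, mac),
    }


if __name__ == "__main__":
    print(demo())
```

The tag says nothing about confidentiality (the order is sent in the clear) and only proves "someone with the key produced this"; for a statement that does not rely on a shared secret between the two parties you move to digital signatures, which is the same idea with asymmetric keys.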
The utopian promise of blockchain some years ago was to precisely build a new world that could implement this concept.
Blockchain was not going to make you rich because some shitcoin would go to the moon, but because it would enable business relationships that were previously impossible due to the lack of trust and reliability between systems and partners, especially in the context of international transactions over the Internet in a globalized world.
Going back to more practical terms, most cybersecurity businesses on the defensive side I have come across seem to focus on two key areas:
- Risk reduction or fearmongering
- Quality control of digital systems
Both of those points of view are valid but seem rather limited in their reach and possibilities.
What I want to bring to the light is the fact that this area can be sold on the basis of the new possibilities and unrealized potential it is able to unlock in combination with different technologies.
For example, without the adoption of HTTPS, which provides guarantees of confidentiality, integrity and server authenticity for information transmitted over the Internet, higher-level use cases for web 2.0 such as online commerce would have been impossible to implement.
Another example is the seamless management of identity using protocols such as OAuth 2.0 (strictly an authorization protocol) and OpenID Connect, which adds authentication on top of it; together they let a user sign in to different applications with a single identity.
I commented in a previous article that unreliable AI is what limits its potential, because we cannot trust it, either because it is an unreliable tool or because it might develop a conflict of interest with its operator in the most sci-fi-like scenario.
A threat regarding LLMs that is currently occurring in organizations is that an LLM trained on private data, or with RAG access to private data, may disclose it to the wrong party given the right prompt.
This could be solved with additional access control mechanisms that segment the information those LLMs can access, in the same way as the permissions in a directory tree. The caveat is where the check lives: data that was baked into the model's weights through training cannot be segmented after the fact, so the control has to sit in the retrieval layer, filtering documents by the requesting user's permissions before they ever reach the prompt, rather than in instructions to the model itself, which a prompt can override.
OWASP has released the OWASP Top 10 for LLM Applications, which you might find interesting.
Those are only some examples of how good cybersecurity is able to unblock additional features.
I think that one of the most important problems to solve is the efficient alignment of cybersecurity and business operations, minimizing the cost of security implementations.
Today this manifests in large amounts of bureaucracy and operational friction in organizations and systems.
It is the main reason why startups in Silicon Valley leave security out of the picture until they begin to break apart or get broken into.
The most elegant solution to this problem would be finding a way to select the most efficient configuration for operations that are also able to satisfy all security requirements.
This is the promise of frictionless and intuitive security.
Although the statement seems simple, formalizing such requirements in such a complex environment, with so many people and such a large variety of technologies and cultures, makes a complete implementation challenging and, for the most cynical among us, simply impossible.
This is probably why the place in which most value can be extracted from cybersecurity might be the attacker's side, especially as the world keeps advancing towards a lack of trust in institutions, governments and, more generally, between each other.
These are the other kinds of cybersecurity businesses, in alignment with the army and the security establishment.
The other side of collaboration is competition, which in the case of cybersecurity manifests in backdoors, trickery, espionage and more.
All of them have been among us since the dawn of time and have been democratized through the availability of computer systems.
Probably the value of cybersecurity at the high level lies on profiting from the hacking of vulnerable systems in order to later benefit again from making them stronger, and thus forcing civilization to take itself seriously and towards higher levels of trust.
Conclusion
Trust and reliability might be the most attractive properties that cybersecurity can provide from a business perspective.
We will undoubtedly continue to explore these topics on future articles.