
The real dilemmas of cybersecurity startup ideation, discovery, and validation

Over the past several months, as I was working to flesh out the problem space my co-founder and I are going after, and the specific problem we are looking to solve, I spent a lot of time going through startup ideation, discovery, and validation. On this journey, I learned several things that I think will be helpful for other founders. In this piece, I am going to share some of these learnings.

Specifically, I am discussing dilemmas with cybersecurity startup ideation, discovery, and validation.





First, some background

In December last year, I wrote an article titled “Let’s have an honest conversation about the state of cybersecurity”. In that piece, I explained several fundamental truths of our industry. Before we dive into the dilemmas with startup ideation, it’s very helpful to discuss a few ideas I covered in that article because they are foundational for what we’re going to be talking about here.

We like to repeat a blanket statement that security should be a top priority for every organization, but the reality is that it’s objectively not equally important for all kinds of companies. For example,

  • For companies in highly regulated industries such as insurance and financial services, being able to meet compliance requirements is quite literally an existential problem. If they cannot prove to the auditors that they are compliant, they might not be allowed to stay in business. This is a huge deal.

  • For companies in the technology sector, security and compliance are critical sales enablement instruments. This makes sense since tech companies need to make sure customers are comfortable sharing their data or embedding the companies’ software into their organizations. To them, cybersecurity is a

  • ...
Read full article on Venture in Security →