Where does cyber information directly lead to positive ROI?
Two notable examples are:
- Cyber training
- Penetration testing
In the former, you can say "spend money/time on this cyber training and you will get more $$$ at your job." The key thing to note is that this is mainly targeted at individuals or academia. Once in a job, there is limited ROI for a company to spend money on training security employees. This comes back to the same problem in part 1 of "paying to avoid a breach," and there is an upper limit on how much the company can "save" on this. Of course they could also go to market and hire someone with those skills. For people outside of a desired job, the upper limit on what they will spend is however much more they can make at a new job. Someone will eagerly spend $1,000 for a $10,000/year salary increase, but asking someone to spend $5000 to [maybe] get $5000/year more is a tough sell.
In the realm of penetration testers (or their dark brethren, cybercriminals), there is a direct ROI: learning more hacking skills = more capability to breach and thus more payment. This group is the most motivated because their job is influence. Having a higher influence energy level means more money. The entry-level training market for people going down this path already has reputable companies like hackthebox, tryhackme, and Offensive Security. There is potentially an option to offer crypto-payment, pseudonym-based training, but then you run into ethical boundaries: it is hard to show you are not helping threat actors, who are unlikely to want to put their name on a PO.
Where does that leave a cybersecurity entrepreneur? Offering services to smaller companies (SE1-2), but these are the ones with the smallest budgets and the least desire to do any cybersecurity. They simply want to buy a product like cyber insurance, do whatever it requires, and know that they are covered if a breach happens. Larger organizations in the SE3-4 range have more need for cybersecurity, but it must be tailored to their environment. This is ripe for consulting as a service, and many opportunities exist for those willing to carve out a niche. The downside here is that the level of per-customer tailoring prevents true scalability. In fact, the very service you are offering is the tailoring to each customer, since public security guidance is sound and often misapplied.
The most scalable entrepreneurial opportunity appears to be the insurance space, particularly at the low end for <10MM/year businesses. Giving them a clear set of guidelines, or better yet a fully automated assessment, to be eligible for cyber insurance and know they are protected against IE1-2 threats is a compelling option. This is something I will continue to write about in 2025.