Post Incubation: Part one

A brief recap of my past 12 weeks at District 3

One of the things I learned in the last few months of doing discovery conversations was that most people I would talk to have no idea what an incubator is or what a discovery conversation is.

Incubators in this context are referring to a startup incubator. In my own words it's a group that nurtures people with a business idea into a financially sustainable one, but here's the official definition:

A startup incubator is an organization that supports early-stage 
companies by providing resources such as mentorship, office space, 
and access to funding. 

This matches my experience, except I did not find incubators that were providing access to funding. If anything, some institutions will now ask for a fee to join their incubator program. Other founders I spoke with remember when incubators were giving out financing in exchange for equity. Fortunately, the incubator I was accepted to, District 3, did none of that. They offered workshops, weekly coach meetings, and a well-maintained business casual co-working space with a prototyping lab.

The laser cutter in their lab was particularly fun to have totally work-related purposes with.

Going back to the incubator and why I was doing discovery conversations with random people I didn't know. Discovery conversations are effectively are open ended conversations. They're designed to be less formal than an interview and aren't as structured (if at all). The idea is to make them comfortable and get to know them a little bit before asking them open questions. So for weeks I got to know more about people in my area before asking them things like:

Can you tell me about the last time you got a suspicious message?

Why did you think it was suspicious?

How did it make you feel? How did you solve it?

Can you recommend anyone else I should talk to about these types of messages?

There's more to it, but that's the gist of how discovery conversations go. Afterwards, you spend more time processing all of that into data. The social validation program goal is to do 100 by the end of the 12 weeks. These conversations provide you with quotes to build your story that you'll use in your pitch(es). The data you process from those conversations is there to validate your hypotheses. These insights should be transcribed into your responsible business model canvas. Our coaches recommend starting with the customer and their problem, and once you've done enough of these discovery conversations you should:

Know who your ideal customer is
Know what their BIGGEST problem is

What I found fairly early in my discovery conversations with the small business owners & non-profits in my city is that their biggest problems are not remotely cybersecurity related. A few of the businesses I spoke with had even dealt with scams or breaches in the past, but ultimately their top priorites are on making enough revenue to keep their doors next year.

To summarize this sentiment in one quote, "I work with non-profits like Animals [full name redacted for privacy], and they don't have security on the radar. All of their budget goes into vaccines for dogs. It's a prioritization issue."

After 23 conversations where not even one person mentioned email-based slop or scams organically, I lost confidence in my assumptions. Asking money from them to solve a minor problem seemed counterproductive to me halfway through the program. I was feeling pretty down about the project, but the District 3 coaches were there to help remind me:

invalidation is part of the validation process

It was clear I needed to pivot while still staying true to the values of what set me out to go about this venture in the first place. If you've read my previous works, you can infer I'm not in love with the state of the for-profit cybersecurity industry. By design, these billion dollar enterprises do not help the people that need it most, they help those they can charge the most. I wanted to break this design pattern by helping the most cyberfragile. That was the idea behind the Community Cyber Centre.

The one thing that came up from business owners that was even remotely cybersecurity related was a recently updated local privacy law that impacts most businesses in Quebec. What I found in my research was that even massive companies fail to comply with the law as written. One law firms I spoke with estimated that 40% of businesses are compliant with Quebec privacy laws. And yet... somehow a shelter that barely pays its own staff is somehow magically going to read, understand, and implement all 100+ provisions of this law.

Most businesses that I spoke with were not were even aware of these data privacy obligations and most of them didn't care until I mentioned the fines. Some still don't care. They believe they are too small to be considered a target of these fines. I hope they're right, but I'm not convinced it will always be this way so I started to pivot into another solution that addresses this problem.

From my discovery conversations with IT consultants Ludic of Hermit Tech and Jodie Miners from The Detail Department who have both spoken to a lot more businesses than I have over their careers, there is a least one recurring theme that I didn't connect right away.

Not exactly in their words, but the sentiments they shared made sense: business owners (of all sizes) don't really care about governance/cybersecurity, they just want a box to check.

"I'll take one security please", I can still remember Jodie's arm making a little check motion and the tone she used to describe this wishful thinking.

My approach was, why not meet these folks where they are? Let's give them a box to check that will give them hardware & knowledge to protect themselves at a price they can afford & understand.

The revenue model is being hardware reseller & educational materials provider, which the latter are conveniently exempt from tariffs. As an example, "First Time Business Owner" starter box for the small office home office (SOHO) would include:

1. A Ubiquiti/MikroTik router with printed instructions for defensive network setup & applying maintenance updates
2. Two MFA devices (Yubikey/Signet) with printed instructions on how to set up with your professional email
3. One external encased HDD and printed instructions on how to set up and maintain backups
4. Calendar with very professional security reminders ("No matter how handsome, don't pay the ransom", "Back that thing up... offsite and offline")
5. Printed copy of your applicable local privacy laws (ex: PIPEDA, GDPR, CDPR, Essential 8)
6. Coupon for free hour consultation for setup & best practices
7. Data Breach Officer "DaBreachy" squishable figurine to absorb sentiments

Now the question I was facing was, who would want this? Not just to buy it, but who else would benefit from this existing?

Finding the right stakeholders

One of the things that separated District 3 from other incubators was that they ask us to consider who would your business impact? They ask us to consider both the positive and the negative.

The negative impact exercise clearly wasn't for everyone in my cohort, but I found channeling my inner Kendrick Lamar and hating on my own business idea to be therapeutic.

Even hosting your services in a part of the world with 99%+ renewables, like Quebec, you will still have some negative impact. Those servers you're running your services on need silicon, lithium, cobalt, and labor are not sourced locally, sustainably, or ethically. The best you can do is be mindful, consider & limit your impact, before provisioning new servers.

On the positive side, I was able to find lots of stakeholders that would be delighted to see me no longer writing Our Daily Breach. Let's start with this group you might have heard of called the United Nations.

All 193 members of the UN agreed to the Sustainable Development Goals (UN SDG), which are 17 problems that we (collectively) need to address by 2030.

To track their goals, the SDGs have target indicators, like this one for Goal 16 (Peace & Justice).

"16.4: By 2030, significantly reduce illicit financial and arms flows, strengthen the recovery and return of stolen assets and combat all forms of organized crime".

Hey North America, how are we doing on that reducing illicit financial arms flows thing we all agreed to?

WELL since you asked, in 2024, Canadians lost $645M last year and it is trending up year over year.

According to the FBI's Internet Crime Complaint Center (IC3), in the past 5 years, Americans went from losing $4.4B annually in 2020 to $16.6B reported lost in 2024.

Then there's that whole thing about Facebook making 10% of its revenue from scams, some part of me is screaming internally that... yeah we're gonna get hit that goal in the next 4 years.

I wasn't so delusional in thinking I'd be getting help from the UN or the CAFC as a brand new startup, so I had to think a bit more locally.

What I found in my own city was a rich ecosystem of 30 cybersecurity service providers who have had a hard time reaching finding new clients, especially the smaller businesses. The vendors I spoke with all mentioned that it doesn't make as much financial sense for them to to pursue anything except enterprise level clients.

By the time I put all this data together, I was less than 3 weeks away from my final pitch. This idea was so radically different from where I started and I could feel it still needed more data to collect. I talked to my coaches about dropping the program to focus on this, but they insisted I had data and needed to present something. I would never end up presenting the Good Goverance Bundle, but what I did end up presenting was better than I anticipated.

To be continued...