
Many security pitches end in a polite "no" because of a fundamental mismatch in expectations. The founder and the practitioner are often speaking two different languages, despite looking at the same problem.

I call this the Security Bandwidth Gap.

When this gap exists, vendors and potential customers become ships in the night, passing each other in the dark, unaware of why they aren’t connecting.

The Hierarchy of Security Attention

To better understand the bandwidth gap, we first need to understand how attention works in security teams.

Attention is a finite and non-renewable resource in security land. The Security Bandwidth Gap is about a team’s physical capacity to support and care about specific cybersecurity problems.

We can visualize this as a sort of pyramid of needs.


This isn't meant to be a Capability Maturity Model (CMM) for improving a program’s maturity, but rather a map of what a team is physically capable of supporting at its current stage.

  1. The Base (Basics): Visibility and control. Cloud posture, Identity (IAM), Endpoint, and Email security. If you don't know what you have or who is accessing it, nothing else matters.

  2. The Middle (Operationalization): Vulnerability management, AppSec, basic logging and monitoring in some kind of SIEM, and incident response processes and procedures. This is where the security team spends 90% of their time. This area is the hardest part of the job, and this is essentially “Survival Mode.”

  3. The Apex (Specialization): UEBA, Insider Threat, Detection Engineering, Threat Hunting, and more. These are high-signal and high-value, but require massive amounts of context, process, technology, and people to run.

These are all examples, and not exhaustive, of course, but you can get the gist.

The friction, and the “ships in the night” effect, occurs when a company pitches an “Apex” solution to a team still building the “Base” and part of “The Middle.” A practitioner is looking at the fire(s) in front of them, and the founder is looking at a horizon that the practitioner may be unable to see. They are separated by a Bandwidth Gap that technology alone cannot bridge.

Consider Insider Threat or User Entity Behavior Analytics (UEBA) as examples. For a global bank with a dedicated Insider Risk department and a SOC, this is a top-tier priority. For a 200-person, tech-focused scale-up, it’s a "backlog" and a “maybe some day” only if a large enough customer demands it.

For security teams that are lower on the Hierarchy of Security Attention, they don’t have the bandwidth to care about behavioral anomalies. It’s not that they don’t care about rogue employees, it’s that they are still working through the basics of provisioning and de-provisioning. They have process issues, basic technologies, and sometimes other people they’re still fighting against. What practitioners want when they’re at this stage is a way to get out from underneath the noise, not add a new category of alerts they don't have the headcount to investigate.

To the practitioner, that cool, new startup’s pitch sounds a lot more like noise than an answer. To the founder, it feels like the practitioners just don’t “get it.” In short, frustration all around.

The Cost of Assumptions

Another compounding factor in this mismatch is the cost of assumptions.

These assumptions can take various forms, but most often appear as Infrastructure Tax and Organizational Tax, and can widen the Security Bandwidth Gap.

The Infrastructure Tax is when a company assumes its ideal customer has a specific tech stack that their product can work flawlessly within. Founders often fail to appreciate what must be "true" within a company before their platform can even be deployed.

It is the unspoken assumption that "you must be this tall to ride the ride."

If your solution requires a lot of other technology and cybersecurity to already be in place, what you are really selling is the work required to get there. For a team in survival mode, this looks like a six-to-twelve-month technical and process cleanup project before they can even see value. These teams simply don’t have the bandwidth to execute on that.

Beyond the technical setup, practitioners calculate a second, silent cost called the Organizational Tax. This is the amount of political and social capital required to get buy-in from the rest of the company when bringing something in-house. If a security tool requires the Engineering team to change their workflow or HR to adjust their habits, the practitioner has to spend their limited influence to make it happen.

Security teams have to do an internal math equation to see if the juice is worth the squeeze, and it looks something like this:

This can give you a rough estimate of the velocity and the value of what you’re looking at. If the "speed" and “value” aren’t worth the combined friction of the taxes, the project is a non-starter. The political and technical overhead is just too much to bear.

The AI Variable

You might now be asking if AI helps or hurts this equation. This depends on the AI Agency of the company itself.

AI Agency is the freedom, support, and mandate an organization has to use AI to enhance or replace the traditional organizational constructs. Right now, companies are falling into two buckets:

  1. High Agency Orgs: These organizations use AI to pay down their infrastructure tax and are generally more accepting of ideas that leverage AI to circumvent, enhance, or replace existing technologies and processes in the name of forward progress.

  2. Low Agency Orgs: These organizations still see AI as something that must be strictly controlled or blocked. AI does not get them around extended risk reviews and legal hurdles.

There’s a caveat here, however. Different parts of an organization will be at different phases of agency, and this again can create barriers for security teams trying to move up the pyramid.

The future is already here, it’s just not evenly distributed. Discovering where companies are on this journey will help both sides know what they’re in for.

Thank you for reading! If you liked this post, please share it with your friends, colleagues, and anyone interested in the cybersecurity market.
