We recently lost a deal that taught us something about how we'd been thinking about our product. This is an attempt to make sense of it.
What We Missed
The prospect had an ISO 27001 certificate, maintained through spreadsheets, consultants, and annual panic. They knew their current approach was inefficient. They could see the value in what we were offering. They said no anyway.
The reason wasn't that they doubted the value. It was that they couldn't justify the risk. Their current solution, however clunky, was a known quantity. Switching meant switching to something unproven. What if the transition disrupted their next audit? What if the efficiencies we promised didn't materialise?
From their perspective, staying with the inefficient thing they understood was the rational choice.
At first, this felt like a communication problem. We hadn't explained the value clearly enough. But sitting with it longer, I think we were asking the wrong thing entirely. We were asking them to commit to a cathedral when they hadn't even seen us build a wall.
What It Made Us Reconsider
We've recently started experimenting with building in public: sharing what we're working on, getting feedback, letting audience response shape what we build next. And thinking about this lost deal, something clicked.
If we're building one tool at a time and validating each one publicly, we don't need to sell the full system upfront. We can let the components prove themselves individually. Over time, they add up to something comprehensive. But the trust gets built along the way, not assumed at the start.
There's something else in this approach that I think matters more. When you build in public, you're forced to build what people actually need. Not what a framework says they should have. Not what looks good in a compliance audit. What they're genuinely missing.
That changes what the tools become. A risk assessment that gets validated by the people who'll use it is different from one designed to satisfy an auditor. It's more likely to be something teams actually reach for, not something that sits in a folder until certification season.
This is the shift I keep coming back to: compliance that gets used versus compliance that gets performed. If each component earns its place by being genuinely useful, the system that emerges might actually transform how organisations think about security. Not because we sold them a vision, but because each piece proved its worth.
The components of an information security management system (ISMS) have different value profiles. A risk assessment tool can prove its worth in a single use. Run it once, see whether the output is useful. The stakes are low. The feedback is immediate.
A full ISMS platform is different. You won't know if it works until you've migrated your documentation, trained your team, and survived an audit. That takes months. No wonder our prospect hesitated.
What We're Trying Now
The prospect who said no to our full platform might have said yes to something smaller. And if that smaller thing worked, they might have asked what else we could do.
That's the shift we're exploring: start with components that can prove themselves quickly. Let people experience value before asking for commitment. Earn the right to expand.
I don't know yet if this is the right move for us. But it feels closer to how trust actually gets built. Not through promises, but through small demonstrations. Not through comprehensive visions, but through one thing that works, then another.
If it works, the sales conversation might change. Instead of convincing prospects to take a leap of faith, we'd be responding to people who already know the work is good.
That's the business I'd rather be in. We're not there yet. But losing that deal pointed us somewhere worth exploring.