What you'll learn
The "first security hire" role is structurally different from any later CISO role — and most founders are hiring against the wrong job description.
The cybersecurity economy is a five-pillar system — investment, government, regulation, labor, and community — and pulling on any one without understanding the others produces predictable failure modes.
AI security funding has roughly tripled inside a single year and is on track to surpass the prior year before half the year is over — but the underlying category is reorganizing into "AI for security," "security for AI," and "security from AI" sub-markets.
Description
Mike Privette is the cybersecurity economist behind Return on Security and the practitioner most consistently mapping the funding rounds, M&A activity, and structural patterns that define the industry as a market. This is his first Zero Signal appearance, and the conversation works through three substantive threads: what it actually means to be the first security hire at a company, the five-pillar framing he uses to make sense of the cybersecurity economy as a system rather than a list of headlines, and where AI security investment is heading as the category reorganizes around the work it's actually doing.
The opening segment on the first security hire is the operating-experience material every founder considering their first CISO and every aspiring first-security-hire candidate should read. Mike was the first security hire at a US fintech for a couple of years, and the gap between what founders typically expect from the role and what the role actually requires is the source of most of the trial and error he's seen across his consulting work. The job is structurally a swing between very low-level technical work and very high-level board persuasion — and most founders write the job description for one of those two halves without realizing the other half exists.
The cybersecurity economy framing is the conceptual frame Mike's built Return on Security around. The five pillars — investment activity, government posture and national defense, business and regulatory landscape by region, labor market dynamics, and the community layer of conferences, podcasts, and informal networks — are tightly coupled. The investment data alone doesn't tell you the story. The regulatory delta between regions explains why some markets attract startups and others don't. The labor market dynamics explain why the M&A activity looks the way it does. The community layer is where talent finds opportunity and where ideas crystallize into companies. The CISOs and founders who treat any one pillar in isolation are missing the system. The ones who pattern-match across the five are the ones who see what's coming.
What we cover
"the first security hire" — what it actually means, what it doesn't, and where founders most often get the job description wrong
"what is true regardless of you being there" — Mike's working framework for setting the security roadmap from customer and regulatory expectations
"the cybersecurity economy as a five-pillar system" — investment, government, regulation, labor, community, and how they interact
"AI for security vs security for AI vs security from AI" — the segmentation that's emerging as the category reorganizes
"the AI red teaming explosion" — and why pen-testing an AI app is structurally different from pen-testing a web app
"the AI governance role" — what it is, what it isn't, and the privacy-team historical parallel
"all value accrues to Microsoft" — Mike's entropy-of-the-universe framing for the long-run platform consolidation
"the biggest or the niche-est" — Mike's content-and-business framing for why "medium" doesn't survive
Thank you to our Sponsors:
Hampton North is the premier US-based cybersecurity search firm. Start building your security team with Hampton North
Sysdig is the leader in AI-powered real-time cloud defense; stop watching and start defending
The conversation
What being the first security hire actually means
Mike's BSides SF talk on the first security hire was the source material for the opening segment, and the operating insight is sharper than the typical "wear many hats" framing. The role requires a daily swing between very low-level technical detail — DevOps, AppSec engineering, infrastructure config — and very high-level board persuasion, often within the same day. Most first-time security leaders are good at one of those two halves and hit the seams hard the first time the other one is required. Most founders write the job description against one half and are surprised when the other half gets neglected.
The framework Mike uses to set the roadmap is the most exportable part of the talk: focus on what's true regardless of you being there. Customer expectations are true. Regulatory obligations are true. The "must be this tall to ride the ride" enterprise-customer requirements are true. None of these care whether you've raised seed or Series C. Back the roadmap into those non-negotiables, and the work prioritizes itself. The trap is treating security as an open-ended exercise in best practices when the actual job is delivering the specific subset that closes contracts and avoids regulatory hits. The first security hire who internalizes this is going to outperform the one who tries to build a 200-person SOC at a 30-person company.
The level-setting conversation with founders is the other piece every aspiring first security hire should rehearse. Founders often expect a unicorn — someone who can write Terraform, ship Python, present to the board monthly, and respond to incidents at 3 AM. The honest framing Mike encourages early is that "security cannot be just me and a laptop blasting away running scripts" — and getting that conversation done before the offer signs prevents most of the misalignment that breaks the role within 18 months.
The cybersecurity economy as a five-pillar system
Mike's most exportable conceptual contribution is the five-pillar framing of the cybersecurity economy. The pillars are investment activity (funding rounds, M&A, exits), government posture (national defense, federal cyber programs, threat intelligence sharing), business and regulatory landscape (the requirements to do business in a given region from privacy and cyber compliance perspectives), labor market dynamics (people working in cyber and people doing cyber jobs at non-cyber companies), and the community layer (conferences, podcasts, local meetups, informal Slack and WhatsApp networks). The pillars are tightly coupled. The output is increased defense capability writ large. Pull on any pillar without understanding the others and the system produces predictable failure modes — overregulation, talent flight, missing community formation, capital concentration.
The geography example is the cleanest illustration of the system at work. Regions with strong investment but weak community don't produce founders at scale. Regions with strong regulatory protection but weak investment overregulate to compensate and lose the next generation of innovation to other geographies. The US has all five pillars and dominates global cyber capital — but the unbridled-capitalism trade-offs are real, and the European model with its different pillar weights produces different outcomes that aren't inherently worse, just different. CISOs and founders who pattern-match across the five pillars when reading market signals see what's coming. The ones who only watch the M&A leaderboard are working off one-fifth of the data.
AI security funding has tripled in a year — and the category is reorganizing
The investment data Mike walked through is the signal worth tracking. Two years ago, AI security was less than half a percent of total cybersecurity funding. The next year it more than doubled. This year it's tripled again, and total funding had already nearly surpassed the prior year before the half-year mark. The directional signal is unambiguous — capital is flooding into AI security at scale, and the pace is accelerating.
The category is reorganizing as it grows. The first wave was generic "AI security" companies that were undifferentiated. The second wave was the segmentation Mike now uses operationally: AI for security (using AI to do security work better), security for AI (securing the models, agents, and supporting infrastructure), and security from AI (deepfake detection, disinformation, defect detection — defending humans and institutions from AI-generated harm). Each of those sub-markets has different buyers, different go-to-market motions, and different defensibility. The companies still positioning as undifferentiated "AI security" are the ones most likely to get squeezed out as the segmentation crystallizes.
The CISO buying implication is direct. The right diligence question is no longer "does this product use AI" — every product does now. The right questions are which of the three sub-markets the vendor actually plays in, what the integration depth into your existing stack is, and whether the productivity claim survives a real-world workload test against your specific environment.
The AI governance role and the privacy-team historical parallel
Mike's prediction on the AI governance role lined up with the broader pattern several other Zero Signal guests have flagged. Nobody has fully figured out what an AI governance lead does, but the role is emerging across enterprises and the work is real — it sits at the collision of safety, security, regulatory, ethics, and product. The closest historical parallel Mike drew is the moment around 2018 when privacy stopped being purely a legal concern and became a security concern as well. GDPR and CCPA forced security teams to learn data privacy regulations, consent management, and data lifecycle controls. The AI governance moment is structurally identical, and the security teams that get out in front of it are going to define the role inside their organizations rather than have it imposed by legal.
There is unlikely to be a permanent "AI security" role distinct from existing security work. The more likely outcome is that AI governance becomes another duty assigned to senior security engineers, AppSec leads, and CISOs — the same way cloud security became another duty rather than a separate function for most organizations. The teams that build the muscle now will have the better operational answer when the regulatory cycle catches up.
Microsoft, entropy, and the long-run platform consolidation
The most quotable take of the episode came on the long-run consolidation question. The market is in another iteration of the same pattern — accordion-style consolidation followed by a new wave of startups, then consolidation again. CrowdStrike acquiring, Palo Alto acquiring, CyberArk acquiring — the pattern is real and won't stop, but it also doesn't end the market. New categories keep getting born as new infrastructure (agentic AI being the current one) creates new attack surfaces.
All value accrues to like Microsoft. Like it's unavoidable. It's like entropy of the universe.
The corollary on the content and business side is the framing Mike's built Return on Security around. The cybersecurity economy is too crowded to support medium-positioned content or medium-positioned products. Be the biggest in your space or be the most precisely niche.
You have to be the biggest or you have to be the niche-est. You can't be medium at all.
That's why Return on Security narrowly focuses on the cybersecurity economy as its niche — and explicitly leaves threat intelligence and security research to the practitioners who do those better. The same lesson applies to anyone trying to build a brand, a product, or a personal voice in this market. The middle is the worst place to be.
The personal brand advice every CISO should hear
The closing segment on building a personal voice was the most quietly useful career advice in the episode. Mike's first LinkedIn post took six months of internal back-and-forth at a corporate job to get approved — and the lesson he took away wasn't that corporate environments are hostile to writing, it was that the friction was the test of whether the writing mattered enough to push through. The writing process is for the writer first. The audience is the byproduct.
The practical advice for any security leader thinking about building a public presence: write something specific to your own experience, don't try to make the ultimate thought leader piece, take a lot of notes (Mike uses Obsidian), do it consistently for far longer than feels reasonable, and write for yourself. The audience that finds you over time will be people whose problems your writing actually addresses — which is a more durable foundation than chasing engagement on someone else's framing of the conversation. And accept that good writing repels as well as attracts. The pieces that produce the most value are the ones with a real opinion, and a real opinion will lose some readers while it earns the trust of the rest.
Show notes
Guests — Mike Privette, founder of Return on Security; the cybersecurity industry's "first cybersecurity economist"; previously the first security hire at a US fintech; speaker at BSides SF on the first-security-hire role
Books mentioned — none
Frameworks / models / tools named — Return on Security newsletter (Mike's publication); the five pillars of the cybersecurity economy (investment, government, regulation, labor, community); "AI for security" / "security for AI" / "security from AI" segmentation; "what is true regardless of you being there" framework for first-security-hire roadmapping; "all value accrues to Microsoft" entropy framing; the accordion-consolidation model for cyber M&A; MCP and A2A protocols (referenced as the new orchestration trust zones); Obsidian (Mike's note-taking practice); BSides SF (the talk venue for Mike's first-security-hire material)
Other people / shows / resources referenced — Sam Altman (referenced re: voice-print authentication being defeated); Palo Alto / CyberArk (the acquisition cited as planning for the authenticated-agentic future); CrowdStrike (acquisition spree referenced); Anthropic and OpenAI (referenced as the model providers most likely to accrue platform-level value over time); Symantec (referenced re: the early DLP era); Liquid Death (the running Conor plug, kept absent from this transcript by virtue of Mike being the focus)
Hosted by Conor Sherman and Stuart Mitchell.