I think I’d start with solving the problem for 1-2 EA orgs, in the spirit of “do things that don’t scale”, and once that works (which will probably be hard in several unexpected ways), I’d try to scale to a consultancy that helps 10 orgs at once.
This is only based on my unverified guess about making a product that would fit what the orgs would say “hell yes” to, and my unverified-in-this-situation intuition that starting by trying to solve the problem in a scalable way before doing it for 1-2 “individuals” usually doesn’t work.
(I can elaborate on my intuitions, but if someone reads this and disagrees—I encourage you to ignore what I wrote.)
Regardless of building a solution (consultancy?) that orgs will say yes to, I also think there’s something healthy about having a single person in the org (the head of security?) who is personally responsible for the security going well (having “power” to make decisions, having information and knowledge to either make decisions or vet other people’s opinions), and this often isn’t the situation with consultancies, who are not in fact responsible in the way I mean.
I can also imagine a trusted consultancy that very specifically helps hire competent people to be “head of security”.
[rough thoughts, not my expertise]