Customer discovery questions (or, better alternatives to “What keeps you up at night?”)

Whether you’re a founder, in sales, an account manager, or in almost any other customer-facing role, the most valuable thing you can do is ask your customers questions, and learn what their goals, incentives, and measures look like.

This is a short list of questions I’ve found lead to substantive discussion (these are geared toward cybersecurity teams, but most are broadly applicable):

Q: How is your team measured?

What I’m listening for:

  • Objectives, ideally those that roll up and support the broader organization
  • Cybersecurity maturity models or frameworks (NIST CSF, CMMC, C2M2, etc.)
  • Compliance audits or certifications (SOC 2, ISO 27001, FedRAMP, etc.)
  • Risk measures, commonly specific to realized risks (exposure or vulnerability management, third-party risk, etc.)
  • Incident measures related to detection, investigation, containment, and response
  • Other basic operational measures, like tickets or cases

Q: Where do your incidents come from?

This is a simple question, but sometimes it lands. If it’s helpful to follow with some elaboration, consider:

  • Q: What controls are most useful in helping you identify higher severity incidents?
  • Q: What data or tools do you find most useful for investigation? Response?

These can lead to useful insights related to control effectiveness, operational maturity, and incident management. A good organization can tell you how many incidents they have; a great team can speak to trends related to root cause, severity, cost, mean time to detect/respond, and more. Teams that are exceptional at incident management will use incidents as a key lever for driving continuous improvement and change.

Q: What does your roadmap look like for the coming months or year?

Here I’m listening for initiatives that:

  • Align with what we do today, where we can satisfy the requirement or meaningfully accelerate progress
  • Are on our roadmap, as this helps with prioritization, and reinforces that we have some shared vision
  • Include tooling consolidation or platform migrations, which can indicate a natural entry point, or a risk if the consolidation cuts you out
  • Aren’t on our radar at all, particularly those that factor into competitive losses

Q: If you could add a single skillset to your team today, what would it be? If you could add an entire team, what would you have them do?

What do they know they want? Usually, they’ll frame it around a specific, acute problem they can’t solve or solution they can’t build in-house.

Note: There’s a subtle but important difference between this type of question and “What causes you to lose sleep?” When asked about fears, a mature team will probably name a specific threat or risk. You can then explain how your product addresses it and hope they connect the dots — but unless that fear is your primary point of value, you’ve gone down a rabbit hole and likely missed the broader product story.

Assorted things I’ve read, watched, or listened to:

  1. A fighting retreat - An email from Will Wilson (CEO and co-founder of Antithesis) to his company, on delaying the inevitable change that occurs when a startup experiences significant growth.

  2. AI as tradecraft: How threat actors operationalize AI - A solid roundup of adversaries’ various uses for AI throughout the intrusion lifecycle.

  3. Deception and Detection: Why Artificial Intelligence Empowers Cyber Defense over Offense - “Rather than heralding a revolution, AI automation is likely to further tame cyber conflict. Highly skilled human operators, not AI, will be necessary to avoid being detected by AI-empowered defenders.”

March 15, 2026

Assorted things I’ve read, watched, or listened to:

  1. $ Why AI Is ‘Not Particularly Good’ at Curing Disease (Plus: The Next GLP-1 Boom and Why America Hates Big Pharma): A wide-ranging interview with Dave Ricks, the CEO of Eli Lilly - Pound for pound, Derek Thompson may be my most valuable Substack or newsletter subscription. I learned so much from this.

  2. The Brand Age - “One obvious lesson is to stay away from brand. Indeed it’s probably a good idea not just to avoid buying brand, but to avoid selling it too. Sure, you might be able to make money this way — though I bet it’s harder than it looks — but pushing people’s brand buttons is just not a good problem to work on, and it’s hard to do good work without a good problem.”

  3. The Signal: The cybersecurity economy, charted. - “Real-time venture funding, M&A, and market intelligence across thousands of companies and investors in the global cybersecurity industry. The market intelligence platform behind the Return on Security briefing.”

  4. The Hidden Cost of Hard-to-Fire Labor Laws: Why European Firms Don’t Take Risks - Related to items I shared back in February.

March 11, 2026

Assorted things I’ve read, watched, or listened to:

  1. How will OpenAI compete? - “OpenAI has some big questions. It doesn’t have unique tech. It has a big user base, but with limited engagement and stickiness and no network effect. The incumbents have matched the tech and are leveraging their product and distribution. And a lot of the value and leverage will come from new experiences that haven’t been invented yet, and it can’t invent all of those itself. What’s the plan?”

  2. Be a thermostat, not a thermometer - Solid life advice, disguised as employment (and management) advice.

  3. Time to Move On – The Reason Relationships End

February 24, 2026

Assorted things I’ve read, watched, or listened to:

  1. AI Taxonomy: An Operational Framework for Precision in AI Discourse - “AI” has become an umbrella term similar to “cloud”, and some precision is useful.

  2. Why Europe doesn’t have a Tesla: Europe’s cutting edge firms are falling far behind the American frontier because of restrictive labor laws, and a coincidental case study “Made in EU” - it was harder than I thought

  3. The Dangerous Economics of Walk-Away Wealth in the AI Talent War: How firms are accidentally paying their best employees to become their biggest competitors

  4. Research ROI: Floors & Ceilings - As someone who believes in the importance of research, but loathes what often end up being company-sponsored science projects, this resonates.

February 23, 2026