Lately I've been talking with several "security pioneers": companies that are trying to convince the world to adopt new types of security products. They are offering solutions for emerging security problems, or perhaps for security problems that have been around for a long time but for which awareness is still emerging. What I've observed is that companies trying to pioneer a new security category often target the wrong kind of accounts in their sales process, and listen to the wrong feedback in validating their market assumptions. They should be following what I call the Security Adoption Life Cycle, which can guide both whom to target and what feedback to value.