The Calamu Category Creation Framework: From ‘Protect Infrastructure’ to ‘Protect Data’

How Calamu created the cyber storage category by questioning cybersecurity’s trillion-dollar assumption. Learn the framework Paul Lewis used to shift from protecting infrastructure to protecting data itself—and get Gartner recognition.

Written By: Brett


The cybersecurity industry has spent trillions of dollars on a single premise: protect the infrastructure that holds the data. Build better firewalls. Add more layers. Make the walls higher and thicker.

But what if the entire premise is wrong?

In a recent episode of Category Visionaries, Paul Lewis, CEO and Co-Founder of Calamu, shared how questioning this foundational assumption led to creating an entirely new category—cyber storage—and getting Gartner to recognize it as an emerging market. The framework he used to challenge industry orthodoxy offers a blueprint for any founder looking to create categories rather than compete in existing ones.

Identifying the Orthodoxy Everyone Accepts

The first step in category creation isn’t finding a better solution. It’s identifying the constraint everyone else accepts without question.

For Paul, that constraint became clear through years of frontline experience. “Prior to Calamu, I was in incident response. I was a practitioner. I was working with multi global corporations that were just getting hammered in cyber attacks, like over and over again. And I thought there had to be a better way to do this and there had to be a better solution.”

The orthodoxy revealed itself at industry conferences. “At the time, I was going to all the security conferences, and really, quite literally, I got tired of seeing like, 3000 companies selling the same ten things, and none of those things really were working.”

Three thousand companies. Ten solutions. All variations on the same theme: layer more security on the infrastructure.

Paul’s insight was recognizing this wasn’t a feature problem or an execution problem. It was a foundational assumption problem. “I thought there had to be a better way. We have to think about how can we protect the data in a way that we’re not doing so today?”

Understanding Why the Orthodoxy Exists

Challenging orthodoxy requires understanding its origins. Paul traced the industry’s infrastructure-first approach to cybersecurity’s founding mistake.

“I think one of the core problems that we’ve got, all of us, is that this whole cyber world started without security in mind, right? So it started all about ease of communication, and then we had to kind of interweave security after we realized we had security problems. So now the whole world is on cyber, and we have problems that are all throughout but creates opportunity all throughout.”

This historical context is critical. The industry didn’t choose infrastructure protection because it was the best approach. It chose infrastructure protection because security came second—a retrofit rather than a design principle. Once established, trillions in investment made questioning this approach nearly impossible.

Path dependency had locked an entire industry into a suboptimal solution.

Articulating the Alternative Clearly

Category creation requires more than critique. It requires a crystal-clear articulation of the alternative approach.

Paul’s formulation is precise: “Instead of putting layered security on the infrastructure, and instead of trying to protect the network that holds the data, Calamu protects the data itself, regardless of what infrastructure happens to be on.”

This isn’t an incremental improvement. It’s a complete inversion of the security model. Rather than trying to control who can access where data lives, make the data itself secure no matter who accesses it or where it ends up.

The shift unlocks a new category definition. “We’re in a category called cyber storage. So it’s cybersecurity, but cyber storage is the way that we think about storing data in a way where we’re protecting the data itself. And it’s actually a new category. So Gartner recognizes this as a new category. Just recently, they recognize it as an emerging category.”

Positioning Around What the Old Approach Can’t Solve

The most powerful category positioning identifies a critical problem the existing orthodoxy cannot solve.

For Calamu, that problem is double extortion ransomware. “We think about things like ransomware, and everybody has a solution for ransomware. Most of those solutions are simply just restore from some form of a backup, which is not ideal. Right. And in my opinion, it’s not good enough. But ransomware doesn’t address the problem really, that ransomware is all about when we talk about these backup store solutions, which is double extortion.”

Paul continues: “So we have double extortion where data is actually stolen from the network and that data is then weaponized back against the company and used against the company and threatened to be released. And that’s really where we see the biggest growing kind of pain that we’ve got around ransomware.”

Backup solutions can’t solve data theft. Infrastructure protection can’t prevent data weaponization after it’s been exfiltrated. The orthodoxy has no answer.

Calamu’s approach does. If the data itself is protected, stealing it becomes pointless. The entire extortion model breaks.

Framing the Message as Evolution, Not Revolution

Here’s where most category creators fail: they position their approach as replacement rather than complement, creating resistance from existing security investments.

Paul’s framing is strategic: “We start with the premise that the bad actor has reached the data. So there’s been a failure somewhere in the system and they’ve actually reached the data. So we’re trying to cut through the noise by putting out messaging that the attack has happened. And we need to be comfortable with the fact that attacks continue to happen even with great technologies and great emerging technologies to protect the data. Eventually the data is reached and when the data is reached, that’s where Calamu kicks in.”

This messaging does three things simultaneously:

First, it validates existing security spending. Companies don’t need to abandon their infrastructure protection—it’s still valuable.

Second, it creates urgency by acknowledging reality: breaches happen despite best efforts.

Third, it positions Calamu as the necessary next layer, not a competing alternative.

Working with Analysts to Legitimize the Category

Getting Gartner to recognize cyber storage as an emerging category didn’t happen by accident. It required a deliberate education strategy.

“I think analyst relationships are very important and we are working with different analysts. We’re trying to educate. Right? So we’re not trying to obviously we’d love to get market, we’d love to see if we can get exposure in market, but it’s really more trying to educate because what we’re going through is a change in mindset,” Paul explains.

The focus is education, not coverage. “We’re changing from this layered security model where we’re layering on more and more security onto the infrastructure, into we don’t have to worry about that so much because we’re really now just trying to protect the data, especially if the data gets into the hands of third party or someone that shouldn’t have it.”

Analyst relations in category creation is about shaping how the market thinks, not just getting your company mentioned in reports.

Managing the Mindset Shift Challenge

Paul is candid about category creation’s primary challenge—and it’s not what most founders expect.

“The single greatest challenge for us is it’s a change in mindset, right? So nobody really before was thinking about protecting the data at the data layer. They were thinking about protecting the infrastructure. And there’s billions, trillions of dollars spent protecting the infrastructure. So we’re not saying you don’t need to do that, but we’re saying, look, that’s not working as well as we all hoped it would work.”

The good news? The education curve is shorter than it appears. “So let’s look at protecting the data. Even if the data is removed from your control. So changing that mindset is really the greatest thing, the greatest challenge that we’ve had partly education, not a lot of education, because as soon as we kind of talk through it and explain the process and how it works, people kind of get it right away, and then they get excited about it.”

People don’t resist new categories because they’re complex. They resist because adopting a new category requires unlearning an old mental model. Once that model breaks, adoption accelerates.

The Framework Distilled

Calamu’s category creation framework offers five repeatable steps:

  1. Identify the orthodoxy everyone accepts (infrastructure protection)
  2. Understand why it exists and why it’s suboptimal (security as retrofit)
  3. Articulate a clear alternative (protect data, not infrastructure)
  4. Position around problems the orthodoxy can’t solve (double extortion)
  5. Frame as evolution, not revolution (complementary, not competitive)

Add strategic analyst education and clear messaging around mindset shifts, and you have a framework for creating categories that get market recognition.

The trillion-dollar assumption Paul questioned wasn’t wrong because it was stupid. It was wrong because it was path-dependent—built on historical constraints that no longer apply. The companies that create new categories aren’t finding better answers to existing questions. They’re questioning whether we’re asking the right questions in the first place.