12 ways to fail a cybersecurity startup
Analyzing the most common reasons cybersecurity startups fail, and how to prevent that
“Why do startups fail?” is one of the most commonly asked questions among anyone interested in building a startup. At first glance, a lot has been written about this problem. However, wherever I go, I continue to see three things:
Most of the analysis is based on the consumer startups
Most of the analysis lacks the context of the cybersecurity industry
Cybersecurity founders repeat the same mistakes over and over again
In one of my previous deep dives, I discussed the fact that both success and failure in cybersecurity look different compared to other industries. In this piece, my goal is to offer a guide to failing a cybersecurity startup, highlighting some of the reasons I have seen startups fail, and offering insights and advice to avoid the failure.
12 easy ways to fail a cybersecurity startup
Not understanding the difference between building a product and building a company
Most of the future cybersecurity founders get exposed to the industry through products - tools they use to do their job. This makes sense: as domain experts, they are paid to ensure that their organization is secure and to do that, they need to either build solutions in-house or use those provided by third-party vendors.
When security practitioners run into a pain point with tools available to them, they naturally notice gaps, issues, and opportunities that can be solved by building a better product. Determined to solve a painful problem, some decide to build an open-source project on the side, and make it accessible to the community for free, while others choose to start a company.
While most security practitioners are not engineers, a small percentage of them are. Enterprises that have a combination of a unique technical problem and mature security and engineering talent to solve this problem, sometimes choose to build custom tooling internally (Netflix and Google are great examples of this pattern). Security practitioners who end up doing the work, accumulate precious experience planning, architecting, developing, testing, and rolling out a new solution. Following this experience of taking a security product from zero to one, some entrepreneurial engineers decide to launch their own company.
Whether or not a security practitioner has experience building technical products will impact the speed with which they will be able to design the solution and the composition of the founding team. However, it does not impact a critical fact: both security engineers and non-engineers are predominantly exposed to the vendor market through their products, technical documentation, and customer success. What they don’t see is hiring, building the company culture, solving human resources issues, running operations, managing payroll, marketing, investor relations, and a myriad of other areas critical to running the company.
Because a large number of security practitioners do not understand the difference between building a product and building a company, when they become startup founders, many tend to over-invest in building, and under-invest in areas equally critical to the company's success.
To mitigate the chances of this happening, security practitioners interested in building their own company in the future can look for ways to get exposure to the inner workings of cybersecurity startups. Angel investing (such as what we do at ViS Syndicate), or advising early-stage founders can be a great way to do it.
Not knowing the broader context that influences their ability to succeed
Somewhat related to the former, another challenge I am seeing is that many cybersecurity founders do not understand the broader context that influences their ability to succeed. The cybersecurity industry is notoriously complex, and a lot of the intricacies can only be learned with time, through trial and error.
I am a living example that it is not mandatory to spend two decades in the security space to build this understanding. People are shortcuts: by being active in the community, staying curious, asking questions, embracing the long-term mindset, and intentionally expanding their network, cybersecurity startup founders and aspiring entrepreneurs can build the foundational skills to navigate the industry.
Some of the areas critical to grasp include:
The market, its composition, forces that impact its direction, players that operate in it, and how all of this fits together. This includes the worlds of insurance and government regulation, venture capital and three-letter agencies, the legal landscape and channel partner ecosystem, and the like. Each of these components has a unique role to play, and understanding how they all interact, where they are at odds with one another, and where they amplify each other’s impact is key to successfully navigating the industry landscape and making sound business decisions.
The types of buyers, their buying criteria, and their buying journey. Depending on the geography, cultural context, industry, size of the organization the startup is targeting, and other characteristics of the purchasing process, the company will need different things to succeed. Over and over, I see companies saying things like “We are selling to enterprises”, which means little: a bank in New York is going to buy differently than a large tech company in Austin, and the people who can influence the process in the Bay Area scaleup are different than those who can expedite or stall adoption at a pharmaceutical giant in Chicago. Not understanding the context and the buying journey can lead to a lot of waste, and ultimately - a failed startup.
The competition, its strengths, weaknesses, and the wedge it is trying to use. When asked about the competition, most cybersecurity founders I meet start talking about their products, highlighting how the solution they are building is superior to the competition’s: more scalable, more user-friendly, and more feature-rich. Unfortunately, as I’ve mentioned before, the product is not everything. Most of the time the companies that appear to do the same thing are built on different assumptions, target different market segments, and acquire customers in different ways. Understanding the competitive landscape deeply is critical - not simply to build a better product, but to craft and execute a business strategy that has a higher chance of winning.
One way to understand how buying journeys and purchasing decisions look in different companies is to spend time working in these organizations. If learning them from the inside isn’t an option, building a network of practitioners and decision-makers at these companies can help form an understanding of how they operate. I find it helpful to visualize the connections, relationships, and directions in which different players in the ecosystem affect one another, the industry as a whole, and the strategy I am interested in pursuing.
The same is true for competitive intelligence. It is not enough to simply get access to the competitor’s product; one must understand how the competition is going about positioning and customer acquisition, what its runway is, what its investors expect, and possibly even what the company’s exit strategy is.
Having unrealistic expectations about distribution channels and customer adoption
The biggest challenge of cybersecurity startups is not the product; it’s distribution. There are no right answers, but there are plenty of wrong ones.
One of the most common mistakes I see cybersecurity founders make is focusing heads-down on building the product instead of allocating time to figure out distribution. Many in the field wrongly believe that the product will sell itself. In practical terms, it typically looks like this: a few security practitioners experienced a painful problem, saw an opportunity to bring a better solution to market, and inspired by tech podcasts and articles, developed the conviction that they can just “do the product-led growth (PLG)”.
As a product leader who published a whole library about the realities of product-led growth both on TechCrunch and in my blog, I will never stop repeating: PLG is not the same as “build it and they will come”. Many cybersecurity entrepreneurs find comfort in thinking that they can build cool products, and people looking for alternatives to the “bad” options offered by the competitors will inevitably find them, get excited about their tech, and ask “Where do I punch my credit card number so that I can start paying right away?”. Unfortunately, it is rarely that simple, and success is never just a by-product of having a great product (no pun intended).
While believing that PLG is going to solve all problems is a relatively new issue, the “we will get a CISO into a demo” isn’t. The unfortunate reality, however, is that most cybersecurity startups cannot turn cold calling and email spam into a viable growth strategy, especially if they are selling to security leaders. What else is possible then? There are options:
Investor introductions. Those selling to CISOs should know that Fortune 500 security leaders tend to buy products based on introductions from their venture capital networks. Being funded by the “right” VC can be the difference between getting the ability to demo the solution, and being discarded as a junk email in the busy executive’s inbox. Although many cybersecurity entrepreneurs don’t want to think about this, it is the reality of the broader B2B SaaS industry, not just security.
Security-adjacent functions. The ownership of several emerging areas of security is not clearly defined yet, which presents the opportunity to savvy founders to target people outside of the security team who can influence buying decisions. Software engineering, data analytics, human resources, procurement, finance, and other functions all have stakes in some or even all cybersecurity buying decisions, making them targets for security sales.
Channel partners and marketplaces. As the shape of the channel partner ecosystem is evolving, and the effects of data gravity create opportunities for cybersecurity vendors to develop new distribution partnerships, savvy founders may find new ways to acquire and retain customers.
New ideas for distribution. Without trying to be prescriptive, I think it’s important to highlight that the cybersecurity landscape is constantly evolving, which presents an opportunity to find new distribution ideas. A lot of what appears to be both obvious and crowded today wasn’t so just a few years ago. For example, Huntress’s strategy to sell through service providers, which looks like a no-brainer today, was seen as an odd choice by many investors and security leaders when the company originally started. Other examples are personal security companies such as BlackCloak, Agency, and Castle Black, some of which are going B2B2C.
Neither pure PLG nor pure top-down “get a CISO into a demo” sales strategies are viable, but as we’ve seen in the examples above, there are (and will always be) ways in which security companies can distribute their offerings.
Another challenge in the context of distribution is underestimating the amount of effort required to fully adopt the solution. When founders say that they consolidate 5-10 tools, they often forget how many resources it takes for customers to rip and replace ten different solutions. Aside from technical considerations, there is also change management, the fact that different solutions may be owned and/or managed by different teams, have separate contracts that would require cancellation, require training and enablement documentation, and so on. Having the ability to insert the solution (“land and expand”) is always superior to any “rip and replace” strategy. For that, the new solution must offer additional value that can be layered over (and co-exist with) the tool it may eventually replace. The more grandiose the change, the more excited the founders typically get, and the more likely it is that the friction at the enterprise will be too high to move forward.
To address the challenge of distribution, founders can pick a niche and become intimately familiar with the buying process, habits, and patterns in this niche. Moreover, they have to be realistic and understand that buying decisions are complex; a solid distribution machine is a must for any company looking to grow.
Scaling before the company achieves the product-market fit
The concept of product-market fit (PMF) has long been misunderstood, both in and outside of cybersecurity. I recall hearing from some founders that their company is “pre-product, but post-product-market fit” - a combination I believe is impossible by the very definition of what PMF is. I have also read statements from industry leaders that “you will understand what product-market fit is when you see it”; in my view, these “insights” are rather unhelpful.
Gauging product-market fit in cybersecurity is much harder than in other industries. This is because in security, the creator of the solution is often forced to educate buyers about the problem, thus creating the demand for what the company is building. In an industry where new attack vectors trigger the creation of new “categories”, and market demand is often driven by government regulations, analyst firms, and catastrophic incidents, arguing what PMF is is not an easy task. The way I would define product-market fit is a state where the product the company is building solves a commonly seen problem for a well-defined persona/market segment so well that the customer is ready to pay for the solution. Let’s have a look at the components of this definition:
Product-market fit is not a milestone or a point in time, it’s a state. Some companies mistakenly think that hitting $1 million of the annual recurring revenue (ARR) means that they have achieved the PMF, but that could not be further away from the truth. If the startup has 3 customers that pay $400,000 each, that likely just means that there are three companies on the market with some problem that this company is, hopefully, solving. But, if the company has 20 customers who happily pay for its product and renew their contracts year after year; these customers share some characteristic that makes them unique; and when the startup approaches other prospects with the same characteristic a large percentage of them become paying customers, all this combined can be a strong sign of the PMF. Product-market fit is not about a number, it’s about repeatability.
A well-defined persona/market segment is critical for the company to build a repeatable sales process. If a milkshake shop in Iowa, a large enterprise in New York, and a two-person law office in Delaware use the product, and there is nothing in common among these three customers, the startup will find it hard to understand whom it should approach to increase the chances of closing the sale. If, on the other hand, all three firms rely on a managed service provider or a vCISO, and the buyer (MSSP or vCISO) finds the product critical for securing their customers, that is an entirely different story.
Willingness to pay for the solution is easy to gauge: the customer must either already be paying, or have signed a contract that obligates it to start paying in the near future in exchange for the value it receives from the product. A prospect saying in a demo that “the product looks very powerful - we would definitely pay for something like that” is not the same as receiving the actual money.
When a venture-backed company has mastered founder-led sales and found the type of customer who is willing to pay for what it has to offer, then it’s often the time to start scaling. Unfortunately, what we see much more often is that cybersecurity startups are raising a lot of capital, hiring large sales teams, and hoping that by doing so they can get to the product-market fit quicker. This can create a deadly spiral:
Sales teams are given unreasonable quotas. When they struggle to hit the targets despite doing the very best work, sales teams start channeling customer feedback that “we would probably buy if the product had X”.
Since founders become more removed from the sales process, the learning cycle necessary to get to PMF breaks and gets replaced with the feature factory. The company starts building features customers ask for in the hope that it will help with closing deals. However, since there is no well-defined customer persona and problem the customer is willing to pay to see solved, the company quickly loses focus.
The loss of focus leads to the sales team trying to approach different types of prospects, and since the sales numbers are not going up, more feature requests are sent to engineering teams.
Since the company has hired sales teams, its burn rates increase, and so does the pressure to deliver results. More pressure from investors to meet forecasted levels of growth means more marketing spend, more unfocused attempts to solve the problem of growth and more building.
This is a vicious cycle that traps many great founders eager to scale too quickly. If despite all these challenges the company can preserve some focus and build a working product, it may still get acquired, but if not - it will have to conduct massive layoffs and hopefully do some soul-searching and iteration to get to the PMF. When the market is “hot”, startups can access cheap capital and the pressure to be prudent is lower. Given the current conditions, I think we will see a large number of cybersecurity companies trapped in this deadly spiral. Many have raised their growth rounds (Series A/B) but are struggling to show significant growth because the prerequisite for growth, product-market fit, is missing.
Attempting to scale the company before PMF can have disastrous results. At the same time, it is hard to get to product-market fit if the startup doesn’t have enough resources and creative energy to keep pushing. This is because in cybersecurity, a large part of demand generation is educating customers about why something is a problem. Striking this balance is not easy, and there are no playbooks about how to do it well.
To avoid potential problems, cybersecurity entrepreneurs should continue learning and iterating quickly to get to the PMF before they start scaling the company. And, they must understand that just because they hired more salespeople, they won’t automatically get more sales, especially if their positioning is not working, there is no PMF, the product is not meeting expectations around quality, etc.
Not assembling the team that has the chance to win
One of the factors that lead to cybersecurity startups failing is having the wrong team. One may argue that the same is true for any industry vertical or horizontal as conflicts and misalignment between co-founders, as well as a lack of necessary skills on the team can destroy any company. While that is true, the definition of the “right” team in cybersecurity has a somewhat different flavor.
The composition of the founding team has a direct impact on how the company is going to develop, and what challenges it is likely to encounter.
Many security companies are started by two or three security engineers or domain experts who found the problem or identified an opportunity in the market, and decided to tackle it. This is also the composition of the team often preferred by VCs, and I must say for a good reason: at the earliest stage, startup founders need to build the product, and two people can ship the code faster than one. Additionally, the argument is that cybersecurity is a technical discipline, so having all founders with deeply technical backgrounds is an advantage. Engineers are typically clear and logical thinkers, which makes them well-suited to take care of other sides of running the company as well, from operations to fundraising.
Despite the consensus that having several engineers start a company is a good idea, I have also observed a potential dark side of this approach. It’s not uncommon to see that when things get tough and the company is struggling to acquire customers, the all-engineering founders retreat to the area they can control: the code. I have seen company founders doubling down on building new features when what they should be doing is conducting customer discovery and deciding where to focus their efforts strategically. Instead of building the company culture, asking questions to understand what they might be missing, developing partnerships with other industry participants, and addressing other pressing issues, engineering founders often decide to build - more code, more features, more scale, etc.
On the opposite side, I have seen what happens when a few business people with little to no understanding of the technical side of cybersecurity try to build a company in the industry. The chances of this approach succeeding directly depend on the area/market segment founders choose to tackle. This is because there is a difference between building a tool for compliance teams, and a cloud security solution: the former can be done with the business understanding alone, but for the latter, having deep technical expertise will be critical. What I haven’t seen work is having a person with no background in cybersecurity assemble a team of contractors to build a “next-generation, revolutionary solution” to a very complex, technical problem.
I personally believe that having a combination of technical and non-technical founders is ideal; having 2-3 engineers, some of whom are much more interested in the non-technical side, can work well too. If I were to build a cybersecurity company (or rather when it happens), I would be looking for an engineer who can complement my expertise in product, go-to-market, business development, positioning, operations, and other areas of the business.
Being a solo founder in cybersecurity is hard, and I would argue that in 99 cases out of 100, it’s a very bad idea. Since most products target enterprise teams, it’s not reasonable to expect that a simple prototype built with no-code can get the customers to sign up. Many organizations want the product to be enterprise-ready even before they consider becoming design partners (enterprise-ready in this context means more than having SSO capability and recording audit logs). And, it goes without saying that domain expertise in cybersecurity is critical. As an angel investor, I will (almost) always pass on startups where none of the co-founders have a background or experience working in cybersecurity.
When it comes to the number of founders, the opinions vary. I think that two to three founders are ideal; four and more can cause challenges and introduce unnecessary overhead. It’s worth keeping in mind that there are no perfect formulas for team construction because different people have different ambitions and bring to the table different skills. Although most cybersecurity domain experts are not software engineers, these “unicorns” that are equally good at both do exist. And, while not all engineers are interested in sales and fundraising, some very much are. Building a winning team is much more about bringing together people who are clear and transparent about their goals and ambitions than it is about trying to artificially assemble a certain combination of founder profiles.
Assembling a winning team means working with people who have a bias for action, the ability to execute, and an understanding of when to talk and when to listen (a skill equally or more important for founders than talking).
Other reasons cybersecurity startups fail
The number of reasons why cybersecurity startups fail to achieve their mission is limitless, and the above five bullet points are by no means an exhaustive list. Here I will briefly cover some of the other challenges I have observed specifically in the security industry.
Trying to be a yet-another “single pane of glass”
Being invisible in the enterprise stack does not sound as exciting as building “the only dashboard” that the security practitioner will be using daily. Most companies are driven by the desire to own the customer and eventually upsell them on new products, so cybersecurity is full of companies that want to be at the center of attention. As a friend said once, “Most security products want to become a single pane of glass but instead they become a single glass of pain”.
There cannot reasonably be 50 dashboards a practitioner must interact with daily. Therefore, trying to go to market as “yet another single dashboard” is not a winning strategy for many products.
Building features in search of a product
Many cybersecurity solutions start as single features which then grow into products. Every feature wants to be a product, and every product wants to be a platform. While it is true that innovation in the industry is most commonly acquired, not built in-house, some solutions are way too granular to have the ability to grow into something larger. And, if a big vendor can build the same product in a month and a half, and the whole defensibility of the company relies on the hope that it won’t, it is probably not the best problem to build a company around.
Only planning for the most positive scenario
When it comes to startup success, luck and timing are everything. If the economy hadn’t tanked, we would likely have been celebrating the successful IPO of Cybereason, but today we see the company cut its valuation by over 90%. In a different market, Snyk would likely also have been public, but instead the company had to lay off about 25% of its employees to reduce burn.
Yet, while luck and timing are critical, cybersecurity startup founders cannot plan exclusively for the most positive outcome. It’s important to be prepared for different scenarios, since some factors, such as the state of the economy, are out of the company’s control.
Being too early or too late to the market
D'Arcy Coolican of a16z coined the term “product zeitgeist fit (PZF)” which he describes as a state “when a product resonates with the mood of the times”. I think product zeitgeist fit is a concept that is critical to understand for cybersecurity founders.
Being too late to the market is bad, and we know that: building an endpoint detection and response (EDR) solution in 2023 is most likely a bad idea. At the same time, so is being too early to the market, when the approach is too futuristic and many years ahead of the time.
In cybersecurity, there is the first entrant disadvantage because the company that champions a certain approach has to educate buyers about the problem. On the other hand, the first entrant can also enjoy enduring market leadership, if it can educate the market and execute well. Knowing whether the pros of championing the new approach are going to outweigh the cons is an art, not a science.
The absence of a viable business model
Not every solution to an important problem can be a foundation upon which a successful company can be built. Moreover, not everything needs to be a business, and some initiatives are better off as non-commercial, accessible, free open-source projects.
Founders interested in creating a company, whether or not they are trying to build a venture-backed startup, need to be intentional when thinking about the business model, unit economics, revenue channels, cost structure, distribution, and other factors that impact business success. Just because someone is buying a product doesn’t mean that the company will be able to scale if the unit economics do not make sense.
Looking for consultants to craft the go-to-market strategy
I have seen several founders hiring consultants to “figure out the go-to-market”. This is especially (but not exclusively) common when all founders are engineers who built a great solution and now they “just need someone to figure out who needs it”.
Cybersecurity entrepreneurs are the ones who know their product, their market, and their vision the best, and their success is most aligned with the success of the company. In 99 cases out of 100, outsourcing the learning and crafting of go-to-market strategy to an external agency or a consulting group does not work. If the founders can’t understand who needs their product and close the deal, it’s unlikely that someone else will.
The inability to distinguish between selling to investors and selling to customers
Time and time again, I see companies repeat the same mistake: attempting to sell to their prospects the same way they sell to their investors. This is especially the case in cybersecurity, where the vast majority of the market players are startups.
Security founders must understand the difference between how these two groups make their buying decisions:
Only ~10% of what the investor is buying already exists; 90% (or more) is yet to be built. VCs are buying a vision of where the company could (and hopefully - will) be, assuming everything goes well. Selling to investors is about excitement, making their eyes light up, and imagining what is possible tomorrow.
Over ~90% of what the enterprise customer is buying must exist today; 10% (or less) can be a future vision. Buyers know that startups are inherently risky and unstable, and a year or two later the company may be gone. By agreeing to buy from the startup, the enterprise is already taking a risk. CISOs want to know what problems the product will solve for them today. Every single founder has an inspiring vision that goes miles beyond what the product is in the present, yet the customer isn’t looking to buy that vision - its goal is to solve the problems it deals with today. Selling to enterprises is about enablement, support, response times, contract price, product capabilities, the ability to replace parts of the current (or legacy) stack, and other pragmatic matters.
Closing thoughts
Combined with my previous article, “On a hunt for successful cybersecurity startups and unicorn founders”, this piece offers a deep overview of the landscape for current and future security entrepreneurs.
There is a myriad of ways things can go wrong when building a cybersecurity startup. This deep dive wasn’t intended to cover all of them but to focus on those that are especially common in the industry. Although we cannot avoid repeating all past mistakes, it’s a good idea for founders to block off some focused time on their calendars to periodically reflect on whether the trajectory of their company is taking them in the direction they want to go, and to course-correct as necessary.
Great article on why cybersecurity startups fail. Would enjoy seeing an article on why they succeed.
The successful startups I've witnessed succeeded by focusing on the customer requirements (are they solving a critical business problem... is there budget), customer experience (can a 5th grader use it and can the average IT worker set it up and operate it with 2 hrs training), retaining existing customers (key to building reputation), building a customer and partner feedback loop, and focusing on features with the widest appeal (delivered on time). Sales and marketing are important. However, they can't overcome the items above.