19 plus one traction channel for growing a cybersecurity startup: a founder’s guide (part 3 of 3)

In the previous two articles, I have covered fifteen traction channels for cybersecurity startups. This article will go over the last five, as well as notes and closing thoughts.

Jun 09, 2022

Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!

This post is part three of the 19 plus one traction channels for growing a cybersecurity startup: a founder’s guide. Please read the first and second parts before moving on to the following post for full context and introduction to the Bullseye framework.

Part 1 can be found here: 19 plus one traction channel for growing a cybersecurity startup: a founder’s guide (part 1 of 3).

Part 2 can be found here: 19 plus one traction channel for growing a cybersecurity startup: a founder’s guide (part 2 of 3).

In the previous two articles, I have covered fifteen traction channels for cybersecurity startups. This article will go over the last five, as well as notes and closing thoughts. This part completes the cybersecurity startup growth series.

Search Engine Marketing

Search engine marketing (SEM) is a growth strategy for driving traffic and increasing the visibility of the website in search engine results. Today, the vast majority of the people shopping for new solutions, start by performing a search on Google which makes SEM a crucial component of the company’s marketing strategy. Bing is another search engine that, depending on your audience, may make sense to explore, but in this post, I will assume we are talking about Google due to its dominant market share.

In search engine marketing, advertisers pay only for the ads when someone clicks on the link, thereby maximizing the return on investment (ROI) of the marketing spend. Most importantly, SEM is displayed with the search results, right at the moment someone is looking for a solution and is open to suggestions of products and services they would benefit from, unlike with social media where people go to connect with others and consume content with no clear intention to buy.

Google uses a complex algorithm to decide which ad should be displayed but not all ads are displayed with searches. Instead, the auction process is used which takes into account two factors: the quality score (a metric that evaluates the quality of the ad by taking into consideration several factors such as location, keywords, relevance, meta tags, URLs, page loading time and more) and the maximum bid (the maximum dollar amount you are willing to pay per click).

When a user searches in Google, the relevant paid ad will appear on top and the side of the search results — making it much more prominent than organic (not sponsored) content.

SEM networks are easy to get started with but it takes years to master. First, you will want to develop an understanding of your users — how they conduct their online research, what keywords they use, etc. I cannot emphasize enough how important it is to conduct some testing or observe people browsing online. How people navigate their research might be very different from the way you think they do it, dictating what keywords you should use.

The cost of Google marketing will be highly dependent on the number of other bidders and their readiness to pay top dollar for their ad to be displayed. Because of this, you will want to look for niche search terms and keywords that are less competitive. Additionally, you will want to identify the so-called negative keywords — search terms you should exclude from the ad campaign. For example, if you sell strawberry jam, you should likely mark the keyword “strawberry jam recipe” as negative because people searching to buy a jar of jam are not likely to be looking to make it themselves.

Search engine marketing is one of these areas that you should thoroughly research before starting with as it can get very expensive pretty quickly without yielding any tangible results. You could also benefit from hiring an agency or an experienced consultant to get started in this area and then take it in-house as you grow.

Five questions to ask yourself if you are hoping to pursue SEM:

Is there already an existing market for our solutions, or are we trying to define a new one?
What do people in our target market search for?
How can we narrow down our focus and find some niche search terms to get better results at a lower cost?
How can we optimize our landing pages to increase signups once a person clicked on the ad link?
How can we improve the quality score of our website to increase the chances of winning the bid?

Five metrics to track if you are hoping to pursue SEM:

Click-through rate — the percentage of people who saw your ad clicked on it
Cost per click (CPC) — how much it costs to have one person click on your ad
Cost per acquisition — how much it costs to acquire a customer through a SEM campaign
Time-On-Site — how long do people stay on your site after clicking on your ad
Conversion Rate — the percentage of people who became paying customers or signed up for your product

Existing Platforms

Existing websites and apps with a large user base can be used as growth channels for your startup. Some of the ways this can be done include leveraging the app stores, social media, browser extensions, and marketplaces.

There are over 6 billion smartphone users in the world, which has led to the explosion of the apps reaching tens of millions of users in a matter of months. App stores can be a great growth channel for cybersecurity startups offering products and services that cover mobile. For example, Malwarebytes, Bitwarden, and Okta all have iOS and Android mobile apps which have helped their brand visibility and user growth. B2C products in anti-malware, password security, mobile protection, and similar can especially be a great fit for the app stores.

People’s social habits are rapidly evolving, which leads to the emergence and growth of new social media platforms thereby creating opportunities for startups to take advantage of this growth. While staying on top of all the new media is a titanic task on its own, there are undeniable benefits from being able to jump onto the new platform quickly when the competition is low and you can capture a large user base.

There are multiple ways cybersecurity startups can leverage existing platforms for growth. The most obvious one is to actively engage with people by offering value without asking for anything in return. Answering questions on Quora, Reddit, and Stack Overflow, to name a few, and similar can get you much-needed visibility and social capital. Look for ways to add value and engage with people on social platforms that work well for your target market overall: if you are selling to cybersecurity policy professionals, engaging with their posts on LinkedIn could enable you to make new connections. Remember to be genuine and not pitch your products — look for ways to help, make connections, answer questions and add value in the ways you can, and it will pay off.

Google Chrome browser extensions and Firefox add-ons can be great ways to leverage the existing platforms as well, and many cybersecurity companies have taken notice. HTTPS Everywhere, for example, is a Firefox, Chrome, and Opera extension by The Electronic Frontier Foundation that encrypts communications with many major websites, making Internet browsing more secure. Privacy Badger is another add-on by the same organization that protects your privacy on the Internet. LimaCharlie’s sensor can be installed as an add-on in Chrome or Edge and gives visibility in the browser allowing you to see DNS requests, HTTP requests, responses, and headers, all without SSL interception. The most successful, however, are extensions of the password managers such as 1Password.

Leveraging the browser add-ons allows you to expand your reach as well as the number of use cases you can support which can open new growth channels. People visit hundreds of different websites every day, and asking them to return to your product frequently is a difficult task. Leveraging add-ons allows users to benefit from your product functionality without having to continuously navigate back to your website.

There are hundreds of popular platforms online you can leverage for growth. Start by identifying where people in your target market spend time and go there. You might benefit from joining & becoming active in several cybersecurity Discord & Slack channels, on GitHub, Quora, or any other channel that is suitable for your business. Platforms such as Stack Overflow, GitHub, Amazon, eBay, Craigslist, and others have enabled many companies to grow, and there is no reason you can’t explore this strategy as well.

Five questions to ask yourself if you are hoping to pursue existing platforms for growth:

Is there already an existing market for our solutions, or are we trying to define a new one?
Where do people in our target market spend time & what tools do they use?
What communities are people in our market a part of?
What extensions or add-ons would our users find valuable?
How can we stand out in the crowded cybersecurity market?

Five metrics to track if you are hoping to pursue existing platforms for growth:

Downloads — the number of people installing add-ons and extensions
Customer Acquisition Cost (CAC) — the amount of money it costs to acquire a customer
Engagement — the number of shares, reviews, mentions, and comments
Net Promoter Score (NPS) — the percentage of audience members having a positive experience and willing to recommend your talk to others
Conversion Rate — the percentage of people who became paying customers or signed up for your product

Search Engine Optimization

Search Engine Optimization (also known as SEO) is the process of increasing the visibility of your company’s website in Google search results. Before we talk about the details, I would like to highlight the importance of SEO by asking you a question: when was the last time you searched for something and then went to the second or the third page to see the results? That doesn’t happen often. If your company is not displayed on the first page of the search results, you are missing a ton of potential opportunities.

According to Findstack, 89% of consumers say they look for reviews before buying products online. This combined with the fact that over 85% of people as of January 2022 use Google, makes SEO optimization an important growth tactic for cybersecurity startups.

*CrowdStrike and McAfee on the first page for “endpoint detection & response”. Source: Google*

SEO enables the company to get traffic organically, without paying for ads, which leads to potentially great ROI. Ranking on top of search results organically is especially important in cybersecurity where customers heavily rely on trust. As much as Google ads are important for getting additional visibility, especially at the beginning of your startup journey, they do not foster as much trust as organic search results without an “ad” badge next to them.

Google’s mission is to organize the world’s information and make it universally accessible and useful. Whenever you use a search engine, its algorithm goes over millions of pages, looks for the most relevant for your search, and arranges them to reflect this relevance thus bringing the most useful results to the top. The exact algorithm Google uses is secret, but SEO professionals after years of work are now able to highlight the most important pieces companies should be paying attention to.

Here is an interesting fact that may change the way you think about SEO: when we, people, open a web page, we see a collection of graphics, tables, nicely formatted paragraphs of text, and much more. Web designers and developers work hard to cater to our needs and to continuously improve user experience. When a search engine crawls web pages, it can only see text and links, and not the formatting that makes it look great.

I highly recommend that you spend some time learning the latest & the greatest from the SEO experts. Here are some bits to get you started on optimizing the SEO for your cybersecurity startup:

Similar to what I discussed in the section about Search Engine Marketing, you want to develop a deep understanding of how customers look for products in your space, what keywords they use, what alternatives they look for, and similar. This should allow you to build a list of keywords you should then use when writing content for your website. Also, I recommend reading this post about the focus keyword.
Make sure that the page loading speed is as high as possible. Third-party apps running on the website, heavy imagery, and other factors can impact the loading speed so you want to make sure you use the best practices when in web development. Tools like Google’s PageSpeed can help identify areas for improvement.
Reference links to your other content as well as to external websites to make it more convincing for the algorithm that your content is relevant and high quality. From time to time, check your links to make sure they are still relevant and not broken.
Keep your URLs short. Make sure that the keywords you want that page to be displayed for are present in the URL.
Add alternative text for images while making sure it also contains your keywords.
Try to write longer content and add illustrations (images, tables, videos, etc.) if at all possible. Make sure that the first paragraph of the text contains keywords you want Google to pick up. All this tells Google that your page is high quality so it will more likely be displayed on top of other search results.
Try to have other authoritative websites (especially those relevant to cybersecurity) link back to your content as it will tell the algorithm to rank your page higher in the search results. You can build these links by publishing guest articles on different websites and media platforms, creating relevant content that your audience or industry players will choose to repost on their own, or by reaching out to potential media partners and sharing links to your materials.

SEO is a constantly evolving knowledge area, so staying up to date with the latest trends will help your cybersecurity company get to that coveted #1 rank on the search results page.

Five questions to ask yourself if you are hoping to pursue SEO:

Is there already an existing market for our solutions, or are we trying to define a new one?
What keywords do people in our target market use when they search for products in our category?
Which of the keywords we rank highly for speaks to our potential customers?
How can we make sure that we are attracting the right audience to our website?
How can we optimize our landing pages to increase signups once a person clicked on the link from the search results?

Five metrics to track if you are hoping to pursue SEO:

Organic Traffic — the number of people visiting your website by clicking on the link from the search results
Click-through rate — the percentage of people who saw your page clicked on it
Bounce Rate — the percentage of people who navigates to your website and then leave without continuing to another page
Time-On-Site — how long do people stay on your site after clicking on your page
Conversion Rate — the percentage of people who became paying customers or signed up for your product

Affiliate Marketing

Affiliate marketing is the growth channel that enables cybersecurity startups to pay commissions for referred business. This method of advertisement is entirely performance-based, which can make it a great fit for startups.

There are two ways to participate in affiliate marketing: leverage an existing network, or create your own program. The former is the easiest and the least costly way to get started while the latter offers you full freedom about the terms, the process, and the way it will work for you overall. If you choose to use the existing network, there will typically be four parties involved in the transaction: the brand (your company), the network (an intermediary that handles listing offers and payments), the affiliate (a party that publishes links to your website), and the end customer. If you start your own program, you would be replacing the traditional network component so both sourcing affiliates willing to post your content, negotiating the compensation as well as handling payments will have to be fully managed by your team.

Before engaging in affiliate marketing, you will want to have a good understanding of your conversion rates as well as the Customer Lifetime Value (CLV) to make sure that the affiliate program will be worth it. Generally, you will be expected to pay affiliate partners for the traffic they send to your website (usually either a flat fee), and it will be your job to convert people visiting your website into paying customers. While there are also engagements where you would pay a flat percentage of the conversion instead (the percentage of the price the customer paid), unless you are in a B2C space where the purchase cycle is short (let’s use the previously mentioned password manager as an example), it’s unlikely you can take advantage of this setup. It can take weeks and months for a web visitor to become a paying customer in cybersecurity (especially in B2B), so pay per conversion compensation scheme is usually not appropriate.

Affiliate programs are one of the core revenue drivers for many e-commerce companies, such as Amazon, eBay, and Zappos. I’ve looked at ShareASale, Commission Junction, and Clickbank, some of the leading affiliate networks, but it is unclear how many cybersecurity companies are working with them. As a blanket statement, I can say that if your product can be purchased online without any customizations or sales support, and if the barrier to purchase is low, then affiliate marketing can be a great tool. Alternatively, if you are a B2B company in the cybersecurity space, you can explore working with a reseller (I will briefly cover resellers at the end of this material).

Five questions to ask yourself if you are hoping to pursue affiliate marketing:

What affiliate networks or people with a large following have built an audience that could find our products and services valuable?
How do we want to compensate our affiliate partners for referred traffic?
How can we make sure that we are attracting the right people to our website?
Should we launch our own program or leverage existing affiliate networks?
How can we optimize our landing pages to increase signups once a person clicked on the link from the affiliate website?

Five metrics to track if you are hoping to pursue affiliate marketing:

Affiliate Traffic — the number of people visiting your website by clicking on the link from the affiliate sites
Bounce Rate — the percentage of people who navigate to your website and then left without continuing to another page
Time-On-Site — how long do people stay on your site after clicking on your page
Quality of leads — the quality of leads generated by the engagement
Conversion Rate — the percentage of people who became paying customers or signed up for your product

Social & Display Ads

High levels of social media adoption have led to the growth of social ads in recent years. Social advertising uses platforms such as LinkedIn, Twitter, Facebook, and similar to get people to take the desired action. As people today are checking their social media from the moment they wake up to the very minute they go to bed, social media ads have proven to be very effective for companies looking to increase their brand visibility, improve conversion and grow revenue.

Cybersecurity startups should not stay away from exploring social media ads as a potential growth channel. As a blanket statement, it is often said that LinkedIn and Twitter perform best for B2B cybersecurity companies, while Facebook, Instagram, and YouTube have proven to work especially well for B2C. This is true, although like with all other channels, you should start by learning where people in your target market spend their time and what social media channels they use most often.

Armed with that knowledge, start by defining measurable goals for your ad campaign. You want to be clear about what you are looking to achieve, and set measurable goals. Is it brand awareness? If so, how will you measure success? Is it new user signups? If so, how will you measure success? Is it conversions? If so, what does it mean & how will you measure it? Document your plan, goals, and underlying assumptions so that you can reference them later.

Set aside some budget to test different channels and different approaches across these channels. Make sure you instrument a way to measure the performance of your social media ads; it might feel great to say that “people seem to like what we put out there” but it’s not valuable unless you understand the total spend, the number of people who clicked on/engaged with the ad, and the conversions this has led to. Make sure to use tracking links so that you can understand which of the ads worked and which didn’t. If you have enough time (ideally you do) — A/B test different ads to see which one performs better and then double down on the winners.

One of the reasons social media ads are great is that you have the ability to target a specific segment of potential customers very precisely. To fully take advantage of this ability, take a close look at your customer base (or at your hypothetical ideal customers if you are still pre-revenue), and try to see the patterns beyond the obvious “midsize security company” kind of segments. What companies are you having success with? Maybe, you should be looking at companies that just hired their first security engineer in the last four months? Or, companies that have someone fully dedicated to red teaming? Or, maybe it’s a law office with an IT team of over 3 people who have recently suffered a security breach? Look for patterns and dig deeper to understand your customers — it’s this kind of deep understanding that will allow you to replicate your success stories with other prospects.

Display ads (also known as banner ads or simply banners) allow you to promote your business across the internet. They are the banners you see when you navigate between different sites (the ones that tend to follow you after you searched for a product or visited a specific website once). Display ads are managed by the ad networks with the largest network being the Google Display Network. Using display ads can enable you to reach new audiences, build your brand, as well as to convince people who visited your website to return & purchase your product (also called retargeting).

Instead of going through an ad network, you can also place your display ads directly by contacting the owners of different websites. While this approach is not scalable over the long term, it might be a great start that can get you to the next level.

Five questions to ask yourself if you are hoping to pursue social & display ads:

What social media does our target market use daily?
What customer segments should we be targeting for the highest impact?
How can we make sure that we are attracting the right people to our website?
Should we reach out to website owners directly or place ads through existing ad networks?
How can we optimize our landing pages to increase signups once a person clicked on the link from the ad?

Five metrics to track if you are hoping to pursue social & display ads:

Conversion Rate — the percentage of people who became paying customers or signed up for your product
Cost per click (CPC) — how much it costs to have one person click on your ad
Engagement — the number of shares, likes, comments, and posts in a given period
Time-On-Site — how long do people stay on your site after clicking on your page
Quality of leads — the quality of leads generated by the engagement

Other ideas (going beyond bullseye)

The Bullseye framework is great, but after all, it is still a framework — it is meant to guide the efforts of discovering what works for your company, not to be the limited menu to choose from. Ideas can come from any direction, and it’s likely that the best approaches are not the most common ones.

Other ideas cybersecurity startups can consider for growth include the following:

Sponsoring open source projects

There are many great open source initiatives out there, and the best way to ensure they continue doing the work they do is to fund them. Many open-source projects already have sponsorship programs through GitHub sponsors, Ko-fi, or similar, and many others are always happy to get support — you just need to reach out. A few hundred dollars per month can make a big difference for an open-source initiative; in return, you can often ask for a mention which includes your link & a logo in the project’s README. Don’t forget to attach a UTM tag so that you can track how many people navigate from the project to your site, but don’t expect huge traffic. Support the open source community not because you can benefit from it but because it’s the right thing to do; the rest will come.

LimaCharlie is a great example as we support multiple open-source cybersecurity projects.

Scholarships, grants, and product credits

Depending on the kind of product or service you offer and whom it is for, it can be a good idea to offer it for free to some categories of people and organizations. Students and schools are often looking for cybersecurity tooling they can use in the lab, while charitable organizations and non-profits need cybersecurity services they rarely think about and can even more rarely afford.

On the other hand, offering scholarships and grants can be a great way to gain visibility while also supporting a good cause.

Starting a media — podcast, online magazine, etc.

Running your own media requires considerable time but all that effort you put into it can pay off. Having your podcast, for example, allows you to reach out to industry leaders and feature them on your show — a great way to start a relationship by helping them showcase the work they do. Seasoned industry veterans are generally open to sharing their experiences, so that can help you achieve a few goals at once: creating great content, having a compelling reason to reach out to cybersecurity leaders, and building our brand as a cybersecurity expert. Cybersecurity startups that recently started great podcasts include Panther and Tines.

Downloadable content

Downloadable content is quite common in the cybersecurity space. Any B2B company is almost guaranteed to have a few case studies showing how they perform with different customers covering various use cases. These case studies are useful to showcase how the company products are being used (social proof) but they aren’t growth drivers as people are not interested in sharing the corporate marketing.

The kind of content that can be a great driver of growth and sometimes even go viral is the content about the market, customer problems, trends and opportunities in the industry, and similar. Not the “there is this problem on the market but if you use our product — we’ll solve it for you”, but genuinely valuable, vendor-neutral resources like e-books, industry surveys, and whitepapers. Great examples are the ‘2022 Voice of the SOC Analyst’ and the ‘State of Mental Health in Cybersecurity: 2022’ reports by Tines.

I would suggest syndicating the same content to different channels while adapting it to the unique needs of that channel. For example, a report above can have a PDF version available for download, a large infographic summary, a webinar discussion, a YouTube summary, and a number of social media posts each highlighting a unique point and providing a link to access the full content.

Working with resellers

Working with resellers is incredibly common among the B2B cybersecurity companies. Rightfully so — many IT providers, integrators, managed security service providers (MSSPs), consulting firms and individuals have built solid networks of trusted customers and partners that can benefit from implementing the solutions you are offering in their environment.

Generally, if you are a sales-led company, you will likely be a better fit for working with resellers than when you are a product-led startup. When a prospect can see the pricing openly on your website and can get started with using the product without having to talk to salespeople, they will have fewer reasons to engage the resellers.

Keep in mind that some large enterprise companies will only buy tools from select resellers so make sure you understand the buying journey of the types of customers you are targeting before dismissing a potential growth channel. In general, I would encourage you to develop deep expertise in your market and make any decisions based on what makes sense for your business.

Gift cards vs donations to charities

This one is somewhat tactical and philosophical at the same time. You can often see companies offering gift cards when asking people to complete a task like signing up for a demo, completing a survey, etc. I think that while the intent is great, a $25 gift card (or sometimes the potential of winning a gift card) is not an appropriate motivator for people in tech.

This goes deep into human psychology: the thought of getting a gift card doesn’t invoke an altruistic desire to help and instead triggers a rational evaluation if it’s worth their time. In many cases, the answer is — it isn’t, and so people choose to not participate.

What seems to work better (and we can see some companies already using this approach) is donating to a charity on behalf of the user. We understand that helping others is a great thing to do, so having a company donate on our behalf for completing a simple task seems like a win-win (and it is).

An example of a cybersecurity company that does this well is the already mentioned Tines.

Tools

There is a lot of useful tooling available online — you just need to look for it. For example,

Canva enables you to create great marketing visuals in seconds
SpyFu helps you understand how much your competitors are spending on paid ads
Buffer reduces the time you need to spend posting across different social media
Orbit allows you to manage your community across different platforms
HubSpot enables you to track all customer interactions in one place
Zapier enables you to automate manual tasks and build workflows across different tools
Grammarly is a writing assistant that takes care of your grammar, punctuation, and style
Apollo gives you a way to find email addresses or almost anyone and connect with them by creating email sequences
Clearbit shows you what companies visit your website and offers other intelligence you can use to supercharge your sales process
Google Trends analyzes the popularity of Google search queries across different regions and languages
LinkedIn Sales Navigator allows you to reach prospective leads, find relevant decision-makers in the target company, and keep track of the relevant changes
Intercom provides tools to personalize customer communication and tailor it to the behaviors within the product

Are there any other tools you would recommend? Drop a link in the comments section.

Closing thoughts

There are tens of time-proven growth channels you can explore. While I attempted to briefly summarize some, you can generate many more ideas by joining or starting a mastermind group with other founders, or by joining communities such as the above-mentioned Cybersecurity Marketing Society. Feel free to connect on LinkedIn & subscribe to my Medium/Substack content newsletters as well — I often share relevant resources with people within my reach.

Growth is a discipline that requires focus and consistency. By following the bullseye framework, you should be able to identify a few channels that work for your business. Then — focus and double down on these.

This post is part three of the 19 plus one traction channels for growing a cybersecurity startup: a founder’s guide.