19 plus one traction channels for growing a cybersecurity startup: a founder’s guide (part 2 of 3)
How to grow a cybersecurity startup: ideas, metrics, questions to consider
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
This post is part two of the 19 plus one traction channels for growing a cybersecurity startup: a founder’s guide. Please read the first part before moving on to the following post for full context and introduction to the Bullseye framework.
In previous article, I covered five traction channels for cybersecurity startups. This article will go over the next ten. Part three will complete the cybersecurity startup growth series.
Speaking Engagements
Speaking engagements are a great way for cybersecurity founders to showcase their work, build a brand and generate leads. Before deciding what conference to approach, you will want to be very clear about who your target market is, who in that target market is a buyer and who is a user. Knowing this is essential as it helps you to avoid wasting time and effort pursuing initiatives that won’t translate into tangible gains for your startup.
For example, if you are a managed security service provider (MSSP) or a cybersecurity vendor that secures financial technology, attending a fintech sales or marketing conference won’t likely get you any valuable leads. On the other hand, an event dedicated to infrastructure security may be a great fit even if it’s not explicitly targeting fintech. Know your audience, and where they go to learn and network.
To get started with speaking engagements, look at Meetups and smaller conferences — they are more likely to accept those with no public speaking experience. It’s tempting to apply to be a speaker at Black Hat or DEFCON right away, but starting small makes it easier to build both the credibility and the skills as a speaker. Keep in mind that most conferences close their CFPs (calls for proposals from speakers) anywhere from a few weeks to many months before the event, so you will want to plan in advance.
It may be simpler and easier to get started by reaching out to podcasts or organizers of virtual events. They are generally run by one-two people, and convincing one person to give you a shot is easier than convincing a panel of reviewers. Additionally, preparing original CFPs for conferences requires a lot of effort while podcasts need much less preparation and therefore can be more suitable for busy early-stage founders. There are many great security-related podcasts on Spotify, one quick search away.
Similar to blogs, don’t try to pitch your product and you will be fine. When preparing the talk, keep in mind the audience of the event, the level of knowledge and technical fluency they possess, and make sure your speech is tailored to them. If you are speaking at a conference for security researchers, you will want to focus on technology while if you are presenting to a business audience, you will want to be much more focused on the business of security.
Lastly, try to avoid complex terms and abbreviations, no matter whom you are talking to. It may look like it demonstrates expertise, but in reality, you are just making sure that someone will get confused (and someone always will). If you absolutely must use abbreviations (cybersecurity is guilty of having too many), try to explain them at least once.
There are many benefits of public speaking. It’s generally free (there are a bunch of pay-to-play options; I’d suggest you avoid them, at least at the beginning), and it helps you to evangelize the mission you are working on, showcase your expertise, and expand your network. Keep in mind that there are not many good security-related events and podcasts, so while great to start, this channel may be hard to scale.
Five questions to ask yourself if you are considering speaking engagements:
Who is the audience?
What’s your audience’s worldview — what do they value, what do they believe in, what do they stand for?
What is your audience interested in/what does it want to know?
How much does the audience need to know?
What objections does your audience have?
Five metrics to track if you are doing speaking engagements:
Number of attendees/listeners — number of people who participated in the event
No show rate — the percentage of people who registered but didn’t participate
Net Promoter Score (NPS) — the percentage of audience members having a positive experience and willing to recommend your talk to others
Quality of leads — the quality of leads generated by the engagement
Conversion Rate — the percentage of people who signed up for your product or service after the speaking engagement
Events
Traction calls these “offline events” but given the realities of COVID, I will instead talk about events more broadly. There are two possible approaches when it comes to events: you can attend them, or you can organize your own.
Almost every big city, state, and province has a local security meetup. Some are local chapters of large communities and organizations like OWASP or ISACA, while others have emerged as entirely local groups. Whatever the case, these are great communities to get involved with as are security conferences — both large like previously mentioned Black Hat and DEFCON, RSA, or smaller in size but equally impactful BSides Conferences across the globe. There are many great security events and more get started every year, even in the past few years despite the pandemic. For instance, 2021 was the year when the Blue Team Con was born (it’s happening again in 2022).
While early-stage startups rarely have money to sponsor large conferences, supporting local meetups is equally important and arguably even more impactful, both for growing the community and building relationships. Great ideas do not have to be conventional: when a large security conference is hosted in a city, you can organize an unofficial afterparty, a tennis competition, or a scavenger hunt without becoming an official event sponsor & just by spreading the word on social media.
While cybersecurity-focused hackathons are less common, Capture the Flag (CTF) competitions are commonplace. CTFs are events in which two or more teams compete against each other in a test of cybersecurity skills. Most CTFs have historically been focused on red teams (attack) but in recent years, several blue team-focused CTFs emerged, including the one hosted by the Blue Team Con. Startup founders can leverage capture the flag competitions to meet security professionals incredibly passionate about their craft (after all, they spend nights and weekends on it), evangelize their vision of security, and get feedback about their products.
Participating in CTFs is not the only way; you can also become an organizer. While doing that requires a lot of planning, it also offers a potentially great payoff long term. Examples of cybersecurity companies that built a fantastic community around their CTFs include Recon Infosec (organizers of the Open SOC) and Splunk (organizer of Boss of the SOC).
Five questions to ask yourself if you are considering leveraging events for growth (organizing or attending):
Who are the event attendees?
What do event attendees value/what resonates with them?
What are we looking to achieve from attending or organizing the event; are events the best way to achieve that?
What speakers would be the most relevant to our audience?
How many potential customers can we engage at the event?
Five metrics to track if you are organizing events for growth:
Number of attendees/listeners — number of people who participated in the event
Customer Acquisition Cost (CAC) — the cost of acquiring one customer
Net Promoter Score (NPS) — the percentage of audience members having a positive experience and willing to recommend the event to others
Quality of leads — the quality of leads generated by the event
Conversion Rate — the percentage of people who signed up for your product or service after the event
Engineering as Marketing
Engineering as marketing is about creating a growth channel by building tools that people find useful and making these tools available at no cost. Engineering as marketing is quite popular in the cybersecurity space given that many companies are targeting technical users — those who prefer to tinker with some cool open-source tool rather than read a marketing memo or attend a sales call.
There are multiple ways to leverage engineering for growth. Before we look at them closer, I would like to highlight that it is a fairly costly approach, both in terms of resources and the time commitment required for it to work.
As discussed before,
“Cybersecurity has evolved from an open-source mentality. Even today, some of the most used cybersecurity products and solutions are built by volunteers looking to solve a specific security challenge and open to sharing their solutions with others.”
Cybersecurity companies understand the value of publicity that comes from providing valuable tools for the community. An example of a company that did it successfully is the Atomic Red Team developed by Red Canary. Red Canary offers managed detection and response services, and it would not be an overstatement to say that the launch of the Atomic Red Team made them famous worldwide. Another tool that falls under this category is Exploit Database by Offensive Security.
Instead of building their own tools, some cybersecurity vendors have acquired open-source tools, including the most recent Rapid7 acquisition of Velociraptor and Checkmarx’s acquisition of Dustico. While Rapid7 has left Velociraptor as a stand-alone product (a great example of the “engineering as marketing”), and invested in its support and development, it appears that Dustico is no longer available as an independent offering.
Engineering as marketing does not mean open source, although making a valuable tool open source can be met very positively in the community.
A number of product-led cybersecurity companies leverage engineering as marketing to amplify their PLG efforts. Great examples include Security Scorecard which enables any company to receive their instant risk score, Qualys which offers a handful of free tools on their website and Shodan, a search engine for Internet-connected devices.
It can be confusing to separate engineering as marketing product-led companies that make their own products available at no cost for a limited amount of time (free trial) or with a limited feature set (freemium). A simple rule of thumb is this: freemium or free trial are common signs of PLG companies, while if a company has built a tool separate from its core offering and valuable on its own, with no goals to make users pay for that tool, you are likely looking at engineering as marketing.
Five questions to ask yourself if you are considering leveraging engineering as marketing:
What tools would people in our target market find the most valuable?
How can offering these tools help us to get people to join our community and explore our other offerings?
How many people can we bring into our community using this growth channel?
How will we expose people who use the free tools to our other, revenue-generating product offerings?
How can we ensure we are able to make a long-term commitment to support this approach?
Five metrics to track if you are leveraging engineering as marketing:
User Growth — number of new users who started using the tools we offer in a given time
Customer Acquisition Cost (CAC) — the cost of acquiring one customer
Daily Active Members, Weekly Active Members, Monthly Active Members — number of users that engage with tools in a meaningful way in a given time
Quality of leads — the quality of leads generated by the use of the free tools
Conversion Rate — the percentage of users who start using the revenue-generating products
Unconventional PR
Unconventional PR, often referred to as guerilla marketing, is a way to attract media attention by taking unusual actions. The cybersecurity industry is full of homogenous marketing with every company talking about the same problems & offering similar solutions to these problems. By being bold and doing things that make your brand stand out, you will increase your likelihood of succeeding in getting your message to a large audience.
Some examples of unconventional PR include:
Product placements — arranging to have a product be shown or mentioned by the actors in a popular movie or a TV show. This strategy is costly and is more applicable in a B2C environment (secure email clients, password managers, etc). Aside from the cost, it’s important to be realistic about the expectations: this kind of publicity stunt can help foster brand familiarity but it is unlikely to become a powerful lead generator for the business.
Placing advertisements in unexpected places can generate attention. For example — placing a provocative message on a billboard in front of the entrance to a well-known security conference, having an area at the conference where people can play with dogs wearing jackets with company logos, etc. There are a few limits here — be creative and it will pay off.
Experiential marketing — designing captivating experiences for the attendees of live events such as board game or VR game championships, tennis competitions, and similar.
Buzz marketing focuses on creating experiences and product ads that make people talk about them. A great example is yearly Super Bowl commercials which tend to spark a lot of buzz like Coinbase’s 2022 Super Bowl ad which was just a floating QR code on a black screen.
Contests, grants, scholarships, and competitions can be great to draw attention as well. Tines, for example, hosted a hackathon-style ‘You Did What With Tines’ competition which encouraged users to share the flows they’ve automated with the company’s offering.
Offering company products or services for free is another way to get good attention. Companies get hacked daily, and while there are usually contracts and agreements in place around remediation, there might sometimes be an opportunity to offer your services for free thus gaining some visibility in exchange for your support.
Unconventional PR is a good addition to your more strategic growth efforts, but it is unlikely it can become a long-term or a primary driver of company growth. Cybersecurity is a very nuanced industry and in my opinion, “any publicity is a good publicity” isn’t entirely true here. You want to be known from an angle that helps shape your brand image, not the one that can damage your reputation.
Five questions to ask yourself if you are considering leveraging unconventional PR for growth:
What are we looking to achieve from doing the publicity stunt; are PR stunts the best way to achieve that?
What kinds of activities can get us the desired media coverage?
How many potential customers can we engage through this PR stunt?
How can we stay top of mind for the people we brought into our community after the marketing event?
How can we ensure that the coverage we get is what we need to build our brand and establish ourselves as leaders in our market segment?
Five metrics to track if you are leveraging unconventional PR for growth:
Customer Acquisition Cost (CAC) — the cost of acquiring one customer
Total people reached — how many people were exposed to the PR stunt
Engagement — the number of shares, likes, comments, and posts in a given time
Quality of leads — the quality of leads generated by the PR stunt
Conversion Rate — the percentage of people who signed up for your product or service after the event
Trade Shows
Trade shows are a great channel for cybersecurity startups due to several reasons: they gather potential customers, partners, analysts, and investors in one place, create a great opportunity to showcase your product, and most importantly — allow time and space to build valuable relationships. The cybersecurity industry heavily relies on trust, so being able to establish connections and build genuine relationships is invaluable.
There are various trade shows a cybersecurity startup can attend; rather than providing a list, I would like to discuss how to approach choosing the right one.
To start, you will want to think about your goals. What are you looking to achieve by attending a trade show? Meet potential customers? Gain some brand visibility? Meet investors? Whatever your goals are, be explicit and start by evaluating if a trade show is the best way of accomplishing them.
Assuming you have decided to move forward, time to put together an Excel spreadsheet listing potential trade shows worth attention. It’s always helpful to ask fellow cybersecurity entrepreneurs about their experiences with different events, but sites like MSSP Alert and Infosec Conferences or even a quick Google search can offer a great start as well.
Once you have the list of conferences in a spreadsheet, add additional columns detailing the location, dates, application deadline, potential number of attendees, and total cost of participation (including estimated cost of travel and accommodation). Some of this information can be found openly on the event sites while for things like the cost of participation, you will need to contact the organizers. Note that the earlier you do it — the better, as there are generally multiple tiers when it comes to participation and/or event sponsorship, and the spots tend to fill out fast.
Armed with full information about trade shows of interest, evaluate the potential return on investment. If your goal is to acquire new customers, it should be relatively simple as knowing the number of event attendees should allow you to estimate the number of potential closings. Compare that against the total amount you need to spend to see if the estimated Customer Acquisition Cost (CAC) makes sense. If your goal is different, the evaluation if a specific show is worth attending will likely be much less quantitatively driven and more based on subjective factors.
To make the most out of attending a trade show, never assume you can just “figure it out once you get there”; you need to prepare beyond printing company swag and booking plane tickets. Start by creating a list of people you want to meet and make arrangements ahead of time. Reconnect with people you know and get warm introductions to those you want to meet, if possible. Yes, I know warm introductions limit access and perpetuate barriers, but unfortunately, it is how the world runs. If you cannot get the introductions you need, reach out via LinkedIn or Apollo; check out this brief guide about writing effective cold emails.
Once at the conference, focus on getting to know people and building valuable connections. There is lots of great advice about event planning and running a booth effectively; I can just add to it that building genuine relationships with a few people is better than collecting tens of business cards with no real substance behind them. Put people first and you will always succeed — whether we are talking about a trade show, or anything else.
Ensure that you capture the contact details of the people that stop by your booth and engage in a meaningful way. It’s wise to brainstorm creative ideas that get people to share their contact details as at this point, few event attendees will input their email to be enrolled into some lead nurturing campaign. Sales and marketing are not dead, but we’ve all developed a thicker skin when it comes to being sold so some creativity here will be required.
Lastly, remember that everyone likes swag. Invest in practical and meaningful handouts, not low-quality items that will get thrown out at the nearest trash container. Offer something valuable and people will not just keep it — they will remember you for it.
Five questions to ask yourself if you are considering attending trade shows:
Who are the event attendees?
What do event attendees value/what resonates with them?
What can you do to draw people to your booth?
How can you capture the contact details of the people that stop at your booth?
How many potential customers can you engage at the trade show?
Five metrics to track if you are attending trade shows for growth:
Number of attendees/listeners — number of people who attend the trade show
Quality of leads — the quality of leads generated by the trade show
Cost — the true cost of the event including the cost of booth, travel, meals, accommodation, marketing materials, and other
Customer Acquisition Cost (CAC) — the cost of acquiring one customer
Conversion Rate — the percentage of people who signed up for your product or service after the trade show
Sales
Sales are the most commonly used growth method, especially in the B2B space. Successfully implementing a sales strategy requires careful planning as these days, nobody wants to talk to stereotypical salespeople pushing their solutions and overcoming objections. Other changes like the product-led growth approach have changed the expectations as well with more and more people looking to try the product and make the evaluation without having to talk to salespeople, engaging with sales only when they have specific questions that can’t be answered online.
This does now, however, mean that sales are not important. They are (and quite a bit!), but the nature of sales is no longer about pushing products and services. It is about providing value and helping people to solve their problems. If so happens that the company offerings are not the best solution for a particular prospect, you want to direct them to an offering that will suit them more, even if it’s the one by the competitor. The trust you build by putting the customer needs first will help you build a successful company long-term as this is how you build a reputation of being a problem solver and get the word of mouth referrals.
Historically, cybersecurity has been full of vendors taking advantage of people’s misunderstanding of security and selling snake oil (I wrote about the psychology of security sales and marketing before). It’s a complex question as, unfortunately, the competitive environment coupled with the pressure from investors (for private companies) and the market (for public), has created incentives for vendors to employ any tactics that work to hit the quarterly growth targets. When this happens, the ethical considerations or even the holistic impact of these product offerings on the company’s security posture are often swept aside.
There are several great sales frameworks such as SPIN selling that can help startup founders learn the basics of the rich art of sales. I want to quickly touch on one item often listed as a requirement for sales professionals in the cybersecurity industry: the so-called “technical background”. I have recently shared the opinion that cybersecurity is not about technology and I stand by it in this context as well. While having a basic technical fluency is important, it can be developed at work, so a degree or experience in a highly technical role should not be a prerequisite. It is much more important that a salesperson is people-centered, empathetic, curious, asks powerful questions, knows when to bring in the right people into the conversation, and can map the customer’s problems to the solutions offered by the company.
Tools like Apollo and LinkedIn navigator are great to look for and establish the first contact with prospects. Before you do it, make sure you have an established profile of the ideal prospect (or a hypothesis if you are still early). This will allow you to use your resources wisely by only approaching those who are more likely a fit for what you do, and, if you are a startup, to test your hypothesis, and/or refine them to find a match.
Sales is an important growth multiplier for the company, especially when coupled with other channels such as product-led growth, content marketing, and community building.
Five questions to ask yourself if you are considering leveraging sales for growth:
What are the customer segments that can get the most value from our offerings?
What categories or types of prospects should we be reaching out to first?
How can we qualify the leads in a way that will allow us to prioritize our efforts and invest our resources into the relationships with the highest return on investment (ROI)?
What is the sales cycle in our segment and how can it be shortened?
How can we design a simple buying process to make it as easy and as quickly as possible to get value out of our offerings?
Five metrics to track if you are leveraging sales for growth:
Customer Acquisition Cost (CAC) — the cost of acquiring one customer
Quality of leads — the quality of leads at the top of the funnel
Conversion Rate — the percentage of people who signed up for your product or service after going through the sales process
Customer Lifetime Value (CLV) — the value a company expects to capture from a customer during the amount of time it leverages its offerings (before churn)
Sales Cycle — the amount of time it takes to complete a sale, from the time of the first contact (lead) to the time a customer completes the purchase (close)
Business Development
Business development (often called BizDev) is a growth channel that relies on building mutually beneficial relationships with other players in the space. Business development can be a great way to tap into the new markets, gain exposure to the customer segments that have previously been unavailable, reduce costs and bring new products to the market.
Similar to other growth channels, you will want to have a good strategy before you engage in business development. This will ensure that you are focused and targeted in your efforts, instead of just doing random things and hoping something will stick.
Here are some thoughts and ideas about business development:
Establish a connection with complementary companies in the industry that share a similar thesis or a view of where the market or a specific technology is going. This can help you form a great advisory board to assist with brainstorming and decision-making, and it can also open opportunities for collaboration.
Start by looking at companies one-two years ahead of you, or companies at the same stage. It can be tempting to reach out to startups 50–100 times larger or to large enterprise companies, but different stages generally mean different focus and different goals.
Before embarking on a large, complex technical integration, look for ways to test the waters cheaply. If you have shared customers — great, as that will allow you to talk to them and learn what could be a good high-value low-effort use case you could cover. Alternatively, start by doing some co-marketing (a shared webinar, a shared social media campaign, or similar) to test the waters, gauge interest and gather some early feedback.
Look beyond other vendors. There are different market participants. Industry groups and not-for-profits (think ISACA, OWASP, or members of the Nonprofit Cyber) could be great to establish a connection with as well. They are often looking for partners, speakers at their events, sponsors, and similar — being on their radar will help you stay on the pulse of the industry. Open source projects can be complementary to your offerings or target a similar audience so it could be worth approaching some as well. Government commissions and advisory groups can offer a great way to position yourself as an expert. Think outside of the box and build relationships with the players in different areas.
Don’t be afraid of doing joint ventures with other companies in the space, but make sure you do it strategically. Before embarking on a potentially multi-year journey, make sure to discuss the economics, areas of ownership, and the legal side of things. While not everything needs to be finalized before you work on the MVP (minimum viable product), make sure the relationship you are building is grounded on transparency and mutual respect.
When thinking about partnerships, always look for win-win as both you and your partner will need to benefit from this relationship in a meaningful way.
If the value of your product is largely defined by your partners (think about marketplaces), it’s wise to be organized when planning different integrations. Some vendors will have their documents and access to the product provided transparently and without any gates, others will require you to go through their partnerships process (there is often an appropriate page on their website), and some will ask that you submit an idea for the integration they may or may not consider. Whenever possible, try to find your way to the decision-maker and craft a compelling case built on the value they get from partnering with you.
Five questions to ask yourself if you are considering leveraging BizDev for growth:
What are other companies or organizations targeting the same market with complementary offerings?
What would the other party get from the potential partnership?
What would you get from the potential partnership?
What additional value would the customer get if you were to form a partnership?
How can you start by offering the most value at the least cost?
Five metrics to track if you are leveraging BizDev for growth:
Return on Investment (ROI) — the value you get from engaging in the partnership in relation to the cost of this engagement
Quality of leads — the quality of leads at the top of the funnel
Conversion Rate — the percentage of people who signed up for your product or service after being referred by the partner
Customer Lifetime Value — the value a company expects to capture from a customer during the amount of time it leverages its offerings (before churn)
Number of Partners — the number of partners you work with or integrate with
Offline Ads
I sometimes think that offline ads are dead until I see something that catches my eye and makes me think “hell, yeah” (admittedly, I don’t think I have seen any truly impressive cybersecurity ads — if you do, please share them in comments). Indeed, offline ads can work for cybersecurity companies.
Start by evaluating what channels your target market uses and your goals. Without sounding prescriptive, I think that unless you are an established enterprise company, channels like TV ads, yellow pages, cards, brochures, and direct mail are probably not going to be a good fit. They can work, but the price you pay can easily outweigh the benefits so you will want to do a detailed ROI calculation before engaging with this channel.
I think that the number and frequency of cyber attacks offer plenty of opportunities to get on TV, radio, and the newspapers for free. To do that, position yourself as an expert, build credibility through writing, podcasts, or social and then reach out to TV/radio/print media offering expert commentary on cybersecurity. One such commentary tends to lead to another, and since you will likely want to build your profile anyway, you can get the coverage in traditional media with almost no extra effort.
If you are targeting a B2B industry where print newspapers are still a thing, then offline ads could be worth considering. Examples include industry magazines — I have seen some for insurance professionals, doctors, and mortgage professionals and I am sure there are more. As always, a solid ROI calculation is key.
What you should avoid doing is targeting anyone and everyone through generic cybersecurity ads. These are not a good use of financial resources, to say the least. They can be good for reinforcing visibility and brand image once you are a large, established enterprise company but they are not a fit for startups looking to grow.
There is one case when I think offline ads can be a great fit, and that’s when deployed very creatively and strategically. Let’s say you are talking to a large financial institution that relies on traditional messages of trust. You could place a banner in front of their office that communicates your value prop and puts their worries at ease. Or, say you are preparing to start approaching new homeowners as your main market. In that case, finding ways to partner with a real estate agent and doing some co-marketing (like printed door hangers or welcome gifts) could be a good creative option.
Five questions to ask yourself if you are considering or pursuing offline ads:
What makes offline channels a suitable growth channel for you?
What offline channels are people in your target market using or are exposed to?
What types of materials do people in your target market trust/are skeptical of?
How can you get the person that saw your ad offline to take action?
How will you track success and/or people’s behavior after they see the offline ad?
Five metrics to track if you are pursuing offline ads:
Reach — the number of people you can reach via select media that fit the definition of your target audience
Customer Acquisition Cost (CAC) — the amount of money it costs to acquire a customer
Conversion Rate — the percentage of people who were exposed to the material and took the action you want them to take after
Quality of leads — the quality of leads at the top of the funnel
Return on Investment (ROI) — the value you get from engaging in the offline ads in relation to the cost of this engagement
Viral Marketing
Without a doubt, every company wants its product to go viral but very few do. Viral marketing can expose the company to many new potential customers at almost no cost, increase brand recognition, and as a result — have a tremendous impact on the bottom line.
It comes, however, with several challenges. First of all, there is no roadmap or a step-by-step list on how to make something go viral. You can study what has worked in the past, but at the end of the day, it’s about having your audience so excited to talk about something that they do it without anyone asking. Second, cybersecurity isn’t the industry people are most excited about which potentially prevents many people from participating.
While there isn’t a readily available recipe for vitality, there are principles that can help you best prepare your content for potentially going viral. As a big fan of HubSpot (who, by the way, invested a ton into content as a vehicle for growth), I would like to refer to their article that outlines six marketing strategies, namely:
Appeal to target audiences
For any content to go viral, it has to speak to the audience and make them excited to share it. If you are appealing to technical cybersecurity professionals, make sure your content is technical. If you are talking to an average user — make it more approachable and easy to understand.
Leverage strong visuals
HubSpot talks about leveraging images but I’d like to define visuals as anything that supports your content and makes it more compelling. A visual for cybersecurity content could be a piece of YAML code if your audience is technical. This is yet another example of why knowing your audience is key.
Champion creativity
You want your campaign to grab attention — this generally happens when something is new, unique, or different from anything else out there. Be creative.
Make emotional appeals
Historically, cybersecurity has been actively leveraging fear for marketing and sales. This resulted in a lot of fear-mongering which I think is bad for the industry as it takes people away from approaching security rationally, the way it should be approached for best outcomes. Fear, however, is not the only emotion. Share content that makes people excited, surprised, confident, angry, or strong — people need to feel something for them to share your content.
Ensure content is easily shareable
You want your content to be shared so make it easy to do. If it’s designed to be shared on GitHub — make it easy to be shared on GitHub. If it’s something for LinkedIn or Twitter — add elements that make it easy to do it in one click.
Share your content at the right time
Timing is everything. There are many good resources about the best times to post on different platforms. For example, you would not want to post on Facebook on Saturdays while the worst time for posting on Instagram are Sundays. Most importantly, cybersecurity is fast-changing — there are new breaches, new exploits, and new attack vectors emerging daily. Staying on top of these can enable you to create viral content more easily. For example, being the first to share IoCs (indicators of the compromise) of a new attack can get you a lot of visibility in the circles of security researchers and other professionals.
Lastly, making it easy for people to share access to your product (invite others) and product artifacts (link with product reports, etc.) will allow you to design growth loops for virality.
Five questions to ask yourself if you are hoping to pursue viral marketing:
What are people in our target market interested in?
What do our customers rave about when they pitch us to others?
How can we incentivize our users to invite others so they too can get value from our product?
How can we create & share timely content to increase the chances of it going viral?
How can we design content that sparks emotional reactions to increase the chances of it going viral?
Five metrics to track if you are hoping to pursue viral marketing:
Reach — the number of people reached by the content
Engagement — the number of shares, likes, and comments your content received
Customer Lifetime Value — the value a company expects to capture from a customer during the amount of time it leverages its offerings (before churn)
Net Promoter Score (NPS) — the percentage of users having a positive experience and willing to recommend your product to others
Conversion Rate — the percentage of people who became customers after engaging with the content
Email Marketing
Email marketing has been, remains, and will likely continue to be for the time to come one of the most popular growth channels for cybersecurity companies. Email allows you to foster relationships at scale and provide value to many people at once.
The key to understanding how to make the most of email marketing today is to reflect on your own experience with emails. How many emails do you receive every day? How many of these do you delete without even opening them? What makes you skim through its content? What makes you read it? What emails do you delete and which ones do you forward to friends and colleagues? This sounds rather obvious but spending some time thinking about it will help you build empathy which is probably more valuable for writing compelling emails than reading thousands of so-called marketing “experts” online.
After reflecting on your own experiences, invest some time to learn your audience — our users and buyers — who they are, what they find valuable, what they like, and what their preferences are when it comes to communication. A few things to keep in mind are:
It is true that people respond well to personalized communication but there are cases when they are not comfortable knowing that you have researched them online. This is often the case with cybersecurity products. Collect the name at the registration & use that for all marketing communications, even if what a person has entered is a nickname.
Keep your message short and simple — give people a summary of what they absolutely need to know along with instructions on what to do to learn more. This is why empathy is so important — think back to when you got an email from a vendor: did you have enough time to read multiple paragraphs? Probably not.
Keep your email as natural and as personal as possible. Send it from the address with your name instead of info@ and avoid capitalizing every word in the subject so it doesn’t look too sales-y.
When talking about your product, focus on the value, the problems it solves, and the opportunities it enables, not the features it has. People want to know what you make possible and why they should care; the features should be easily discoverable in the product itself.
Look for ways to connect emails to customer behavior and their unique needs. If you can learn about the customer needs at signup — use this to personalize the onboarding so that users can get to value quicker. Be careful to not overdo this — remember how creepy it can feel when you visited a pricing page on some website and a minute later received an email from the company saying “we noticed you just…”. Don’t do that.
Ensure that every email has a clear call to action (and only one). Make it easy for people to take the action you want them to take, and avoid introducing anything that can serve as a distraction from taking that action.
Be consistent. If you are sending a weekly email — do it on the same day of the week, if it’s a monthly email — the same day of the month. Humans like patterns, and consistency will make your communication feel more familiar.
Dividing an email into standard sections (announcements, product updates, customer stories, etc.) helps to structure the communication and make it feel more polished. If you choose to do this, it’s better to adopt a template and follow it one campaign after another (consistency and familiarity are great).
You will find that there is a lot of advice on how to craft good campaigns, when to send them, etc. Read it, learn from the experiences of others, and then develop and test your hypothesis. What worked for others won’t necessarily work for you and vice versa so keep an open mind and keep learning.
If you are approaching people who aren’t your customers yet via Apollo or LinkedIn Sales Navigator, make sure to personalize your outreach and keep it to the point. Cold emailing does work, but you want to make it personal. Here is a great guide on how to do it.
Five questions to ask yourself if you are hoping to pursue email marketing:
What kind of updates do our customers find valuable?
How often do our customers want to hear from us?
How can we make our email campaigns stand out?
How much information is worth sharing via email vs other communication channels such as social media?
How can we focus on what is valuable for the user instead of providing the updates centered around our business?
Five metrics to track if you are hoping to pursue email marketing:
Click-through rate — the percentage of people who click on the link in the email
Click-to-open rate — the percentage of people who clicked on any links compared to the number of people who opened the email
Unsubscribe rate — the percentage of people who choose to stop receiving email communications after opening the email
Open rate — the percentage of people who opened the email
Conversion Rate — the percentage of people who became paying customers
This post is part two of the 19 plus one traction channels for growing a cybersecurity startup: a founder’s guide. Please read the first part for full context and introduction to the Bullseye framework.
In the previous article, I covered five traction channels for cybersecurity startups. This article covered the other ten. Part three will complete the cybersecurity startup growth series.