Discover more from Venture in Security
A shortage of cybersecurity founders building companies, not features or products
The difference between building a product and building a company, what would building a company look like, and why it’s important that at least some people in the industry dare to do it
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Join the 8150+ leaders shaping the future of the cybersecurity industry
This article was written in collaboration with Nick Muy, a friend, CSO @ Scrut.io, Venture Partner at Tidal Ventures, and Co-Lead at VIS Angel Syndicate.
Over the past several years, I’ve noticed an interesting problem: many cybersecurity companies fail because founders build features & products, not companies. To some, this may even sound confusing because from the outside, it’s hard to draw the line between the two. This is precisely what this deep dive is about: the difference between building a product and building a company, why it’s so common for cybersecurity founders to focus on the former and to not think about the latter, what would building a company look like, and why it’s important that at least some people in the industry dare to do it.
Features, products, and companies
Most security startups are building features or products, not companies. What’s ironic is that from the outside, it’s hard to tell what the founder’s ambitions and capabilities are, and whether they are trying to build a feature, a product, or a company.
Security features: useful, but not enough to build a company around it
Security features masquerading as startups are incredibly common:
a founder used an existing tool widely recognized in the industry, and found that it misses a seemingly critical capability - one that if added, would make the product in question much better
a team of researchers figured out a way to make a stronger algorithm than what most players on the market use, a way to detect threats that’s 5% better than everyone else, and so on
an open source enthusiast built a plugin that extends the functionality of a platform and can save time for security teams who rely on it
More often than not, starting a company by only building a “killer feature”, and without a long-term strategy in mind, is a losing game for several reasons.
First, startup founders like to dismiss the incumbents as slow-moving and irrelevant. That may be true in some cases, but overall they do employ a large number of pretty smart people. If the missing feature doesn’t prevent the incumbent from successfully growing its market share, it may not be as critical for its customers. Even if the capability is indeed important to some of the users, it may be too niche for the broader market, not feasible to implement, too risky, etc.
Second, building a company around one niche use case is risky: if there is nothing preventing the original platform from adding a missing capability, the startup may lose all of its customers on the day when the incumbent ships the feature in question. If the feature is an add-on of an existing platform that relies on its APIs, the company that owns the platform can make a change that renders the whole solution unusable.
One way or another, to build a successful company one needs a vision - a vision that goes beyond “it would be really cool to build this amazing feature - I am sure people will love it!”. Starting with a feature without good research on the breadth of the problem, how widely it’s experienced and who experiences it, is a recipe for “features” looking for problems.
A successful outcome for most feature startup founders is an acquisition: if the big vendor determines that it’s easier for them to just buy a working feature with the team that built it than it is to develop it in-house, they may decide to acquire the team and their technology. For this to happen, many factors must be true, including:
the startup must have developed something that the company either doesn’t have the expertise or time to build in-house
the startup must be reasonably priced - meaning it cannot have raised a lot of money at a high valuation
It may often be harder to get acquired than some founders think. In security, the incumbents have an advantage because they 1) have access to a large amount of customer data, and 2) have well-established distribution networks. If the company can quickly copy the startup’s solution, use its access to data to make it better, and deploy its sales teams to sell the crap out of the new feature, it can destroy the founders’ dreams of an exit.
Building security products
After features, the second most often situation is when founders have identified an opportunity to build a product. Products offer value on their own, as they solve larger, stand-alone problems. Security products have a broader range of potential outcomes: some may end up getting acquired, while others can become large companies. If a startup doesn't have a great product to offer to its customers, it will likely fail. However, having a good product alone won’t make it successful.
It can be too tempting to look at any security startup that starts out small and dismiss it as a small “point solution” that has no potential of ever becoming anything of value. I think this is a mistake - it’s akin to looking at a baby named Agatha Christie and saying “how can it ever write a book - it can’t even say a word”. Babies grow up and learn, and after some time they can realize something they didn’t know before, show new talents, and ultimately define industries. Companies are similar: when Palo Alto started as a firewall company, nobody could have predicted that it would become a one-stop security provider; there is nothing that says that several of today’s small startups building seemingly unimpressive products cannot repeat its path (I am sure, some will).
There is more to building a company than shipping great features & launching awesome products
What’s most rare in the industry are people building companies. These can be incumbents such as Cisco, CrowdStrike, Tenable, and Palo Alto Networks, but they can also be newer players such as Wiz.
All companies are akin to an iceberg in that only a small percentage of the startup’s reality can be seen from the outside. What the outsiders see are typically the product, brand and positioning that can be dissected through the startup’s website, marketing materials, events and social media presence, and posts shared online by the employees. All this tends to revolve around the company’s offerings, the value it brings, new feature announcements, and the like.
What isn’t open to the outsiders (and even to many employees that work at the company) is what it takes to actually run the startup, which includes among other things corporate governance, fundraising, legal, investor relations, operations, finance and forecasting, payroll, risk management, recruitment and team design, incentive design, partnerships, and the like. Although a startup unlike large corporations would not typically have separate departments for each of these functional areas, someone must still do this work as they are critical parts of building a company.
While building a product is what enables the company to offer value to its customers, shipping new features in itself isn’t the same as running a business. Moreover, from the go-to-market standpoint, the product offering is just a part of the larger picture which includes market sizing, business model design, positioning, and competitive analysis, to name a few. Many great products fail because the company’s business model wasn’t designed intentionally so the revenue doesn’t cover the infrastructure cost or requires too many people and therefore doesn’t provide acceptable profit margins. Some go down because they fail to consider the competitive landscape and enter a market segment that is fully commoditized. All this while a large percentage of cybersecurity startups build great stuff but still go out of business because of poor capital allocation habits, over-hiring and over-investing into building before validating the customer demand, not taking most critical risks into account, and other issues that have nothing to do with their product.
Why cybersecurity founders tend to build features & products, not companies
Security practitioners lack the context of the business of their own organizations
Many security leaders and practitioners lack the understanding of the business side of their own organizations. It’s not rare for security to be seen as a function that operates separately from the rest of the business. In practical terms, this means that security practitioners don’t get to spend enough time understanding what it takes to run a company, how areas like finance, customer success, operations, business development, human resources, payroll, and investor relations, to name a few, contribute to company success, what they do on the day-to-day, and how it enables the company to grow. When security teams see the rest of the organization as purely sources of risk, they end up lacking the context of the business of their own organizations. Fortunately, as the profession matures, this is becoming less and less true for many security teams.
When security practitioners think about security vendors, they think features & products
When security practitioners think about CrowdStrike, they are looking at its CrowdStrike Falcon platform; when they discuss Wiz they talk about its cloud security capabilities. Focusing on features and capabilities enables security practitioners to evaluate what solution was better designed, has better support, and can offer a better protection for their environment.
The reality is that both Wiz and CrowdStrike platforms, similar to all other solutions, are the creations of their parent companies; they are not companies themselves. The reason companies succeed or fail is rarely as simple as “because they have a better set of features”. Instead, it’s the way they prepare for, identify, and address risk; the way they raise and allocate growth capital; the way they manage expectations of their investors and plan for exits; the way they decide what customer segments to focus on and in what order to win a larger percentage of the market, and so on. To beat the competition, it is never enough to simply build a better set of features because what defines companies is much more than a list of features in their products.
It’s hard to shift mindset when you don’t know what you don’t know
A large percentage of future founders are people who haven’t been exposed to the business of the companies they worked for, and who learned about the vendor market by looking solely at the features of their products. When security practitioners launch their startups, the “security versus business” mentality is no longer acceptable: now security itself is the business.
Although we are now finally admitting that “security should be a business enabler, not a department of “no'', in practice relatively few security professionals get exposure to the business metrics, and build a holistic understanding of what it takes to run a company. When it’s their turn to build a company, not only do they lack the mental models to make decisions as business owners, but also they often lack the network of people they can reach out to for help.
The irony is that many security practitioners start companies to focus on what they can do best - security, and to help other organizations solve problems they themselves have faced. Yet, the skills needed to run a startup have little to do with security; worse yet, as time goes by, founders will spend less and less time doing security and more time focused on company building - something people find hard to adjust to if they are not surrounded with good mentors.
Investors often don’t understand the context of the founders they are backing or don’t offer support even though they do
There is a lot of capital available to back cybersecurity startups, so VCs are eager to find potentially promising entrepreneurs and provide them with money to make their ideas happen.
Although there are many investors ready to write a check, few are prepared to offer tangible support to help security founders build companies. This doesn’t happen because of some malicious disregard on the part of investors, but because many of them don’t fully understand the context security practitioners operate in. VCs are used to backing software engineers, product managers, and the likes - people with experience working in functions that have a high understanding of what it takes to build a business. What many investors miss is that security practitioners have much less exposure or understanding of what it takes to run a company.
Security as a discipline is very new, and as such it is years behind compared to areas such as software development when it comes to business context. Unlike Chief Technology Officers (CTOs) and Heads of Engineering who are invited to executive discussions to co-create with other leaders, CISOs in many organizations are still fighting for the right to sit at the table where business decisions are made. This culture where security is seen as something outside of the “business” trickles down from the leadership to security practitioners who don’t allocate enough time to build relationships and understand the intricacies of the business their company is in; often not because they don’t want to but because they have no time for it.
All these gaps are solvable if people who support the founders - namely investors and advisors - know about them, have the resources, and are prepared to offer support. If they don’t or aren’t, the chances are high that capital they invest will be used to ship cool features, not to build a lasting company. This is what I think Israeli VCs do so well - supporting their early-stage founders, and helping them with everything from marketing to sales and operations, until they get on their feet. We have a lot to learn from the Israeli model, and the results it can enable.
Building a company, not a feature: notes for security founders and investors
Founders need to decide what they’re building, have a plan & execute it
It’s important for the founders to be honest with themselves and decide what they are trying to build. If their goal is to develop something a big player could acquire in 2-5 years, what they have in mind is a project (feature or product), not a company. This approach isn't bad, as long as
founders are transparent with themselves
founders are transparent with their employees & investors, and
the company is making decisions aligned with this goal
If they, on the other hand, are looking to build a company that will be around for decades, the decisions they need to make to succeed in their goal are going to be very different. It goes without saying that the decision alone isn’t enough; what matters is the execution that follows. It’s not uncommon to see founders make technical, fundraising, product, and other decisions that will prevent them from being able to evolve their feature into a company. Whether it’s raising too much too quickly, and over-investing into building without finding the product-market fit or anything similar, these mistakes are more common than what many people realize.
Security practitioners need to invest time into understanding how to run a business
Out of many business domains, security is one of the few which see the rest of the organization as a risk or a liability. This mindset is limiting as it prevents security practitioners from building the understanding of all the nuts and bolts that constitute a company.
When security professionals choose to build a startup, they will need to think about the go-to-market strategy, plan marketing campaigns, handle sales, raise funds, provide regular updates to their investors, read legal contracts, and the like. Even if and when they get to hire dedicated employees to own each of the areas they’re weak at, they will still need to oversee the overall direction of the company - something they can’t outsource to anyone else.
For founders to be effective running a company, they need to develop business acumen. Ideally, this happens a long time before they leave the security team to build their startups; if not, they need to surround themselves with trusted advisors, mentors, and support groups to get up to speed quickly.
To solve the prioritization challenge, founders need to think about their business holistically
Security professionals are mostly good with prioritization - there are always competing priorities, and not enough resources to get everything done. At the same time, all their work is somewhat related in that it addresses one need - the need for security.
Founders of cybersecurity startups need to get their prioritization skills to the next level as they are expected to prioritize work that isn’t at all related. What’s more important - interviewing a prospective employee when the team really needs someone to start as soon as possible, talking to a prospect looking to clarify pricing before they share information with the decision-maker, working with auditors to obtain a FedRAMP authorization that can unlock new sales opportunities, or addressing a critical bug in production? When the resources are limited, and the amount of work in all directions is ever-growing, those without a strong understanding of the business will struggle to make decisions that maximize the probability of positive outcomes.
To get to the next level, security founders need to learn how to build relationships and alliances
Although security professionals work in teams, individual contributors are mostly accountable for their own work, and managers are expected to also take responsibility for the contributions of their reports. Security leaders, on the other hand, add value through setting the direction, establishing goals and keeping people accountable for meeting them, and most importantly - through stakeholder management. A good CISO spends time building relationships across the company, turning sales, legal, finance, customer success, engineering, and other functions into their allies.
Most security professionals are used to influencing others through formal authority - by issuing and enforcing policies, demanding compliance, and so on. The reality is that good stakeholder management, and especially building a company require the opposite, namely influencing without authority.
A startup CEO needs to be able to inspire and motivate people - employees, investors, industry analysts, partners, and even customers. If the founder needs to formally push an employee to listen to their opinion because they own the company, they have already failed.
To get to the next level, current and future security founders need to build relationships and invest in developing their communication skills. Without this, they can still get by as individual contributors in the industry, but they’ll most certainly struggle as entrepreneurs.
What doesn’t get measured, doesn’t get done
I am a big believer that startup founders need to be obsessed about metrics. This means that going heads-down into building isn’t good enough; a company CEO needs to know in numbers how the business is performing, and with that - what quantifiable metric each person is driving. This includes:
Understanding customer acquisition costs, average contract value, conversion rates, and other metrics related to acquiring customers.
Having a financial plan, obsessively right-sizing the resources and knowing what they’re doing with their money. Most companies end up spending a lot to build a product long before they get any customer validation. They don’t have a budget - instead they have a bank account they draw from to build cool stuff they wish they had when they were working in the field.
Establishing key performance indicators for the startup overall, and for every part of the organization in a way that contributes toward the company objectives.
Putting systems and processes in place form day one
Founders thinking about building long-lasting, scaleable companies need to look for ways to put systems and processes in place from day one. They must be appropriate for the stage the company is at: the idea isn’t to add bureaucracy or to slow down the process where it’s not valuable but to think long-term and lay the foundations for future growth.
Some examples of what I often see lacking include:
Communication channels: founders should be intentional about designing appropriate communication channels in the company so that conflicts, misunderstandings, and the likes are addressed quickly and transparently. (e.g. internal open slack channel with leadership team updates)
Feedback mechanisms: putting a system in place to identify gaps, performance issues, and communication breakdowns early. (e.g. ensuring enough attention is devoted to unblocking by someone on the leadership team)
Performance expectations: founders need to set clear expectations around performance, and be willing to make tough decisions when people don’t meet them. A lot has been said about hiring slow and firing fast, but I find that few security practitioners are comfortable making staffing decisions.
Vision & mission alignment: when everyone moves fast, the cost of misalignment is enormous. A simple misunderstanding of the vision or the direction of the company, if not discovered and addressed, can result in several people all pulling in different directions. (e.g. weekly all-staff updates, brief and consistent)
Not every startup will become a large publicly traded company - many are started as 2-5-year projects, with the goal of getting acquired quickly. It’s important that founders think about company building, make explicit decisions about what they are trying to build, and are transparent with their investors and key stakeholders.
Building features is fun and exciting; building companies is hard. As an industry, we need to encourage long-term thinking: it will be hard for us to innovate, if most entrepreneurs will continue to look for quick exits, or worse yet - dream about building long-lasting companies without making the decisions that support this path.
If you like my blog, please subscribe & share it with your friends. I do this in my free time, so seeing the readership grow helps me to stay motivated and write more. I don’t send anything except my writing and don’t sell your data to anyone as I have better stuff to do. If you are a security practitioner, check out & spread the word about the VIS Angel Syndicate. If your company is interested in sponsoring Venture in Security, check out Sponsorships. Thank you!