Business & distribution model design for cybersecurity founders and startup leaders
Looking for ways security startups can bypass the traditional "get a CISO into a demo" sales tactics while achieving growth
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
It doesn’t take long to notice that most cybersecurity startups seem to lack imagination: they attempt to sell the same way it has been done for years - by getting CISOs into a demo and hoping security leaders will instantly realize just how awesome their widget is. Seemingly, there is no alternative to this model except product-led growth, which has proven to be even harder to rely on. With that, the conversation tends to end, even though this is where the real story begins.
I have previously explained that not everything is about technology and that there are other ways to innovate in the security industry. In this piece, I focus on distribution channels and business model design for cybersecurity startups.
Repeating what we all know: three buyer personas and ways to sell to them
As the story goes, there are three types of customers: individuals, small and medium-sized businesses (SMBs), and enterprises, each with unique ways in which they evaluate and buy security tooling.
Individuals: the pain of B2C security sales
Regardless of whether or not people care about their security, one thing is clear: they don’t want to pay for it. Of all consumer-focused security products, only virtual private networks (VPNs) have gained mainstream adoption that compels people to pay for them. The reason for this has little to do with security; individuals get VPNs to watch pirated movies, to stream content that is geo-blocked outside of the US, and in some countries - to watch porn and access sites blocked by censors.
In recent years, there has been a push for the adoption of password managers, so Bitwarden, Dashlane, LastPass, and 1Password, to name some, have started offering bundles for individuals, even though most derive the majority of their revenue from businesses. B2C security companies find that getting enough people to adopt security tools is an uphill battle. The only company I know of that was able to build a holistic security platform targeting exclusively individuals and families is Aura.
SME: they need help, they just don’t know about it and don’t want to pay for it
Small and medium businesses are a huge part of the global economy. In the US, the numbers are staggering: according to the U.S. Chamber of Commerce, there are 33.2 million small businesses (businesses that employ under 500 people) in America, which combined account for 99.9% of all US businesses. It gets better from here as the same report states that “Small businesses are credited with just under two-thirds (63%) of the new jobs created from 1995 to 2021 or 17.3 million new jobs. Small businesses represent 97.3% of all exporters and 32.6% of known export value ($413.3 billion). They also employ almost half (46%) of America's private sector workforce and represent 43.5% of gross domestic product.”
Although SMEs have been greatly underserved compared to the enterprise market, achieving success in this segment is anything but easy. While some SMEs, especially those that employ 100-500 people, may be on the mature side, the vast majority have little or no understanding of security and, consequently, no budget for cyber defense. As a result, selling to small and medium-sized companies requires a lot of education, as well as a business model and unit economics that can remain profitable despite small deployment sizes.
Enterprise: the Holy Grail of the cybersecurity market
The vast majority of cybersecurity product companies target the enterprise market - the Holy Grail of the security industry. There are several reasons why this is the case:
Presence of budget - large enterprises have assets worth protecting, and as such they are willing to allocate money to security
Regulatory requirements - in the effort to protect the public and strengthen the nation’s defenses, regulators are constantly raising the bar for what it means to secure the enterprise, which generates demand for new security tools
Deal sizes - large deployments in the enterprise result in large deal sizes, making them very attractive to startups (one Fortune 100 customer can bring more revenue than 500-2,500 SMEs)
Historically, what has worked well is selling directly to security leaders (CISOs and CSOs) or relying on channel partners (resellers, integrators, consultancies, and so on), which are responsible for roughly 90% of security sales. Because of the ever-growing number of security tools, CISOs of large enterprises have learned to rely on help and advice from industry analysts - companies such as Gartner, Forrester, and IDC. Consequently, it became part of the game for startups to invest in analyst relations to build relationships and, hopefully, influence analysts’ opinions. Over the past several years, new startups have struggled to stand out from the crowd and get noticed in the cacophony of the market.
Pick your poison: the need to specialize in one market segment
Most problems I’ve observed can be categorized into one of two broad buckets:
Problems experienced by either people or businesses
Problems experienced by both people and businesses
The first category - problems experienced by either people or businesses - is the most common. People want to date, read books, play sports, buy food for lunch and have it delivered to their doorsteps, spend quality time with their friends, etc. A wide variety of business-to-consumer (B2C) businesses work hard to address these desires.
Businesses, on the other hand, have different needs centered around achieving profitability and generating returns to their shareholders. A donut shop needs the ability to track its deliveries from suppliers and sales figures, an insurance company needs to report to regulators the amount of risk capital, and an airline needs, among other things, to manage arrivals and departures of the planes. All these demands unique to different kinds of businesses are being served by business-to-business (B2B) enterprises.
Some problems are experienced by both individuals & businesses, for instance, collaboration, e-signing, note-taking, and document sharing. Companies that address these needs get the ability to build a solution for one customer segment and then move up or down the market from there. For instance, project management tools such as Asana can be used by individuals, SMEs, and enterprises alike; while the specific functionality each of these groups will leverage is going to be different, the core of the solution is likely to be the same.
Although cybersecurity is everyone’s problem, security companies don’t get to build for individuals and then move up to enterprise customers, or vice versa. There are some exceptions, such as password managers, but for the most part the solution needed by individuals (all-in-one personal security) looks very different from what’s needed by SMEs (all-in-one business-level security), which in turn is even more different from what’s required by enterprises (advanced solutions to specific problem areas such as endpoint security, cloud security, etc.). Security startups have no choice but to pick the market segment they want to focus on from day one.
Three basic models for delivering security
Fundamentally, there are three basic models for delivering cybersecurity I see on the market:
“We secure you”
“We give you the tools to secure yourself”
“We build the foundation and leverage the work of others to secure you”
“We secure you”
Most cybersecurity companies fall under the “We secure you” model. Under this model, security startups develop proprietary capabilities to prevent, detect, and respond to threats. The promise is simple: the company has developed some “secret sauce” (intellectual property) which enables it to do a better job in addressing security issues than its competition.
Companies that leverage the “We secure you” model have the biggest total addressable market (TAM) because they are the least likely to require customers to have specialized security talent. On the other hand, products in this category are hard to evaluate and compare against one another; by signing the contract, the buyer is expressing a belief that the vendor can keep it safe.
“We give you the tools to secure yourself”
On the other side of the spectrum are companies whose value proposition is that of a hands-off infrastructure provider: “We give you the tools to secure yourself”. Most startups building solutions in this category target enterprises with mature security programs - those that have the resources (especially the talent) to fully take advantage of the offering; consequently, their TAM is limited. What further complicates the situation is that many of the companies that have technical security engineering talent don’t just buy products off the shelf. Instead, every time they run into an unmet need, they do a “make or buy” assessment, since their teams are well capable of developing solutions in-house.
“We build the foundation and leverage the work of others to secure you”
“We build the foundation and leverage the work of others to secure you” is the model that deserves special mention. Under this model, a security startup lays down the foundations of the product and then relies on the community to do the rest of the work, whether that is building content (detection rules, for example) or developing integrations. This model, in which companies leverage the work of others, is often called “crowdsourced security”; SOC Prime, Bugcrowd, and Shuffle are examples of it in practice.
Thinking about the buyer's journey from first principles
Many founders I meet think that building a company in security makes their go-to-market entirely predetermined. “We are a B2B company, so we’re just going to sell to the enterprise, get a CISO into a demo, and show them how awesome our solution is”. Or, they get too excited about the alternative and decide to embrace product-led growth, hoping that security practitioners will discover their tool on their own and, after the initial “Wow!”, immediately bring the product to their manager and get them to buy it on the spot. In my view, neither of these approaches is a suitable basis for a successful go-to-market strategy.
To plan a winning go-to-market strategy, it’s important to start by understanding the problem the company is trying to solve, identifying who cares most about seeing it solved, how they learn about new solutions, and what factors and stakeholders affect their decision-making. The buyer's journey, especially in B2B, is non-linear.
Source: Gartner
Even though the reality is complex, it’s unhelpful to think about the buyer’s journey as a mess. There are many great templates for buyer’s journey mapping online. Regardless of which one the founders choose, what’s important is to do several things:
Identify who is involved in the decision, what their power to influence the decision is, and what their interests are.
Understand where people who are the most influential in the buyer’s journey get their information; this is where you should prioritize your sales & marketing efforts. Although this step may sound basic, it’s incredible how many companies spend money on social media ads and campaigns when their money would be better spent organizing an invite-only event, producing a useful report, or sponsoring their local BSides.
Brainstorm the questions prospective customers are trying to answer at every stage of their buying journey, factors that may cause them to churn, their concerns, and motivations.
Understand what activities prospects go through at every step of the journey (demos, internal reviews, budget approval, etc.).
Develop a plan on how the company is going to address the needs of different stakeholder groups at each stage of their buyer’s journey.
Mapping the buyer’s journey is a useful exercise, as it helps founders understand how their target market behaves and what people and companies need in order to become happy customers. Most importantly, it enables them to identify and test different go-to-market strategies, because everyone who is part of the journey, or who can influence the buying process, can be turned into a distribution channel.
Follow the customers: business model generation and different ways to sell security
A great tool for designing, inventing, experimenting with, and pivoting a business model is the Business Model Canvas.
There are many resources and instructions about using this framework such as the one below. Rather than focusing on the tool, I am going to share some thoughts about what different distribution channels could look like in cybersecurity.
Going niche in B2C: some people do care about security
Although it is true that the vast majority of people do not care about their security, some do. A good strategy for B2C security sales is focusing on the niche categories of people for whom digital safety is critical for preserving their wealth, health, reputation, and even survival. The list includes:
Journalists
Human rights activists
Politicians & other dignitaries
TV & movie actors
Executives
High-net-worth individuals
Porn actors
Sex workers
and the like. It may be hard to build a growing business by going so niche, but it can be a great start: people for whom security isn’t optional are typically the early adopters of consumer-focused privacy and security tools.
Mastering B2B2C: security for individuals paid for by their employers
There are two obstacles to consumer adoption of security products:
Security adds friction, and people don’t like to deal with friction if they can avoid it.
Security costs money, and people aren’t used to paying for software.
The former cannot be effectively addressed within this discussion, but the latter can.
One way to increase the likelihood that people will pay attention to security is to offer it to them for free. Rather than monetizing user data, there is another approach better suited to selling cybersecurity: having the employer pay for it. This model, commonly known as B2B2C (business-to-business-to-consumer), has started to take off in the past few years. BlackCloak, for instance, offers security for executives, and Agency offers security as an employee benefit more broadly. Companies such as 1Password also encourage their customers to offer their password manager to employees as a benefit. The idea is that once an employee leaves the job, they will most likely continue to pay for access to the tool since it already holds their valuable data (better yet, 1Password can nudge people to ask their new employer to pay for it as a benefit).
When security is offered to employees as a benefit, it comes under the benefits budget and can therefore be sold to human resources (HR) and people & culture departments instead of CISOs. The downside of this approach is that security as an employee benefit is an optional rather than an essential business expense, and as such it can quickly get cut when times are tough. However, once adopted, I’d assume (with no data to back it up) that most companies will continue to pay for it, because no one wants to go to their people with the message that “we no longer want you & your family to be secure online”.
Doubling down on the channel: giving the channel what it needs to sell
Not only are channel partners important players in the security ecosystem, but some customers only buy through the channel, making it hard to ignore this distribution method. Here is the reality of cybersecurity sales, according to Canalys and Steven Kiernan’s LinkedIn post:
More than $9 of every $10 of cybersecurity sold goes via partners.
Cybersecurity technology spending through the channel grew 12.7% to US$17.4 billion in Q2 2023, which accounted for 91.5% of the total market.
This growth rate far outstripped the 0.6% growth of direct sales.
Two-tier partners via distributors accounted for 69.3% of total spending. One-tier partners represented 22.2%.
Resellers were the largest channel category, followed by systems integrators. MSSPs were the fastest-growing category followed by service providers.
The leading 12 cybersecurity vendors accounted for 50.6% of spending through the channel.
Image Source: Steven Kiernan on LinkedIn
Startups looking to sell through the channel often make the mistake of assuming that all they need is to get in front of resellers and integrators and demo their great solution. The reality is much more complex. First and foremost, companies need to think about the potential to sell through the channel strategically, and early on in their journey. Some decisions, if made without consideration for channel sales, can close the door to this distribution method entirely. For example:
If the company lists its pricing transparently on its website, it will be hard for resellers or integrators to charge the price they need to meet their margins.
If the company’s price is too low compared to the competition, channel partners who make a percentage of sales will have no incentive to actively promote the solution. 10% of $1,000,000 is ten times more than 10% of $100,000 ($100,000 vs $10,000); everything else being equal, salespeople in the channel are incentivized to sell more expensive solutions.
If the product is hard to implement, or if it requires too much manual configuration to get going, channel partners are unlikely to be successful in selling it.
To get started with the channel, startups will need:
Proof that there is real demand in the market for what the company is offering. A demo and a few testimonials aren’t enough: channel partners will expect the startup to bring several closed, sizable deals, essentially handing them easy revenue as a way to start building the relationship and demonstrate the market potential.
Sales and customer enablement collateral, training, and constant feedback to make it easier for the reps to sell. Startups need to hire someone who is fully dedicated to fostering relationships, answering questions, providing training, checking in frequently, and doing anything that needs to be done to keep sales reps engaged.
Relationships with the salesforce and the right incentive systems. Providing collateral and hosting webinars isn’t enough to keep salespeople in the channel engaged and motivated. Companies will have to invest in building relationships, recognize great performance, and treat the channel as an extension of their own team.
Channel sales come in different shapes, and there are other players aside from resellers and integrators. Huntress has proven that managed security service providers (MSSPs) and managed service providers (MSPs) are a great source of business. It sounds obvious today, but when the company started, few believed it would be able to craft a go-to-market around this distribution channel.
Betting on the new type of channel: selling via data platforms
As I discussed before, data gravity (the tendency of data to accumulate mass and attract products and services) is driving a tectonic shift in cybersecurity: security data is moving to Snowflake, BigQuery, Azure Synapse (formerly Azure SQL Data Warehouse), Amazon Redshift, and the like. In the next decade, data warehouses and cloud providers have the potential to grow into the largest distribution channel for cybersecurity. Customers who already have their data in one place will find it easier to simply “enable” a plugin that seamlessly connects to their data, instead of having to go through lengthy deployments and trials.
Security companies capable of getting their foot in the door and building partnerships can sell their offerings entirely through this channel. Field sales representatives for data platforms and cloud providers, equipped with marketing collateral and information about cybersecurity solutions, can upsell and cross-sell their existing customer base with little effort. Data warehouses and cloud providers track two metrics: ingestion and consumption - or, to put it differently, getting the data in, and ensuring that customers use as many add-ons and services as possible, fully leveraging the capabilities of the platform. Selling cybersecurity on top of their core offerings can drive consumption, help sales reps hit their quotas, and provide all sides with steady streams of revenue.
Working with ambassadors: reaching SMBs via vCISOs
Global cybersecurity sales in the SME market category are estimated at more than $40 billion and, according to some projections, should reach $90 billion by 2025. All this makes small and medium-sized enterprises an attractive market for cybersecurity founders. Selling to SMEs directly is hard, as it requires educating them about their needs, ensuring they have enough budget, and so on. Another way to reach small and medium enterprises could be by targeting another growing part of the security community - vCISOs.
Virtual CISOs, often referred to as “CISO as a Service”, are security leaders who work with several organizations at the same time, doing the same work a full-time CISO would do (security strategy development, security & compliance program design, tool selection, and so on). I anticipate that the ever-rising pressure on CISOs, the growing number of regulations, and cases when CISOs are held liable and tried in a court of law for doing their job, will push more and more CISOs to leave their full-time jobs and become vCISOs. As of today, however, most vCISOs are practitioners without experience serving as CISOs in the enterprise.
The vCISO community has the potential to become a powerful distributor of security solutions. vCISOs will have to diversify their sources of income beyond consulting, and working with vendors willing to pay a sales commission to get customers to adopt products that solve their problems can be a win-win for all parties - provided the arrangement is disclosed to the client, since a vCISO who both selects tools and earns commission on them has an obvious conflict of interest.
Aligning incentives: B2B sales by partnering with insurance providers
Insurance companies are strongly incentivized to do what they can to prevent their customers from suffering cyber incidents. One way they do it is by requiring policyholders to purchase and maintain certain security products and services, and to periodically upgrade them.
The degree to which insurance companies are willing to recommend certain vendors varies: some maintain lists of “approved” or “preferred” solutions, while others adopt more of a principle-based approach and accept any tool that checks a list of predefined boxes. While most cyber insurance providers are more likely to recommend that their policyholders buy security from established industry leaders, given the number of insurance firms, startups can find a way to build relationships with some of them.
For service providers, partnering with insurance companies may be even more straightforward. Insurers typically do not have in-house cybersecurity expertise, and therefore rely on third parties for incident response (IR) and recovery when breaches inevitably happen. Savvy digital forensics and incident response (DFIR) firms may find partnering with insurance companies to be a great way to expand their reach and secure a steady supply of customers.
Doing the PLG right: turning security practitioners into ambassadors
I have talked about product-led growth and getting hands-on practitioners to become champions of security products so much that instead of repeating myself, I recommend people interested in learning more check out some of my other articles; PLG is not a boolean: practical advice for cybersecurity startups looking to embrace product-led growth is a great one to start.
Here I will just say this: the ability for practitioners to easily try a security solution without having to go through several sales calls will only become more important. At the same time, I do not believe any company can build a business in security by simply doing PLG: it’s a great supplementary growth channel, but not one that, as of today, can carry a company on its own. Founders have to be mindful of this and temper the wishful thinking that “they just need to build it, and customers will come”; in most cases, they won’t.
Selling through adjacencies: IT, finance, and other functions
The security budget is usually a part of the IT budget, and therefore when IT solutions the company already relies on start to offer security capabilities, security teams have little choice but to evaluate them first. This desire to avoid a sprawl of security solutions is here to stay, and companies such as Microsoft, whose whole business strategy is built around bundling, know that very well.
Another fact to keep in mind is that as the surface area of security grows, so does the number of use cases with less than clear ownership. This absence of clarity creates an opportunity for founders to bypass, or supplement the traditional CISO outreach. Here are some examples:
Software security solutions can be positioned and sold to the engineering teams as well as security teams (or bundled into the tools for engineers from day one)
Data security solutions can be positioned and sold to the data science teams as well as security teams (or bundled into the tools for data scientists from day one)
People security solutions can be positioned and sold to the HR/recruitment teams as well as security teams (or bundled into the tools for HR and recruiters from day one)
Lastly, depending on the value proposition of the startup, founders may find that people who care about it the most are located far outside of security. For example, startups that promise to save XX% of costs may find it easier to get looked at by CISOs if the information is forwarded from the finance department. This approach, as with everything else, can potentially backfire: CISOs may feel like an external team is encroaching on their territory and therefore disregard the proposed solution altogether, even if it is otherwise a great product.
VC as a distribution channel: leveraging investors for customer growth
The economics of venture capital firms (the so-called "2 and 20" model) don’t make them great customers, but their connectivity turns VCs into ideal distributors. Investors are struggling to show that they offer value beyond capital, and their operating budgets, equal to roughly 2% of the fund size per year, make it hard to hire large portfolio support teams, especially for small funds. The key to turning VCs into distributors is reaching out with solutions that:
Have the potential to solve a real problem for their portfolio companies.
Do not require VCs to pay for them - they can pass the costs down to their portfolio companies.
One type of business that satisfies these criteria and therefore has been enjoying great success leveraging VCs as distributors is recruitment firms. By partnering with VCs, recruiters get introductions to the VC’s portfolio companies. It’s a win-win for all parties: investors get to show that they are actually helping their founders, recruiters get a great source of business, and entrepreneurs get a pipeline of qualified candidates who could be a fit for their teams.
Capitalizing on the alignment of interests: why distributors can be good investors
Anyone who has built or been a part of an early-stage venture knows that what startups need the most is customers. Despite what some may position as value-add, nothing is as valuable as an introduction to qualified prospects and closed deals:
Customers are the ultimate validation that the problem is real and that someone sees the proposed solution as viable
Early revenue proves that there is enough value the product offers to compel at least someone on the market to pay for it
More customers means more user feedback, more ideas, more feature requests, more suggestions, and as a result - faster learning
This doesn’t change as the company scales: it needs to hire people and establish new processes, but the business continues to be about driving revenue growth and building a pipeline of prospective customers to fuel that growth.
Traditional investors in the US & globally have struggled to offer real value-add to their portfolio companies. A few firms are known for being run by very networked individuals, some of whom are practitioners looking to give back. Many others promise introductions to potential customers without realizing that their relationships with security leaders and buyers of security tools are often quite shallow - enough to send an email introduction, but not enough to convince a CISO to actually consider whatever the startup is building. One exception is Israel: as I explained before, “the top-tier Israeli VCs built powerful networks of security leaders from the top US and global enterprises, which gives them the ability to act as a powerful resource hub for startup entrepreneurs, bridging those building the next wave of cybersecurity innovation with those who need it. In this arrangement, CISOs get to both support the innovation and benefit from its outcomes, while security entrepreneurs get a force amplifier in the form of executive leader support.”
While VCs in the US have been looking for ways to show that they do indeed add value, the parties that have nothing to prove are distributors. Integrators, consultants, resellers (VARs), managed security service providers (MSSPs), cloud providers, and the like can turn a startup into one of the market leaders. When the sales teams of channel partners are properly incentivized and given the support they need, they can move incredible volume at scale.
One would assume that any entity with so much power in the market would look to capitalize on it in every way possible, but that doesn’t appear to be the case. Of all the different distributor types, only platform players such as SentinelOne and CrowdStrike invest in companies they choose to sell on their marketplaces. As of today, I am not aware of any large service provider, reseller, or integrator establishing a subsidiary to invest in the security companies they distribute. There may well be one-off, off-balance-sheet investments, but nothing formal such as a dedicated corporate venture arm. I think players such as Optiv, CDW, GuidePoint Security, and others could be missing out on the opportunity to generate investment returns from the companies they resell.
Closing Thoughts
For a startup to innovate in the industry, founders need to, as Steve Zalewski likes to say, “fall in love with a problem, not the solution”. However, knowing the problem deeply isn’t enough: without understanding the broader ecosystem the company will struggle to design the business models and distribution channels it needs to succeed.
Over the past several years, I have concluded that most security practitioners have a very surface-level understanding of the security ecosystem. There are indeed many parts - accelerators & incubators, VCs, CVCs, angels and angel networks, investment banks, channel partners, analyst firms, service providers, the government, insurance providers, cloud infrastructure providers, open source, and the like. It’s a lot to digest, but without a broad understanding of the ecosystem, its players, and their incentives, it’s hard to come up with new ideas and design business models that work.