Customer love: a recipe for building winning cybersecurity startups
Every startup dreams about achieving rapid growth by word of mouth but very few can pull it off. Becoming a company loved by thousands is not easy but it can be done. Here, we talk about how to do it.
Every startup dreams about achieving rapid growth by word of mouth but very few can pull it off. Why is that? What distinguishes those who are successful in doing it from those who aren’t? The answer is simple: a startup's ability to get customers to love it.
In this piece, Rami McCarthy and I discuss customer love as a recipe for building winning cybersecurity startups. Rami is a security engineer, author of an active blog for technical security practitioners, and a frequent contributor to tl;dr sec, one of my favorite newsletters. I am excited to have Rami contribute his first article to Venture in Security.
Significance of customer love for the success of cybersecurity startups
No matter the industry or domain, customer love can influence business success. It has the potential to drive inbound leads, turn users into evangelists, and make it possible to quickly win the hearts and minds of decision-makers.
This is especially the case in cybersecurity.
Companies where technology is a profit center (SaaS, infrastructure providers, fintechs, biotechs, and others) and companies where security has embraced an engineering mindset are more likely to have smaller security teams. In these organizations, individual contributors are usually well compensated, actively involved in the industry, familiar with industry trends, and influential on buying decisions. It’s not uncommon to see a team that consists of a CISO and one or two mid-level product security engineers, which means that these mid-level (and sometimes even junior) hires often end up running the proof of value (POV) process for large contracts.
Traditional organizations, on the other hand, tend to have more complex security environments and subsequently longer lists of factors that could become a show-stopper for making a purchase. Additionally, because their security teams are larger and less engineering-driven, they have more people who need to be able to quickly learn new tools.
Regardless of which kind of organization the startup is selling into, being able to elicit customer love can be a game changer as it shifts what people pay attention to. When security practitioners and leaders are evaluating products that have achieved a great reputation and are loved in the community, they are usually focused on the positives, seeking to find what others love about these tools. The opposite is true as well: when doing diligence on a vendor that has a bad reputation, buyers are more likely to be critical. After the tool is deployed, the consequences of customer love only get stronger. People who love a security product are much more likely to:
Share useful feedback - because they want you to succeed.
Be less critical of, and more patient with, the product’s gaps - a huge perk when you’re an early startup.
Participate in content and event marketing - webinars, customer stories, engineering blogs.
Recommend the solution to others - because sharing something you love is a win-win.
People who are satisfied with a product are usually open to doing inbound referrals when someone in their network has a problem they need solving and explicitly asks for a recommendation. Customer love is something else - it goes beyond product recommendations. The best way to spot customer love is when users start evangelizing about the product without being asked, when they take it to social media to share their experiences, when they incorporate the product in their conference talks without the vendor’s knowledge, and so on. No one credible is going to do free advertising, even for a really good product, unless they have a strong feeling of connection and value.
Examples of customer love in cybersecurity
When we think about examples of customer love in cybersecurity, one company that immediately comes to mind is Thinkst Canary. Thinkst Canary is a fully bootstrapped product company that, as of December 2023, had crossed over $16M in ARR.
There are many things Thinkst Canary did differently to get where they are today. First and foremost, the company focused on building a great product - one that is easy to deploy, inexpensive to buy, and very simple to use. Thinkst is uniquely great at what is often called “engineering as marketing” - using valuable, free solutions to generate awareness of the product and get people to use it. Canarytokens, described by the company as “tiny tripwires that you can drop into hundreds of places” that are “trivial to deploy, with a ridiculously high quality of signal”, can be deployed for free. This fantastic tool has received a lot of love in the community. Thinkst Canary is a tool that doesn’t send many alerts - but when it finally does trigger a detection, that single alert means something very worth paying attention to. When you think about it, this is a huge challenge: how do you drive retention, discovery, and the “wow” moment with a product that ideally never makes a peep? The ambient customer love of Canaries is crucial social proof for buyers. The number of happy Thinkst Canary users taking it to X (Twitter) and other social media to spread the word about their work is astounding.
Another example of a successful player that is well-loved in the industry is Duo Security. Once upon a time, a large company was going through a particularly nasty data breach. Their engineers stayed up at night trying to fix the problem. The Duo team decided to deliver pizza to support the hard-working incident responders, even though this company was not even their customer. While this act of kindness never converted into a sale to this specific enterprise, that wasn’t the goal. By doing marketing differently, Duo got passionate evangelists who would happily spread the word among their friends and later advocate for the company’s solutions at their next jobs.
One of the easiest ways to recognize security startups that put emphasis on fostering customer love is to look for the so-called “love pages” - web pages with links to customer feedback. Of course, these pages aren’t evidence that a product is genuinely loved; for that, you need to look for faces you recognize and organic positive feedback coming from your security community.
Examples of `/love` pages include Chainguard, Material, Impart, and Anvilogic.
It’s important to not confuse customer love pages with customer testimonials. The line between the two isn’t always clear but it does exist. Many sites have walls of customer testimonials but more often than not they read like “these are our customers giving us a quote”, not like organic things people are shouting about in an authentic way. This isn’t at all surprising as most cybersecurity products don’t elicit the kind of love that would compel security practitioners to talk to their friends or post on social media about them.
Ways to foster customer love in cybersecurity
Over the past several decades, most cybersecurity solutions have been hard to love. Some of the reasons include:
The low signal-to-noise ratio, a high number of false positives, and the “we show you the problems and you have to fix them” mentality created a lot of work for already under-resourced security teams.
Poor user experience, along with reliance on training and documentation and insufficient support, made it hard to navigate security tools.
Needing to attend multiple demos before one can access a tool and do a proof of value (POV) wasted a lot of security teams’ time.
Complicated technical products, by technical founders, can miss the mark on product design.
Products either based or marketed on FUD (Fear, Uncertainty, Doubt).
All this also made it hard to adopt, mature, and realize the full value of security solutions companies did purchase. The 2023 Panaseer security leaders peer report offers evidence that most security breaches could have been prevented by the tools enterprises already have in place. When security teams struggle to understand how products work, what capabilities they do and do not offer, and what knobs and buttons have to be pressed to enable the functionality they are designed to provide, it’s no wonder that most solutions get under-utilized. Add to the mix the large percentage of cybersecurity startups that are solutions looking for problems, and it’s no wonder that very few companies in the industry are lovable.
The good news is that the bar for what can be considered a good product in security is quite low. The bad news is that getting to a point where customers can genuinely love what the startup is offering and evangelize about the company among their peers does take time and focused effort. Here are some ways for security startups to foster customer love.
Put people first
Every product is designed to be implemented and operated by people, so cybersecurity startup founders have to put people first. This means understanding who is going to use the product and which of their problems it will be solving, who else besides the end users will be affected by the tool and in what ways, and how the product can impact the people’s ability to get promoted, get a raise, or even retain their job.
Companies that put people first think about their go-to-market practices and make decisions that prioritize relationship-building over transactional interactions.
Solve papercuts and invest in user experience
An easy way to make people love a product is to relentlessly prioritize removing papercuts. When users report bugs, gaps, and suboptimal product experiences, product teams should be willing to listen and find a way to turn around and fix that, even though it may not be on a short-term roadmap. Security people are so used to bad user experience that if it’s bad enough that the vendor is hearing about it, founders should take it more seriously than they would in other product domains.
Papercuts prevent users from being able to realize the value of even the most advanced security products. Fixing papercuts engenders emotional connection and makes people feel that they have an impact and are being listened to. This, in turn, causes them to want to evangelize the product.
Solve problems, communicate value, and get out of the way
The times when security teams were satisfied with products that offer “visibility” are coming to an end. Today, the number of visible gaps has become overwhelming - thousands of workstations, tens of thousands of dependencies, hundreds of thousands of vulnerabilities, and so on. Security professionals need solutions that fix problems, not ones that just generate alerts to show that there are problems. There are too many tools that say “Look, there is an issue”; we need products that say “Here is the issue I found, here is how I determined it to be the issue, and here is how I addressed it”. A great example of a cybersecurity product that strives to solve a problem and get out of the way is Resourcely.
It is not enough to simply solve problems - founders need to design products that make it easy for people to understand what is going on in the background, what exactly the tool is doing, and what value it provides. Without that, users may take the work a security product does for granted or even cancel the contract without realizing its importance.
Pick a core area to focus on
Startups need to focus and be very clear about who they are serving. This is because what makes them loved by one group will not necessarily work for another. CISOs and security practitioners love companies for different reasons. CISOs care most about the sales culture, pricing, relationships, ROI, and support. Buying pizza for security teams in the middle of an incident is likely to resonate with them better than cold-calling and ambulance-chasing (“You would not have been breached if only you used our tool”). Mike Pivette recently wrote a great article about what works and what doesn’t work for CISOs. Security practitioners, on the other hand, are likely to respond well to things like easy-to-access and free-to-try products, open source projects, and community leadership.
CISOs and security practitioners aren’t in competition with one another so startups don’t necessarily need to choose one group. But, since early-stage companies have limited resources, they need to pick one area to focus on. Some founders are trying to do everything at once - assembling customer advisory boards and interviewing CISOs, but also launching open source, writing technical blogs, giving stuff away for free to practitioners, sponsoring BSides, speaking at conferences, and organizing capture the flag (CTF) competitions. Doing all this well at the same time requires resources - something startups usually don’t have. Picking a core focus is critical for these efforts to be successful.
Be authentic
Last but not least, cybersecurity startups should look for ways to foster customer love while being authentic. A lot of companies try to brand themselves as lovable using anthropomorphic mascots, sleek designs, and marketing campaigns, but that rarely translates into love. People crave authenticity, and authenticity is best shown by keeping the experience of partnering with a company consistent throughout the whole customer journey, from initial interaction to post-closing support.
Another reason for being authentic is that authenticity sparks creativity. There are many ways to build a genuine connection with the market by doing what a specific company and its founders are uniquely positioned to do.
Things to keep in mind about customer love
Products that inspire love don’t have to be revolutionary
Products that inspire love don’t have to be revolutionary. Take Duo Security as an example: Duo didn’t invent the concept of multi-factor authentication, and RSA tokens existed long before Duo started. Despite this, Duo Security was able to build a successful company, to a large degree because of the customer love the product was able to elicit. If people can fall in love with what’s fundamentally a new generation of RSA tokens, they can fall in love with many other products. The key is simplicity, and making cumbersome experiences easier and much more pleasant.
Don’t look for shortcuts
Getting customers to love a security product takes a lot of time and effort. There are ways to do it, but there are no shortcuts. Bribing people with $50 Amazon gift cards to leave reviews on G2 doesn’t work. Faking customer testimonials by asking friends who have never used the solution to give a quote isn't the way to go either.
There are many cases when startups feature security leaders or practitioners as customers when in fact they are not. It’s understandable why founders are asking their investors, friends, and former colleagues for help. What they don’t realize is that it’s a small industry, and people talk, so eventually, someone will reach out to those who gave testimonials and ask how exactly they’ve used the product and what their experience has been.
Be realistic about what you can and cannot do
Founders must understand that every activity comes at a cost, and be smart when they decide what to focus on. It’s common for security startups to launch open source or community editions of their products only to then realize that while free tools are easy to love, they are also quite costly to manage. Security entrepreneurs would benefit from examining their options, understanding what events, activities, or initiatives are most likely to make people love them, and having a realistic conversation about the cost of each. It may be better to, say, not release an open source project at all, instead of having to announce the end of support or the need to close-source it a few months later.
Don’t lose sight of building a company
Lastly, it’s important to not go too far when trying to build a deep connection with customers. We frequently see that startup founders who do understand the value of fostering customer love go too far and forget that love is not a final outcome, but a way of offering value. Instead of seeking to be loved by everyone all the time, entrepreneurs must focus on building businesses that solve real problems for specific customer segments and generate revenue. While we don’t think we as an industry should be striving to create soulless companies devoid of any culture and values, the opposite (world-loving projects with no commercial agenda) is not the only alternative either. Examples like Thinkst Canary, Duo Security, Tines, Chainguard, Material, Impart, Panther, Anvilogic, and LimaCharlie, where Ross leads product, show that it is possible to be pragmatic (and successful!) as a business and loved at the same time.
An interesting and uplifting article with a number of takeaways for me. Thank you for sharing.
Love scales and it works. Thanks for sharing it and also to the team Thinkst Canary for the RSA talk.