Cyber favors seconds: second movers, second-time founders, and second opinions
In cyber, the firsts rarely win big
It’s our natural desire to always want to be the first at everything (after all, the first usually means the winner). However, I’ve observed that in cyber, the firsts rarely win big. Our industry favors seconds: second movers, second opinions, and second-time founders. This is what today’s article is about.
Cyber favors second movers
In most sectors, customers have some level of awareness of their problems. When I was working in the mortgage technology space, helping mortgage brokers improve their operations and better serve their customers, our prospects knew they were not being as efficient as they could be. For many, this meant wasted resources, suboptimal retention, and ultimately lower profitability. Not everyone agreed that fixing these problems was their number one priority, but the awareness was there. The same applies to many other domains. Marketers (usually) have clear KPIs they are accountable for driving, so they will try anything that promises to help. CFOs know that manual account receivables lead to wasted resources and sub-optimal results. The list can go on and on. In many of these sectors, there is a market pull to solve problems, especially if the solution can either enable the company to make more money, or provably reduce millions in spend.
In most cases, security isn’t really a strong revenue enabler. Of course, we can argue that being secure increases trust, etc., but it’s not as easy to connect trust to money as it is, for example, to connect a new customer acquisition channel to money. The only security companies I know of that enable revenue are tools like Vanta and Drata. They and other players in SOC 2 automation are essentially sales enablement products because they allow startups to unlock new revenue options and start selling to enterprises quickly.
The vast majority of security products fall under the category of “we help you save money”. Saving money is objectively a weaker argument than making money, but it can still be pretty good as long as those savings are consistent and measurable. The most common way to achieve measurable savings is to reduce labor costs. SOC or compliance automation tools, for example, do exactly that by reducing the number of people-hours required. That’s great, and it works. What doesn’t work as well is merely pointing at theoretical risks and promising to guard against them. Fear is a strong argument that drives purchasing behavior, but only if the risk is understood. This finally brings us to the biggest challenge in cyber: risk alone isn’t really a strong revenue driver. Everything is risky, and everything can blow up, so where do CISOs start? In two places: what’s “hot” and what saves them money.
There is very little genuine market pull in cybersecurity, at least not in the way most founders would hope. Security teams are not sitting around with free time, waiting to discover new categories of risk. They are overwhelmed, chronically understaffed, and focused on the endless stream of alerts, incidents, compliance demands, and architectural complexity already on their plate. No one is waking up thinking, “What else can I secure?” This reality runs against the traditional startup advice that says “solve a hair-on-fire problem” and customers will come running. In security, almost every problem is a fire, but that doesn’t mean buyers are looking for a new fire extinguisher or even that people are aware that they are burning.
This makes life especially hard for first-movers, those trying to create entirely new categories. Unlike in more proactive industries, first-movers in security are at a structural disadvantage. They’re not just competing with other vendors; they’re competing with the status quo. Before anyone will even look at their product, they have to spend months (or years) educating the market about the very existence of the problem. That education burden is expensive, slow, and usually benefits second-movers more than the original innovator. Meanwhile, security buyers tend to be skeptical by default. If a problem isn’t well-known, it’s likely to be dismissed as irrelevant or theoretical until there’s a breach, a compliance mandate, or a peer reference to make it feel real.
This is one of the underappreciated reasons why second-movers often outperform category creators in cybersecurity. Second-movers arrive when there is already some market awareness but not enough market penetration. Since it takes a long time for the industry to realize a new need, first-movers usually spend millions in VC money educating the market and get acquired for a few hundred million at best, only to see second-movers come in and take the market by storm. By the time the second wave of startups enters the scene, the original company has done the hard work of priming the market - writing blog posts, speaking at conferences, getting Gartner to pay attention. The second-mover doesn’t have to convince buyers that the problem is real; they just have to offer a clearer, easier, or cheaper solution. In a world where urgency and credibility dictate budget allocation, timing often beats originality.
This concept isn’t theoretical, and nothing illustrates it better than the evolution of the CSPM space. People like to talk about Wiz as the best CSPM, but it follows in the footsteps of those that came before it, such as Evident.io (acquired by Palo Alto), RedLock (also acquired by Palo Alto, which combined it with Evident.io to create Prisma), and Lacework (sold to Fortinet), to name a few. This is a shortlist, and it isn’t in any way exhaustive - there were also open source projects like Cloud Custodian and Prowler, lesser-known security companies like Fugue, as well as companies that didn’t start in security but became security vendors, like Sysdig. The market was fragmented, and there wasn’t a killer platform. The founders of Wiz, as well as those of Orca, understood that, put forward a great vision, and executed on it.
I know that the example of Wiz is pretty overused at this point, so it’s worth calling out others. Palo Alto wasn’t the first firewall, CrowdStrike wasn’t the first endpoint security player, Proofpoint and Mimecast weren’t the first email security players, Cloudflare wasn’t the first CDN, and so on.
Here’s the tricky part: sizing the market at the beginning is pretty hard. If the bet pans out and the market ends up being big, then first-movers will get acquired, and second-movers will capitalize on the work someone did before them. However, if the market ends up being smaller than anticipated, then first-movers will often still get an exit, but second-movers will struggle (since the market is capped). I think the API security space is an example of the latter.
Cyber favors second-time founders
There is no denying that cyber favors second-time founders. Here are some examples:
Palo Alto Networks. Before co-founding Palo Alto Networks, Nir was CTO at NetScreen Technologies, which was acquired by Juniper Networks in 2004. Before NetScreen, Nir was co-founder and CTO at OneSecure, a pioneer in intrusion prevention and detection appliances.
Wiz. Wiz was founded by Assaf Rappaport, Yinon Costica, Roy Reznik, and Ami Luttwak. Assaf, Ami, and Roy previously co-founded Adallom, a cloud access security broker (CASB), which was acquired by Microsoft in July 2015 for approximately $320 million.
CrowdStrike. CrowdStrike was co-founded in 2011 by George Kurtz, Dmitri Alperovitch, and Gregg Marston. Before this, George founded Foundstone, a security products and anti-virus software company, and became the chief technology officer of McAfee after it acquired Foundstone in 2004 for $86 million.
Zscaler. Jay Chaudhry co-founded and sold four security companies (SecureIT, CipherTrust, CoreHarbor, and AirDefense) before founding Zscaler, a Zero Trust cloud security company, in 2007.
Splunk. Splunk was founded by Michael Baum, Rob Das, and Erik Swan. Before starting Splunk, Michael Baum co-founded Reality Online (acquired by Reuters in 1989), Pensoft (acquired by AT&T), 280 Inc. (acquired by Infoseek, which itself was later acquired by Disney), DotBank (acquired by Yahoo! in 2000), and Collation (acquired by IBM).
I think there are a few major reasons why second-time founders tend to achieve bigger outcomes in security. Sure, there are the obvious ones, like the fact that second-timers have more experience, so they can move more confidently, avoid rookie mistakes, and execute faster, but what I think makes a real difference is the details. When you think from first principles, for a company to be able to move fast, it needs to pick the right problem, validate it with the right prospects, assemble the right team, build the right product, and sell it to the right customers. Previous experience as a cybersecurity startup founder helps with each of these:
Deciding which security problem to pursue is like playing multi-dimensional chess with a nearly infinite number of parameters to take into consideration. Do companies care about the problem, and are they willing to allocate time and resources to solve it? Is there founder-market fit? Is the market growing? Which adjacent players are most likely to step into the space? Second-time founders have a better understanding of the market, a better sense of what sells, and much better intuition about the industry and buyer behavior.
In order to validate that something is a real problem, founders need to be able to reach a broad pool of buyers. This can be really hard to do given that the majority of security buyers are enterprises, and CISOs at large companies don’t hop on a call with strangers because they got a cold outreach message on LinkedIn. First-time founders tend to have smaller networks of buyers, and as a result, even when they do try validating problems before building (many don’t even try), they tend to talk to the same 200 CISOs who are already overexposed to startups. While their perspective is important, it’s equally important to hear from the “quiet majority” - buyers who aren’t deep in the startup ecosystem.
Anyone who has tried building a company knows that bringing the right people is not easy. Hiring takes time, and this is again where experienced entrepreneurs get an edge because they have established networks of employees to tap into. Second-time founders can move much faster when hiring the team.
Building the product from zero to one is anything but easy. Not only do founders need to have experience building something new from nothing, but they need to be able to cut corners and to know which corners to cut. Second-time founders can be much more ruthless when it comes to scoping and delivering products, which gives them a huge advantage.
Enterprise sales (especially founder-led sales at the early stage) are all about relationships, and second-time founders know more people and have much more experience building new relationships. In security in particular, this makes a huge difference: since everything in cyber is about trust, someone who doesn’t have the rolodex will take much longer to get started.
All this is not to say that first-time founders don’t stand a chance. First of all, that’s simply not true, but secondly, every second-time founder was once a first-time founder. It’s more that in most cases, first-time founders end up with smaller outcomes than experienced entrepreneurs. There are, however, two exceptions.
First, some founders get the opportunity to build enterprise-level networks and gain enterprise-level experience in their previous careers. Okta is a great example of this since Todd McKinnon led engineering at Salesforce and had a strong network at some of the largest enterprises before embarking on the journey to build his own company.
Second, sometimes changes in the market create an opportunity for bottom-up adoption. For example:
Duo Security - targeted SMBs vs. enterprises to start, and only later expanded to large enterprises
Huntress - targeted SMBs via MSPs by offering MSPs the ability to add security as an offering to make money and differentiate
Cloudflare - targeted SMBs vs. enterprises to start, and only later expanded to large enterprises
Vanta - started by selling to SMBs and startups
In each of these cases, first-time founders took a risk and decided to serve an underserved market (they all benefited from the innovator’s dilemma) before going head-to-head against established players in the enterprise segment. On the flip side, it’s much harder to find cases where a first-time founder succeeded going head-to-head against established incumbents in security.
It’s hard to tell the future, so it’ll be interesting to see who unseats industry giants like Zscaler, Okta, CyberArk, and KnowBe4, and how. Each of these companies has great brand recognition, sticky products, and well-oiled distribution. I suspect it will be experienced entrepreneurs, but time will tell.
Cyber favors second opinions
In cybersecurity, people crave second opinions. It’s almost like a reflex. Security practitioners, for example, are skeptical and trained not to trust the first explanation or the first vendor pitch. That same mindset shows up in how the market itself evolves. VCs like to say that they are placing contrarian bets, and some do, but the majority lack the conviction to bet on a lone startup with a unique insight. While category creation can most definitely lead to big outcomes, most investors would rather see a second (or third) team working on the same problem. They see competition as validation that the problem exists and that something real is happening in the market. One startup with a novel take might be early or delusional, but two or more startups working on the same problem look like a pattern, and pattern recognition is something VCs are uniquely good at.
Similar logic applies to CISOs. Security leaders get pitched constantly by founders who are convinced they’ve uncovered a critical blind spot responsible for 99% of all breaches. CISOs know that startup narratives are inherently self-serving and often disconnected from operational reality. When CISOs see that more than one company is tackling the same problem, it gives them confidence they’re not getting sold a solution in search of a problem, and helps make sense of a market that otherwise feels like noise. Another way in which CISOs look for second opinions is by evaluating recommendations from different places. It’s great when a peer recommends a product, but it’s much better when the same product has won some award, was recommended by Gartner, and has good reviews online and in private communities. All these are really just different forms of getting a second opinion.
Industry analysts (Gartner, Forrester, IDC, Informa, etc.) also look for second opinions. One company can get recognition as a “Cool Vendor” but it can’t make a category. Once a second or third player emerges, the conversation shifts because that creates a reason to write a report, spin up a market guide, or draw a box in a quadrant. That’s when CISOs start to get budget approval and when they start to ask their teams, “Why aren’t we looking at this?” Ironically, many cybersecurity founders view competition as a threat when, in fact, especially in the early days, it’s the thing that makes their company real. In cyber, the second opinion is what makes the first one sound much more credible.
Reflecting on my investment decisions through your concept of second movers, I think your analysis identifies a fundamental pattern that extends beyond cybersecurity.
You called out some patterns:
• Security teams are "overwhelmed, chronically understaffed, focused on endless alerts"
• First-movers must educate about "theoretical" risks
• Second movers arrive after "a breach, compliance mandate, or peer reference"
What if this isn't unique to cyber but is how ALL organizations handle prevent vs. react? I think the same dynamics appear in manufacturing (specifically quality control), healthcare (preventive medicine), and construction/infrastructure (the maintenance vs. repair cycle).
The pattern seems to be:
1. Organizations get trapped in firefighting mode because that's what's visible and rewarded
2. First movers try to sell the organization that they should "work on tomorrow's problems" to teams drowning in today's crises and issues.
3. Only external forces like breaches or regulatory mandates create enough pain to break the cycle
4. Second movers arrive just as the market tips from "theoretical risk" to "urgent need"
This cycle reminded me of a famous MIT paper, "Nobody Ever Gets Credit for Fixing Problems That Never Happened" (https://web.mit.edu/nelsonr/www/Repenning=Sterman_CMR_su01_.pdf). The paper proposes that the explanation for why organizations underinvest in proactive improvement is the conflict between two reinforcing feedback loops:
The "Work Harder" Loop (Reactive): Problems (e.g., incidents, alerts) consume resources, which reduce the capacity for improvement, leading to more problems. This is the state of being "overwhelmed" that you describe in security teams.
The "Work Smarter" Loop (Proactive): Investing in improvement reduces future problems, freeing up resources for more improvement. The benefits of this loop are delayed, intangible, and suffer from a faulty attribution problem, making it difficult to justify the initial investment.
This attribution problem is key. The “value” of the first-mover's solution is basically a non-event - a breach that does not happen. Because this benefit is invisible and its cause is ambiguous, the buyer cannot justify the immediate cost (in money and time) of implementing the solution. The "theoretical risk” does not generate enough pressure to break the "Work Harder" cycle.
So, looking at second-time founders through this lens I think it may explain their success. Second-time founders:
• Time entry for when the firefighting loop is about to break
• Package prevention as reaction, which the org is biased to invest in (e.g., "reduce analyst workload" vs. "prevent future incidents")
• Using their connections and networks you mentioned helps them overcome the "nobody gets credit for problems that didn't happen" problem
Would be interested in your thoughts on how these may be linked.