Four cybersecurity startup dilemmas and what they mean for security founders and the industry in general
Looking at four cybersecurity startup dilemmas: cybersecurity founder dilemma, cybersecurity customer dilemma, cybersecurity fundraising dilemma, and cybersecurity startup valuation dilemma
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
While each cybersecurity startup is undeniably unique, they all operate in a world of patterns, rules, and systems. By analyzing these systems, it becomes possible to anticipate potential challenges and opportunities based on the backgrounds of founders, the types of customers they are building solutions for, the way they approach fundraising, and other factors.
In this piece, I am looking at four cybersecurity startup dilemmas and what they mean for security founders and the industry in general.
The cybersecurity founder dilemma
To launch a cybersecurity startup, the founding team must have three critical skills: software engineering, which is essential for developing the technical product; security domain expertise, which is needed to make the product capable of solving security problems; and business acumen, which is required to turn the company's offerings into a business. Although all three are equally important, the former two, software and security expertise, take much longer to develop. For that reason, it is common for technical cybersecurity founders to launch startups without any understanding of the business, in the hope that eventually they will figure it out.
People who possess a combination of software engineering and cybersecurity experiences tend to come from one of two places:
Cloud-native, tech-forward, venture-backed product companies and large enterprises that hire security engineers, security architects, and other technical security practitioners with an engineering mindset. Software product companies see security as a core component of their offerings and therefore are willing to invest in recruiting, developing, retaining, and leveraging top cybersecurity talent. A few non-software enterprises with mature security teams, such as Target, Walmart, McDonald's, and several big banks, can arguably also be considered part of this category.
Military intelligence units such as Unit 8200 of the Israel Defense Forces and its equivalents in the US Armed Forces, and specialized civilian government agencies such as the National Security Agency. Both types of institutions are focused on safeguarding nation-states, conducting offensive operations, and gathering intelligence to advance the interests of their countries in the global arena.
There are many differences between these two categories of organizations. The most obvious one is the area of focus: while product companies such as Datadog, Dropbox, Cloudflare, Google, Meta, and Apple have strong cyber defense teams, the government, with its monopoly on force, possesses unmatched cyber offensive capabilities. Moreover, while the product companies, many of which are centered around San Francisco and the Bay Area, are known for their willingness to pay top dollar for the expertise they need, the military and cybersecurity government agencies attract those looking to make a difference in their community and serve their country.
Despite the differences, people who work for tech-forward enterprises and military units have one thing in common: they are mostly exposed to how security is done in the top 1-5% of the most advanced and mature institutions globally. These 1-5% are the minority of the market with access to the resources (money and talent) to invest in strengthening their security posture, develop innovative approaches, and build their own tools.
On the other hand, the most painful problems and the biggest opportunities for innovation are not found in the military or tech-forward companies. Instead, they are found in three other parts of the market:
Traditional, analyst- and compliance-focused enterprises such as banks, retail stores, oil and gas businesses, and multinational corporations.
Small and medium-sized businesses (SMBs) such as retail stores, restaurants, law and accounting firms, and construction companies.
Municipal governments and publicly-funded organizations such as museums, schools, hospitals, utility providers, business registrars, archives, and treasuries.
The trouble is that most of these organizations do not have large security budgets, and they do not hire security practitioners with engineering skills and a mindset that would enable them to build custom tools.
It is precisely this misalignment that leads to what I call a cybersecurity founder dilemma: while people from cloud-native companies and government agencies tackle cutting-edge problems and think about the promising future, the less futuristic, mundane problems experienced by the mass market continue to persist. Since neither software engineers who specialize in security nor security practitioners with engineering skills get to work at SMBs, local governments, and the like, their problems remain largely unknown to those who would be most suitable to solve them.
The cybersecurity customer dilemma
The cybersecurity founder dilemma is deeply intertwined with the cybersecurity customer dilemma.
Although people in security like to say that "security is everybody’s problem", the reality is that not every company places an equal emphasis on security, and relatively few have a budget large enough to make them an attractive target for security startups.
The cybersecurity market looks as follows:
Fortune 1000 companies with a dedicated CISO and a large security budget. Since the government continues to implement regulations that promote security among publicly traded companies and punish cyber breaches, this segment is likely to continue investing in security.
Mid-market enterprises. Companies in this bucket exist on a continuum. The bigger the business the more likely it will have a dedicated leader in charge of security and a solid security budget. The reporting structure varies greatly: some organizations have CISOs or VPs of Security who report to Chief Information Officers (CIOs), in other businesses CISOs report to Heads of Technology, and some treat security as one of the responsibilities of the IT organization and do not hire dedicated security leaders.
Small and medium-sized companies. These also exist on a continuum. While a few (especially those building software products) may have CISOs or security managers, the vast majority fall somewhere between having nothing at all and delegating their security needs to a third-party contractor.
Cybersecurity startup founders know that Fortune 1000 enterprises are where the money is in the industry. This understanding makes many people want to sell to the top of the market - the small percentage of companies that have large budgets, large deployment sizes, complex environments, and a constant need to strengthen their security posture.
The challenge is that these enterprises are not the early adopters of new technologies.
Selling to the top of the market is not easy: most will exclusively buy solutions that are
"Enterprise-ready", which means, to name a few requirements, the absence of impactful software bugs, the ability to support complex hybrid (cloud + on-premise) environments, compliance with the data residency requirements of different parts of the business, and robust access controls.
Beloved by the analyst firms and recognized as category leaders.
Sold by the channel partners the enterprise is working with.
Naturally, most startups don't fit these requirements when they are at a pre-seed or seed stage. With a few exceptions such as Palantir and Anduril, building a company that targets the government or the largest enterprises on day one is not a viable option. This is because they would take the startup for a ride and drown it in complex product evaluations spanning many months or even years.
Smart founders know that for them to build an enterprise-ready solution, they need to have the ability to get a lot of product feedback, frequently iterate, and quickly mature their offerings. The only way to do it is to start by selling to customers who can make buying decisions quicker, are willing to take a chance on a startup, provide feedback, and are ready to sometimes deal with bugs and gaps in the experience. In other words, most startups looking to sell to Fortune 500 and Fortune 1000 need to start by getting customers from Fortune 10000.
The trouble is that the further the company moves away from the Fortune 1000 crowd, the more likely it is to realize that the problems of the mid-market, its present-day customers, are quite different from those of the upper market, its customers of tomorrow. Founders must keep an eye on their goals and make decisions that take into account both their present-day needs and their future direction. Moreover, they need to realize that although there are 33,185,550 small businesses in the US alone, the overwhelming majority of cybersecurity startups are all attempting to target the same 1,000-5,000 enterprises. It's no wonder that buyers in these organizations feel overwhelmed and confused by the number of tools.
The cybersecurity fundraising dilemma
Any founder will say that one of their goals is to prevent dilution and preserve their ownership in the startup. On the other hand, in the eyes of many entrepreneurs, the more investment capital they can secure, the better, because that gives them more runway, the ability to hire more people to build and sell the product, the means to execute more marketing initiatives, and so on.
Most early-stage cybersecurity startups do not generate profit and require venture capital to test their early hypotheses, design a business model, scale the company, and hopefully find a way to earn money. There are several reasons why that is the case. First, many cybersecurity companies need to invest in research and development (R&D) before they can launch the product. Without that, they would not be able to build the so-called “secret sauce” - intellectual property or technologies that make their offerings valuable to the customers. Common types of R&D investments include threat intelligence, malware research, detection engineering, as well as integrations with other solutions. Second, given that most cybersecurity companies are selling to enterprises, they have no choice but to make their products “enterprise-ready” before they can hope to close their first deal and start generating meaningful revenue. Unlike business-to-consumer (B2C) solutions that can often start by selling a product built using no-code tools, business-to-business (B2B) players are required to make larger upfront investments early on in their journey.
If these were the only challenges, however, I think we would see many more bootstrapped security companies than we have today. One of the biggest reasons why most cybersecurity startups require venture funding is the fact that product adoption in the industry heavily relies on education and trust.
New learnings disseminate at a somewhat similar speed regardless of the industry. What's different about disciplines such as cybersecurity and biotech is the timeliness of information. When a new virus, biological or computer, is spreading, the parties responsible for prevention, detection, and response need to know about it as early as possible. In cybersecurity, being late to learn about new attacks or threat actors can almost immediately lead to negative consequences. In other industries, the urgency to stay on top of innovation is lower. For example, a company that is late to adopt a new marketing or engineering best practice may lose its competitive advantage over a few years - enough time to rectify the miss.
In order to spread the information about new security needs, and generate demand for security solutions, cybersecurity startups have little choice but to invest in educating companies about the emerging threats, their significance, and why they should care. Naturally, such education requires an upfront capital investment.
Another factor that forces security startups to raise money from angels and VCs is the heavy reliance on trust in the buying process. When a new approach or a new type of solution emerges, it takes a long time for it to gain adoption. Every product evaluation (Proof of Value or Proof of Concept) can take many months, and closing a deal even longer. Because trust has a geographic dimension, any efforts to get traction are typically local: a US-based enterprise will gladly buy security from an American or an Israeli startup, but a German firm will prefer a German security provider, an Australian business will typically want to buy from an Australian security company, and so on. All this combined means that by the time a new solution is understood by the buyers, the company that originally invested in the new approach, idea, or solution will have tens of copycats attempting to do the same in their own markets or industry verticals. One way to avoid this is to build the product in stealth mode, raise enough capital to be able to move very fast, and then step on the gas and unleash the sales machine to capture as much of the market as quickly as possible before the competitors are able to replicate what the startup is doing.
Although it doesn’t always work this way, it makes sense that a cybersecurity company with more money can hire more top talent, build a better product faster, and go to market quicker. Over time, the advantages accumulate: the ability to ship more code can lead to the startup releasing a larger platform before its competitors who may get stuck offering smaller, less appealing features, and so on.
The cybersecurity startup valuation dilemma
Another part of the cybersecurity funding dilemma is how much to raise. Founders looking to get investment must understand what I call the fundraising triangle: valuation, dilution, and the capital raised. The three numbers are interlinked, and together they inform a fourth number - the minimum acceptable exit.
In every priced funding round (a round that has a valuation, which typically means any funding round led by venture firms), the startup is roughly going to give away 20% of the company in exchange for an agreed-upon investment amount. For instance, a company that raised $5 million would typically give away 20% of the company in exchange for $5 million, making the post-money valuation $25 million. Note that this isn't always the case and the actual deal terms will vary greatly; the 20% isn't a rule, but rather the most common practice, at least in the United States.
The interconnectedness between the valuation, dilution, and capital raised means that founders often assume they should be raising at the highest possible valuation. Not only does it stroke their egos (being the founder of a company worth $1 billion sounds much cooler than one valued at $250 million), but this approach allows them to get as much capital as possible without giving away too much of their ownership. For example, a founder who raises at a $50 million valuation is likely to give away 20% of the company in exchange for $10 million, but if they raise at a $200 million valuation, they would potentially receive $40 million for the same 20% of the company. Although looking at it from this perspective is tempting, it is the wrong angle and leads to bad financial decisions. Another factor that needs to be considered during fundraising is the minimum acceptable exit amount.
At the earliest stages of the startup, company valuation is a magical number based on the consensus between the founders and investors. If the entrepreneurs have a big vision and a great track record, and if they can produce FOMO (fear of missing out) on the investor side, they can typically raise a lot of money at a sky-high valuation. However, as the company progresses and moves on through Series A, B, C, and beyond, the valuation becomes a very tangible reflection of the company’s value, as measured by the revenue, user growth, financial forecasts, and other hard numbers.
The amount of money founders should raise is directly connected to their ideas about the potential exit, how much revenue the company can potentially capture, whether or not it can go public, etc. Before we go further, it’s worth establishing three other factors that are a reflection of how the cybersecurity market functions:
Any company looking to go public in the security space should have an opportunity to generate at least $100 million in annual recurring revenue (ARR) and maintain impressive growth (ideally, 25%+) year over year for the years to come. Most markets aren't big enough for these numbers: without calling out the specific problems I've seen startups in the industry tackling, most companies in today's known product categories are too small to get to $100 million ARR. In cybersecurity, IPOs are truly only available to platform companies.
When it comes to acquisitions, the lower the acquisition amount, the easier it is for the transaction to go through. Not only that, but acquirers make their buying decisions based on bands: a company with $1 million ARR is going to be worth roughly the same as the company generating $2 million; a startup that generates $11 million is roughly the same as the one that brings $17 million, and so on. Once a new threshold is crossed (think $1 million, $5 million, $10 million, $25 million, etc.), the buyer is going to be willing to pay more for the business.
The earlier the investor, the higher the exit multiple it will need to make the economics of its fund model work. A seed-stage VC would probably expect a 5-10X return or more while the one who funded Series D is likely okay with 2-3X.
These factors have direct implications for founders' fundraising and exit strategies:
If founders think they have an opportunity to go public (at least $100 million ARR and double-digit growth rate), it may make sense to raise at a high valuation, grow as fast as possible, and get to the unicorn status quickly. Then, assuming they can grow their revenue and keep the market excited about the future, the IPO may be possible. The reality is that the vast majority of cybersecurity startups will not fit this model.
If the founders think that they are unlikely to end up with a platform capable of going public, it may be smarter to raise less money so that they don't become too expensive (skip that unicorn status). If the company is growing but preserves a modest valuation, it is much more likely to get acquired (acquisitions under $250-300 million are much easier than those above that number).
There are many possible permutations of how things can turn out. In theory, founders could decide what path they want to take and optimize for that outcome. In practice, it is easier said than done. Founders who try from day one to optimize for a smaller outcome may lack the ambition and execution ability needed to make the company a success in the first place. The best way to approach the future is to make decisions that allow founders to keep their options open (unless they decide to burn bridges and go big for an IPO from day one). At the earliest stages, when the level of uncertainty is the highest, having an option for either an acquisition or an IPO is ideal. As founders learn more, they should be able to see which of the two is the most realistic and optimize their decisions for the outcome they are looking to achieve.
Regardless of what path the entrepreneurs end up choosing, they must understand that:
Nobody can predict the future, but optionality trumps a single path unless the confidence that the single path can succeed is incredibly high.
Focusing on solving a real customer problem is more important than dreaming about future exit scenarios.
Most VCs are incentivized to only fund the most ambitious entrepreneurs shooting for the stars.
The math is hard, and trade-offs between the valuation, dilution, and investment capital are real.
It’s common for startups to get to very high valuations quickly and by doing that, become too expensive for someone to buy them. If it’s done intentionally because the company is going for an IPO, that’s great, but if not - it can be very unfortunate.
Size and the fundamentals of a product category matter. Some markets are too small to allow a company to go public, and unless founders pivot their focus, they likely won’t be able to overcome the limitations of their category.
Closing thoughts
One of the challenges I have observed in the tech industry is that most founders tend to focus only on the first-order consequences of their decisions. This is a big mistake because every decision leads to a consequence, which leads to another consequence, and on and on. For example, founders who come from tech-forward companies want to make big, bold bets on new paradigms of the future and push the boundaries of what's possible in the field of security. They love building advanced tools for cloud-only and cloud-first companies, selling to tech-forward players with their own detection engineers, security engineers, and application security teams. They enjoy solving exciting and intellectually stimulating problems, so they end up building solutions that only work for the top 1-5% of the industry, thus limiting their total addressable market (TAM) to 250-500 companies. Then, they have the propensity to get themselves into a deadly spiral:
They gain traction quickly by selling to Silicon Valley startups and misjudge the market size.
That encourages them to raise a lot of money at a high valuation and hire a large sales team only to realize that the TAM of cloud-only and cloud-first companies is not big enough to sustain growth expectations.
If the company cannot find a way to expand its TAM to more traditional enterprises, its growth is likely to slow down.
When the growth slows, it may become harder to raise the next round or lead to a down round.
If the company gets too expensive, it may become un-acquirable.
This is just one example of the areas founders should consider; what matters is that they go beyond looking at the immediate results of their decisions and consider the second-, third-, fourth-, and fifth-order consequences. The goal is not to fall into analysis paralysis, but to expand their thinking about the problem and allow themselves as much optionality as possible.
Cybersecurity entrepreneurs are faced with many dilemmas, and how they choose to navigate them will define not only what kind of companies they end up building, but also what the future of the security industry will look like. People who make strategic decisions must understand both the trade-offs and the consequences of their choices.
This article is a very thorough review of the many challenges facing a security startup. We know, because we are building our company around a keen awareness of these issues. The opportunities are out there. Achieving a product market/size/adoption fit is tough. My one observation would be that coming at a cybersecurity startup from a background deeply steeped in prior security practices might not encourage real innovation. To paraphrase Einstein, "one cannot solve the current security problems using the thinking that created them." We find the seasoned cybersecurity specialist so deeply in the groove with legacy practices that they have a hard time thinking outside the box. So, I would add that problem as an additional challenge.
Excellent article. Bravo and well played.
JLM
www.themusingsofthebigredcar.com