Hiring top performers from large cybersecurity vendors won't help early-stage startups grow, but it can ruin them
Discussing what often makes the top performers from large cybersecurity vendors fail at a startup and how they can succeed instead
Over 2,475 copies of my best-selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been distributed to readers so far. This book is unique as it talks about building cybersecurity startups. It is intended for current and aspiring cybersecurity startup founders, security practitioners, marketing and sales teams, product managers, investors, software developers, industry analysts, and others who are building the future of cybersecurity or interested in learning how to do it.
Hiring top performers from large cybersecurity enterprises looks like a good idea
Building a startup is hard, be it in security or any other field. There is always a never-ending stream of urgent work, a myriad of conflicting priorities, and a limited amount of time to get all this done. What makes matters worse is that despite all the effort, all the sleepless nights, and all the personal sacrifices of founders and early employees, relatively few cybersecurity startups grow. The harsh truth is that behind the scenes, the very same companies that make splashes in the media announcing new rounds of funding and celebrating the evolution of the industry, are struggling to gain traction, acquire customers, and find product-market fit.
It’s no secret that nothing is as critical to the success of an early-stage company as having the right team. Most experienced entrepreneurs, investors, and industry insiders will agree that a lack of the right experience, right skill set, right attitude, and right perspectives can be detrimental to the team. The reality, however, is that every team is missing something - an important skill, experience, or perspective. For example, few first-time founders are familiar with the intricacies of fundraising and hiring, and even experienced entrepreneurs will likely have areas they are less comfortable with as not every learning from their past company will neatly translate into their new startup. As early-stage startup founders do the gap analysis and look at what’s missing on the team, they almost inevitably start thinking about how different things would be if they could attract experienced people who solved similar problems before and can do them again.
Not surprisingly, founders often turn to top performers from large cybersecurity enterprises. Many of them have impressive stories to share, such as:
“I increased channel sales eightfold in four years, going from $100M to $800M”.
“I oversaw expanding the product in new areas and increased the revenue 3x reaching $350M by introducing a new line of business”.
“I signed 25+ large enterprises with an average contract value of $1,500,000 in 12 months”.
Imagine getting a Head of Product for one of the products at Palo Alto to join your startup. Or, a former Director of Sales from Splunk, a Head of Strategy at Zscaler, or a Head of Partnerships from CrowdStrike. It is human nature to strive for something we don’t have and to look for a magic solution to our problems. Recruiting experienced leaders from large cybersecurity vendors certainly looks like a game changer with the potential to unlock new opportunities and transform the business. Imagine what a sales leader that closed 25+ large enterprises with an average contract value of $1,500,000 in 12 months could do for a startup. Just one such contract could be a game changer for many seed-stage companies. Or, think what a product leader that expanded the product in new areas and increased the revenue 3x could achieve for a pre-seed startup struggling to gain adoption.
Not every company can craft a story and offer a compensation package compelling enough for senior executives at large vendors to take the plunge. But, most can certainly find a way to poach people a few levels below - high-performing product managers, top sales leaders, and well-regarded engineers. The core assumption is that bringing experienced star performers from an established company can bring much-needed expertise and enable cybersecurity startups to grow.
In most cases, hiring top performers from large cybersecurity vendors is a mistake
The main reason why hiring experienced leaders and top performers from large cybersecurity vendors rarely brings great results for startups is simple: what makes one successful at an established company is very different from what makes one successful at a startup.
Sales at a startup is different from sales at a large vendor
Sales at a startup are different from sales at a large vendor. At large, established cybersecurity companies, salespeople get a lot of inbound outreach. Prospects who are actively looking for solutions contact established vendors because they are familiar with their brand and know that industry leaders can be trusted. It is not uncommon for prospects to contact sales teams of large vendors and ask them to bid on their projects.
Selling solutions at a startup is entirely different. Since the company is not yet established, it is the job of the salesperson to convince the prospect it can be trusted - not an easy task to accomplish in an industry where everything is based on trust. Moreover, since startups champion new ideas, selling their products requires educating prospects about the problems the company is solving, and only then offering a solution.
Since sales at a startup are vastly different from sales at a large enterprise, each requires different skills to be successful. To succeed as an individual contributor at a large enterprise, a salesperson needs to be good at executing a well-rehearsed playbook, managing projects, building relationships with the largest enterprises, and knowing how to navigate complex procurement processes. At a startup, an individual contributor focused on revenue has to first and foremost be an agile educator. They need to be ready to hear “No” most of the time, adjust messaging and approaches every few weeks as the company iterates on its positioning, and see their prospects go silent and disappear at a rate not common for established vendors. Not only that, but a salesperson working at a startup has to be willing to do everything needed to move the deal forward - there are often no pre-sales engineers, no perfectly designed sales collateral, and no well-oiled training machine for new hires.
On the leadership level, the difference between what makes one successful working for an established vendor and operating in a startup is even more pronounced. A revenue leader at a large cybersecurity vendor is focused on executing a playbook and optimizing the sales process, making it more scalable to drive new customer acquisition and upsell. A lot of the focus is on recruitment, coaching, and relationship-building, both within and outside of the company. At an early-stage startup, a sales leader has to learn who their customers could be, understand how the product could be sold, and test different go-to-market strategies. Most startups rely on founder-led sales until at least the Series A round, or sometimes, seed. At Series A and later, sales leaders at a startup are usually focused on building out a repeatable sales process. They rarely get the same level of resources as they do at large companies, and therefore they have to learn how to do a lot with little. If a revenue leader from an established vendor doesn’t understand the nuances of an early-stage startup, they are likely to overhire, and there’s little worse than having a large sales team struggling to hit their quotas because there is no product-market fit (it creates a spiral that, if not addressed, can crash the whole company).
One of the most common assumptions early-stage founders have is that hiring a revenue leader with a large network in the enterprise space can enable them to easily sell their product to Fortune 500. The reality is quite different. It is true that a good salesperson with a strong network of security buyers can move from one large vendor to another (say, from Splunk to CrowdStrike), and start selling products of their new employer immediately. The same isn’t true for early-stage startups. This is because security leaders at large enterprises aren’t usually looking to buy from early-stage startups - a fact that makes hiring a well-networked sales leader much less useful than many founders realize. This reality does change later in the company lifecycle when the startup matures and becomes more enterprise-ready. However, in the early days of the business, no revenue leader with great connections can help the company bypass needing to sell to early adopters, learn, and iterate on its go-to-market approaches.
Product at a startup is different from product at a large vendor
Similar to how an early-stage startup shouldn’t hire a salesperson before the founders are able to sell the product themselves, the role of a product manager (PM) at the pre-seed, and sometimes even seed stage is usually played by one of the co-founders. As the company is looking to scale, the question of hiring the first PM usually comes up. Product managers working for large security vendors usually position themselves as the best candidates for these roles. There are several reasons why that is the case: they have a good ability to think strategically, a solid understanding of the market trends, and experience building products for the world’s largest enterprises which is so appealing to early-stage founders.
The problem remains that product management at a startup is different from product management at a large vendor.
At a large company, product leaders operate in either a very high-level strategy and executive leadership layer, a mid-level people and project management layer, or a low-level execution and project coordination layer. In each of these, the majority of the time is spent on building and maintaining relationships, acting as a bridge between different teams, initiatives, and departments, and moving smaller pieces of large initiatives forward. Product leaders get the ability to aggregate vast amounts of usage data, complementing it with best-in-class industry research, and an ability to interview Fortune 500 customers. Moreover, when they prioritize what to build, a lot of the time is spent making sure that their largest customers are happy. Senior product managers usually split their attention between strategy and execution, but most of their day is spent removing blockers for the teams they oversee, coaching junior PMs, ensuring that product requirements receive sign-offs from different stakeholders, communicating status updates, and occasionally talking to their largest customers. Junior product managers are responsible primarily for execution and ensuring that software developers are not blocked, and features are delivered on time.
When the company is already known as a market leader in a certain area, product managers have two jobs to do: ensure that existing customers are happy with the products they are using, and build new features to unlock new opportunities. Keeping existing customers happy typically means avoiding risky changes, and prioritizing feature requests from large enterprises. Building new features and products, on the other hand, comes with the ability to interview existing customers, develop a deep understanding of their needs, discuss the proposed new product at many levels, review it from all possible angles, and only then plan the execution.
Many great product management practices are useless to people building early-stage startups. There are no Customer Advisory Boards (CABs), no experts to talk to, no thousands of users to A/B test new ideas on, and often no core product around which one can continue expanding and adding new capabilities. Not only that but prioritizing a single feature means allocating 100% of the whole company’s development capacity to build this one capability. Opportunity cost is high, the risk is high, and uncertainty surrounding product decisions is through the roof.
Product leaders at a startup need to be able to build hypotheses and test them quickly with few resources. Customer discovery skills are absolutely critical. They include:
An ability to find people to talk to. This may include talking to a few customers, but even more importantly, it means reaching out to and learning from those who are not customers and may not have any connection to the company.
An ability to find patterns, challenge their own assumptions, and break down the complexity of the industry as a whole, the market segment the company operates in, and the problem area it is tackling.
An ability to make decisions with little information. There is no research, no analytics, and no short feedback loops.
An ability to set the vision, and be willing to refine it or change as new information comes up.
Taking products from zero to one at a startup is very different from being a product person (be it an individual contributor or a leader) at a large security vendor. Founders who don’t understand this difference can end up hiring product leaders who will ruin their company - not intentionally, but by seeking signals and making decisions that made them successful in a different environment.
Software development at a startup is different from software development at a large vendor
Not surprisingly, software development at a startup is also different from software development at a large vendor.
Engineers at large companies are used to having product requirements upfront, refined, and solidified before the development begins. This doesn’t mean they don’t know how to handle changes; it’s the pace of changes that is different. At a large cybersecurity vendor, engineers need to navigate scope creep, and powerful stakeholders affecting the formerly “finalized” product requirements. At startups, especially at the pre-product-market fit stage, not just requirements but the whole roadmap can change often.
To say that software developers at startups need to be willing to adjust and thrive in an ever-evolving environment is an understatement. They must be willing to work without clear directions, prototype solutions with little guidance, and understand the problems they are solving deeply. Moreover, there is no time to look for the most robust ways to solve the problem, perfect complex abstractions, or engineer for a future that may never come. What matters instead is speed of execution and an ability to be scrappy and iterate often, improving new features that are there to stay and retiring those that are no longer relevant.
Software engineers at early-stage startups must be comfortable making product decisions. In other words, while large vendors will typically have many levels of product managers writing detailed product specifications, and UX/UI designers providing mockups for every screen, at a startup, engineers need to be comfortable making many of the day-to-day decisions without having to ask for the founder's help.
How hiring people used to different contexts can ruin startups
Although in this piece I am primarily discussing the problems surrounding hiring the top performers from large cybersecurity vendors, the same challenges apply to recruiting people from other complex environments such as the government, intelligence agencies, and large corporations. Someone who has been a top-performing CISO or a Deputy Head at an intelligence agency can fail miserably at an early-stage startup simply because what made them successful in their prior role doesn’t set them up for success in a different context. The same is true the other way around: a successful, high-performing early-stage entrepreneur would most likely fail miserably if they were to join a three-letter agency in a leadership role. This isn't the rule, as many people can learn and adjust, but first and foremost they must understand the need to change (and many don't).
Understanding the context and constraints of an environment is critical to propel an initiative to success. The challenge is that most people are quite bad at thinking from first principles and separating the outcomes of their decisions from the context in which they were made. As a result, they often repeat the same patterns that work well in a different environment, even after their circumstances are no longer the same. It is this dark pattern that, if left unchecked, can completely ruin cybersecurity startups.
When founders hire top performers from large security vendors, the government, or intelligence agencies, they tend to give them a strong ability to shape the company's strategic direction and make path-altering decisions in their day-to-day work. Some new hires understand that they must learn to operate in this new context, and take their time to learn the market and the business the company is in. Challenging everything one knows and embracing the beginner’s mindset is not easy, but it can be done. The sad part is that in an attempt to preserve their ego and to demonstrate impact quickly (after all, they were recruited as a star that would shake things up), many of the people joining startups immediately start proposing changes and big pivots. Many of these decisions end up burning capital, pursuing dead ends (such as chasing Fortune 500 enterprises when the startup merely has a beta version of the product), and ultimately pushing the company downhill.
It is not unusual to see former star performers from large organizations fail to get anything done after they take leadership roles at a startup. One of the most common reasons this happens is the amount of resources and support they used to have at their disposal. Being an executive at a large security vendor, for instance, means having many smart people who can take care of the small, tactical tasks. At an early-stage startup, being a Head of Marketing doesn’t mean coordinating the work of copywriters and event teams; it means writing articles, looking for event venues, arranging food delivery, and standing at the front door to check people in. What is even worse than failing to execute is starting to hire more people before the time is right. Following the previous example, if the new Head of Marketing at a startup gets frustrated that there is no one to “do the work”, they might push for hiring a social media manager, an events coordinator, a copywriter, and a list of other people. When hiring isn’t done smartly and startups start expanding the team too early, they end up greatly shortening their runway. It gets even worse if you consider that oftentimes, these star performers from large corporations are themselves being paid quite a lot, which burns precious resources and further reduces the amount of time the company has to find product-market fit and get on a growth trajectory.
Where to look for talent for early-stage cybersecurity startups
There are several places where, in my opinion, cybersecurity startup founders should be looking for talent.
As Anthony Bettini, Founder and CEO at VulnCheck, previously Founder and CEO at FlawCheck and Founder and CEO at Appthority, mentioned in my book “Cyber for Builders”, “On the topic of hiring, my suggestion would be to only hire in-network referrals, as long as you possibly can. That's an unpopular opinion because it's slower - possibly dramatically slower, but I think it's better.
If you're able to hire in-network referrals, it's likely to be a better match for both you and the candidate. As much as you believe you know their capabilities, they likely believe they know your capabilities. Your recruiting costs are lower (no recruiting fees) and the anticipated retention is higher because there is a preexisting relationship established based on mutual trust. Separately, if you can't convince any of the stars you've previously worked with to come work for you, perhaps there is something wrong with your pitch, mission, vision, or company. It would be good to hear this from people you would expect to otherwise be excited about the opportunity.
When you hire someone you don't know, who isn't a referral from people on the team, there is a lot more pressure on getting the screening of the candidate right. On the other hand, when you hire someone in-network, there is a lot more pressure on getting the pitch right, which is a better task to spend your limited time on. Obviously, if an organization is smaller and suddenly raises $100M in funding, which is expected to be spent in 2 years, hiring only through in-network referrals is a non-starter. But in this case, perhaps the fundraising strategy is wrong, not the hiring one.” - Source: “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup”
There are two categories of people I think early-stage cybersecurity startup founders should be hiring first:
People who are entrepreneurial, results-driven, and with a high sense of ownership. I have witnessed that those who help an early-stage startup grow the most are hungry, regardless of where they are in their career. This hunger can be seen in their life stories, through side projects, and through the impact at their past work.
People with experience building startups. This doesn’t necessarily have to be experience building and exiting a multi-billion dollar company, neither does it mean being a co-founder. Instead, what matters is that they know how to take risks, make decisions with limited information, prioritize while taking into consideration limited resources, and move fast. If their previous company failed, they should be able to critically reflect on that experience, not just make themselves and their contributions look great.
Lastly, having covered why in many cases, hiring top performers from large cybersecurity vendors is not the best idea, there are still strong reasons why founders should be looking to recruit people from established organizations. First and foremost, they are used to operating at a much larger scale and can bring perspectives, experiences, and ideas that early-stage entrepreneurs are lacking. Few founders, for example, have an understanding of what it takes to set a foundation for the internet-level infrastructure, or how to work with channel partners. To be successful at a startup, people from large, established organizations should:
Understand the difference between operating at a large company and doing their work at a startup. Better yet, they should have some startup experience under their belt. Bringing on board a person who has worked at a startup before joining a large corporation is very different from recruiting someone who spent a multi-decade career in large, complex, and bureaucratic environments.
Come with the beginner’s mindset and be prepared to learn, unlearn, and relearn, and earn trust and respect in the new environment. Most importantly, they must have a bias for action. Most decisions are reversible and do not need excessive analysis and preparation: startup employees must be willing and able to move fast, learn by doing, and iterate as needed.
Be resourceful, and be ready and willing to work as individual contributors. At an early stage, being a “Head” or a “VP” of a functional area means both establishing the strategic direction and doing the ground-level work. Executives from large security vendors looking to hire and manage people, establish processes, and shape strategy but unwilling to get their hands dirty and check the product for bugs, organize an event, write posts for social media, and act as copywriters for the company blog, won’t go far. I am a big believer that anyone looking to become a Chief Revenue Officer (CRO) or Head of Sales at a startup, should be willing to sell the product themselves; anyone looking to be a Head of Engineering should be willing to ship a new feature themselves; anyone applying for a Head of Marketing should be good at creating content, configuring social media campaigns, and organizing webinars.
At the later stages of the company, say, Series B, C, D, and beyond, after the startup has achieved product-market fit and validated some hypotheses about being able to scale, it makes sense to start hiring people who are solely focused on management, hiring, processes, and other critical areas. In the beginning, however, anyone with a leadership title should be willing to do the work themselves.
Closing thoughts
Whether or not hiring top performers from large cybersecurity vendors, the public sector, and the military is a good idea will always depend on the circumstances. What matters is the skills, abilities, attitude, and character of the person in question, and their willingness to learn and do what it takes to be successful in a new environment. Some people can make it, and others can’t - this remains true of just about anything else.
Startup founders must understand that simply because someone was successful working at an established organization, they may not necessarily be a high performer at an early-stage startup (more often than not, the opposite is true). It is also important to be honest about the motivations for hiring people from large organizations, and realistic about the difference these hires can make, especially for a pre-product-market fit company. No matter how big the sales leader’s rolodex is, most large enterprises won’t buy from a pre-seed or seed-stage startup that is still iterating on its early version of the product and looking for product-market fit. No matter how much experience an engineering leader has launching products used by hundreds of millions of people, most early-stage startups won’t be able to prioritize setting the foundations for the future that may never come, and those that will, are likely to unnecessarily overengineer their product and waste precious resources.
Recruiting well-known stars to the leadership team is another factor that rarely has as much impact as people think it will. For example, having a former NSA director as a founder will likely compel prospects to take a call and do a demo, but it won’t automatically enable the company to win against the competition and succeed. In short, building startups is hard work, and anything that looks like a shortcut to success, most commonly isn’t, be it product-led growth, backing of a top-tier VC, or hiring a top performer from a large cybersecurity vendor.
Great article which hit very close to my heart. I worked at a startup which grew organically from a couple to 150 people over 7 years. After we raised Series C, the VC forced a “high performing executive team” from a large corporation on us. This star team burnt through all the money with little success in less than 2 years (mostly by over-hiring), so we got sold cheap when the pandemic hit because there was no other option.
From an engineering perspective I can definitely confirm that leading a team in a startup and in a big enterprise are two completely different things. In a startup one needs to be hands-on and set an example of high-pace but versatile development.