Inverted crossing the chasm problem in cybersecurity: what founders and investors need to keep in mind
Crossing the chasm problem - what it is, why it matters, and what it means for founders and innovators looking to build the next generation of cybersecurity products
It’s not a secret that building cybersecurity products and taking them to market is hard. I have previously discussed this problem at length from many angles—from the challenges of product management to explaining the role of trust and its far-reaching consequences for the industry, to name a few.
In this piece, I discuss another aspect that impacts how our industry operates, namely the inverted crossing the chasm problem. I look at what it is, why it matters, and what it means for founders and innovators looking to build the next generation of cybersecurity products.
Crossing the chasm as a concept
If you’re familiar with the concept of ‘crossing the chasm’ and know how it works, you can skip this paragraph. If you aren’t - I see no better way to explain it than to share an excerpt from the Wikipedia page on the topic:
“Crossing the Chasm is an adaptation of an innovation-adoption model called diffusion of innovations theory created by Everett Rogers. The author argues there is a chasm between the early adopters of the product (the technology enthusiasts and visionaries) and the early majority (the pragmatists). Moore believes visionaries and pragmatists have very different expectations, and he attempts to explore those differences and suggest techniques to successfully cross the "chasm," including choosing a target market, understanding the whole product concept, positioning the product, building a marketing strategy, choosing the most appropriate distribution channel and pricing.
According to Moore, anyone with an innovation or new product should focus on one group of customers at a time, using each group as a base for marketing to the next group. The most difficult step is making the transition between visionaries (early adopters) and pragmatists (early majority). This is the chasm that he refers to. If a successful firm can create a bandwagon effect in which enough momentum builds, then the product becomes a de facto standard, by creating a complete solution for one intractable problem in one business vertical before building out services in adjacent verticals and expanding on from there.” - Source: Wikipedia.
For anyone in the startup space, I highly recommend reading Geoffrey A. Moore’s book titled ‘Crossing the Chasm: Marketing and Selling Disruptive Products to Mainstream Customers’.
Inverted crossing the chasm problem in cybersecurity
In security, startups are faced with the inverted crossing the chasm problem. To put it simply, while in other industries SMBs are the first and large enterprises are the last to adopt new solutions, when it comes to security, the opposite is true. In security,
Startups usually sell first to the enterprises with the most mature security programs (unless those enterprises choose to build their own solutions instead)
Then they reach out to enterprises in regulated industries (think of the challenges of tackling the hardest part of the market first!)
For most startups, this is where their market ends, since most other companies are neither highly mature when it comes to their security nor highly regulated, and hence they are fine with just buying well-understood solutions from incumbents. This is precisely what ‘crossing the chasm’ means in cybersecurity.
The lucky few companies that reach the mass market become billion-dollar players.
Selling security products is harder than selling other solutions: security teams at large enterprises are notoriously risk-averse, and yet they are innovators and early adopters. This dichotomy creates a barrier to adoption many startups find themselves unable to bridge. To make matters worse, because most security problems are fairly niche, there is often no path to mass market adoption (and therefore, no opportunity for a startup to cross the chasm).
Selling security to enterprises
By their nature, large enterprises are rarely early adopters of new technologies. Usually, a new idea first needs to gain traction with agile, fast-moving early adopters such as individuals and small and mid-size businesses; only then, after it has sufficiently matured, can a company hope to get the attention of Fortune 1000 enterprises. Be it new productivity software, a new customer relationship management (CRM) tool, or new marketing management software, adoption tends to follow the SMB > mid-market > large enterprise path.
The cybersecurity industry breaks this rule. This is the case because large enterprises:
Have the most complex and technologically diverse environments.
Are especially hard to secure due to all the complexity.
Have a lot of revenue and brand equity to protect.
Have the talent to evaluate, adopt, and maintain security solutions (doing this requires access to people with highly specialized skills).
Are frequently publicly traded companies, and as such they are under a lot of scrutiny from the regulators to adhere to an ever-growing list of compliance requirements.
While the above factors mean that large enterprises are greatly incentivized to buy cybersecurity solutions, they don’t change the core nature of procurement in these organizations. This means that companies buying security are risk-averse, slow-moving, and highly complex when it comes to their purchasing requirements.
Large enterprises are the holy grail for security startups. First, having a single F500 customer can be game-changing as it can unlock an ability to use them as a reference customer and get attention from others. Second, contract sizes at large enterprises are enormous: although it can take a long time to get the product deployed, a single customer can bring millions in annual recurring revenue. Third, companies serving enterprises have the highest chances of getting acquired by the so-called platform players. While as I’ve discussed before, Palo Alto isn’t going to buy everyone, it is certainly more likely to buy companies whose target market aligns with theirs.
Since large enterprises tend to move slowly and require a lot of trust to even consider working with a startup, most security startups won’t be successful going after F500 on day one. Those that are, tend to have access to well-established CISO networks, pre-existing relationships with buyers, or other competitive advantages not available to their rivals. Most early-stage companies, on the other hand, have to start with mid-market enterprises first, prove themselves, and only then seek expansion. Examples of companies that went after Fortune 500 from day one and succeeded are Sourcefire and Wiz.
Selling security to SMBs
Small companies don’t understand cybersecurity risk, and because of that, they are generally not interested in paying for security solutions. Unlike large enterprises, they have much less revenue and brand equity to protect, and with some exceptions, most aren’t subject to complex requirements and government oversight.
For a security vendor to sell to this kind of market, the company would need to make its unit economics work. Theoretically, there are two ways it can be done: by pursuing product-led growth (PLG), or by going through the channel.
Since the deployment sizes of small and mid-size businesses are small, startups can’t hope to build a profitable business if their salespeople spend many weeks trying to close a customer that brings 25 endpoints. Product-led growth, in theory, could solve this problem by
Making the product easy to procure in a self-serve manner. This way the company could drastically decrease its customer acquisition cost by avoiding hiring expensive sales teams.
Making the product easy to adopt. This way the company wouldn’t have to hire support teams to guide prospects through trials, as that also wouldn’t make sense given the small deployment size.
Those who believe that SMBs can buy security through the PLG motion are usually left disappointed. This is because as Yogi Berra pointed out, "In theory, there is no difference between theory and practice, but in practice there is". Since SMBs aren’t sophisticated buyers, they often can’t tell the difference between, say, a VPN, a password manager, and a managed detection & response (MDR) firm. To someone not familiar with security, this problem would be exacerbated by the way marketing in security works. I’d guess all three of these companies (VPN, a password manager, and MDR) would have websites claiming “We help you secure your company” - with no other details of how it’s done.
The reason PLG doesn’t work for selling to SMBs is that they need to first be educated about security. Content and evangelism can help, but that can only do so much. This is where the channel comes in. Managed service providers (MSPs) and IT consultants are perfect distributors of security solutions:
They have a pre-existing trusted relationship with customers (they know their needs, and can easily identify when someone would benefit from a security solution).
They have (at least in theory) the skills to evaluate, adopt, and maintain security solutions.
They are looking for additional ways to generate revenue (IT services operate on slim margins and have been commoditized).
They are in the position to educate customers about security (and thus overcome the biggest obstacle to security sales).
Companies such as Huntress, which recently raised $150M in Series D funding at a valuation of $1.55B, are perfect examples of what the channel makes possible in the SMB space.
Selling security to individuals
I won’t be discussing selling security to individuals because 1) consumer-focused security isn’t really a market, at least not yet (and probably not anytime soon), and 2) I discussed this problem before. Suffice it to say that the only security solution that gained mainstream adoption among consumers was virtual private networks, or VPNs. Ironically, the reason it happened has little to do with security: individuals get VPNs to watch pirated movies and stream films outside of the US, and in some countries, to watch adult content and access sites blocked by the censors.
Implications of the inverted crossing the chasm problem in security
Traditional product management strategies don’t work in the same way
A lot of what is known as “product management best practices” comes from the hyper-growth experiences of consumer Silicon Valley companies such as Meta, Google, Instagram, and the like. The idea is that founders and product leaders can subsidize user growth, leverage referrals, growth loops, and virality to scale the number of daily active users (DAU) quickly, and then figure out the monetization. Although in theory, this approach sounds quite compelling, it breaks down when one tries to apply it in cybersecurity. This is because the vast majority of what we think of as cybersecurity is based on enterprise sales with long product evaluations, slow adoption cycles, and a heavy reliance on trust for purchasing. The inverted crossing the chasm problem makes selling security different from selling marketing, sales, human resources, finance, and other types of B2B software. Founders need to keep this in mind when evaluating their go-to-market strategy and deciding how they are going to go about designing distribution channels for their startup.
Sales are heavily reliant on trusted relationships
Sales in security are heavily reliant on trust, and there are few to no shortcuts one can take around this reality. Pre-existing relationships, warm introductions from peers, recommendations from channel partners and analyst firms, established CISO networks - the influence of these factors is only becoming stronger as the number of tools (and hence the amount of noise CISOs are dealing with) continues to go up.
Many companies end up co-existing in the same market segment for a long time
I have previously discussed why there are so many vendors in security (and why we need more, but that’s a different story altogether). The inverted crossing the chasm problem in security directly leads to more companies. Let me explain.
If a new company starts by selling to small and medium-sized businesses, it needs to sign hundreds or even thousands of customers to get to a simple milestone of, say, $1M ARR. For that to happen, their product needs to be tackling a problem that is 1) widespread in the market, 2) that people are willing to pay to solve, and 3) understood so well that customers don't require more explanation. Another way to get to that $1M in ARR is to have 2-5 enterprise customers. Because contract values in the enterprise space are much larger, security startups don’t necessarily need to tackle a widespread industry problem - even building something incredibly niche can still create good growth signals for investors who will proceed to provide capital. This is partly why as I’ve previously explained, security startups don’t quite fail the same way as companies in other industries, and they can linger around for much longer than some would argue they should.
We’re advancing state-of-the-art but not state-of-the-practice
The inverted crossing the chasm problem skews the attention of the industry to be centered on further advancing the state of security at the top 5-10% of the already mature enterprises. Meanwhile, the majority of the market which has little incentive to buy security solutions to begin with, sees very little innovation. Fewer startups targeting SMBs means less spending on marketing and educating buyers about the importance of security, and less market education means less demand. It’s a closed loop that amplifies the ever-growing divide between the cybersecurity haves and have-nots.
Cybersecurity companies become acquisition-focused
Most security startups fail to cross the chasm and hit the mass market for one of two reasons:
If they are tackling an important problem with a large total addressable market (TAM) but fail to grow into a large company, it is usually because of the amount of trust required to sell to Fortune 1000.
If they are tackling an important problem that isn’t as common or as well understood outside of the most mature enterprises, they often fail to grow because of the small market size.
The latter is hard to fully predict: sometimes, being ahead of time means that the company gets to define the direction of the innovation and be the first to shape a new market. More often than not, however, it means that the startup will burn VC money (assuming they raised some) only to pave the road for someone else who will come after them and capitalize on their achievements.
The former, namely the trust factor, is the main reason why the typical flow of innovations in cybersecurity looks as follows:
Startups act as research and development centers incubating and validating new ideas, only to fail to get mass market traction.
Large vendors acquire leading innovators and integrate them into their platforms. This allows them to leverage the trust they’ve built and plug these new additions into their well-established distribution channels.
For those interested in reading more about how trust shapes what’s happening in the industry, check out Venture in Security deep dive titled “Why there are so many cybersecurity vendors, what it leads to and where do we go from here”.