Product-led growth in cybersecurity: past, present & future
Thoughts about what’s required for product-led growth and if cybersecurity startups can keep up
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Thanks for supporting Venture in Security!
Cybersecurity is a growing market
The ever-growing number and increasing complexity of cyber threats, ranging from phishing and malware to ransomware and zero-day exploits, make cybersecurity a lucrative field for startup growth.
According to the Identity Theft Resource Center’s 2021 Data Breach Report, there were 1,862 data breaches in 2021, surpassing both 2020’s total of 1,108 and the previous all-time record of 1,506 set in 2017. An independent global survey of 1,100 cybersecurity professionals found that in 2021, ransomware attacks hit 80% of the organizations surveyed.
This increase in the number of security incidents corresponds with greater investment in cybersecurity startups. 2021 has been a record-breaking year for cybersecurity startups that raised $29.5 billion in venture capital last year. This is more than double compared to the amount raised in 2020 ($12 billion), and more than 2019 and 2018 combined. This is big.
More than 30 startups achieved $1 billion-plus valuations, including the likes of Wiz, Noname Security and LaceWork, compared to just six startups the previous year.
Likewise, total M&A volume soared to over three times what it was in 2020, with $77.5 billion in deals in 2021 across 286 transactions. This is up from $19.7 billion in 2020 across 178 transactions.
Source — TechCrunch
Product-led companies are taking tech by storm
Another trend that happens outside of security is the rapid growth of product-led companies.
For those new to the term, product-led growth (often abbreviated as PLG) is a company mindset in a broad sense and a go-to-market strategy that defines a product as the main vehicle for business growth. Unlike the traditional, sales-led approach where the goal is to “close the deal” (get the customer to buy/upgrade the product by taking them through different stages of the sales cycle), PLG involves giving customers the ability to solve their problems and get as much value as possible, at every interaction with the product. They get so much value that upgrading to a higher tier becomes a no-brainer.
Because product-led growth is more about the mindset than it is about the product, it’s not always easy to say from the outside what companies are pursuing this strategy. But, there are some clues about who is not doing it. If a company is hiding the price of their products, requires people to attend demos before they can get started, or doesn’t offer the ability to “try before you buy” — you can be pretty confident they are not PLG.
Product-led companies have been taking the tech world by storm with Slack, Asana, Trello, GitHub, and many others leading the way. Most recently, PLG has enabled startups to not just survive, but thrive during the pandemic. As Itxaso del Palacio, a partner at Notion Capital points out, the pandemic has expedited the adoption of the cloud & SaaS by the large enterprises, who can now start using the SaaS products without having to go through the lengthy sales cycles.
Blake Bartlett from the OpenView Venture Partners put together a great PLG Market Map. This list has many logos but it is by no means exhaustive.
In this article, I will attempt to go over the factors that impact the adoption of the PLG approach by cybersecurity startups, and highlight the common points of failure.
How common are product-led companies in cybersecurity?
CB Insights’ cybersecurity market map from 2020 provides a non-exhaustive list of companies in the cybersecurity space.
Getting access to the product
I have analyzed how easy it is to get started with the products offered by each of these companies.
Detection and response
The detection and response market segment includes products enabling companies to detect and respond to threats.
The only EDR from the list with fully transparent pricing was Microsoft Defender for Endpoint.
All Categories — Summary
It’s sometimes hard to assess what companies are pursuing the PLG from the outside. However, there are some indicators:
Fully transparent pricing is listed on their website
The ability to get started with the product without having to talk to a salesperson
The presence of a free tier (not a temporary “free trial” but a free tier with some basic functionality available at no cost and with no expiry date)
The presence of the free trial
Of the 60 products referenced by CB Insights, below are the only nine that met three or more of the above criteria.
What is required for PLG?
Only 9 out of 60 listed companies (15%) were able to meet the basic criteria of transparency we established. This naturally raises many questions beyond the simple “why”:
What is it about cybersecurity that makes sales-led strategy a more common choice?
Will this change soon?
The part that follows will attempt to answer these questions but before we do, we will want to understand what are some of the prerequisites for the PLG.
Perception of value & time to value in cybersecurity
For the product-led growth to work, a person needs to be able to understand the value he or she receives from a given product, and experience this value as quickly as possible (in other words, the time to value needs to be short).
I would like to experiment and categorize all security products into two very broad buckets:
Products that are intended to solve a broad “problem of security” (i.e., “keep one secure”)
Products that are intended to solve a smaller, well-defined problem (i.e., “allow people to do X”)
Security is complex (I know, this doesn’t sound like an explanation but please stick with me here). When I install an antivirus X on my laptop, do I feel more secure than I did before?
It’s easy to get into an existential debate: if we have not been breached, why do we need a security tool? Or, if we have been breached, why do we need a security tool? (i.e., it didn’t help anyway). Products that are intended to solve a broad “problem of security” (i.e., “keep one secure”) are generally sold, not bought. They are bad candidates for the PLG as people don’t want to pay for something the value of which they can’t see. The result: endpoint detection & response, antivirus, next-gen antivirus, and other similar product categories generally rely on the sales team for the distribution.
Products that are intended to solve a smaller, well-defined security problem (i.e., “allow people to do X”) have a clearer value proposition and therefore, they are often more suitable for the PLG.
Examples from the previous discussion include:
“I want to easily organize my passwords & share them with others securely” (1Password)
“I want to automate workflows & connect security tools” (Siemplify)
“I want to enable people to log in without entering passwords” (Trusona)
It is not enough for users to be able to realize the value of the product, it’s important they can do it quickly. A person creating an account should be able to get started with the product in less than 30 seconds, instantly understand how it works and what problems the product is capable of solving.
To shorten the time to value, product teams in security need to think about the user experience, not just technology, which leads us to the second point.
User experience in cybersecurity
Cybersecurity has evolved from secret projects of NSA, DoD, and CIA, and the culture of hackers — knowledge-hungry tinkerers who were looking for ways to test the limits of technology. As such, it is a deeply technical space that requires a specific skillset. To illustrate the case in point, one can look at the number of abbreviations in this industry: EDR, XDR, NDR, MDR, SOAR, XSOAR, AV, IR, DF, DFIR, FIM, DLP, and these are just a few of the many product/service types!
Historically, security companies were started by professionals deeply familiar with security. From the perspective of the technical founders, the most important part was that the product works and that other technical people can understand it. Companies that ended up becoming successful have also relied on a strong marketing/sales force whose job was to package a very technical product and present it to not-at-all technical people so that they can nod their heads & sign a multi-year contract.
As user experience has not been the area that either technologists or salespeople paid much attention to, most security products are hard to navigate and are more complex than they should be. While this wasn’t the issue before, when contracts were signed for 1–5 years ahead and expectations around user experience were quite low, now the times are different. Google, Uber, Asana, and other people-centered companies have changed the expectations around user experience. Even in B2B space, people now expect a B2C experience.
Another factor that makes user experience critical for PLG companies is the lower than before switching costs. As product-led growth generally leads to month-to-month subscriptions and pay-for-what-you-use models, it is no longer an option to “trap” a user in a horrible product for 5 years. The idea that “a security product doesn’t need a nice user interface” is no longer acceptable.
An additional factor that I would like to call out under user experience is pricing transparency. Cloud platforms such as GCP and AWS as well as developer-centric products like Stripe, Twilio, and Auth0 have changed the expectations about pricing transparency. It is no longer acceptable to “contact sales for pricing”; decision-makers want to see low-effort ways to gauge the cost of the product before ( often — instead of) attending a series of sales calls.
Cost of revenue & user economics in cybersecurity
In his LinkedIn post, Hamid Palo (ex-Atlassian, ex-Trello) recently highlighted another important criterion: low cost of revenue.
Getting the cost of revenue as close to zero means several things, but first and foremost it’s about lowering the customer acquisition cost. Ironically, this is also what the cybersecurity industry has been really bad at:
Marketing budgets in the cybersecurity space are high. Here is an anecdotal evidence: there appears to be an obsession in the industry with sponsoring racing competitions which, supposedly, symbolizes the speed of security incident response. Most of the largest brands in the space including CrowdStrike, SentinelOne, Darktrace, Kaspersky, SessionGuardian routinely sponsor F1 and other racing competitions.
Most importantly, traditionally companies in the industry have been selling directly to CISOs (chief information security officers) who lead the security efforts. Going all the way to executive leadership required large budgets for invite-only events, conferences, dinners, and negotiations. Recently, this has led to what some industry insiders are calling “vendor overload” — “more than a thousand companies pitching security tools and solutions. That is far too many for any CISO to evaluate properly and still do the rest of the job”, as explains Taylor Armerding.
It would not be fair to simply call these issues out without also explaining why this is happening.
Security is a complex space and it is evolving daily: adversaries develop new capabilities and exploit new vulnerabilities, developers and researchers in R&D labs come up with new technologies, and people require more and more tools to do their job. With all these changes, it is no longer possible for any single individual to 1) truly comprehend all possible attack vectors (where the threat can come from), and 2) find an “all-in-one tool to keep us safe”.
The results are the sprawl of security tools and the fact that marketing becomes the main differentiator.
“As we look at things, small organizations are using on average between 15 and 20 tools, medium-sized businesses are using 50 to 60, and large organizations or enterprises are using over 130 tools on average,” Chiodi said. “This is just massive!”,
Brad Sowell at BizTech
Lastly, let’s look at economics.
For PLG, the product becomes open to anyone to sign up. Therefore, the cost of goods sold (COGS) has to be as close to zero as possible for this model to make sense. Any customization, on-prem implementation, and white-glove support have to be eliminated. Handholding users is expensive; customer enablement (support documentation, how-to guides, community-driven support, etc.) and self-service (signup, upgrades/downgrades, cancelation, etc.) become critical for the PLG to maintain the COGS as low as possible. For the same reason, multitenancy is recommended while the underlying infrastructure needs to be cost-effective and highly scalable.
All this is almost the opposite to the traditional “enterprise security” companies requiring lengthy contract negotiation and volume discounts, and offering high touch, white-glove service, manual onboarding and training, and sales-driven upselling.
As Hamid points out,
Since your cost of revenue has to be low and your customers are mostly self serving, you’re not going for anything sales-assisted right away. You’re getting your customers to a place where they HAVE to have your enterprise edition, and then upselling them. This means clear JTBD for your enterprise product and strong pricing and packaging. You need to know the tipping point, get your customers there, and that’s when you reach out. It’s about customer needs and creating them, not PQLs or MQLs or SQLs.[PQL stands for Product Qualified Lead, MQL — for Marketing Qualified Lead and SQL for Sales Qualified Lead; these are different stages of the traditional sales funnel — note of the author].
Since you’re not going for a massive upsell right away, your goal is to have your customers naturally grow into your enterprise edition, then expand. Again, low cost of revenue, expansion has to be automatic and needs driven. You expand via additional seats and additional products. Target NRR of 150%. UiPath is 145%, Snowflake 158%.
Building a PLG product requires a deep knowledge of the customer’s needs and wants, and motivations that drive their purchasing decisions. This, in turn, is only possible with empowered product teams, strong user researchers and a mindset of continuous discovery habits (something Theresa Torres is probably the most known for championing). In other words, product-led growth is not conducive to the “build it and they will come” mentality that plagues many tech companies.
Can product-led growth be the future of cybersecurity?
Any industry predictions tend to age badly. However, having analyzed several trends in the space over the past year, I believe that we are seeing early indicators that the future of security has the potential to be people-centered and product-led.
People-centered cybersecurity means that security companies will have to shift their “humans are the weakest link” mindset to instead use empathy and design products with human behavior in mind. It’s still all too common that you can hear security professionals complain about users’ inability to “be reasonable and think about security at all times”.
It might be more effective to design with human weaknesses in mind, similarly to what other industries like construction do really well (your building developer put the rails on your balcony instead of a sign “remember to be careful when looking down from the 10th floor”). In any case, this is what I hope is going to happen.
There are a number of reasons why security is a good field for product-led companies to thrive; I would like to specifically call out two of them:
Selling to CISOs is expensive and ineffective. As I have mentioned before, CISOs are overloaded with vendors trying to get their foot in the door “for a quick demo”. It’s becoming harder and harder to arrange these demos, and even when they do happen — it’s rare to see some real results, especially if the vendor is an early-stage startup without solid reference customers and multi-million backing from the venture funds. Taking the product-led approach, on the other hand, opens the ability to “land and expand” (gain traction at the individual contributor level and then expand the list of products the customer can leverage).
Technical folks are gaining more ability to recommend solutions. It is becoming more and more common for security engineers to play with the product in their home lab and then recommend it at work (for this to happen, the product needs to be freely available and not gated by five demos or pre-qualifying calls). The examples of Auth0, Segment, and Twilio are showing that targeting technical individual contributors can lead to multi-billion-dollar businesses.
In many of the cybersecurity market sub-segments, we are seeing emerging product-led players. On top of the above-mentioned Auth0, JumpCloud, Altitude Networks, 1Password, and others, more companies appear to be emphasizing the PLG as a part of their overall mindset (not just the go-to-market strategy). This list includes:
Tines — no-code automation platform for security teams in the so-called Security Orchestration, Automation & Response (SOAR) space.
ThreatKey — a security data platform enabling teams to quickly identify and remediate security issues in SaaS applications.
It is still early to say what will the future of these efforts look like. Any transition takes time, and while nothing is inevitable, there are enough signs to be optimistic that the future of cybersecurity can, indeed, be product-led.