Startups that target mature security enterprises should be especially careful about their fundraising strategy
Discussing how the target market impacts fundraising and exit strategies and why raising capital at a unicorn valuation before there is sufficient evidence of a large market can hurt the company
Welcome to Venture in Security!
Understanding how the target market impacts fundraising and exit strategies
The two types of companies with cutting-edge security needs
There are many great discussions about fundraising strategies out there. One of the topics that don’t get enough attention is the impact of the company’s target market on its fundraising strategy.
When building a startup, one of the most critical factors that impact the ability of the company to succeed is the so-called product-zeitgeist fit, or to put it simply, the right timing. This is why it often looks like companies that become successful were able to predict the future and get ahead of others in building the solutions to satisfy the future demand.
When the need on the market is plain and obvious, many entrepreneurs jump to address it at the same time. In spaces like this, it’s often too late to build the company because of the number of competing solutions. One way to anticipate where the future is going is to work at or observe the work of organizations that are ahead of the curve when it comes to their security. I like to categorize these into two buckets:
Nation-states that have a monopoly on force, and subsequently, access to offensive capabilities not available (and not permitted) to others. Examples include government agencies (NSA and FBI in the US), and military divisions (Unit 8200 in Israel and the Air Force in the US).
Cloud-native, venture-backed leading software companies that operate at exceptionally large scale and face problems that are years ahead of the problems experienced by the rest of the industry.
Although people from both categories are likely to start companies, it is the latter who typically become early adopters of the new security products. The military and the special agencies build the technologies they need internally, which allows them to accomplish their clandestine objectives without having to rely on civilian tools. The tech startups and cloud-native SaaS enterprises, on the other hand, typically build products that are within their core competencies, and buy the rest, including security.
How raising a lot of capital at high valuations can hurt a company
When a startup competes in a well-defined, well-understood mainstream market, the pool of potential customers is big, and a large amount of capital, if deployed well, can enable the company to scale fast (assuming it can outcompete a sea of other players). On the other hand, startups that choose to target mature security enterprises have to be very prudent about raising VC capital and negotiating valuations.
I previously discussed the different levels of maturity of security teams. I do see that the industry is becoming more engineering-centered, and I have high confidence that over time, this shift will redefine the way security is done. The challenge is that this evolution will take time. The total addressable market (TAM) for products built for security engineers, security architects, detection engineers, automation engineers, and other deeply technical, engineering-centered practitioners is much smaller than some people realize. Based on what I’ve seen, I would estimate there are tens of service providers and maybe a few hundred SMBs and enterprises globally that have the right talent to, say, build their own detections, and develop custom security tooling in-house. It’s a random number with nothing to back it up, but we aren’t talking about thousands and hundreds of thousands of companies here.
The TAM of mature security teams is growing daily as more and more companies realize that simply deploying tools and hoping that they will magically take care of all security problems isn’t working. This evolution is happening slowly, and I think it may take more than five, ten, or even twenty years for the rest of the market to catch up. On the other hand, we have to recognize the fact that many enterprises have been forced to rely on help from service providers to augment and extend their security capabilities. Instead of bringing security in-house, more organizations are now going back to outsourcing select areas of responsibility.
The market reality has direct implications for what fundraising strategies may be feasible.
A story that gets repeated too many times
It is quite common to see stories that unfold as follows.
A new company started by entrepreneurs who think ahead of their time finds several design partners with highly sophisticated security teams and validates that there is indeed a demand for what it is building. It then makes a natural assumption that since security is maturing, the rest of the industry will be catching up soon. This story is enough to get the attention of great VCs. The company raises a seed round at a high valuation. This works well for the founders: selling ~20% of the company for $10+ million sounds better than doing it for, say, $3.5 million.
The company is expected to deploy the capital it raised, so it invests in building the product and expanding sales to other mature enterprises one by one. The metrics are looking good - a lineup of impressive logos convinces VCs that there is a big opportunity in the market, and they pour even more money at a very high valuation. Founders are celebrating because they can start scaling their company.
This is where everything starts to fall apart. Investors who put in a lot of capital at a very high valuation expect that the company can easily continue acquiring new customers at the speed it has done so before. Founders, who by now have read “Crossing the Chasm”, have some ideas about ways to expand their target market and move past the early majority. Yet, things are not working as planned.
Founders start to realize that they built their solutions for power users and the rest of the market is nowhere near as advanced and sophisticated as the customers they’ve onboarded so far. The sad truth is that the majority of enterprises don’t have enough talent to build and maintain advanced tooling. This realization forces the startup to work on expanding its TAM, which means changing the messaging and making the product accessible to less technical users.
The more the company invests in the nice UI, the more it dilutes the value proposition for its initial group of advanced customers. The mature teams who were the original early adopters are waiting for exciting advanced capabilities which are being pushed further and further away into the future to accommodate user experience enhancements for the mass market.
As investors are starting to become worried, they pressure founders to show some revenue growth. Revenue growth can come from several sources: acquiring new customers, upselling the existing customers with new capabilities, and raising the prices for existing customers. The new customer acquisition isn’t going all that well as the company has exhausted the pool of potential customers with mature security teams. Upselling the existing power users is hard as all the engineering effort is directed at making the product easier for less sophisticated users; there are simply no new features to upsell them with. The startup has no choice but to start raising the prices for its existing customers. After the price increases are implemented, the investors see the numbers go up, while the customers are beginning to evaluate other options. Given that early adopters have the technical talent, they can build their own tools even if the product in question has no viable commercial alternatives on the market. Companies that end up in this spiral of death don’t end well.
Many startup mistakes are easily reversible, but raising capital at a unicorn valuation without a clear path to the revenue that will justify it is usually not one of them.
Addressing the problem by designing and implementing the right strategies
By now some people might assume that companies looking to target mature security enterprises with an engineering mindset cannot be VC-backed businesses and should bootstrap their ventures instead. This isn’t exactly the case. Instead, they need to develop and implement a suitable fundraising strategy, look for ways to expand their total addressable market, and be creative about finding the most effective and cost-efficient fundraising options.
Consider a more conservative fundraising strategy
Building a startup is hard, and there are certainly no perfect answers: what is right and what is wrong is highly contextual and dependent on many factors, one of which is the target market. Although companies can educate the market, and thus contribute to its evolution, there is no magic way to accelerate the maturation. Simply hiring more salespeople won’t cut it either: as the saying goes, you can't produce a baby in one month by getting nine women pregnant. What the startup can control is its fundraising strategy. A more restrained, or what some would call conservative approach to fundraising can often be a better fit for products that target maturing markets.
If the company is targeting the top few percent of the advanced users on the market, while betting on the fact that the rest of the industry will mature within the next 4-7 years, it would be smart to not rush to get the unicorn valuation as soon as some VC offers it. Instead, the startup could do some of the following:
Work to estimate the speed with which its total addressable market (TAM) is expanding, the trajectory of that expansion, and what its customer base could look like in several years.
Instead of simply looking at TAM as a number, try to think about which specific types of organizations that aren’t ready to benefit from the startup’s offerings today would become good prospective customers in a few years, and what would need to change for that to happen.
Identify & clearly state all the underlying assumptions for these hypotheses.
Assuming there is a potential for this maturation to happen, consider whether today's market size is big enough for the company to get some early adopters, how many fundraising rounds it will take until the market expands, and whether it’s reasonable that the company can hit the necessary milestones in between.
Be conservative about the valuation in the first several funding rounds until it is clear that the pool of potential buyers is large enough to justify a billion-dollar player. Timing is everything: if a startup that promises to secure space travel becomes a unicorn over half a decade before space travel becomes a thing, it will need to find a way to show strong metrics for these five years to avoid down rounds - something that may be very hard to do when the market simply isn’t there.
As the new information comes in, review your assumptions and adjust them accordingly.
Build for the broader market and make the advanced use cases possible
To move the industry forward, we need companies to evolve their thinking about security going from the basics to the mature state. This evolution takes time, hence startups targeting exclusively highly proficient users are essentially being penalized by the mainstream market which prefers less sophisticated, one-size-fits-all tooling.
One way to solve this problem is to build a solution with a broad audience in mind and make the advanced use cases possible, instead of building products exclusively for 1-2% of the market. The majority of buyers lack enough talent and are therefore looking for “set it and forget it” products. Instead of trying to fight the reality and ignore this market by exclusively building advanced tools for power users, it may be smarter to build products that almost anyone in the broader market can use with little effort. The startup can then make advanced use cases possible for the small percentage of power users looking to leverage the full power of their offerings.
Look for creative ways to get to the customer
When startups raise capital at lower valuations, they have less money to spend and as a result, they need to find ways to be creative about designing innovative go-to-market (GTM) strategies.
When most founders targeting mature security teams hear that they should try different approaches to GTM, their minds immediately go to product-led growth. I have discussed this topic before, and I would recommend that anyone interested in getting deeper into product-led growth check out some of these articles.
Product-led growth sounds like a Holy Grail: we’ve seen how well it worked in other markets such as developer tools and DevOps, and it’s tempting to picture that security teams will start buying cybersecurity products by clicking “Buy Now” and putting in their credit cards. The truth is that before product-led growth picked up among developers, we had 20 to 40 years to build a massive pool of highly qualified, proficient, and mature software engineers. As time went by, many started to gain purchasing power and recommend solutions that help them do their jobs. In security, we are still at the very early stages of developing that talent, not to mention that there are and will always be more software developers than security people. Product-led growth can indeed be a great way for security startups to get some initial traction, and later to supplement the top-down sales channel, but it won’t magically solve the GTM problems.
Looking for creative ways to get to the customer starts with a deep understanding of the problem, who is affected by it, the value proposition of the solution, and what the buying process looks like (who is involved, at what stage, what power they have, etc). Many of the emerging areas of security live at the intersection of multiple domains (human resources & security, data science and security, analytics and security, etc). Therefore, some security products can be sold by targeting people from other departments such as HR, software engineering, and data science, to name a few. Every organization’s offering is unique, and a one-size-fits-all approach won’t work. What matters is that founders continue to experiment and look for ways to get their solution to the market in ways that are more cost-effective than trying to get CISOs to sit through more demos.
Closing thoughts
All venture-backed startups should be strategic about raising and deploying capital; this is especially true for companies targeting the mature 1-3% of engineering-centered security organizations. By employing more conservative fundraising strategies, building for the broader market while enabling the advanced use cases, and constantly looking for creative ways to find prospects and convert them into paying customers, they can extend the runway and greatly increase their odds of success.
Really good insights. On the "getting creative in go to market" front, an additional path to expanding the number of "mature enterprises" is to think beyond direct sales to larger enterprises and also consider service providers (MSSP/MDR) who may have the technical expertise to deploy a technology across their customer base. The GTM motion will probably affect how you build the product (multi-tenancy, etc), but can lead to a bigger TAM.
The core narrative is the description of an (apparently) successful crossing of the chasm, followed by a much more apparent failure in continuing to innovate, thus alienating its alpha customers.
In practice, there are other forces pressuring the founders through this process. They will be coerced into expanding the TAM, but they will also be approached for acquisitions meanwhile. This is how many ventures end up in the hands of the big players in the cybersecurity industry, and don't ever publicly fail the innovation vs. TAM expansion tradeoff that you described.
There's also the push to become a platform rather than staying a standalone tool. This would naturally force some level of innovation that may or may not appeal to the alpha customers without eroding value propositions so much.
Overall I find this less of a cautionary tale for the founders about cybersecurity. I find it more of a cautionary tale for founders in general: understanding that funding also unlocks new responsibilities, and that often means to execute things differently to deliver on the implicit or explicit promises made to VCs. I find it of a very generic type of naivety to believe that there are value proposition and GTM autopilots for VC-backed startups. But maybe there's a founder out there in cybersecurity that believes it, but would they be smart enough to be reading your post? :)