To bring PLG to cybersecurity, let’s change our hiring habits
A reflection on ways to attract the right talent to build successful cybersecurity PLG startups.
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Thanks for supporting Venture in Security!
Original (and a bit shorter) version of this article was first published on TechCrunch.
I have previously talked about the reasons cybersecurity is ripe for disruption by PLG startups, and what players in the industry have embraced or are embracing this business mindset. In this post, let’s briefly chat about hiring.
For those interested in the fundamentals of PLG, check out my other posts (this one is a good start: Product-led growth in cybersecurity: past, present & future).
Factors impacting product management in cybersecurity
Cybersecurity is a complex industry
Cybersecurity is a complex discipline, with a large number of market segments, tangled vendor relationships, a never-ending alphabet soup of abbreviations, and a hard-to-grasp competitive landscape with every new product claiming a new niche. Differentiation in this market has historically been achieved by marketing efforts making it a tough job to discern what is what and who is who in the industry.
There is a multitude of reasons for such complexity, from the fact that a lot of innovation and research is driven by the military and intelligence agencies, to the fact that this complexity makes it impossible for an average customer to make purchasing decisions on their own which greatly benefits security vendors. A closer analysis of market complexity is out of scope for this article, but one outcome of this is important to call out: for a person new to the industry, it can take a long time to separate signal from the noise.
Product management is little understood in cybersecurity
Historically, cybersecurity products were launched predominantly in one of two ways:
Technical founder(s) with deep domain expertise would build a product to address security problems they faced themselves. They would then hire sales & marketing teams to sell what was already built. This is the path that the vast majority of security products have followed.
Business founders (coming from predominantly sales and marketing backgrounds) would see an opportunity to make a fortune in the industry. They would come up with an idea that fits the narrative (hype) of the day, sell the solution, and hire developers to build what they’ve already sold.
Both paths have led to similar outcomes: a sales-led, top-down approach to building products, with little room for customer discovery, empowered teams, and research into what users value. For customers, this meant that if a prospect wanted to try a security product, they would need to attend multiple demos, ensure they can hit the minimum spend requirement or otherwise “qualify” to be given access to the demo environment, go through a closely-guided proof of concept (POC), negotiate pricing, and sign a long-term contract.
Most cybersecurity companies five to ten years ago would not employ product managers; the ones that did, expected them to act more like project managers (focused on execution) or marketing managers (focused on market research, partnership, and sales).
Customer expectations are changing
Security is a traditional industry and is not the quickest to change. However, neither can preserve the “old ways” and function in isolation from the rest of rapidly changing tech.
In the past decade, customer expectations have shifted. With the emergence of products like Uber, Lyft, Skip the Dishes, and similar, people got used to quick, streamlined experiences where it can take less than 15 minutes from the moment you downloaded the app to the moment, for example, your food is delivered to your door. These changes that started in B2C, quickly proliferated into B2B: from project management tools like Asana to enterprise communication platforms like Slack, and developer tools like GitHub — users are expecting seamless, quick, streamlined experiences. Customers in the B2B space are now expecting the B2C experience.
Changing consumer expectations are impacting how people want to buy cybersecurity products as well: self-serve, without having to go through multiple demos, and negotiate pricing. This, in turn, is fueling the rise of PLG in cybersecurity.
The fundamental challenge of hiring product managers in cybersecurity
Product-led growth is more about the company mindset than it is about product. There is a lot a company needs to do to succeed in PLG; hiring product managers is not enough (neither can it be the first step). However, having the ability to attract the right talent is critical.
As I explained before, “for product-led growth to become commonplace in cybersecurity, there needs to be enough product talent with the right mindset and level of maturity required for PLG. However, cybersecurity is a deeply specialized discipline, so while the specialized security knowledge isn’t mandatory, it does help to shortcut the learning curve.”
Hence lies the fundamental challenge of hiring product managers in cybersecurity with experience in PLG:
The inherent complexity of cybersecurity makes it harder for outsiders to hit the ground running quickly. Companies understand that so they default to hiring product managers with background or experience working in security.
Product managers with strong experience in cybersecurity have no experience building effective product culture or working in PLG companies in general.
It’s not uncommon to see cybersecurity startups trying to do two things at once:
On one hand, they recognize that being resourceful, agile, and innovative is their only way to succeed. They want to embrace product-led growth, experiment with new ways to get in front of the customers, build a strong culture focused on adding value and solving hard problems, and more.
On the other hand, they value industry experience so they end up hiring product, sales, and marketing professionals from large, enterprise companies who come with already formed ideas about “how the industry works and what it takes to build/sell products”.
If you hire a bunch of experienced people from prominent cybersecurity enterprises, what you get is not PLG; you get the enterprise.
Where to look for product leaders with a passion for PLG
To see more PLG startups in cybersecurity, we need to break our hiring habits. Here are a few actionable ways to do it.
Hire people with no background in security
If you choose to only hire people with cybersecurity product management experience — you are limiting your options to those who have worked in large enterprises you’re trying to disrupt. Why do you think they’ll innovate after joining your startup?
While a strong understanding of security is most certainly important for many technical product management roles, problem areas such as product adoption, activation, engagement, and retention can most definitely be owned by product leaders with experience in other industries. Shortening the time to value looks similarly no matter the industry — don’t get swayed by the “15 years of experience” argument. It doesn’t take that long to understand the industry, and I am proud to be a living example of this.
Hire people with experience in developer tools
As cybersecurity is becoming more mature, it is starting to look more and more like software engineering. This is where PMs with experience building developer tools can add a lot of value. They often possess both solid technical background and experience with product-led growth — a powerful combination for technical security products targeting security engineers, security architects, and other technical security professionals.
Today, it’s relatively easy to find product leaders with a “PLG + developer-focused” combination.
Hire people with experience in the consumer space
B2B enterprises are about two to five years behind when it comes to customer expectations. Users today expect B2C experiences all around. If it takes you 15 min to sign up for a ride-share app and get to another part of the town, it can’t take you four weeks to get access to the cybersecurity product.
Look for product managers with strong customer empathy, the ability to make data-informed decisions, and a keen eye for user experience.
Hire people passionate about their product craft
Hire product managers passionate about their craft and about building great products. Look for those who maintain a connection with the product community, read a lot, ask the right questions, and continuously expand their network at coffee chats and product conferences.
Best ideas rarely emerge when a few folks from the same industry complain about the same problem; they are born at the intersection of experiences, ideas, approaches, and industries.
What to look for when hiring product managers for PLG startup
Among many skills and capabilities that make product managers successful, the following are five to look for when hiring product leaders for PLG startups.
Ability to build bridges
Embracing a product-led growth mindset in traditional marketing- or sales-led organizations requires a lot of change management, communication, and building bridges. The same is true for startups choosing to be PLG from day one. While good communication skills are important for anyone working on product, it is especially critical for those shaping the organizational change.
Cybersecurity is a very dynamic industry, so preserving a beginner’s mindset is a prerequisite for a successful product career in this space. Maintaining curiosity, listening more than talking, maintaining a low ego and continuously looking to improve will help to stay on top of any changes and industry shifts.
Customer discovery is a critical skill for product managers in PLG companies. To understand and deliver what users value, they need to be able to dig beyond the surface, develop continuous discovery habits, practice active listening, ask powerful questions, and draw insights from qualitative and quantitative data.
User experience is critical for PLG startups. Product managers should have a passion for good user experience and be interested in collaborating with designers, engineers, user researchers, and other professionals to make the best decisions.
Focus on metrics
People leading product in PLG cybersecurity startups should have a solid grasp of metrics relevant to product-led companies, including:
Time to Value
Average revenue per user
Customer lifetime value
Virality & network effects
Cost of revenue
It is not enough to understand what they are; what is much more critical is to understand how they all work together and impact one another, and how each one can be moved.
What to consider before hiring product managers
Product-led growth is much more than a go-to-market strategy; it is an organizational mindset that defines how the company thinks, makes decisions, and executes. Hiring the right talent is an important prerequisite for successfully embracing the PLG, but it is not nearly enough.
Before expanding the team, companies looking to adopt PLG should closely examine both their readiness for changes and the willingness to commit and do what’s required to get it right. This includes:
If a company is transitioning from a traditional, sales-led model, the company must be truly willing to disrupt itself, giving product leaders the control and the level of influence to drive revenue, user acquisition, and business growth.
Ensuring that customers are happy with the level of support the company providers, and closing the gaps (if any). For PLG to be successful, customers will need to be happy to keep using the product and not churn.
Looking for ways to align the whole organization around the PLG strategy. It’s the role of the company leadership to get all functions on board with the future vision and give them certainty about their future in this new world.
Work with sales, marketing, and customer service to ensure that they are ready to change the ways they have worked before and have what they need to succeed in the new world. Make hiring decisions to ensure that people performing and leading these functions can thrive in the PLG environment.
Being intentional about organizational design, and finding ways to reduce conflict, build empowered cross-functional teams, and foster collaboration across the company.
Hiring good product leaders is hard, but it’s also the easiest out of all the things the company needs to get right for the PLG to succeed.
Over the past five years, customer expectations have been shifting towards easy-to-use, easy-to-evaluate, and easy-to-buy solutions. The cybersecurity industry is just starting to realize the importance of embracing new ways of thinking and doing business; one example of such innovation is to move from sales- and marketing-led growth to product-led growth.
Cybersecurity companies that can get out of the short-term mindset and be open to hiring PLG product leaders without a background in security, will set themselves up for success long-term. Other B2B industries, consumer space, and developer tools can provide a healthy pipeline of product talent a product-led company will need to succeed.
Original version of this article was first published on TechCrunch.
I’ve recently switched from a product mgmt role into a Cybersecurity role in the GRC space and find this area of product fascinating as I learn more about the companies in this space. To me, my perception is some of the older or more well known companies in the space do a poor job at articulating benefits of their offering as a whole as well as onboarding and customer success etc. I see newer companies in the space addressing this head on but often they only serve one area of the market or a very small slice of the whole but it has been harder to determine leaders in the space for me compared to say email marketing platforms etc. Always love your perspective! 👍🏻