What cybersecurity entrepreneurs can learn from Alon Arvatz’s book about Israel and its role in the global security market
If you haven’t read "The Battle for Your Computer: Israel and the Growth of the Global Cyber-Security Industry" yet, you should
In this piece, I am sharing some thoughts and reflections after reading the book called "The Battle for Your Computer: Israel and the Growth of the Global Cyber-Security Industry". The author of the book, Alon Arvatz, is an alumnus of the Israeli Defense Forces Unit 8200, a co-founder and CEO of PointFive, and a co-founder of IntSights which was acquired by Rapid7 for $350M. Alon’s track record and his vast network in the industry make him a perfect person to write a book about the Israeli cybersecurity startup ecosystem.
What makes this book particularly interesting is that it isn’t a one-person account of the events or a summary of their knowledge. Alon talked to 40+ entrepreneurs and industry leaders from Israel, the US, and all over the world, and leveraged this collective expertise to put together the most comprehensive read about his country’s security space. People whose perspectives are incorporated into the book include Gil Shwed, Shlomo Kramer, Nir Zuk, Gili Raanan, Alon Cohen, and Mickey Boodaei, none of whom needs additional introduction.
Those who regularly read Venture in Security know that I am a huge fan of the Israeli security ecosystem and the monumental role this small nation plays in the industry globally. I’ve previously written several pieces, fully or partially dedicated to this topic, including:
"The Battle for Your Computer: Israel and the Growth of the Global Cyber-Security Industry" goes well beyond the high-level thinking shared in my articles and into the deepest and least explored areas of the subject.
Seven lessons cybersecurity founders can take from the book
Better user experience trumps being first to market
It’s common for cybersecurity entrepreneurs to think that to succeed, they must be first to market, even though there is plenty of evidence that this isn’t the case. The opposite is often true: a company that develops a new kind of product or an approach to solving a security problem needs to spend a lot of resources to generate demand and educate the market about the reasons why what it offers needs to exist. Startups that follow have the advantage of selling to people who already have some familiarity with what the company is proposing. Moreover, a startup that’s first to market needs to invest a lot of effort in research and development, which requires capital and results in trade-offs in other areas.
The fact of the matter is that Ford wasn’t the first car, the iPhone wasn’t the first smartphone, and Google wasn’t the first search engine. Cybersecurity isn’t an exception to the rule. Take the company that started the security vendor market as we know it, Check Point. In his book, Alon explains that “Check Point didn’t invent the idea of a firewall; in fact, Kramer [one of the Check Point co-founders] recalls, one of the first things that Shwed [Kramer’s co-founder] did in his investigation before launching Check Point was to subscribe to a mailing list for firewall managers. But what Check Point proposed was a simple, easily installable product - and that made all the difference”.
Cybersecurity founders need to keep in mind that technology isn’t the only differentiator, and in a world where most security products were built without users in mind, focusing on great user experience might be the very thing that can move the needle and enable them to win against the competition.
It’s not the best idea that wins, but the most capable people
“I won’t invest in ideas or products, I’ll invest in people. Ideas are overvalued, and people are undervalued. My experience tells me that when I meet an entrepreneur, it doesn’t matter what they’ve got for me on day one; in two months, everything’ll look different, so why would I waste energy on what’s just a temporary stage of a project’s life cycle? I prefer to leverage my time as an investor to understand the element that isn’t going to change dramatically, and that’s the people I see in front of me”. That’s how Gili Raanan, founder of Cyberstarts and one of the people Alon interviewed for the book, describes his approach to investing. Gili’s words describe the approach I embraced over a decade ago, that everything is about people. Everything changes: people’s circumstances, resources they have access to, political and economic conditions, and the world around us. What doesn’t change as much is what constitutes the essence of who people are - their core, their values, and their character.
I believe that over the long term, those with drive, strong character, resourcefulness, and perseverance will always outperform those who can only work well if they are given all the ingredients they need to be successful. Cybersecurity is full of examples of that being true - most successful security entrepreneurs I know have had something to overcome, something to fight for, something to stand for. Regardless of the stage they are at, you can see the passion, the drive, and the sparkle in their eyes - that’s when you know that they are still in the game.
To build a platform company, you have to think about building a platform from day one
Alon retells the story of Palo Alto Networks, a company that started with Nir Zuk’s dream of “consolidating everything that the cybersecurity industry was doing into a single, comprehensive solution”. It’s easy to think that this is more of a realization that a founder of one of the world’s largest cybersecurity companies wants to put into writing after the fact, rather than truly a thought that predates the inception of the business. However, actions speak louder than words, and given that Palo Alto has been able to expand into new markets, and bring a lot of cybersecurity solutions under one roof in a way that scales, it is clear that Nir and the team were indeed thinking big from day one.
To build a successful startup, entrepreneurs need to find a way in, often referred to as a wedge. Most commonly, this means solving one problem better than anyone else on the market and expanding into other use cases from there. Regardless of how the company starts, to build a solid platform player, founders have to think about building a platform from day one. This is especially the case today, when new solutions need to be designed for internet scale, built API-first, and function as interchangeable components of security infrastructure.
There are several reasons why building a security platform is going to get even harder than it is today. As both the scale of deployment and the amount of data grow, it will become critical that security platforms are built as such from the ground up. The M&A strategy is going to become trickier. Everyone who has built a complex, large-scale solution knows that stitching together APIs from different vendors, with different limitations, different underlying assumptions, and different architectures, is incredibly hard, and although it can work in the short term, it doesn’t result in the same scale and robustness as a family of solutions built to work together from day one. Additionally, not every market offers the opportunity for platform creation, and to compel customers to adopt a new tool, the startup needs to replace an existing solution from the stack, not come as a net new addition. All this means that entrepreneurs who will get to reshape the way security is delivered will need to think big from the very beginning of their founder’s journey.
There is more to security than what the eye can see
In his book, Alon dedicates a solid amount of time to discussing a little-known area of the industry, namely offensive cyber technology. He outlines the complexity and the ethical challenges surrounding this invisible part of the market, touches on the history and strategic focus of the leading players in the field, including NSO, FinFisher, Gamma Group, Hacking Team, Toka, and Paragon, and covers the role of regulators in ensuring that highly impactful technologies do not end up in the wrong hands.
I found this part of the book the most informative for a few reasons. First, although I am quite familiar with the history and the current state of the Israeli cybersecurity ecosystem, I knew very little about the offensive side of the market. More importantly, I find it fascinating how little we as an industry discuss offensive security. I don’t mean the attackers or the red teams; I am talking about nation-states all over the world who for various reasons want to track the activity within their borders and keep an eye on their citizens. Many countries don’t have access to the right talent and capabilities to do this themselves and instead rely on products from Israel and other advanced nations.
I won’t pretend that I know enough about the offensive cybersecurity market to have a well-formed opinion about its future or the challenges it experiences, but I found Alon’s book to be a fantastic overview of the topic. It serves as a reminder that there is a significant part of the market that doesn’t discuss its value proposition on LinkedIn, doesn’t have large booths at industry conferences, and doesn’t list customer testimonials on its website. However, just because we don’t hear about offensive security companies, it doesn’t mean that they don’t exist.
To increase your chances of success, you want to be where the networks are collocated
A few years after the global pandemic, it’s easy to see that access to opportunities has been democratized. Founders can build companies from anywhere, hire people located on the other side of the globe, and raise capital from investors they’ve never met in person. These changes cause many people in the technology space to dismiss ecosystems such as the Bay Area and Tel Aviv as no longer important; that, in my opinion, is a big mistake.
Among many reasons why Israel became a global cybersecurity powerhouse, one stands out the most: the country’s size and the fact that the tech industry is largely concentrated within the greater Tel Aviv area. The Israeli cybersecurity and technology community is small, which means that everyone knows everyone else, if not directly, then through a friend or a friend of a friend. Everyone is interconnected: people who served in the military together see their friends start companies and help them as early investors or employees. Everyone is everyone else’s relative, friend, friend of a friend, colleague or ex-colleague, angel investor, venture scout, or advisor. In this environment, people help one another succeed, and not because they have something to gain from it, but because that’s how things roll here. In the US, the closest we have to this environment is the Bay Area. Similar to Israel, everyone in the Bay Area is interconnected and people are willing to support one another, knowing that the pie is big enough for everyone to have a piece.
Being a member of Unit 8200, Unit 81, Unit Matzov, or Unit Mamram in Israel is similar to being an alumnus of Netflix, Uber, Google, or Facebook or a graduate of Stanford. People from tight-knit networks know one another, trust one another, help one another, start companies with one another, and invest in one another's pursuits.
Some places like New York and Washington, DC have their own strong networks in cybersecurity – nowhere on the planet can one find as many enterprise CISOs as there are in New York, or as many cyber-focused government employees as there are in DC. What makes Tel Aviv and the Bay Area unique is that aside from tight-knit networks, both places have a large percentage of tech entrepreneurs, and a strong ecosystem to support their high-risk ventures.
All this is to say that although in the post-COVID world people can be anywhere and still build a great company, there are and will continue to be advantages in being where the technology ecosystem, and in particular the cybersecurity innovation ecosystem, is.
To build strong security defense companies, founders must understand how the offense works
As I explained before, “The pace of innovation in cybersecurity is tied to two factors: tech innovation in general, and activity on the offensive side (commonly the nation-states). The actors on the offensive have the initiative and are often better motivated. This external force makes cybersecurity unique, as someone smart on the other side of the wire is actively trying to break into something a company is building or trying to defend.
Product cycles in security are short, and to get closer to innovation, it is important to be closer to the offense. What is discussed in offensive security circles today, will be discussed in defensive circles tomorrow. This is one of the reasons why it is hard to invest in cyber part-time: a cybersecurity investor needs to be a part of the security community, attend events to see what’s being talked about, and stay on top of recent developments, from business to technology while also understanding what the threat actors are doing.” - Source: Investing in cybersecurity: a deep look at the challenges, opportunities, and tools for cyber-focused VCs
Cyber defense is the response to the actions of attackers, both malicious actors and red teams. For that reason, to build strong defensive capabilities, founders need to understand how offense works.
The Israeli cybersecurity industry is a testament to the importance of understanding the offense. The vast majority of the security companies in the country are started by the alumni of the IDF Unit 8200 - a military unit focused on offensive security; although some players were founded by the defense-focused Unit 81, Unit Matzov, and Unit Mamram, the numbers are not comparable. The imbalance makes intuitive sense: because the offense is typically ahead of the defense, people exposed to cutting-edge offensive tools and capabilities are able to anticipate what attacks will be seen in the private sector a few years later, and launch companies to defend against them. By the time these startups are out of stealth with a working product, the demand for what they are offering may already be there. Those working on the defense side are often forced to deal with today’s issues, and therefore find it harder to stay ahead of the curve.
Every nation, every company, and every founder needs a crucible
Although only several chapters of the book are dedicated to talking about the reasons Israel became known as one of the cybersecurity capitals of the world, in my view one of the core ideas is that every nation, every company, and every founder needs a crucible. They need something to overcome, something to fight for, and something to stand for.
When researchers, government officials, and business leaders look at Israel, they often attribute the country’s success to the fact that Israelis are resourceful, resilient, creative, and focused. What many forget is that these character traits were not gifted but emerged as a response to the harsh environment. The State of Israel, a country of nine million Hebrew speakers, with a tiny market, and in a permanent state of war, did not rise as a global technology superpower despite all these issues; it did so precisely because of them. To survive, Israel had no choice but to invest in its defense capabilities. To build and sustain successful technology businesses in a tiny market, it had no choice but to start companies that target US customers from day one. To attract foreign investment capital, to encourage foreign corporations to open research and development (R&D) centers in Israel, and to solve many other challenges, the nation had to become creative. When people have to do a lot with little, make impossible goals happen with limited resources, or even fight for their very survival, they have no choice but to become resourceful and creative. As someone who grew up in an orphanage on the other side of the planet, bootstrapped a profitable small business at the age of 20, moved to Canada in his early twenties without speaking a word of English, and built a career in product despite having no degree from a prestigious school or background in computer science, I know the value of survival instincts too well.
On the other hand, when resources are plentiful, nations, companies, and people get too comfortable, and that’s when they typically start to decline. This is why I think having too much capital poured into security over the past several years has made many startups lazy: they didn’t need to care about business fundamentals such as customer acquisition cost and profit margins, and instead, they had nearly unlimited amounts of money to spend. The current market is a much-needed crucible that will bring new energy, and naturally lead to more creative ideas in the industry.
The future of cybersecurity is diverse Israeli-American founding teams
The more I think about security startups, the more it becomes apparent to me that the future of the industry won’t be built by Israeli or American founders, but instead - by Israeli-American founding teams.
Nobody can outcompete Israel when it comes to starting new companies. Israeli entrepreneurs are scrappy hustlers, ready and willing to do what it takes to get a new idea off the ground, cutting corners where needed, mobilizing all the help they can get, and working 24/7 until they start seeing success, only to then double down and do more of what works. No venture capital firm comes even close to the Israeli VCs if we look at the value they provide to startups at the earliest stages (investors in the Bay Area are almost there but still not quite). Top-tier Israeli VCs don’t just write checks - they have in-house teams to help their portfolio companies with everything from product, go-to-market strategy, fundraising, recruitment, legal, and finance, to introductions to customers and design partners. Given how small and tight-knit the Israeli, and especially the Tel Aviv tech scene is, it’s no wonder that it is considered to be the best place on the planet to start a security company.
However, the same mindset and access to resources frequently turn into a liability when the company needs to scale. Given all the support provided by VCs and ecosystem partners, many startups don’t develop the ability to ideate and test their own ideas. The scale of the problem is compounded by the fact that most Israeli founders come from the same background. Many get their start at the Israeli Defense Forces, and then either immediately go on to build their own company, or work a few years for other security startups in Tel Aviv before launching a new venture. When everyone comes from a similar background, talks to the same people, gets the same advice, and develops the same strategies, it naturally limits the imagination and makes it hard to think outside of the box and come up with new ideas. Moreover, their ability to be resourceful, look for shortcuts, and cut corners, all of which are critical at the early stage, starts to backfire when the company is looking to scale into a large player: that’s when systems, processes, and strategic thinking are needed.
The solution, in my view, is to look for opportunities to build a diverse yet highly capable founding team from day one; having Israeli entrepreneurs start companies with those outside of Israel, especially American founders, can be a perfect way to execute this. Of the wide range of examples where this worked well, the most famous one is Palo Alto Networks, co-founded by Nir Zuk, Rajiv Batra, Yuming Mao, and Dave Stevens. By bringing different perspectives and ideas to the table, by having people on the ground in both Israel and the US from day one, and by finding ways to leverage the best that the Tel Aviv and Bay Area/New York networks and ecosystems have to offer, one can build a truly unstoppable company.
Recommendation
I cannot recommend Alon’s book highly enough and I am thankful to Chris Hughes who originally sent me the book’s Amazon link. If you are interested in learning about the history of the Israeli cybersecurity ecosystem and want to understand what turned a small island-nation in the Middle East into a global cybersecurity superpower, this book is for you. If you are interested in understanding the industry trends, and what the future of cybersecurity may look like, you should also add "The Battle for Your Computer: Israel and the Growth of the Global Cyber-Security Industry" to your reading list.
Needless to say, I am in no way affiliated with the author and this review is simply an attempt to share a book I found both educational and highly enjoyable with others.
Happy reading!