4 Qualities of a successful cybersecurity startup
PART 1 of 2
We’ve all heard that cybersecurity is a hot sector. Worldwide information security spending reached $76.9 billion in 2015 according to Gartner. With the continued increase in frequency and severity of breaches, security spending is expected to reach $170 billion by 2020. VC money is therefore steadily pouring into cybersecurity startups ($93m in 2015, up from $8m in 2011, for UK based companies alone), and the number of cybersecurity startups is rapidly increasing.
As Program Director of CyLon Labs (Europe’s first Cyber Security focussed accelerator/ incubator) i’ve spoken with hundreds of cybersecurity startups (the good, the bad, and some ugly!). I have tried to isolate some common traits and strategies of successful startups that are unique to, or particularly hold true for the nuanced world of cybersecurity.
- Cybersecurity is a complex ‘negative goal’, so you need to know your value proposition
Simply put, proving that a person has access to a file can easily be done by getting the person to verify the content of the file. However, suppose you need to prove that another person can’t access this same file. Now you have to figure out all the different ways that one could access the file (other than legitimately) and then prove that this person cannot access it. It’s a classic case of asymmetric warfare: there may be hundreds of doors in for the attacker to gain entry, but the defender will need to ensure all these doors are both known and secured. For this reason, cybersecurity casts a wide net and includes everything from authentication to access control.
For founders, understanding where your product fits into the overall security ‘stack’ is critical when explaining the value-add to customers and investors. Cybersecurity is a very fragmented market with many players (see Periodic table of Cybersecurity) and often an enterprise will use over a hundred different niche solutions to secure each ‘door’. Each will be managed either internally in the SOC (Security Operation Centre) or through a Managed Security Solutions Provider (MSSP).
Its also important to articulate why your product is different. Differentiation can be through verticals, features, usability, channels, pricing or sales methodology for example.
Entrepreneurs must articulate their value proposition and differentiators: know where they are on the stack, where they bring value and how the product integrates into the customer’s workflow.
2. Domain expertise + Technical expertise = powerful combination
Security is often classified in the ‘deep tech’ category and many startups use complex techniques including machine learning/ AI or the blockchain. However, the problems they address are in fact, relatively simple (for example, giving people the appropriate access permissions). When this technical expertise is fused with deep domain or sector knowledge, it can be a powerful combination.
James Cameron of Accel Partners says generalised security products are on the rise, but believes that vertical specific applications of cybersecurity (e.g manufacturing, healthcare) are under-hyped and an emerging area. Take for example, Mentat Innovations, a CyLon graduate that spun out of mathematical research the founders were conducting at Imperial College. Mentat is applying cutting edge machine learning and anomaly detection, to securing IoT (Internet of Things) and CNI (Critical National Infrastructure). It does this by flagging malicious activity against a background of shifting legitimate behaviour on devices. They have bold ambitions to take on the healthcare and manufacturing market next, verticals which have been largely missed in the ‘big data’ analytics age.
Like all other startups, ideas often come from a problem statement. But how often can you say that the Russians are trying to hack your home PC?! Experience often plays an important part in cybersecurity and we tend to find a disproportionate amount of cybersecurity founders who have deep domain expertise acquired in government, industry (e.g defence, financial institutions) or through a vast amount of personal research.
To be continued…. CLICK HERE FOR PART 2/2