4 Qualities of a successful cybersecurity startup

PART 2 of 2 (Part 1 here)

3. Know your prey

Unsurprisingly, larger enterprise have the highest demand (in $ terms) for security products. This is because there are higher rewards to be found either financially, through the theft of IP, or for a hacktivist to cause disruption. Within the enterprise, cybersecurity falls within the ‘risk management’ paradigm.

The typical approach to sales thus far, has been similar to selling insurance. But a reliance on fear, makes it difficult to establish a lasting and trusting relationship. For this reason, market validation tends to come either through experience (see point 2) and/ or extensive interaction with customers. Most startups that have got the validation piece right, have relentlessly worked with CISOs/ CIOs and security teams to get feedback on their products, or indeed have been a spin out of a real problem that existed from their previous roles (eg. Ripjar, Panaseer, Torsion). This makes the integration into the customer’s platform and processes more seamless and minimises friction in the sales cycle, which is often up to 18 months.

Enterprise customers prefer to have comprehensive ‘IBM-like’ solutions, which can be integrated within their existing systems and are built by proven experts. This makes it all the more challenging for a startup to establish credibility. To overcome this, successful strategies startups have deployed include getting smaller reference customers, such as challenger banks (interesting article referenced by Sam Myers of Balderton Capital on avoiding the ‘elephants’ or ‘rabbits’ and hunting for the ‘deers’ http://bit.ly/1SSuwIN), as well as tie ups with distribution channels (including MSSPs or System Integrators). Getting into a reputable accelerator which already has existing relationships with potential clients will also help give an additional boost. CyLon for example works with BAE Systems and Raytheon and startups have gone on to partner with these companies in various ways.

4. In it for the long haul

As articulated in the Techcrunch article (“Cockroaches vs Unicorns” http://tcrn.ch/1RaFWY4), time to exit for most Cybersecurity unicorns (or cockroaches depending on your perspective), are much longer: OpenDNS’s aqcuisition took 10 years and Lancope’s took 14 years. Even the relatively ‘quick’ IPOs of Fireeye and Palo Alto Networks took over 7 years. This takes a certain level of tenacity, resilience and flexibility from the founders (… qualities of the much endeared cockroach!). It may be necessary to switch into consulting mode in downturns and see through volatile economic/ funding cycles.

Not only is the time to market longer, but the MVP cycles are notably longer for the obvious reason that no one wants a half baked security product, when issues like National Security are at stake. The canonical ‘Lean Startup’ methodology simply doesn’t stand up as well in the security industry. Take Fireeye, which was born out of an advanced malware threat faced by DARPA in 2004. The MVP construction period lasted 4 years and the first iteration of the product wasn’t even until 2006.

In short, founders need to prepare for and accept that it takes longer to achieve MVP, longer to raise funding, longer to sell to enterprise and a longer time to exit. This isn’t to say that M&A opportunities don’t present themselves along the way, or that entrepreneurs will not take said options, but founders must be prepared to (at least psychologically) go all the way.

The cybersecurity startup ecosystem has its own set of unique and complex challenges. These challenges are becoming more and more manageable as resources for early cyber startups are sprouting up in Europe. These include early stage funds focussing on cybersecurity like Amadeus Capital, Paladin Capital and C5 Capital. Accelerators like CyLon are also helping grow the ecosystem. As the ecosystem matures, successful startups such as Sophos, Digital Shadows and Darktrace, funds and accelerators as well as the corporate and financial community, will play an important role in supporting new entrepreneurs and startups. The UK government has also played a proactive role with the announcement of a £1.9b fund to invest in cybersecurity, set up 13 Academic Centres of cybersecurity excellence and is addressing the skills gap by new and innovative training programs to equip the future generation of cyber warriors — and potential entrepreneurs!

Syed (Riz) Noor is the Program Director of Cyber London (CyLon), Europe’s first cyber security focussed accelerator and incubator | @riz1noorsy | https://uk.linkedin.com/in/s-rizwan-noor-30405229

Applications for CyLon’s 3rd cohort are open until 27th March, apply directly on F6S.com