Amid Data Breaches, Why Are There So Few Infosec Startups?

TProphet
Apr 2, 2016

tl;dr: Infosec technology is unusually hard, leading to longer development cycles; sales cycles are much longer; and founders are older and more mature than most in consumer startups. All of this makes infosec startups riskier and more expensive to build, which is highly uncomfortable territory for many seed VCs.

2015 was the year of the data breach, and in 2016 individuals and companies are starting to do something about it. However, this hasn’t — as you might expect — led to an explosion in information security startups. The current Spring 2016 cohort of Mach37 — of which my company, PCPursuit, is a member — has only 6 companies. And keep in mind, this is at the top information security accelerator in the world. It’s not that there isn’t a market need for information security solutions, or a lack of investor interest. It’s a lack of quality companies, and the current funding environment may be why there is less innovation in this area.

To begin with, information security products are harder to build than most other products. Building a mobile app can be really simple — it’s almost like snapping together Legos in an indoor playground. By comparison, there is real, fundamental engineering work involved in building most information security products. This stuff often has to touch bare metal — after all, malware does. It’s a fundamentally different type of software development, which is much harder, takes far longer, and requires much more experienced and specialized talent than building almost any other kind of software.

Information security isn’t something that newly minted college grads can graduate and start doing effectively. As with most things, it takes 10,000 hours to get pretty good at infosec. That means 5 years of full-time experience. And “pretty good” isn’t the sort of top expertise that you need to have unique insights in the industry and form a company. Most people who have the most unique insights and best innovations are very old relative to the founders typically funded in Silicon Valley, and have a lot more experience. They’re in different life stages — often with kids, mortgages, and high six-figure salaries. This isn’t universally true — for example, CANTact was created by Eric Evenchick, who is in his early 20s — but it’s generally true. It’s hard when you have a wife and kids and a mortgage to ditch your $750k/yr job as a CIO (which one of the founders in my cohort has done) to pursue a startup dream.

Once you have built a new security product, you then have the challenge of selling it. Very few companies want to be the first customer of an information security company. However, if you have developed something truly innovative, the federal government is usually interested, and if it solves a big enough problem, they’re even willing to become your first customer. However, closing deals takes exactly as long as you would expect — it is the government, after all.

So, to sum up, there just aren’t that many game-changing ideas worth funding and building, it requires an unusually high degree of sacrifice from founders willing to do it, and the talent required to build infosec companies is more expensive. When you consider that there is effectively negative unemployment for senior security engineers (every established company in the space is hiring like mad), and engineering salaries for this segment are the highest in the technology industry, it takes far more capital to get off the ground than, say, a messaging app.

How, then, do most information security companies get off the ground? It’s not venture capital. There are very few investors who truly “get” the space. For example, one founder told me of a Silicon Valley seed VC, not normally active in the space, who would only invest if he agreed to a $50k salary. Since this would mean taking the kids out of private school, it was a non-starter. He turned down the investment, and instead raised (at a lower valuation) from investors more familiar with the space. His company is now the hottest and most successful company in their information security market segment.

Instead, a lot of information security companies are bootstrapped through services revenue. You can practically hang out a shingle and have business, the demand is so great, and you can bill all the hours you can work at $250 per hour. Obviously, not everyone can do this — you need connections and you need to be qualified — but not everyone can be an infosec founder either. Most early stage founders I know are bootstrapping through services revenue. We’re one of the companies that isn’t, because — given my 13-year Microsoft background — I know that the greatest leverage comes from building software, and given my experience bootstrapping Cuddli, I know how distracting it can be. I’m also in a place where I can do it — I don’t have kids and can sleep under my desk. However, the calculation could change if we can’t raise a seed round on acceptable terms — my co-founder owns a condo, and doesn’t want to sell it. The siren song of services revenue may become impossible to resist. [EDIT: A year later, it has — we couldn’t raise without building a complicated enterprise product and getting through the sales cycle first, so like most new infosec companies, we pivoted to unrelated boutique consulting to pay the bills.]

What does this mean to you? If you’re a founder who is thinking of jumping into information security because it’s a hot area, validate your assumptions with experts in the field. There is very little new in information security; most ideas are old ones, rehashed and repackaged. Our product, PCPursuit, is a truly groundbreaking technology innovation that can grow to massive scale, and there just aren’t very many of those. And if you’re a seed investor who is interested in information security, throw out everything you know about consumer and SaaS startups. The best opportunities are pre-product and pre-revenue. It’s like investing 15 years ago: the stuff is actually hard to build, the sales cycles are long, and the people needed to do it are expensive. You can’t just throw $150k at a couple of Stanford grad 22-year-olds — brilliant though they may be — and expect success.

For our part, to achieve maximum leverage and focus exclusively on product, we may well need to raise a million dollars — and do so without a single sale, a dime of revenue, or even a finished product! However, once you see the incredible, game-changing product we’re building at Mach37 Demo Day on June 14, we think you’ll be eager to write us a check. Hope to see you there!

TProphet

@CuddliApp and @PCPursuit founder, @Seat31B blogger. @RSMErasmus MBA. World citizen. Every day, my life continues to amaze me. // Opinions are my own.