Piloting Our Startup During Cybersecurity Factory’s Pilot Summer
We (Chris and Ling) were one of the two Cybersecurity Factory teams and are running the company Oblivilock. We are Ph.D. students in computer science and up to this point have spent our days coming up with ideas and coding them up. During Cybersecurity Factory, we didn’t write a single line of code. What was more surprising to learn was that this was the way to start a successful company. This post is about how Cybersecurity Factory supercharged our professional network and helped us go from having a research project to having a company in one summer.
We wanted to start a company to bring our research to a commercial market. Our backgrounds are in applied cryptography and hardware. In a nutshell, our research was on a particular algorithm that makes cloud storage more secure. At first, the algorithm wasn’t practical, but over the course of the last few years we and others made it (arguably) practical. So, the idea was, we have this great (clean security, reasonably efficient) technology in a hot area (cybersecurity). Let’s try to bring it to market where it can have real impact!
Rubber hits the road
From our first meetings on day 1 we quickly realized a great algorithm is not necessarily a great business idea. More to the point, our algorithm didn’t seem to have a value proposition in today’s market. In fact, even if it had no performance overhead and no adoption barrier, it’s still not something people would buy. It was the classic run before you can walk problem: we were selling running shoes (strong security that only made sense if you already have reasonable security) when most companies didn’t have even basic security (like encryption and logging).
Whirlwind Tour of Our Summer
After realizing we had to change plans, we decided to accomplish one main goal during the summer: develop a product with a good value proposition. To do this, our day to day became the following feedback loop. (1) Come up an idea and try to justify it to ourselves (by looking at competition, mapping out its use cases, building a pitch deck, etc). (2) Present the idea with mentors/customers/other contacts in our network and improve it. (3) Repeat with new insights from meetings. This process was insanely human-feedback oriented, which brings me to the first major lesson:
Lesson 1: Networking can drive innovation
A big lesson from this summer was that building a product involves more development of our professional network than of the underlying technology. CSF helped tremendously here, and introduced us to a multitude of people in the security and related spaces (from industry mentors, entrepreneurs and venture capitalists to potential customers in different segments). This group was essential in getting us to think differently about our ideas: how can we build something that will make a customer more successful?
In particular, we want to call out and give a huge thanks to our mentors. The program gave us access to a large group of mentors from Day 1. Our mentors were top notch — for example, we were advised by Will Bechtel (Director of project management @ Qualys), Harold Moss (Sr Director of Strategy for Security @ Akamai) and Justin Somaini (Chief trust officer @ Box) to name several. Crucially, the mentors were from the industry. We spoke academia, not industry, so every meeting taught us something new about how to interpret and push forward our ideas. All in all, we spoke to over 50 different people/groups over the summer and our mentors were essential in bootstrapping that process. By the end of the summer, we had met enough people in enough segments to be able to critique our ideas on our own, which made us much more productive.
Lesson 2: A good product idea is one that can seed a conversation
The biggest problem with our initial direction actually wasn’t the algorithm’s lack of use case: it was the narrowness of the idea. If we only sold this algorithm it was hard to keep a conversation going. This motivated our first pivot, which was to integrate other state-of-the-art crypto algorithms into a single platform that would give C, I, A (confidentiality, integrity, availability) of remote data. [Our original idea only did the ‘C’]. This made it easier to have discussions with mentors and potential customers, because they typically would care about one of these three at least.
What we found was that the algorithms themselves didn’t matter much. Most people understood and needed some form of basic CIA through (for example) encryption (‘C’), checksums (‘I’), or backups (‘A’). The main purpose of pitching the algorithms turned out to be starting the conversation so that we were all on the same page. It was never the case that one of these algorithms struck gold itself. Although this meant our algorithms weren’t the right way to go, it gave us a lot of insight into what people needed across the board, and motivated our second pivot.
Lesson 3: Go to the market
A final lesson we learned was that if we can’t get the market to come to us, then we go to the market. In the second pivot, we completely changed our thinking and came up with a product more in line with current need in the market. Specifically, the idea was to take a market and solve a hard problem that was inherent in competitor solutions (spoiler alert: we found one). We knew the market for the technology existed (because the competitors were getting customers) and were banking on getting better market penetration than our competitors. The most complicated crypto algorithm in our current direction is an algorithm that has been around for 30 years: clearly a big change from what we came in with!
Concluding Thoughts
To summarize the above journey: The summer in Cybersecurity Factory forced us to think about the business and people problem first. We met and talked to more people this summer than we did during our entire Ph.D. study. Even for people in the research community who don’t want to pursue start-ups long term: we can’t recommend this program enough. What you get is an extremely important perspective that you can use to gut check research projects. Of course we would love to build a successful company, but if nothing else, we know our experience will inform our research for many years to come.
