Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
3 Predictors of Cybersecurity Startup Success
Before investing, venture capitalists should consider a trio of business characteristics that seem to correlate with commercial success, based on meetings with over 2,000 cybersecurity startups.
May 12, 2022
5 Min Read
Source: baona via iStock
Few aspects of the cybersecurity industry evoke more polarizing reactions than the use of venture capital to fund startups.
On the one hand, startup founders seek the attention of investors with the ferocity of authors searching for publishers. Without investment capital, new companies cannot grow properly, especially if their technology requires a period of long stealth development in advance of any customer revenue.
On the other hand, security practitioners tend to exhibit lukewarm, even hostile, emotions toward investors. This should not be surprising when one considers that venture capitalists might be viewed as growing rich by betting on technologies required to protect citizens and business from attacks.
One fact that everyone agrees on, however, is the staggering growth of the aggregate investment being made in this segment. According to Statista, the size of the venture capital market for cybersecurity grew to over $21 billion USD, up from roughly $9 billion just one year before.
Another fact everyone agrees on is the common interest held by investors, founders, and practitioners: Investments eventually lead to good solutions. Technologies being funded range from methods to rid the world of passwords to machine learning that predicts where the next threats will occur. Everyone benefits if these investments succeed because the risks of attack are increasing on a daily basis.
The ongoing conflict in Ukraine, for example, introduces nation-state offensive cyber campaigns directed at business and civilian groups around the world — perhaps to target enemies, perhaps to just create chaos. New commercial security products and services will be necessary to mitigate this potentially hazardous and growing risk.
My team has met with over 2,000 cybersecurity startups during the past few years, many of which are supported by venture capital. In the course of our work, we've come to recognize three primary factors that seem to correlate with commercial success in the cybersecurity marketplace. When I share my observations with venture capital teams, however, they often do not match up well with the typical investment evaluation formula. Most venture capital teams tend to obsess on factors such as aggregate market size for a given company, the problem being solved, the types of competitors that exist, and so on. While these are important issues, I do not think they are the primary drivers of success.
Accordingly, below is a summary of the three factors that my team and I use in our work to advise security practitioners on which startups are worth considering for long-term partnership.
Factor 1: Belief System
When we ask a founding team what they believe and why they started their business, their answer is often wrapped in some muddled description of what they do. This vacuous and circular reasoning of starting a company "to stop threat X because the world needs to stop threat X" is insufficient to connect with customers at a visceral level.
In contrast, consider the belief system of retired Army general Keith Alexander, co-founder of IronNet Cybersecurity, which recently completed a successful SPAC. If you ask founders such as Gen. Alexander why they started the company, they will point to their lifelong commitment to protecting their country, whether in uniform, on the physical battlefield, or across virtual networks.
Such personal belief systems connect with buyers. In fact, a useful exercise for founders is to explain why they started their company without ever mentioning their product. It is a delightfully painful experience because it exposes the real purpose behind their company. Good luck to the startup that can only cite making money as its reason for being.
Factor 2: Attention to Design
When we ask a startup to describe their company, we usually see one of two approaches. On the one hand, a team will lead us into PowerPoint hell with chart after chart of buzzwords, disjointed clip art, and meaningless quotes. The platform diagrams in these presentations are usually haphazardly cut-and-pasted from the engineers, as if the technology is some afterthought.
On the other hand, we sometimes find a startup that understands the value of design. In such cases, we see a carefully crafted story, developed from top to bottom with the combined inputs of the platform developers, marketing team, and leadership group. When done right, the only word that comes to mind is elegance. And it is not just the elegance of the technology but also of the overall story.
Take SentinelOne, for example. When we first met this now-public company, we were struck by their attention to detail in explaining their behavioral analytics. This technique involves establishing which behaviors are considered normal and then sounding an alarm when something looks unusual. It was obvious to us that considerable time and effort had gone into developing their crisp messaging.
And just like quality, design elegance in any solution (think Apple) is hard to define — but you certainly know it when you see it.
Factor 3: Domain Knowledge
Finally, we always ask founders to share their experience in the domain their new company addresses. The worst responses come from serial entrepreneurs hopping aboard the security bandwagon from some unrelated area. Cybersecurity is a complex arena, and poor domain knowledge will eventually catch up with inexperienced founding teams.
The best responses come from startup leaders who have committed their lives to their chosen discipline. A favorite question we like to ask is whether a founder would continue doing what they are doing for free. Only a select group of founders can honestly answer yes to this question — and these are the ones to bet on.
Consider Sanjay Beri, founder of Netskope; Nir Zuk, founder of Palo Alto Networks; and Ken Xie, founder of Fortinet. Each of these successful entrepreneurs would certainly continue doing exactly what they do now, even if they never earned another penny. Buyers connect with this type of domain passion, and investors should take this essential factor into full account.
About the Author(s)
CEO, TAG Cyber LLC
Dr. Edward G. Amoroso is currently chief executive officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as senior vice president and chief security officer of AT&T from 2004 to 2016.
Ed has been adjunct professor of computer science at the Stevens Institute of Technology for the past 27 years, where he has introduced nearly two thousand graduate students to the topic of information security. He is also affiliated with the Tandon School of Engineering at NYU as an instructor, and the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.
Ed holds the BS degree in physics from Dickinson College, the MS/PhD degrees in Computer Science from the Stevens Institute of Technology, and is a graduate of the Columbia Business School. He holds ten patents in the area of cyber security and media technology and he serves as a Member of the Board of Directors for M&T Bank. Ed's work has been highlighted on CNN, the New York Times, and the Wall Street Journal. He has worked directly with four Presidential administrations on issues related to national security, critical infrastructure protection, and cyber policy.
You May Also Like
Your Everywhere Security guide: Four steps to stop cyberattacksFeb 27, 2024
Your Everywhere Security Guide: 4 Steps to Stop CyberattacksFeb 27, 2024
API Security: Protecting Your Application's Attack SurfaceFeb 29, 2024
API Security: Protecting Your Application's Attack SurfaceFeb 29, 2024
Securing the Software Development Life Cycle from Start to FinishMar 06, 2024
Latest Articles in The Edge
Redesigning the Network to Fend Off Living-Off-the-Land TacticsFeb 23, 2024|7 Min Read
Privacy Beats Ransomware as Top Insurance ConcernFeb 23, 2024|5 Min Read
Library Cyber Defenses Are Falling DownFeb 20, 2024|3 Min Read
Enterprises Worry End Users Will Be the Cause of Next Major BreachFeb 16, 2024|2 Min Read