Few aspects of the cybersecurity industry evoke more polarizing reactions than the use of venture capital to fund startups.
On the one hand, startup founders seek the attention of investors with the ferocity of authors searching for publishers. Without investment capital, new companies cannot grow properly, especially if their technology requires a period of long stealth development in advance of any customer revenue.
On the other hand, security practitioners tend to exhibit lukewarm, even hostile, emotions toward investors. This should not be surprising when one considers that venture capitalists might be viewed as growing rich by betting on technologies required to protect citizens and business from attacks.
One fact that everyone agrees on, however, is the staggering growth of the aggregate investment being made in this segment. According to Statista, the size of the venture capital market for cybersecurity grew to over $21 billion USD, up from roughly $9 billion just one year before.
Another fact everyone agrees on is the common interest held by investors, founders, and practitioners: Investments eventually lead to good solutions. Technologies being funded range from methods to rid the world of passwords to machine learning that predicts where the next threats will occur. Everyone benefits if these investments succeed because the risks of attack are increasing on a daily basis.
The ongoing conflict in Ukraine, for example, introduces nation-state offensive cyber campaigns directed at business and civilian groups around the world — perhaps to target enemies, perhaps to just create chaos. New commercial security products and services will be necessary to mitigate this potentially hazardous and growing risk.
My team has met with over 2,000 cybersecurity startups during the past few years, many of which are supported by venture capital. In the course of our work, we've come to recognize three primary factors that seem to correlate with commercial success in the cybersecurity marketplace. When I share my observations with venture capital teams, however, they often do not match up well with the typical investment evaluation formula. Most venture capital teams tend to obsess on factors such as aggregate market size for a given company, the problem being solved, the types of competitors that exist, and so on. While these are important issues, I do not think they are the primary drivers of success.
Accordingly, below is a summary of the three factors that my team and I use in our work to advise security practitioners on which startups are worth considering for long-term partnership.
Factor 1: Belief System
When we ask a founding team what they believe and why they started their business, their answer is often wrapped in some muddled description of what they do. This vacuous and circular reasoning of starting a company "to stop threat X because the world needs to stop threat X" is insufficient to connect with customers at a visceral level.
In contrast, consider the belief system of retired Army general Keith Alexander, co-founder of IronNet Cybersecurity, which recently completed a successful SPAC. If you ask founders such as Gen. Alexander why they started the company, they will point to their lifelong commitment to protecting their country, whether in uniform, on the physical battlefield, or across virtual networks.
Such personal belief systems connect with buyers. In fact, a useful exercise for founders is to explain why they started their company without ever mentioning their product. It is a delightfully painful experience because it exposes the real purpose behind their company. Good luck to the startup that can only cite making money as its reason for being.
Factor 2: Attention to Design
When we ask a startup to describe their company, we usually see one of two approaches. On the one hand, a team will lead us into PowerPoint hell with chart after chart of buzzwords, disjointed clip art, and meaningless quotes. The platform diagrams in these presentations are usually haphazardly cut-and-pasted from the engineers, as if the technology is some afterthought.
On the other hand, we sometimes find a startup that understands the value of design. In such cases, we see a carefully crafted story, developed from top to bottom with the combined inputs of the platform developers, marketing team, and leadership group. When done right, the only word that comes to mind is elegance. And it is not just the elegance of the technology but also of the overall story.
Take SentinelOne, for example. When we first met this now-public company, we were struck by their attention to detail in explaining their behavioral analytics. This technique involves establishing which behaviors are considered normal and then sounding an alarm when something looks unusual. It was obvious to us that considerable time and effort had gone into developing their crisp messaging.
And just like quality, design elegance in any solution (think Apple) is hard to define — but you certainly know it when you see it.
Factor 3: Domain Knowledge
Finally, we always ask founders to share their experience in the domain their new company addresses. The worst responses come from serial entrepreneurs hopping aboard the security bandwagon from some unrelated area. Cybersecurity is a complex arena, and poor domain knowledge will eventually catch up with inexperienced founding teams.
The best responses come from startup leaders who have committed their lives to their chosen discipline. A favorite question we like to ask is whether a founder would continue doing what they are doing for free. Only a select group of founders can honestly answer yes to this question — and these are the ones to bet on.
Consider Sanjay Beri, founder of Netskope; Nir Zuk, founder of Palo Alto Networks; and Ken Xie, founder of Fortinet. Each of these successful entrepreneurs would certainly continue doing exactly what they do now, even if they never earned another penny. Buyers connect with this type of domain passion, and investors should take this essential factor into full account.