CISOs and security leaders shouldn't invest in startups
The best investment is buying the product itself
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I was on the Our Code to Cloud podcast with Tim Chase! I discuss challenges in the cloud, focusing on enablement over enforcement, and the fast-changing threat landscape. Go check it out!
This week, I’m discussing a trend I’ve seen increase recently: CISOs and security leaders personally investing in security startups. Specifically, I’m talking about security leaders investing money in exchange for equity in the company. There are different versions of this. Some do it through syndicates, some do it personally through angel investing, and some do it through a fund on the side. Not surprisingly, security is again late to a tech trend. Specifically, this was inspired by technology leaders who have regularly angel-invested in tech startups. Further fueling this is the general increase in cybersecurity VC investing. As a result, VCs are contacting security leaders for their perspectives and expertise as part of the investment and diligence process. This has naturally triggered the question: if VCs are asking for our expertise, why don’t we, as security leaders, invest ourselves?
In my opinion, this isn’t a great question to ask. In short, security leaders aren’t professional investors, and taking their money is actually detrimental to the startups that do so. There’s more to investing in a startup than putting money into it. Rarely can an investor simply invest in a startup without doing additional follow-up work.
For context, before leading security at startups, I was a VC investor for 3.5 years and ran a cybersecurity incubator for 4 years during my PhD. I can tell you that investing in a successful startup is more than just giving it money.
Security leaders need to focus
To say the least, investing in security startups is distracting. In order to be successful, you need to constantly be sourcing good startups to evaluate. After meeting with the company, you need to think about the product and team and justify your investment. Of course, this is easier if you’re angel investing by yourself, but it becomes more complicated in syndicates and funds, as there are more requirements around investment justifications. It’s no surprise that people do this as a full-time job with a large staff; it is hard to do well as something on the side.
Given the changing threat landscape and increasing expectations of the job, cybersecurity leaders probably have their hands full with their day jobs. As a result, investing sends a mixed message to the company and to their direct reports. Not to mention that investing is a different skill set than operating as a security leader.
Investing in startups creates a complicated message
One reason/argument for investing in startups is that these security leaders want to support new products that solve the problems that they actually face. Recently, the security market has been flooded with tools, and many of them don’t actually solve the problems that security leaders face.
However, this rationale is problematic for several reasons. First, investing as one person or a small group doesn’t necessarily mean that these are the problems that other security leaders will also face. Second, investing doesn’t necessarily mean that the product will be successful. Successful startups are more than just successful products. Next, this assumes that many cybersecurity problems can be solved with tools alone. For example, keeping up with threats in a fast-changing development environment will likely require a security team to have more software engineering skills. Tools likely can’t solve that problem. Similarly, tools are meant to be a means to solve a problem and are rarely the solution itself.
Another area of complication is around the security leader’s own consumption of a startup product he/she invested in. The goal of investing in a product is to show a sign of confidence that the product has a market. However, it creates a complicated situation for the security leader’s team and the startup. Will a security leader’s team be pressured to buy this tool? What if the current tool is actually better because it is more mature than the startup tool? What signal does it send to VCs and others when the security leader doesn’t buy the tool but instead buys a competing tool or continues to use the current tool? It might not directly create a conflict of interest, but it creates some signaling issues and conflict. A security leader should buy a tool that is best for the company, but what does that signal to the invested startup when it’s not chosen?
Another argument is that it might create competition with their current tool, and it provides alternatives for the team to explore. However, should team members feel obligated to spend time on a product whose success ultimately benefits the security leader and not the company? Although it’s ok for a consumer to invest in a product he/she might use, cybersecurity startups are different because the security leader is tasked with buying the product that would be in the best interest of the company, not just himself/herself. The problem arises because there’s a conflict between the security leader’s personal interest (investment in the startup) and the security leader’s company’s interest (mitigation of the company’s security risks). If these two interests align, that’s great, but it’s not clear that they always, or even often, do.
It seems like there are many unanswered questions here that we, as a security community, need to address.
An alternate method to support the startup
To be clear, this newsletter is focused on discussing why security leaders shouldn’t be investing in cybersecurity startups. However, they can advise the startup, although there might be some conflict if the startup gives them equity. They can also suggest to VCs which areas they should invest in.
I believe the best path forward is for the security leader to buy the product and pay the list price! If there’s a product they really believe in, they should help ensure that it survives by paying a fair price and not asking for too many discounts. This is positive signaling for the startup and gives it revenue at the same time. In addition, they can refer it to others in their network and provide free marketing.
The survival and success of a startup are dependent on its customers and revenue. By buying the product, the security leader is showing the ultimate support.
Takeaway
I believe the current trend of security leaders investing in startups is problematic and creates more conflict than it’s worth. The security community has seen a huge uptick in security products, and I understand security leaders’ frustration at seeing products that don’t actually benefit them or don’t seem relevant. However, investing in cybersecurity startups doesn’t seem to be the answer. We might need to look toward DevOps tools to see how we can better support useful tools and products.
There are so many things that are wrong with this thinking that it’s hard to choose where to start, but I’ll jump in with the one point I agree on. Investors, whether angels or seasoned VCs, should not invest unless they’re ready and equipped to support the company in more ways than simply extending their networks. Beyond that, the rest of this is garbage. Let’s first tackle the easy one, the perceived conflict. There is a thing called corporate governance that addresses this. Disclose your investment and recuse from decisioning. Are we suggesting experts in marketing shouldn’t invest in martech they believe in? CIOs shouldn’t invest in enablement tech or business applications they feel will be transformative? CEOs shouldn’t… well, you get the point. Next, the point suggesting that the best way for security leaders to support technologies they believe in is to buy it at full price? You sound more like an obedient shill to the VC community, not a recovering VC. “Just pay full pop on an emerging tech!” The stage at which a company might attract an “angel” is generally a stage where design partnerships, support in product positioning, and finding right-sized companies willing (because they see potential) to incubate are needed, not a moment to pay full pop that you might not realize full value from in a year or longer. There is so much more nonsense in this piece, but I’m out of energy; this was exhausting to read.