Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’ve been traveling, so I have a backlog of writing to get through. So, here’s a repost, which I found relevant given this article about Cyberstarts, a VC firm that has heavily “relied” on its CISO network. I would recommend reading the whole article; I found it well-written and well-researched. I also found the response to be interesting.
I do think it’s valuable to have a CISO perspective on problem-solving for security startups, and I do think more companies in general need a cybersecurity perspective on their boards. However, CISOs aren’t involved in the day-to-day, and good security organizations tend to have autonomous organizations that should make more bottom-up decisions, especially as security is becoming more engineering-focused. As a security community, we should agree on some standards for how a CISO engages a company.
Either way, in terms of valuing a company, it should be up to the VC and/or acquiring company to do their homework. Of course, this makes it harder, but that’s part of the job. Similarly, in order for a company to scale, they need to make sure they are actually solving a real need. Honestly, I think companies are better off talking to those who are running the specific functions themselves rather than the CISO as they have better perspective on what the real problems are.
This week, I’m discussing a trend I’ve seen increase recently: CISOs and security leaders personally investing in security startups. Specifically, I’m talking about security leaders investing money in exchange for equity in the company. There are different versions of this. Some do it through syndicates, some do it personally through angel investing, and some do it through a fund on the side. Not surprisingly, security is again late to a tech trend. Specifically, this was inspired by technology leaders who have regularly angel-invested in tech startups. Further fueling this is the general increase in cybersecurity VC investing. As a result, VCs are contacting security leaders for their perspectives and expertise as part of the investment and diligence process. This has naturally triggered the question: if VCs are asking for expertise, why don’t we, as security leaders, invest ourselves?
In my opinion, this isn’t a great question to ask. In short, security leaders aren’t professional investors, and this is actually detrimental to startups that take their money. There’s more to investing in a startup than investing money into it. Rarely can an investor just invest in a startup without doing any additional follow-up work.
For context, before leading security at startups, I was a VC investor for 3.5 years and ran a cybersecurity incubator for 4 years during my PhD. I can tell you that investing in a successful startup is more than just giving it money.
Security leaders need to focus
To say the least, investing in security startups is distracting. In order to be successful, you need to constantly be sourcing good startups to evaluate. After meeting with the company, you need to think about the product and team and justify your investment. Of course, this is easier if you’re angel investing by yourself, but it becomes more complicated in syndicates and funds as there are more requirements around investment justifications. It’s no surprise that people do this as a full-time job with a large staff; doing it on the side is that much harder.
Given the changing threat landscape and increasing expectations of the job, cybersecurity leaders probably have their hands full with their day jobs. As a result, investing sends a mixed message to the company and their direct reports. Not to mention that investing is a different skillset from operating as a security leader.
Investing in startups creates a complicated message
One reason/argument for investing in startups is that these security leaders want to support new products that solve the problems that they actually face. Recently, the security market has been flooded with tools, and many of them don’t actually solve the problems that security leaders face.
However, this rationale is problematic for several reasons. First, investing as one person or a small group doesn’t necessarily mean that these are the problems that other security leaders will also face. Second, investing doesn’t necessarily mean that the product will be successful. Successful startups are more than just successful products. Next, this assumes that many cybersecurity problems can be solved with tools alone. For example, keeping up with threats in a fast-changing development environment will likely require a security team to have more software engineering skills. Tools likely can’t solve that problem. Similarly, tools are meant to be a means to solve a problem and rarely are the solution itself.
Another area of complication is around the security leader’s own consumption of a startup product he/she invested in. The goal of investing in a product is to show a sign of confidence that the product has a market. However, it creates a complicated situation for the security leader’s team and the startup. Will a security leader’s team be pressured to buy this tool? What if the current tool is actually better because it is more mature than the startup tool? What signal does it send to VCs and others when the security leader doesn’t buy the tool but instead buys a competing tool or continues to use the current tool? It might not directly create a conflict of interest, but it creates some signaling issues and conflict. A security leader should buy a tool that is best for the company, but what does that signal to the invested startup when it’s not chosen?
Another argument is that it might create competition with their current tool, and it provides alternatives for the team to explore. However, should team members feel obligated to spend time on a product whose success ultimately benefits the security leader and not even the company? Although it’s ok for a consumer to invest in a product he/she might use, cybersecurity startups are different because the security leader is tasked with buying the product that would be in the best interest of the company, not just himself/herself. The problem arises because there’s a conflict between the security leader’s personal interest (investment in the startup) and the security leader’s company’s interest (mitigation of the company’s security risks). If these two interests align, that’s great, but it’s not clear if they always or even often do.
It seems like there are many unanswered questions here that we, as a security community, need to address.
An alternate method to support the startup
To be clear, this newsletter is focused on discussing why security leaders shouldn’t be investing in cybersecurity startups. However, they can advise the startup, although there might be some conflict if the startup gives them equity. They can also suggest to VCs which areas they should invest in.
I believe the best path forward is for the security leader to buy the product and pay the list price! If there’s a product they really believe in, they should ensure that it survives by paying a fair price and not asking for too many discounts. This shows positive signaling for the startup and also gives them revenue at the same time. In addition, they can refer it to others in their network and provide free marketing.
The survival and success of a startup are dependent on its customers and revenue. By buying the product, the security leader is showing the ultimate support.
Takeaway
I believe the current trend of security leaders investing in startups is problematic and creates more conflict than it’s worth. The security community has seen a huge uptick in security products, and I understand security leaders’ frustration seeing products that don’t actually benefit them or seem relevant. However, investing in cybersecurity startups doesn’t seem to be the answer. We might need to look toward DevOps tools to see how we can better support useful tools and products.