Frankly Speaking 10/6/20 - Differentiating in a crowded security market
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.
Wow… a lot happened this week with the debate, Trump’s coronavirus diagnosis, etc. It seems like months since I wrote my last post. COVID has made me realize the parts I enjoy and don’t enjoy about working from home. I worked from home regularly during my PhD, so I’ve developed some habits to remain productive. For sure, I don’t miss the commute, but I do miss having the choice of WFH. Right now, I do it every day as opposed to just days where I have to focus on getting work done. Like with everything in life, things are better in moderation.
Anyway, I would love to hear people’s discoveries on what’s best done at home vs. the office.
LET’S BE FRANK
When I tell people I did a PhD and now invest in security, they ask how I can differentiate companies in such a crowded market because honestly, most security companies sound similar, even to me.
However, despite this, I still believe this is the best time to start a cybersecurity company. Here are some reasons why:
Cybersecurity budgets are growing, unlike other IT markets. There are plenty of problems to solve, so the market doesn’t seem to be contracting anytime soon.
Lots of public interest because of high-profile breaches. Also, public cybersecurity companies are performing well during COVID.
Plenty of VC interest, so there’s lots of available funding. Honestly, if you’re an LP and one of your funds isn’t investing in security, I would be asking why and encouraging them to do it. There are a lot of potential acquirers and many good exits for cybersecurity startups recently.
Many companies ask me: There are over 4000 cybersecurity companies. How do I differentiate myself? How do I get customers to engage my product? I’ll provide some observations based on recent successful cybersecurity company exits.
The question boils down to this: how do I convince the CISO I’m solving an urgent issue?
I want to be explicit here. Messaging your company and the product properly is critical early on. More specifically, non-critical issues can become critical issues through proper messaging. So, it’s no surprise there’s a major emphasis on GTM for cybersecurity companies — getting traction in an efficient and predictable manner. Of course, not all GTM strategies are equal, and some will be more expensive than others.
In my last blog post, I discussed that CISOs prioritize compliance-related issues. What are other ways to get a CISO’s attention?
Focus on a new IT trend.
Cloud, cloud-native, and Kubernetes security have been hot as of late. There have been a lot of acquisitions and high-valuation fundings, like Snyk, Twistlock acquired by PANW, Portshift by Cisco, Octarine by VMware, RedLock by PANW, and the list goes on. The reason is that CISOs need to figure out security for these technologies fast and sometimes without notice, and consequently, legacy security vendors need these capabilities at a similar pace to stay relevant.
Solve a critical datacenter security problem for the cloud.
Some examples of this are identity, vulnerability management, and data security. This is similar to the reason above. Companies are moving to the cloud, many times without consulting security, and security needs to figure out these fundamental problems quickly.
Be a thought leader in a complicated space.
CISOs don’t have time to build a team and figure out how to tackle complicated security issues because they have too many priorities. Ask any CISO. If an issue is too complicated and isn’t a compliance issue, it is deprioritized. To combat this, a startup can become a thought leader in the space. They can provide security research and services to help companies solve their problems in a resource-efficient way. They can also hire authentic leaders who understand the problem space, which builds trust. Endpoint companies like Cylance and CrowdStrike did this earlier to help companies with incident response and, as a result, gained the trust of companies for their product.
Build an easy-to-use and cheaper product.
This is similar to the reason above. CISOs have limited bandwidth and time to solve issues. If your company can provide a product that has lower deployment and maintenance costs, it’s more attractive to a CISO because many of the legacy products require high service costs to deploy and maintain, including headcount on the security team. CISOs are only willing to put in the time if the issue is absolutely critical.
Find another persona/buyer to put pressure on the CISO.
In other words, put external pressure on the CISO and possibly find another budget source. CISOs have limited budgets and resources to spend on issues, but if someone else is willing to take on some of the load or just provide additional pressure, CISOs are more likely to provide. For example, legal sometimes puts pressure on privacy and data governance. A CTO or CIO does this for cloud technologies, and developers do for cloud-native security issues.
This is by no means a comprehensive list, but just some patterns I’ve seen. With that said, hopefully, this shows why I’m so focused on understanding cloud and cloud-native security. It is an urgent CISO issue, which means there’s high strategic value in the industry — GTM happens with lower friction.
All VCs are looking for an efficient business because it drives value. In security, an efficient business requires an efficient GTM motion, so it’s important to figure out the GTM strategy early on.
This leads to two main open questions this week:
Other than the ones above, what are other ways to create urgency around a security product?
Are there other ways to efficiently drive value in a security business?
TWEET OF THE WEEK
Talented people are sometimes quirky and overlooked….
Great writeup again, Frank.
Easy-to-use and cheaper, as you point out, are good. Important thing missing is "better".