The Argument For More Cybersecurity Startups

2024/11/14
Defense in Depth

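People
Allen Albertson
No specific information available on Allen Albertson.
Alumina
Leads Adlumin in bringing enterprise-grade security solutions to mid-market organizations, and completed a $70 million Series B funding round.
Carl Lane
Ross Haleliuk
An industry leader and author focused on building and investing in cybersecurity startups.
Said Trabelsi
No information available.
Spencer
Not enough information to build a detailed profile.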
Topics
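Ross Haleliuk argues that cybersecurity startups, because of the nature of the industry, find it easy to win early customers and stay alive but hard to scale quickly. Said Trabelsi argues that there are not that many startups and supports the best-practice approach of using the best tool against each specific threat. Spencer argues that the cybersecurity field is overcomplicated, which leads organizations to spend unnecessarily on extra tools. Carl Lane argues that the cybersecurity solution landscape is confusing and that only venture capital firms benefit from it. Allen Albertson points out that most cybersecurity startups lack go-to-market capability and do not build the right sales teams. Alumina argues that cybersecurity startups lack go-to-market capability and rely too heavily on proofs of concept.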

Chapters
The discussion begins with the unique challenges faced by cybersecurity startups, questioning why traditional startup rules don't apply in this sector and why unicorns are rare.
  • Cybersecurity startups often succeed by gaining a few initial customers and maintaining that level, making rapid scaling difficult.
  • The high importance of trust and trust-based relationships in cybersecurity makes it easier for startups to secure initial customers but harder to scale.

Transcript

What is success in failure for a cybersecurity startup? And why are some of these companies not a great fit for the typical VC model?

You're listening to Defense in Depth.

Welcome to Defense in Depth. My name is David Spark. I'm the producer of the CISO Series, and I have a special treat for you all, a special sponger. Guess none other than Ross Haleliuk, who is the author of Venture in Security. If you're in cybersecurity, you have been reading Ross's stuff. Ross, say hello to the audience.

Hi, hi Dave. Hi to all the listeners. Happy to be here.

We are thrilled you're here. We're going to be talking about something that you wrote. Before we do that, I do want to mention our spectacular sponsor, and that would be Nudge Security, SaaS security for modern work.

If you have SaaS applications in your environment, and my guess is everyone listening has SaaS applications in their environment, you're going to want to listen to what we have to say later in the show. But first let's talk about our topic at hand, Ross. And that is something you wrote. Here's my question.

Why is the cybersecurity startup market so singular? Ross, you said that a failure of a cybersecurity startup often looks like success from the outside, with most better off selling early. Now, so why don't the typical startup rules apply in cybersecurity? And why are more traditional unicorns in cybersecurity so rare? What do you think? And I know this is a big answer, but we are looking for a quick answer from you on this one.

Yeah, that is a good question. So first of all, I don't think that the standard rules do not apply. I think they do apply very well. What is different about cybersecurity is the fact that because of the high importance of trust and trust-based relationships, it's easier for startups to get these initial several customers and sort of stay at that level, while they have enough revenue coming in so that they can continue existing but not enough for them to grow rapidly and scale.

That's a really, really good point. And that does make them unique to others because of sort of how the environment operates. And again, I can't speak for other industries, but I do understand this industry very well, as does our guest here today, who we both know very well. And you do a podcast with this person, and I met him over at Black Hat. And who better to talk about this discussion than someone who is a VC themselves? So we have the partner over at Foundation Capital, none other than Sid Trabelsi. Sid, thank you so much for joining us.

Thank you for having me, David, and great to see you as well, Ross.

What is everyone complaining about?

Spencer my gilot of Health Equity said, when I look at the amount of cybersecurity startups, my first thought is we have this many because we have so many organizations that are not able to deliver their own purchased security stack internally, don't know its capability and subsequently go out and seek extra luggage they likely don't need. Let's be honest, we are way overcomplicated in cybersecurity right now.

It's really not that hard to secure and harden correctly up front. I know many people who would argue with someone on that one, but let's pivot to this comment. Carl Lane of I D say, quote: many times I feel like these VCs are the only market participants that are getting value from how confusing the solution landscape has become. It certainly isn't the security leaders, and in most cases, it's not the vendors, as they struggle mightily to differentiate themselves. Startups focusing on systems that help security leaders make quick, risk-mitigated purchasing decisions could be an important new frontier in the industry. So these are really sort of ambitious opinions here. Ross, what's your take on what Spencer says? He says, hey, we're overcomplicating it, and I would love that to be true, but I fear it's not. And Carl's comment of, well, only the VCs are making money here.

So the way I think about it is that there aren't really that many cybersecurity startups. And I know most of the people in the industry will disagree. But think about it this way.

There are about, what, four to six thousand companies. Is that a lot? I think it is.

But, and for somebody who has worked in the industry for a long time, it is certainly much more than they had twenty years ago. It is true. But what else has changed in the past twenty years?

There was no public cloud twenty years ago, like, Amazon launched AWS in like two thousand and four, two thousand and five. There was no iPhone, like, it was launched in two thousand and seven.

There was no widespread adoption of IoT. Social media had only just started, like, Facebook started in two thousand and four. So the world has changed.

And with that, so did the number of companies in any industry. You look at financial technology, like over thirty thousand companies. You look at marketing technology like the same, like thirty, forty to fifty thousand.

You look at HR tools. My point is this: if cybersecurity is indeed everybody's problem, then having four to five thousand startups is probably not as many.

In fact, I would argue that we do need cybersecurity companies. We need more cybersecurity companies. First of all, we need to have a way to innovate as fast as the adversaries do, right? They continue to invest their effort into developing technical capabilities.

We need to do that too, on the defense. How do we do it? Through security startups. We need a way to educate the market about the new problem spaces, about the best practices. Like, for example, MFA only became a best practice because there are so many great companies, because companies like Duo would go out and would educate the market, would educate security leaders, and would make it incredibly easy to implement.

There are also many other reasons for startups to exist. One of them is that they're laying the foundation for others to succeed in this space. There are not that many startups. That's my point.

That's a good argument right there. All right, Sid, I throw this to you. I like this argument, and by the way, we've seen numbers all over the mark.

You said like between four to six thousand; I think there's some between thirty-five hundred and forty-five hundred. Regardless, and this is because I talked to a couple of analyst firms regarding this that have actually been counting, I don't think that number really means anything. It's really the solutions that are being provided. I mean, that's really the market you're looking at, right, Sid?

That's correct. And I think the advantage here, and where I disagree with Spencer and Carl, is the advantage of having these solutions is so that we can go after the threat actors. And we have some significant threat actors that we're dealing with. And Ross can point out some of the ways that those threat actors have become more and more advanced in their approaches.

We have to stay just as accessible and, you know, dealing with those approaches and try to find ways to defend against them. The second point that I'd probably add to all of the great points that Ross mentioned: I think there's a big debate in the security community about platform versus best of breed. And I think part of that is being highlighted in these two comments from Spencer and Carl.

And look, I am squarely on the point that best of breed is the right approach in cybersecurity. And there are three reasons why. The first reason is that at the end of the day, the CISO is a very technical buyer group and they usually have multiple other people under them, so they actually have the ability to go and use the whole multitude of tools to go after different pieces of the problem and have the best tool for every specific piece of the problem.

The second point that I'd highlight is these threat actors are very, very unique. They're particularly smart in how they go after environments. And as a result, you actually do need the best tool that's available.

And the third point I'd highlight is that there's actually dollars at work, in that if a threat actor gains access to underlying data and is able to exfiltrate that data, there's a real loss. There's a loss of somebody's privacy. But at the end of the day, there's at some point a loss of actual monetary value. And when those situations are happening, you don't want to compromise. You are in the business of trying to buy the best tool that has the best bells and whistles that are available so that you can go and protect against these nefarious state actors.

Why are they behaving this way?

Allen Albertson, who's working at a stealth startup himself, said, quote: most cybersecurity startups lack the go-to-market talent at the top, but more importantly, they do not hire the proper sales teams to execute. Most believe the product will sell itself. That's only one key part of the overall ingredients it takes to go public or to be attractive to get a positive exit.

I know both of you have strong opinions on this; I'll get to you in a second. But let me read a really a west comment from Alumina, who said the lack of go-to-market is one of the reasons they relied so much on POCs. Selling features rather than business value is a common thing among the so-called unique. Unfortunately, it doesn't cut it anymore.

Perhaps they never did, but now it's plain to see. So both of them complained, hey, maybe they are creating great products, but they don't know how to sell to the market. What do you think, Sid? I am throwing a very broad brush here; some are good, some are bad. But in general, how do you see the cyber players playing?

I think both of them have unique points of view. I think Allen's point is that security startups, and maybe I'll be very specific in saying security founders, typically lack the go-to-market talent at the top and don't recognize how important go-to-market talent is. Sometimes they do, as Allen points out, think more about the product, and the fact that the product is so unique will in itself kind of sell it to CISOs. And they don't realize that there's a whole process to actually getting a product to ultimately be a purchasable solution.

I think the most important thing that I'd like to highlight, at least with the founders I work with that are more technically oriented, is recognizing that sales and marketing is its own sub-vertical within a company, and you want to get high-quality talent to go in and build out those two functions. My recommendation for founders who are listening to this is really around empathizing with the other person: empathizing and understanding why sales talent exists, why marketing talent exists, what the CISO is really looking for from those individuals. And then recognizing that there are cross-functional roles like sales engineer, which is a role that sits between engineering and sales and is able to actually explain the product to a customer segment.

All right, Ross. You have written about this a lot. What are the common problems you're seeing with startups and go-to-market?

I think fundamentally, the number one problem is the fact that it is incredibly hard to evaluate cybersecurity tools. Well, a lot of the cybersecurity innovation is deeply technical, and the value of those tools is incredibly hard to analyze. Because the value of the tools is hard to analyze, it is also incredibly hard to communicate. So what we are seeing in the market is the struggle to communicate the value of the cybersecurity innovation to the technical buyers. And then on the technical buy side it is the struggle to understand how is one tool better than the other.

Like, if you are looking at two EDR vendors, how can you objectively analyze the efficacy of these tools? The reality is you cannot. Yes, you could potentially do your very, very best, try to emulate all the possible attacks, see how each of the tools responds, and hope that tomorrow they're going to respond in the same way and they're going to continue keeping you safe. But then fundamentally, you are still making a bet that this vendor is good. And it doesn't matter how you think about it, there is no way for you to objectively, once and for all, say that this tool offers better coverage than the other tool. And because such objective comparison is not possible, companies resort to marketing buzz and having to generate that buzz in all other ways. And that is what I think is causing this, what some CISOs describe as a mess in the industry.

Well, forget about reviewing it. Like, there are many CISOs who buy the product, have it in their environment, and they still don't know if it's working at the level that they paid for. Sid, you're nodding your head.

One hundred percent, that happens. And sometimes they don't even deploy the product. Forget about knowing whether it works. They haven't even deployed it.

That I can tell you, that definitely will work.

And I've seen those situations.

How often is that? I mean, they pay for it, they don't deploy it. Because I know I've seen this happening in other industries. But like, how often have you seen this happen?

I can tell you on the board meeting side, because I sit in a bunch of board meetings: the larger companies, when I'm talking about Fortune five hundreds, my hunch is ten to fifteen percent of the products they buy, they don't even deploy.

Really, ten to fifty? So literally throwing...

In honesty, it might even be more.

What do you think, Ross?

I think what makes the problem even worse is the fact that even if you do do your very best and if you deploy the solution at the moment when you buy it, the tools evolve and the coverage the vendor offers also evolves. So the only way you can stay up to date with the security coverage that the specific product offers is if you continue going back every several weeks or every several months or however long that is and making sure that everything is still being configured the right way, you're still utilizing the best coverage the vendor can offer. But that doesn't happen too often.

Before I go any further, I do want to tell you about our absolutely spectacular sponsor, and that's Nudge Security. Let me ask you a question. How big is your SaaS attack surface? You probably don't know the answer unless you've been using a great solution like Nudge Security.

You can find out with Nudge Security. Their patented approach to SaaS discovery finds all SaaS accounts ever created by anyone in your organization, including GenAI apps, on day one of your free trial. You don't need any prior knowledge of an app's existence, and no agents, plugins or network proxies are required. For each SaaS app discovered, you'll see a list of all the users, the MFA coverage, SSO enrollment status, breach history and more. You'll also have a full inventory of all app-to-app OAuth connections, scopes and risk res, with the ability to revoke risky grants with just two clicks.

Nudge Security also includes playbooks to automate tedious, time-consuming tasks like user access reviews, employee offboarding and more. You can actually take control of your SaaS security posture with Nudge Security. Why don't you take advantage of this?

Start a free fourteen-day trial over at nudgesecurity dot com slash CISO series. That's important: include the slash CISO series when you go there. N-U-D-G-E, Nudge Security, nudgesecurity dot com slash CISO series. Check them out.

Who's losing out there?

So John G. Shendy of cognition and code: we typically see several cybersecurity startups solving the same problem operate in parallel and generate enough revenue to survive. Now, why others may fail, one reason is a lack of understanding from investors.

I cannot tell you the number of investors who say, I don't know what your product is about, so I'm going to stick with what I know. In my opinion, this mindset is why the me-too and different companies offering a variation of the same, quote, solution fund it. And by the way, we've seen this many times: one company takes off and then everybody wants to buy more of that kind of company in that issue.

We've seen that many times. Jarrard Blue of Direct Defense said, if IPO was your only plan, trouble is on the horizon. And we are unfortunately starting to see the cracks in the foundation because of it.

Unfortunately, we are going to see a ton of collateral damage, workforce firings because of poor planning, irresponsible spending and bloated valuations. Bloated valuations, we see a lot. Sid, I'm going to start with this last comment here by Jarrard about bloated valuations. Do you think the valuations are bloated? I know you would love them to be nice and high, but let's get the truth out of you. Do you think they are bloated?

I'd actually have preferred that they're low, because at the end of the day, I am trying these companies and I'd prefer them to be ...

no time to watch you know you to be loved, don't you?

No, we don't. I mean, at least at Foundation, that's not our goal. We want to build long-term sustainable businesses. And if you have companies that are well overvalued, that makes it very, very hard to build a long-term sustainable business. You know, when you have a down round happen and employees are impacted with their equity shares.

All right, so, walk me through the details. Some company has a valuation of X million or billion, who knows. The whole market thinks it's bloated, but they're promoting it.

They put up press releases for this. What is the negative impact of that? Walk me through that.

There are kind of three things that make it hard. One, when you have bloated valuations, you also have to hit specific revenue targets. So you're sitting in board meetings, and I've sat in many board meetings where valuations were much higher than they should be in rep, obviously went through that in twenty-one and twenty-two, and you're having to tell the founders that you have to hit X revenue threshold or Y revenue threshold.

And that's very stressful for everybody, not just the founders or executive members. The second issue ends up being that most new employees, when they're being hired, they look at the 409As and they look at the value of the company and they're like, this is going to get turned around. It's going to down round and my equity shares will not be worth what they are worth.

That makes it very hard to convince somebody to join the company. Then the third thing is that, let's say, you do figure everything out and you start to grow, but you are not growing at the pace that you are expecting, that first point that I highlighted. You may actually have a very good business that's well overvalued, but it still has to go through some type of down round. And that's very, very uncomfortable for all parties when there's a downturn that happens. Customers realize it, partners realize it, investors realize it and, of course, employees realize it.

Very wise explanation, thank you, Sid. All right, now I want to talk to you, Ross, about what John Shendy says here, which is this sort of me-too behavior of products. One kicks it and always there's a ton more. Now there is the thinking of, well, I only need two, three, four, five percent of the market to have an extremely successful business, why not chip away at that? Like, is that a legitimate way of thinking of building the sort of the next startup?

I will probably go in a completely different direction trying to answer this question. And I will ask you, how many social media apps do you use? I use quite a few.

I have Signal. I have WhatsApp. I have LinkedIn. I have, well, I don't have Facebook Messenger, but I used to have Facebook Messenger.

So there are, like, Slack; it's a lot. Do all of them need to exist? Like, some might argue that, well, we just need like one social media app, and that's it.

But that's not really how the market works, right? The nuances and the differentiation is important. So let's now apply the same idea to cybersecurity.

When you look at the same category, you typically see companies that from the outside look very similar or almost the same. The thing is, are they truly the same? Often it's those differences in approaches that turn over time into different products, different directions the company can take, and so on and so forth.

The challenge is that companies are not great at communicating their differences. And that, I think, goes back to the previous question we have discussed: it's the communication of value, it's the go-to-market strategy, it's the positioning that seems to be suffering. But at the same time, I do believe that having five or six products of the same category is incredibly important, because it is competition that forces innovation, it's competition that forces new approaches to develop, it's competition that forces companies to lower their prices and to improve the quality of the products they're offering. In the market in which only one vendor is tackling one problem, the end death is high as we end up with when they are looking, and that is bad quality, and we don't want to do it in cybersecurity.

No one said it could be easy.

Jerome tech of evidence said, quote, cybersecurity is a very clustered space with many good products, many mediocre products, and most often the customer requires good configuration and hygiene key, not a stack of eclectic solutions. This is an argument against best of breed, Sid.

I'm going to throw it to you on that. But most of these companies will not survive. Richard Rushing, who's a CISO over at Motorola Mobility, said, quote, it is always harder than it looks. Given these macroeconomic headwinds in the industry, this will not be for the faint of heart. Also, I do come from the world where I used to get asked,

is that company still in business? Do not write off companies that are struggling; understand how they will make it through these issues and watch closely. We all know the warning signs of trouble. So first, one of the comments that I've heard, by the way, Sid, and this one just started about a year and a half ago from a few CISOs: I look at platform plays solely because I can't train my staff on twenty different products. That I have started to hear.

Then the other thing is a big argument as well. You know, the platform they have, the integration, a lot of people, well, doesn't really happen that well. That I've heard also as well now.

But going to Richard Rushing's comment, I really support this line of, hey guys, running a startup is tough. It's really, really tough. I know you see that all the time, Sid.

Yes. It is incredibly difficult, David. I think that is the hardest experience you can have in your career, being a founder. It, just, every day is a roller coaster, and there's fires everywhere, and you are trying to blow out those fires.

And every time you think something's working, something else stops working. And the number of times I've had to, you know, have those conversations with founders, I don't think there's a day that goes by that those conversations don't happen.

Well, and also, I have to feel, and I feel this myself in my own business, there is something I know I want to do. I know this would be successful, but I am dealing with so much today that I can't even put my hand on that. And I'm sure your founders have that problem all the time too.

Yes, all the time. And the most important point for many of these founders, that I have to push them to think about, is this: get to the fifty-thousand-foot level, make sure that you have some opportunities to step out of the nitty-gritty, the day-to-day problems, and try to understand where you're taking this company. Six months from now, a year from now, five years from now, where are we going, where's the ship headed, not just what's happening today, tomorrow, next week.

That's a very, very good point. And it is hard to get unmired in the day-to-day. You know, there's no question everyone can fill up the hill hours a day of doing whatever that doesn't sort of makes you look productive.

Does that not sound very much like being a security leader, right? You could be doing all kinds of different things. You could be being very busy.

You could be tackling your day-to-day fires. You could be helping people to achieve goals that may not be as important to achieve. Or you could take a few steps back and you could ask yourself, okay, what are the truly important problems to solve, and tackle those first.

Yeah, so let's get to the comments here, this first one from Jerome, and I think this line is the key: the customer requires a good configuration and not a stack of eclectic solutions. I think the relationship, the partnership relationship, which we hear from all the time, that's what they want.

They don't want to be sold product. They want a partnership. Are you seeing more startups understanding the criticality of that kind of relationship, Ross?

I am starting to see it more and more often. And I think it comes down to several factors. First of all, it comes down to the buyer behavior, and those buyers themselves are emphasizing this as important. In some companies, running a security program has been substituted for shopping.

And in those kinds of circumstances, when you see security leaders just saying, hey, I just need the tool X to cover my pokemon chart, it kind of doesn't matter how much effort it is going to take to implement the solution. But in my mind, those cases are really the past. Today, security leaders are incredibly programmatic.

And one of the things that they are looking at when they're buying or considering to buy a product is the total cost of ownership. How much effort is it going to take for me to adopt this tool? How much effort is that going to take for me to train my employees?

How much effort is it going to be to keep it up to date? And again, just buying tools and stacking them up on top of one another is not going to solve all the problems. We definitely have to simplify the architecture.

We have to try and, as much as possible, avoid the ever-growing complexity of the stack. We have to allocate enough time for the tooling to mature and not just replace it every year and a half. There are many pieces that come into play, and we are now understanding it, and we are now prioritizing the right thing. So I can only see it moving in the right direction.

Ross, Sid, you two have slammed so much knowledge for our audience. I greatly, greatly appreciate it. But now I'm going to ask you for the question of which quote was your favorite and why.

I think the best one for me was from Allen. And it's this point that most cybersecurity startups lack the go-to-market talent at the top. I find myself repeating that again and again.

And we are a community where most security startups are started by very technical founders. And those technical founders, they just don't own empathy with the fact that sales and marketing requires high-quality talent. And there's a whole process to close these deals. It's not purely just whoever has written the best code wins. And I think that's a really important point to highlight.

That is a good line. Whoever has written the most code doesn't necessarily win. All right, Ross, your favorite quote and why.

I would probably say Jerome's quote about the fact that the customer requires good configuration and hygiene, not just a stack of eclectic solutions. You see, it all comes down to user experience. I think when I look at the companies in cybersecurity that do become successful, I keep seeing one pattern repeat itself all over again.

It's the user experience, it's the ease of use. It's how easy it is to configure the solution, how easy it is to buy it, how easy it is to do a POC, how easy it is to keep it configured and maintain the currency of the product. It's those factors that are very, very far away from having the best detection capabilities.

It's those factors that win deals, and it's those factors that, in my view, more founders should be prioritizing. Historically, cybersecurity hasn't had the best UX. But again, I think we are now starting to realize the importance of it, because we have seen the companies that offer a great experience tend to get adopted more frequently, tend to get better reviews and tend to have CISOs have much better feedback and evangelize it with their peers, saying that, hey, this is a great product, you should try it.

I love that. And what a great spot to close. Thank you very much, Ross.

And I'm going to let you guys have the last word. But first, I want to thank our sponsor. That would be Nudge Security.

Remember, nudgesecurity dot com, SaaS security for modern work. Please check them out. They've been a phenomenal one to the CISO Series.

They were also the winner of our second season of the Capture the CISO competition. All right, you guys have your own show. I want to hear about that, please. If people are not reading Ross's blog, Venture in Security,

I mean, the amount that you write about and the research you do on it is phenomenal. I'm in complete and utter awe of you, Ross, with that blog. So if you're not already currently subscribed and reading, you should be following Ross on LinkedIn. By the way, we'll have a link to all of that on our site. Guys, please make a plug for your show and we'll get you some listeners over there.

Okay. So if you are interested in learning from the absolute best and some of the most successful founders globally in cybersecurity, how they built companies, how they took products to the market, how they exited at billions and billions of dollars in valuations, how they got their companies from like hundreds of millions in revenue to billions of dollars in revenue, check out Inside the Network.

It's a fantastic podcast we launched several months ago, and it's been a great success so far. If you're an aspiring founder or an early-stage founder, and you're interested in learning how to build cybersecurity companies and what to look for, check out my book, Cyber for Builders, on Amazon,

which is doing very, very well. Sid, anything to add to that?

No, just, we're really, really excited to have Inside the Network launch. You know, the goal is really to provide another way for founders to learn. And we've had some great guests who have come on. Doug Merritt, the most recent person.

He was the former CEO of Splunk and today the CEO of Aviatrix. And we've had Dmitri Alperovitch, the technical founder of CrowdStrike, talk about his journey.

Jon Gelsey was the first CEO at Auth0, talking about his journey. Ron Gula is the founder of Tenable, and Marty Roesch, who was the founder of Sourcefire. So some fantastic guests.

I love that. You know, for the non-cybersecurity, there's this show called How I Built This. And that sounds like it's kind of the same thing.

I love that model to hear, because what's amazing is nobody expects it to grow at the level that it does when they start. So it's always that thing of what was that germ, how that started, to how it exploded. And there is never any single company that went on a straight line.

There are always bends and curves, always. And that's always a fascinating part of the story. Very exciting that you guys are doing this.

We will have a link to their podcast as well on the post for this episode. So thank you very much, Sid. Thank you very much, Ross. And thank you all. We greatly appreciate your contributions and your listening to Defense in Depth.

We've reached the end of Defense in Depth. Make sure to subscribe so you don't miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site,

CISO Series dot com, where you will also see plenty of ways to participate, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at David at CISO Series dot com. Thank you for listening to Defense in Depth.