Investment in cyber security startups is increasing, but what will make a company the next big success story?
We’ve all heard cybersecurity is a hot sector with worldwide information security spending reaching $76.9 billion in 2015 according to Gartner. With the continued increase in frequency and severity of breaches, security spending is expected to reach $170 billion by 2020.Venture Capital money is therefore steadily pouring into cybersecurity start-ups ($93m in 2015, up from $8m in 2011, for UK based companies alone), and the number of cybersecurity start-ups is rapidly increasing. With that in mind, highlighted below are four of the common traits and strategies that are particularly relevant in the world of cybersecurity.
Cybersecurity casts a wide net and includes everything from authentication to access control. For founders, understanding where your product fits into the overall security ‘stack’ is critical when explaining the value-add to customers and investors. Cybersecurity is a very fragmented market with many players and often an enterprise will use over a hundred different niche solutions to secure their organisation. It’s also important to articulate why your product is different. Differentiation can be achieved through verticals, features, usability, channels, pricing or sales methodology for example.
Entrepreneurs must articulate their value proposition and differentiators: know where they are on the stack, where they bring value and how the product integrates into the customer’s workflow.
Security is often classified in the ‘deep tech’ category and many start-ups use complex techniques including machine learning/AI or the blockchain. However, the problems they address are, in fact, relatively simple (for example, giving people the appropriate access permissions). When this technical expertise is fused with deep domain or sector knowledge, it can be a powerful combination.
Like most start-ups, ideas often come from a problem statement. Experience often plays an important part in cybersecurity and we tend to find a disproportionate amount of cybersecurity founders who have deep domain expertise acquired in government, industry (e.g. defence, financial institutions) or through a vast amount of personal research.
Unsurprisingly, larger enterprises have the highest demand (in terms of price) for security products. This is because there are higher rewards to be found either financially, through the theft of IP, or for a hacktivist to cause disruption. Within the enterprise, cybersecurity falls within the ‘risk management’ paradigm.The typical approach to sales thus far has been similar to selling insurance. But a reliance on fear makes it difficult to establish a lasting and trusting relationship. For this reason, market validation tends to come either through experience and/or extensive interaction with customers.
Most start-ups that have the validation piece right have relentlessly worked with CISOs/CIOs and security teams to get feedback on their products, or indeed have been a spin out of a real problem that existed in their previous roles.Enterprise customers prefer to have comprehensive ‘IBM-like’ solutions, which can be integrated within their existing systems and are built by proven experts. This makes it all the more challenging for a start-up to establish credibility.
To overcome this, successful strategies start-ups have used include securing smaller reference customers, such as challenger banks. Getting into a reputable accelerator which already has existing relationships with potential clients will also help give an additional boost.
As articulated in this Techcrunch article, time to exit for most cybersecurity ‘unicorns’ are much longer. OpenDNS’s acquisition took 10 years; Lancope’s took 14. Even the relatively ‘quick’ IPOs of FireEye and Palo Alto Networks took over seven years. This takes a certain level of tenacity, resilience and flexibility from the founders. It may be necessary to switch into consulting mode in downturns and see through volatile economic/ funding cycles.Not only is the time to market longer, but the minimum viable product (MVP) cycles are notably longer for the obvious reason that no one wants a half-baked security product. The ‘Lean Startup’ methodology simply doesn’t stand up as well in the security industry.
In short, founders need to prepare for, and accept that, it takes longer to achieve MVP, longer to raise funding, longer to sell to enterprise and a longer time to exit. This isn’t to say M&A opportunities don’t present themselves along the way, or that entrepreneurs will not take said options, but founders must be prepared to (at least psychologically) go all the way.The cybersecurity start-up ecosystem has its own set of unique and complex challenges, though these are becoming more and more manageable as resources for early cyber start-ups emerge in Europe. These include early stage funds focussing on cybersecurity and accelerator programmes helping grow the ecosystem.
As the ecosystem matures, successful start-ups, funds and accelerators - as well as the corporate and financial community - will play an important role in supporting new entrepreneurs and start-ups.The UK government has also played a proactive role with the announcement of a £1.9bn fund to invest in cybersecurity and set up 13 Academic Centres of cybersecurity excellence, along with addressing the skills gap with new and innovative training programmes designed to equip the future generations of cyber warriors.