The cyber security products market seems to be a never-ending stream of companies emerging on the scene to solve an unsolved problem, remedy an issue from a unique angle, or define an untapped market segment. Every year we see clusters of companies launch in a new category. In recent years it’s been endpoint detection and response (EDR), cloud access security brokers (CASB), zero trust, deception technology, security orchestration, automation and response (SOAR), and the list goes on the farther back in time you go. Some of these products and companies hit it big, growing over the years into a household name, and some get gobbled up through acquisition by a well-known enterprise. And while the technologies and problems they address vary from one company to another, they all have one thing in common: they begin as a startup.
There is no one formula for founding, building, and running a cyber security company, but many startups seek venture capital (VC) investment to get off the ground floor. From financial investment to advice on messaging and positioning, a VC firm can be a treasure trove of information for eager founders. .406 Ventures is an early stage technology investment firm that has helped many recognized security brands rise from their humble beginnings. With deep expertise as business owners, operators, board members, managers, and (of course) investors, the team has a honed perspective on what makes startups successful.
Recently I spoke with Greg Dracon, .406 Partner and cyber security practice lead, and Rob McCall, Associate and cyber security practice member, about the security startup market and how companies seeking investment—and a growth strategy partner—can best position themselves.
There are thousands of cyber security vendors, and not only startups look for investment, strategic advice, or go-to-market support. How does .406 sort the wheat from the chaff? Most investments (upwards of 70% in .406’s case) start with the team's personal and professional networks, explained McCall. Tapping into friends, colleagues, industry advisors and board members, prominent CISOs, and end users allows them to find companies solving identified market problems at the ground level. That’s not to say an unknown commodity cannot earn the attention of a VC, but having a warm lead or soft intro from a trusted source helps companies break through the noise and may give the VC an extra bit of confidence in a founder. In short, never underestimate the necessity of a strong network.
With so many companies developing cyber security products, it can be hard to surface the crystals that will become diamonds over time given the right market conditions, even if they come with a strong recommendation. “This is the hardest part of our job,” said Dracon. “Security used to be based 100% on the technology—is it more effective than existing solutions? How does it work?—but today, cyber security is more mainstream and needs to solve business problems alongside technology problems. When evaluating companies for investment, we need to see that the founders not only understand security, but that they have a good understanding of how to build a successful business and that they’re just as focused on sales and marketing as they are building a product or platform.”
The platform is also a key component; Dracon said that while point products can fill a gap and grow into an extensible solution, as investors and partners, .406 wants to work with founders that see the bigger picture: how a company and its platform can be extended over time, build additional value for customers, and is sustainable as market needs change (which they will).
A promising product idea and mutual network connection may secure an initial meeting, but no VC is going to award millions of dollars to an entrepreneur simply because someone spoke well of them. "To consider an investment,” said McCall, “we need to see a combination of good technology and a founder with vision. Is this person a former operator that lived the problem day-to-day and now wants to build a solution? Do they understand the market holistically, from real and perceived competitors to market opportunity? Are they capable, adaptable, and receptive to change based on external factors? Are they willing to take advice and constructive feedback? Can they inspire and lead a team?”
Dracon built on this last point and added that the willingness to work with a team is key: “Successful entrepreneurs come from all different backgrounds. Management teams that work well together, have similar principles, have mutual respect and trust, and have good leadership capabilities are more likely to see success. Acknowledging one’s own weaknesses and seeking to hire those with complementary skill sets is very important to us as a CEO characteristic.”
Other important, albeit less tangible, characteristics .406 looks for in a startup is a founding team with passion, integrity, and a commitment to sticking it out through tough or unpredictable times. The road to success will rarely be easy, and founders who approach building a company realistically but with wholehearted dedication are more likely to turn their idea into something big and sustainable.
But there is a catch: Both Dracon and McCall said that .406 is not looking for “quick flips.” Though cyber security is a highly opportunistic market and founders hope to make millions off an acquisition, acquisition shouldn’t be the primary reason or overly analyzed when building a company, at least not for founders who want to work with .406. Dracon and McCall told me that the firm has a saying that goes something like: “Build the company as if you’ll own it forever or you will.” If you build something valuable and sustainable, opportunities to monetize will inevitably surface. True enough, there are easier and faster ways to make money than developing a cyber security tool to sell in an overcrowded market.
When I asked Dracon and McCall for their “top tips for pitching a VC,” they originally alluded to three pieces of advice. Those three bullets turned into six, and given their experience and fact that they listen to nearly two thousand (!!) pitches every year, they could probably come up with more. But here are the top 6 things to keep in mind if you’re thinking of approaching a VC:
Most cyber security startups and many established players seek outside investment. Approaching and pitching a VC firm should be treated as seriously as which features and functionalities you will include in your product(s). You’ll need a solid foundation and a lot of business savvy to earn investment from a top-tier VC, so do your homework! And look for a firm that will be more than just a financial backer that can get you name recognition.
If you’re thinking about pursuing an investment, you can learn more about the process in this video featuring Maria Cirino, .406 Ventures’ Co-founder and Managing Partner, or connect directly with the team.