The cyber security products market seems to be a never-ending stream of companies emerging on the scene to solve an unsolved problem, remedy an issue from a unique angle, or define an untapped market segment. Every year we see clusters of companies launch in a new category. In recent years it’s been endpoint detection and response (EDR), cloud access security brokers (CASB), zero trust, deception technology, security orchestration, automation and response (SOAR), and the list goes on the farther back in time you go. Some of these products and companies hit it big, growing over the years into a household name, and some get gobbled up through acquisition by a well-known enterprise. And while the technologies and problems they address vary from one company to another, they all have one thing in common: they begin as a startup.

There is no one formula for founding, building, and running a cyber security company, but many startups seek venture capital (VC) investment to get off the ground floor. From financial investment to advice on messaging and positioning, a VC firm can be a treasure trove of information for eager founders. .406 Ventures is an early stage technology investment firm that has helped many recognized security brands rise from their humble beginnings. With deep expertise as business owners, operators, board members, managers, and (of course) investors, the team has a honed perspective on what makes startups successful.

Recently I spoke with Greg Dracon, .406 Partner and cyber security practice lead, and Rob McCall, Associate and cyber security practice member, about the security startup market and how companies seeking investment—and a growth strategy partner—can best position themselves.

Market evaluation

There are thousands of cyber security vendors, and not only startups look for investment, strategic advice, or go-to-market support. How does .406 sort the wheat from the chaff? Most investments (upwards of 70% in .406’s case) start with the team's personal and professional networks, explained McCall. Tapping into friends, colleagues, industry advisors and board members, prominent CISOs, and end users allows them to find companies solving identified market problems at the ground level. That’s not to say an unknown commodity cannot earn the attention of a VC, but having a warm lead or soft intro from a trusted source helps companies break through the noise and may give the VC an extra bit of confidence in a founder. In short, never underestimate the necessity of a strong network.

With so many companies developing cyber security products, it can be hard to surface the crystals that will become diamonds over time given the right market conditions, even if they come with a strong recommendation. “This is the hardest part of our job,” said Dracon. “Security used to be based 100% on the technology—is it more effective than existing solutions? How does it work?—but today, cyber security is more mainstream and needs to solve business problems alongside technology problems. When evaluating companies for investment, we need to see that the founders not only understand security, but that they have a good understanding of how to build a successful business and that they’re just as focused on sales and marketing as they are building a product or platform.”

The platform is also a key component; Dracon said that while point products can fill a gap and grow into an extensible solution, as investors and partners, .406 wants to work with founders that see the bigger picture: how a company and its platform can be extended over time, build additional value for customers, and is sustainable as market needs change (which they will).

Outstanding characteristics

A promising product idea and mutual network connection may secure an initial meeting, but no VC is going to award millions of dollars to an entrepreneur simply because someone spoke well of them. "To consider an investment,” said McCall, “we need to see a combination of good technology and a founder with vision. Is this person a former operator that lived the problem day-to-day and now wants to build a solution? Do they understand the market holistically, from real and perceived competitors to market opportunity? Are they capable, adaptable, and receptive to change based on external factors? Are they willing to take advice and constructive feedback? Can they inspire and lead a team?”

Dracon built on this last point and added that the willingness to work with a team is key: “Successful entrepreneurs come from all different backgrounds. Management teams that work well together, have similar principles, have mutual respect and trust, and have good leadership capabilities are more likely to see success. Acknowledging one’s own weaknesses and seeking to hire those with complementary skill sets is very important to us as a CEO characteristic.”

Other important, albeit less tangible, characteristics .406 looks for in a startup is a founding team with passion, integrity, and a commitment to sticking it out through tough or unpredictable times. The road to success will rarely be easy, and founders who approach building a company realistically but with wholehearted dedication are more likely to turn their idea into something big and sustainable.

But there is a catch: Both Dracon and McCall said that .406 is not looking for “quick flips.” Though cyber security is a highly opportunistic market and founders hope to make millions off an acquisition, acquisition shouldn’t be the primary reason or overly analyzed when building a company, at least not for founders who want to work with .406. Dracon and McCall told me that the firm has a saying that goes something like: “Build the company as if you’ll own it forever or you will.” If you build something valuable and sustainable, opportunities to monetize will inevitably surface. True enough, there are easier and faster ways to make money than developing a cyber security tool to sell in an overcrowded market.

Throwing your pitch

When I asked Dracon and McCall for their “top tips for pitching a VC,” they originally alluded to three pieces of advice. Those three bullets turned into six, and given their experience and fact that they listen to nearly two thousand (!!) pitches every year, they could probably come up with more. But here are the top 6 things to keep in mind if you’re thinking of approaching a VC:

1. Use your network to try to find a connection to the VC firm and ask for an introduction. With thousands of companies knocking on their door, an endorsement from a mutually trusted source will help you bubble to the top.
2. Be targeted about which firms you’re approaching and do your research. Different VCs have varying interests and areas of expertise. Make sure your company fits into the VC’s strategy and get to know a little about each person you are pitching. Align backgrounds and experience and make it personal—because a startup is more than business.
3. Know your market thoroughly, including the competitive landscape, market sizing, trends, target buyers, and potential partners. Demonstrating this knowledge will show the VC that you’ve invested in the business side of your company, not just the product or technology.
4. Get your back office in order. From your financials to your sales deck to answers about operating procedures and team members, a VC wants to know the company they’re investing in is organized and is capable of managing a successful business, not just building a better widget.
5. Be open, honest, and respectful. Your eventual VC is going to be a partner in addition to financial supporter. They want to learn your expertise and vision, but also need to see and hear that you’re willing to accept critical feedback, that you are truthful in representing the company, and can course correct when necessary. Acting like a know-it-all, dismissing the knowledge of others, or misrepresenting the company or market opportunity will be apparent and won’t serve you well.
6. Treat meetings as a two-way evaluation. The VC may be the one supplying the influx of cash, but that means they’re going to be by your side for many years to come. Do members of the team have the right expertise and sector focus to help your business? Do they know your market inside and out? What does the rest of their portfolio look like? Will they have enough time to dedicate to your company?

The wrap up

Most cyber security startups and many established players seek outside investment. Approaching and pitching a VC firm should be treated as seriously as which features and functionalities you will include in your product(s). You’ll need a solid foundation and a lot of business savvy to earn investment from a top-tier VC, so do your homework! And look for a firm that will be more than just a financial backer that can get you name recognition.

If you’re thinking about pursuing an investment, you can learn more about the process in this video featuring Maria Cirino, .406 Ventures’ Co-founder and Managing Partner, or connect directly with the team.