ARTICLES

Note to Cyber Startups: The First $3M is the Hardest

One of my favorite books from the Awesome Eighties was Getting by on $100,000 a Year (and Other Sad Tales) by business writer Andrew Tobias. The implication of the book’s title, coined four decades ago, was that a hundred-K should be an impressive enough salary to keep even the toniest Upper West Side Yuppies pretty well fed. We all remember, however, that for many of the spoiled brats from that era, $100K was just not enough to get by.

I mention this book and the whole 100K-thing not because it has anything to do with cyber security or with modern startups, but that it has everything to do with the challenge of using absolute numbers in any estimate. You can see from my title that I am going to make a special fuss about three million dollars – and as I type the words, I can feel the embarrassment of reading this in 2061. (Note to future self: I hope $3M is still a nice take.)

That said, I have come to the broad conclusion, based on having reviewed thousands of cyber security startups over the past five years as a TAG Cyber analyst, and prior two decades as the CISO for a Fortune 10 company, that when a startup reaches $3M in annual revenue, it can take comfort in the fact that it will likely have the ability to go to much higher levels of business. Let me explain why I picked that number – and why my conclusion should hopefully resonate.

Cyber security analysts (and anyone else working in an analytical field) take on complex problems by breaking them into smaller pieces. We thus analyze companies by breaking them into the constituent pieces that support their mission. This might involve three product lines, or perhaps a pipeline of development, marketing, and sales. It can also involve professional service support for one or more major customers.

But in every case, when we look at a startup company, we always want to see evidence of meaningful revenue, with a high chance of recurrence, and with sufficient customer diversity to protect against unexpected business cycle bumps. We’ve learned that $3M in revenue is good evidence of all three requirements. Interestingly, we’ve not seen this target threshold differ much in importance between services, products, and platforms.

Let’s start with meaningful revenue. What we mean here is that the startup should have enough paying customers to support a reasonable portion of their operations. Whether well-funded by venture capitalists, guided along by a rich angel, or bootstrapped through sales (healthiest case), a company generating $250K every month from sales enjoys a stable, on-going base for dozens of salaries and non-trivial platform investments.

Next is recurring revenue. Startups would like to see general revenue trending upward, but all will experience the normal ups and downs of the business cycle. If a start-up has $1M in revenue, then danger exists that it can easily swing temporary to zero – and this calls into question viability, as well as willingness of investors to stick with a company. At $3M, however, the normal cycle-based swings will keep things comfortably away from zero.

Finally, there is customer diversity. Cyber startups sometimes get lucky and pick up a customer who is willing to try out their platform. We’ve seen these engagements range from tiny one-time payments for POCs to higher, ongoing fees for a larger relationship. What we’ve never seen however, is a startup with only one customer paying $3M. This level of revenue always dictates a diversity of paying customers – which is vital for subsequent growth.

Take for example the demo mirage. We often see tiny startups with ten or more fancy logos of Fortune 50 companies. They tout these engagements as evidence of massive potential growth. But we know that big companies are usually nervous about deploying goods from little companies into production. So, they often do a paid 100-K POC. A start-up would have to do 30 of these to hit $3M, so again – that threshold requires more than just POCs.

Look – I understand the somewhat arbitrary nature of $3M as a revenue target. And I understand the arithmetic of the well-funded stealth operation with little or no revenue that unveils to high demand and skyrocketing growth. But these are exceptions. Stealth teams eventually must make money, and just as Houston relaxed when the Shuttle cleared the tower, investors should feel good once their investment has hit $250K per month.

For those of you who have cleared this goal – nice job. Now it’s time to vault Geoffrey Moore’s famous chasm. But for those of you still driving toward this objective, I can offer this: You will find that once you pass the magic number, subsequent growth will be easier. Mind you – this does not imply that it will some lay-up. It just implies that it will be easier. Companies in this category should agree: For cyber security startups, the first $3M is the hardest.