5 Signs the Cyber Security Startup You’re Joining Might Not Exist Next Year

Every year reams of new companies emerge in the cyber security marketplace. It’s a space which fosters innovation, and venture capitalists are eager to back novel companies that might prove to be the next big thing. With the potential for billion-dollar exits[i], it’s no wonder individuals and VCs, alike, are eager to put their stamp on the space with a new tool/product/platform/approach to a problem. And there’s plenty of opportunity to do it: Security is a never-ending battle against new (non-security) technologies introduced into businesses, armies (sometimes literally) of cyber criminals with an abundance of time and resources, and seemingly limitless vulnerabilities—from human error to flaws in code to open ports or unmanaged devices on the network. In short, there are many problems to solve and many passionate people who want to solve those problems.

Fueled by digital transformation, cyber security has made its way onto the agendas of quarterly board meetings, mainstream media coverage, and finance balance sheets. This confluence of events has smoothed the transition from practitioner to entrepreneur-with-a-big-idea for many. The market is bursting with possibility, and each year daring individuals take the risk to quit their (probably quite secure) day jobs and build something new. This means that every year there are dozens of new companies and even more nascent companies for job seekers to join. From engineering to engagement specialist, sales to SOC analyst, product manager to platform developer, there’s no shortage of hiring in cyber security. (There is, however, a human resource shortage given how rapidly the field is growing.)

For job seekers, especially those with technical skills, the employment options are vast. Everyone must weigh their personal proclivities and preferences to decide if startup life is for them. It’s not for everyone. Nonetheless, the opportunity to join a startup, help build something from the ground up, enjoy the perks of a well-funded field, and potentially cash out comfortably in under ten years’ time is alluring.

Having listened to hundreds of vendor briefings in the last 9+ months, backed by many years in previous security roles, and bolstered by Ed’s insight and experience, I’ve learned to spot the signals that differentiate the billion-dollar acquisitions and IPOs from the companies that get sold in a fire sale or simply shut their doors after several years in the red. If you’re thinking of joining a startup, whether it’s your first time or your fifth, here are five “gotchas” to look for to avoid job dissatisfaction, excessive stress, and the need to find another job before you hit your first-year anniversary.

No unique value prop

To level set, “unique” means “one of a kind” or “sole.” You can’t have something that’s “very unique” or “highly unique” or any one of several modified uniques. Therefore, regardless of the company's product or service category—be it network security or IAM or encryption—the company should be able to clearly explain why it is unique, i.e., why no other company can do what it does.

This is tricky, because, realistically, for every company in a category, there are likely several (at least) other companies that do something similar. This can be true on a feature-by-feature basis or it can be true more generally, as in, the security problem they’re trying to solve. Either way, if the company cannot define why it is unique, potential customers won’t be able to see the value proposition and sales will be scarce. The result? No long-term viability.

On almost every briefing Ed I hear:

  • Our product saves time
  • · Our product solves complexity
  • Our product reduces cost
  • Our product shrinks the attack surface
  • Our product offers full network/endpoint/data/application/etc. visibility

See the problem? There is nothing unique about any of these statements because every startup says them! A company’s product or service should approach a problem from a new or different perspective, or why exist at all?

That said, for every security category defined by industry analysts, you can find a small handful to dozens of companies competing. So maybe the product or service isn’t unique on a feature/functionality level. That’s OK! But if that’s the case, the company story should be.

One of the first things Ed’s taught me about startup vendor briefings was to ask about the company’s story: what it was that made the briefer get up one day, quit their job, and start a new company from scratch. What is their individual story that drives their passion?

This personal story has become even more necessary after hundreds of briefings because, honestly, a lot of companies sound the same via their standard presentation deck. Maybe the company’s uniqueness is something in the founders’ pasts. Maybe it’s their beliefs. Maybe it’s their wacky personalities. Whatever it is, find that and you’ll understand how the company will compete. Without that, with only a we-save-time-money-effort message, the company isn’t going far fast.

A “too unique” value prop

Call me a hypocrite, but just as concerning as not having a unique value proposition—even if that story is wrapped around some crazy experience that led to the ideation of a company—is a product/service that does something so radically different that no one else is doing it. Is it possible that no one else has thought of the company’s particular solution? Absolutely! Is it probable? No. If the company’s offering is just ahead of its time, is the product or solution at least addressing an identified problem? Have others in the industry expressed a need to fix X?

For example, in the late 1980s, organizations started noticing a need for a new capability that could monitor and control bi-directional traffic in and out of networks. Networking had evolved beyond the “trusted” and permissive internal network which minimally connected to the outside. This technology, of course, is what we now know as the first-generation firewall. But pinpointing who, exactly, created the first firewall is a challenge. If you were to approach certain security luminaries credited with the invention, most of them will say the seeds were sown somewhere else or that others were developing parallel capabilities. In other words, it was a known problem emerging because of networking trends. And it wasn’t relegated to one individual who saw this and said, “I must build a commercial product!”

Said differently, a problem creates the need for a tool, but for a commercial product to be viable, the problem must be bigger than on person’s needs. Is it possible that a startup with a crazy idea is soon to be an industry-wide problem? Could be. But too often we see startups fixated on a small issue that won’t sell commercially or is really just a feature of an established product. In these cases, anyone working for the company should be concerned about its future.

Micromanagement

This section should go without saying, and of course applies to established enterprises as much as it does tiny startups: If the founders—no matter how smart or prescient they are—insist on everything being done their way and don’t take outside advice or guidance (or worse, disregard it), run in the other direction.

Startups are all about ingenuity and innovation; a startup that hampers innovation from anyone except a select few executives is bound to fail. Creating something from scratch requires unconventional thinking. Building a product with a unique value proposition demands experimentation and contrarianism. Nothing truly new and novel is ever introduced without some skepticism or objection. Therefore, build teams must be empowered to try and fail at new things—things the founders haven’t yet thought of—so they can be market ready.

If you get a sense that the company is built around “my way or the highway,” find another company that encourages out-of-the-box thinking.

Ephemeral messaging

Have you ever visited a company’s website and thought, “that looks interesting,” only to come back a few months later to find something entirely different? The company's main message has changed. The product description has changed. What was listed as their product no longer seems to be available or is dramatically different than it was two months ago? While evolution and refinement are mandatory, especially in a startup where the company is finding its footing, concerns arise when messaging seems to change every ten seconds.

OK, “ten seconds” is hyperbolic, but is it not uncommon for Ed and me to talk to vendors every 2-3 months, and there is a not-insignificant percentage of vendors that have a different message every time. They can’t seem to nail down what they’re selling or how to talk about it. They test wholesale new messaging instead of A/B testing with a select audience. In short, they just don’t appear to know who they are and are pulling at strings to figure that out publicly instead of taking time to define who and what they are.

For these startups, Ed and I ask the company to tell us who and what they are, succinctly and without describing the product or service. If they can’t, we offer examples and ask them to try again. If they still can’t, we give them an assignment to go off and think about it.

While marketing and messaging should be progressive, it should never be ephemeral—here one day, gone tomorrow. How a company communicates what it is and what it does foreshadows its success and is not something to be taken lightly.

Dismissive or aggressive attitude toward competition

Every company has competitors. Even if the company is a unicorn and sells a product no other security professional has yet thought of but hordes of people are clamoring for, there is competition. The competition might not be a similar product or even a compensating control. The competition could be budget, it could be preconceived notions, it could be inertia. But there is some competing factor for every product or service on the market, especially when it’s a new idea.

If you’re interviewing with a startup and you ask, “Who’s your competition” and company representatives answer, “We don’t have any real competition,” beware. This company has no idea what it’s up against and will struggle. Maybe they’ll have a future reckoning, but right now they’re not going to be able to handle the inevitable objections by buyers and therefore will succeed only in limited cases, likely through small sales with former customers or friends of the founders.

Similarly, if the company is overly aggressive about its competition, for instance, bashing the competition on the website or in marketing materials, know that the publicly available materials are likely the company’s only perceived way to win deals. Every company should be able to demonstrate its value without diminishing others. Comparisons? Yes, buyers need to know points of differentiation, but these comparisons can be done in a respectful way, without making every other company in the space sound stupid.

Can you imagine Roger Federer saying, “I have no true competition” before a Grand Slam? Or when asked about his strengths against an opponent replying with, “His backhand is weak, he is slow on clay courts, and he has no mental resilience after a failed point”? No, because he doesn’t need to! He knows he is a great tennis player and is aware of his own strengths and weaknesses. He might say, “He has better footwork than I do” or “My serve is faster and more accurate than his” for a given match, but stating facts is very different than dismissiveness or aggression and, when displayed by a company, should signal a weakness in overall design and demeanor.

The wrap up

Startup life is fun and exhilarating, and the free lunches, company-paid healthcare, and onsite massages won’t hurt. But be mindful of company coffeeshop discounts in exchange for an environment that hasn’t yet nailed its product space, messaging, or company differentiation. Don’t accept unlimited vacation days in lieu of creativity and the ability to personally contribute something meaningful to the security community.

There are many great cyber security startups, and likely one that is hiring (if you’re looking). But just like founding a company is a risk, joining one with grim prospects is, too. It can be a real drag to be stuck in a place where you don’t see a future, where you’re not valued, and where you’re always fighting against the tide. Consider these five concerns when evaluating a startup and see if you have a different view of the vendor afterward. You’re sure to find several that pass the test with flying colors.

_____________________________________________________________________________________________

[i] https://www.cbinsights.com/research/cybersecurity-billion-dollar-exits-infographic/