The lifecycle of a eureka moment in cybersecurity

It takes more than a single eureka moment to attract investor backing, especially in a notoriously high-stakes and competitive industry like cybersecurity.

While every seed-stage investor has their respective strategies for vetting raw ideas, my experience of the investment due diligence process involves a veritable wringer of rapid-fire, back-to-back meetings with cybersecurity specialists and potential customers, as well as rigorous market scoping by analysts and researchers.

As the CTO of a seed-stage venture capital firm entirely dedicated to cybersecurity, I spend a good portion of my time ideating alongside early-stage entrepreneurs and working through this process with them. To do this well, I’ve had to develop an internal seismometer for industry pain points and potential competitors, play matchmaker between tech geniuses and industry decision-makers, and peer down complex roadmaps to find the optimal point of convergence for good tech and good business.

Along the way, I’ve gained a unique perspective on the set of necessary qualities for a good idea to turn into a successful startup with significant market traction.

Just as a good idea doesn’t necessarily translate into a great product, the qualities of a great product don’t add up to a magic formula for guaranteed success. However, how well an idea performs in the categories I set out below can directly impact the confidence of investors and potential customers you’re pitching to. Therefore, it’s vital that entrepreneurs ask themselves the following before a pitch:

Do I have a strong core value proposition?

The cybersecurity industry is saturated with features passing themselves off as platforms. While the accumulated value of a solution’s features may be high, its core value must resonate with customers above all else. More pitches than I wish to count have left me scratching my head over a proposed solution’s ultimate purpose. Product pitches must lead with and focus on the solution’s core value proposition, and this proposition must be able to hold its own and sell itself.

Consider a browser security plugin with extensive features that include XSS mitigation, malicious website blocking, employee activity logging and download inspections. This product proposition may be built on many nice-to-have features, but, without a strong core feature, it doesn’t add up to a strong product that customers will be willing to buy. Add-on features, should they need to be discussed, ought to be mentioned as secondary or additional points of value.

What is my solution’s path to scalability?

Solutions must be scalable in order to reach as many customers as possible and avoid price hikes with reduced margins. Moreover, it’s critical to factor in the maintenance cost and “tech debt” of solutions that are environment-dependent on account of integrations with other tools or difficult deployments.

I’ve come across many pitches that fail to do this, and entrepreneurs who forget that such an omission can both limit their customer pool and eventually incur tremendous costs for integrations that are destined to lose value over time.

What is my product experience like for customers?

A solution’s viability and success lie in so much more than its outcome. Both investors and customers require complete transparency over the ease of use of a product in order for it to move forward in the pipeline. Frictionless and resource-light deployments are absolutely key and should always mind the realities of inter-departmental politics. Remember, the requirement of additional hires for a company to use your product is a hidden cost that will ultimately reduce your margins.

Moreover, it can be very difficult for companies to rope in the necessary stakeholders across their organization to help your solution succeed. Finally, requiring hard-to-come-by resources for a POC, such as sensitive data, may set up your solution for failure if customers are reluctant to relinquish the necessary assets.

What is my solution’s time-to-value?

Successfully discussing a core value must eventually give way to achieving it. Satisfaction with a solution will always ultimately boil down to deliverables. From the moment your idea raises funds, your solution will be running against the clock to provide its promised value, successfully interact with the market and adapt itself where necessary.

The ability to demonstrate strong initial performance will draw in sought-after design partners and allow you to begin selling earlier. Not only are these sales necessary bolsters to your follow-on rounds, they also pave the way for future upsells to customers.

It’s critical, where POCs are involved, that the beta content installed by early customers delivers well in order to drive conversions and complete the sales process. It’s critical to create a roadmap for achieving this type of deliverability that can be clearly articulated to your stakeholders.

When will my solution deliver value?

It’s all too common for entrepreneurs to focus on “the ultimate solution”. This usually amounts to what they hope their solution will achieve some three years into development while neglecting the market value it can provide along the way. While investors are keen to embrace the big picture, this kind of entrepreneurial tunnel vision hurts product sales and future fundraising.

Early-stage startups must build their way up to solving big problems and reconcile with the fact that they are typically only equipped to resolve small ones until they reach maturity. This must be communicated transparently to avoid creating a false image of success in your market validation. Avoid asking “do you need a product that solves your [high-level problem]?” and ask instead “would you pay for a product that solves this key element of your [high-level problem]?”.

Unless an idea breaks completely new ground or looks to secure new tech, it’s likely to be an improvement to an already existing solution. In order to succeed at this, however, it’s critical to understand the failures and drawbacks of existing solutions before embarking on building your own.

Cybersecurity buyers are often open to switching over to a product that works as well as one they already use without its disadvantages. However, it’s incumbent on vendors to avoid making false promises and follow through on improving their output.

The cybersecurity industry is full of entrepreneurial genius poised to disrupt the current market. However, that potential can only manifest by designing it to address much more than mere security gaps.

The lifecycle of a good cybersecurity idea may start with tech, but it requires a powerful infusion of foresight and listening to make it through investor and customer pipelines. This requires an extraordinary amount of research in some very unexpected places, and one of the biggest obstacles ideating entrepreneurs face is determining precisely what questions to ask and gaining access to those they need to understand.

Working with well-connected investors dedicated to fostering those relationships and ironing out roadmap kinks in the ideation process is one of the surest ways to secure success. We must focus on building good ideas sustainably and remember that immediate partial value delivery is a small compromise towards building out the next great cybersecurity disruptor.

What do CISOs want from cybersecurity vendors right now?

As COVID-19 spreads across the globe, what challenges are CISOs and other cybersecurity executives dealing with, and what do they not want to be dealing with at the moment?

The challenges

According to the results of a recent YL Ventures survey, their main priority now is to establish fully remote workforces in as short a time as possible and as securely as possible.

“Now is not the time to present CISOs with anything other than solutions to directly help these processes, ideally in a ‘plug and play’ type format. Expediency and simplicity have never been more crucial, and anything that does not serve these purposes will be disregarded as ‘noise’,” the report noted.

They also have much less time for exploring new vendors and solutions, especially for anything that is currently a non-critical matter.

Finally, as the economy takes a hit due to COVID-19 and the widespread “shelter in place” directives, cybersecurity executives can expect some of the previously allocated cybersecurity budget to be cut and the funds redirected towards measures that will keep the organization afloat.

Building goodwill

The polled executives advised companies providing cybersecurity solutions to avoid sales pitches that involve fear-mongering, to dial down cold calls and emails, and to concentrate on nurturing existing relationships.

“Messaging ought to be geared towards impacting an enterprise’s bottom line or community, rather than attempting to fearmonger or stoke panic over a situation already causing CISOs enough anxiety,” YL Ventures explained.

“Cybersecurity executives feel quite unanimously about the marketing frenzy and, according to our sources, are compiling a ‘black list’ of vendors guilty of using this tactic.”

Companies should concentrate on discovering what they can do to help their existing customers and discussing their customers’ experiences. Not only will this improve customer relations, but it will also provide helpful information that can inform the vendor’s future plans.

Last but not least, vendors should consider making goodwill gestures.

“Profiteering off of a world-wide tragedy will do vendors little service in the eyes of prospective customers. 41% of the CISOs we consulted with praised technology companies using their services to help other businesses and advised entrepreneurs to follow in their lead instead,” YL Ventures noted.

Supporting local clinics or emergency organizations pro-bono or with free tools or getting involved in real-world aid initiatives is a good way to build goodwill.

“This is also an excellent time to consider revising payment methods by instituting deferred payment options to accommodate new budgetary constraints,” the polled cybersecurity executives pointed out.

What are CISOs’ most pressing cybersecurity challenges?

CISOs are increasingly preoccupied with digital transformation, migration to cloud environments, and data governance, a recent YL Ventures survey has shown.

The Israeli venture capital firm polled almost 40 cybersecurity executives at leading enterprises from its own Venture Advisory Board, and discovered their pain points when it comes to dealing with the increased complexity brought on by the current state of affairs.

Cloud security concerns and solutions

47 percent of the pollees said that their most pressing concern is the human capital shortage and operational gaps, followed by cloud security-related challenges (37%).

21% of the respondents expect the human capital shortage to intensify in the next five to seven years, due to low enrollment in relevant academic fields. Many also said that the accountability and level of responsibility associated with currently open positions often deter the few graduates that do qualify.

Their solution to these problems is looking for ways for automation to relieve the pressure on overworked employees, tapping into new and diverse resources of talent, recruitment, and training alternatives, and investing in human capital and training.

“In fact, CISOs are now spending the largest portion of their budgets on human capital after concluding that even the best-of-breed tools do not yet sufficiently address their most pressing cybersecurity issues. This is especially true for newly emerged threats and when CISOs require more customizable and tailored capabilities for their organization’s needs,” the analysts shared.

Their cloud-security related challenges include picking the right tools or partners to support their cloud migration and maintenance of cloud security (especially if multi-cloud infrastructure is involved).

They are particularly worried about maintaining in-depth visibility into cloud assets and about avoiding misconfigurations that could result in data breaches.

“Participants (…) are more interested in addressing their cloud concerns through the acquisition of one security solution to cover their multiple environments instead of relying on those furnished by their different cloud providers or by disparate cloud security solutions. Nevertheless, a small number expressed interest in the security products and features of native platforms and remain open-minded to what cloud vendors might offer down the line,” the analysts noted, and pointed out that they may not have to wait long as cloud vendors have recently begun to launch multi-cloud management capabilities of their own.

Data security, privacy, IAM and SOAR

Respondents want to strengthen controls around data lakes and understand data flows within their organization. They are searching for better data loss prevention (DLP) solutions and customer Data Subject Access Requests (DSAR) solutions.

“CISOs are searching for products that can deliver granular consumer data to meet the growing demand from regulators to enable customer DSAR. This poses a difficult challenge, as most organizations lack clear visibility into their dataflows and, due to a lack of available solutions, are forced to manually source these requests on a case-by-case basis,” the analysts found.

Identity and Access Management (IAM) solutions that are adequate for meeting the needs that come with increasingly complex enterprise infrastructures and highly mobile connected devices are also difficult to find, they say, and some CISOs have decided to build their organization’s IAM capabilities internally (i.e., by customizing existing IAM solutions and filling in remaining gaps with internally built solutions).

Finally, many of the respondents realized that total security is impossible and have decided to focus some of their attention and budgets on incident response, SOAR (Security Orchestration, Automation and Response), and detection and response.

“Our respondents are determined to minimize the time taken to deal with vulnerabilities and breaches, improve their detection capabilities, and issue faster remediation. Many are open to, or already outsourcing, such capabilities to meet this need. For those looking to keep these capabilities internal, this segment of the industry is a perfect candidate for automation solutions, as automating incident response can leave valuable security practitioners available for tasks that require a greater deal of in-depth thinking,” they concluded.