Our thesis on cybersecurity

Security startups can be measured along two fundamental metrics: differentiation (novelty) and customer urgency to buy.

Some areas of cybersecurity have high urgency to buy (e.g. anti-virus, firewalls) but are highly competitive spaces with low differentiation between competing products. Unless you have a novel product it’s incredibly hard to win marketshare in an established market even if you can demonstrate incremental improvement over competitors.

On the other hand with an entirely novel product startups often struggle to sell — it becomes akin to selling insurance against a disaster the buyer thinks will never happen. Unless the buyer sees a real need for the product now it becomes a recipe for long sales-cycles and low conversion.

The startups we’ve been most excited about are the ones with genuinely new products but going after pain points that are very real for buyers. What we ask is how concerned are the buyers about the risks the startup is going after?

Is it an area where they’re particularly concerned about security weaknesses (e.g. phishing), an area where they’ve been compromised in the past (e.g. sql injections) or one which has been in the news a lot?

Solving the Issue

Security products need to either tackle the problem at hand directly (i.e automatic intervention) or give guidance that gets actioned in practice.

Moreover the value they add has to exceed the perceived downside. Any action which has the potential to disrupt legitimate usage will inevitably get push-back from other stakeholders within the business.

We’ve also seen many reporting tools which while in theory help identify vulnerabilities, in practice get ignored due to the level of false positives. For us products have to genuinely improve security in practice rather than being put in place for compliance reasons or as security theatre.

The Consumerization of Cybersecurity

We believe strongly in the consumerization of enterprise when it comes to usability of products and this it especially true in security. While for many enterprise products the consequence of poor usability can be frustrated staff, for security products poor usability results in users avoiding using them or even finding work-arounds.

Many large corporates would be surprised to discover the novel ways their engineers have found to disable anti-virus on their machines because they were fed up with the performance impact.

Good UX is a fundamental requirement for good security software.

Data and Network Effects

More so than most areas of enterprise software, cybersecurity lends itself to network effects. The more customers you defend the more exposure you gain to real-world attacks — invaluable information for strengthening the product for the entire customer base.

While not applicable to all security startups, where this virtuous loop can be incorporated into the product via machine learning or other approaches it can become a huge catalyst for growth in the long term enabling the product to automatically improve as usage increases.