Forgecast

A Blueprint for Building Cybersecurity Startups with Ross Haleliuk

The deck is stacked against you when you build a cybersecurity startup. Entrepreneurs navigate a maze of technical and business hurdles to turn their vision into a successful company. Ross Haleliuk’s pragmatic approach to company building is a gold mine for founders, practitioners, and investors alike. In this episode, Forgepoint Capital Managing Director Ernie Bio sits down with Ross to discuss his early career, starting the popular Venture in Security blog, launching an angel investing syndicate for security practitioners, his bestselling book Cyber for Builders, unique challenges in starting a cybersecurity company, successful partnerships, how cybersecurity companies fail, and more.

Episode 12

April 27, 2024

Ross Haleliuk brings over a decade of product building experience to his role as Head of Product at LimaCharlie and his Venture in Security blog. He is a leading voice on company and product building in cybersecurity.

Ross has a unique ability to pick up on trends across the industry and masterfully synthesize business and technical topics. Whether you’re an entrepreneur, security practitioner, or investor, Ross’s perspective will give you a useful blueprint for supporting strong security products and companies.

“You need to be able to understand the market. You need to be able to talk to customers and ask questions in such a way that the answers don’t just confirm your biases, but instead help you gain a unique understanding of your problem space. You need to be able to do customer discovery. You need to be able to prioritize ruthlessly because there are so many conflicting feature requests, ideas, and perspectives.”

Ross Haleliuk

About Ross Haleliuk

Ross Haleliuk is Head of Product at LimaCharlie. The company’s SecOps Cloud Platform brings together critical cybersecurity capabilities while removing integration challenges and security gaps for more effective protection against today’s threats.

Ross began his journey as a co-founder of a B2B edtech company before building a decade-long career as a product leader across multiple industries and ending up in cybersecurity. His areas of expertise include go-to-market and product strategy, strategic positioning, product-market fit expansion, growth, operations, and fundraising.

Ross is also a startup advisor, speaker, and angel investor. He writes about cybersecurity industry trends, building security startups, investment, and growth in his blog Venture in Security and on the world’s leading media platforms including TechCrunch, Forbes, and VentureBeat. His book Cyber for Builders was published in December 2023.

Ross is always happy to connect with ambitious and driven early-stage and aspiring founders passionate about building the future of cybersecurity.

Transcript

0:24 Introduction

Ernie Bio [EB]

Welcome to the Forgecast. I’m Ernie Bio, your host, and I’m pleased to have with me today a cybersecurity startup builder, product leader, advisor, and investor: Ross Haleliuk.

As many of you know, Ross is behind the wildly popular Substack Venture in Security which is followed by tens of thousands of entrepreneurs, practitioners, and VCs like me. Earlier this year, he put out his book Cyber for Builders which has become a bestseller on Amazon. That’s what we’re going to focus the podcast on today, geared towards those folks that want to be cybersecurity entrepreneurs or are early in their journey. Ross, welcome and thanks for joining us.

Ross Haleliuk [RH]

Happy to be here. Thanks, Ernie.

1:23 Early Life and Education

EB

Take us back to your childhood, the early days. I know you didn’t grow up in the United States. Give people a sense of where you came from.

RH

That is a great question and frankly, the story is still ongoing. I was born in Ukraine in the early 1990s following the collapse of the USSR. I never lived in the Soviet Union, but I was born and raised in a country that was just going through the post-Communist process of forming a stable democratic society. I grew up in an orphanage and in a very small town of about 10,000 people. My childhood was spent around cows and horses and other animals which I now haven’t seen for many years. It was a very interesting childhood.

I ended up moving to Kiev, the capital of Ukraine, for university. I studied history, specializing in the history of Russia. It was totally unrelated to technology and anything I’m currently doing.

All of those experiences in my early days taught me that you have to play the cards you’re dealt; you have to do the best with what you’ve got. It also taught me risk-taking. At the end of the day, you have to take risks and try new things. What’s the worst that can happen? As long as you have a place to live and people around you that you have a good connection with, everything else doesn’t matter.

At the age of 22, I immigrated to Canada and found a home in Vancouver. I have stayed here for about ten years and now I’m in the process of moving to San Francisco.

EB

When will you be in San Francisco permanently?

RH

Starting in June 2024.

EB

Right after RSA, excellent. That’s an amazing background. A lot of people can’t relate to that but I’m sure it’s given you a lot of resilience and the ability to take risks. I’m guessing your educational and career journeys were also nontraditional. Do you want to talk about those a little bit?

RH

As Mark Twain used to say, I never let my schooling interfere with my education. My formal degrees and credentials are fairly boring. As I mentioned, I studied history back in Ukraine, specializing in Russian history. When I moved to Canada, I did a diploma in project management and then I studied business and technology management. The formal credentials were mostly on the side of liberal arts followed by business. I picked up a lot of the learning and skills that I currently use day-to-day on the side by pursuing different projects, talking to people, and reading.

I still believe that formal education is important. At the same time, I don’t believe that what you do in life has to be defined by what you did for four years when you were 17 or 21. That’s just not reasonable to me.

EB

I couldn’t agree more.

RH

For example, back in Ukraine I wanted to go into politics. After moving to Canada, a few things changed.

First, I realized that my dreams, passions, desires, ambitions, and everything surrounding them were formed in a different environment. As my world became bigger, I had to enlarge my dreams and think bigger to do greater things.

I also learned a lot about myself and came to realize that I don’t like zero sum games. What I mean by that is if you look at academia or politics and some other fields, one person winning always requires another person to lose. I just don’t enjoy that. What I like more is games such as business, technology, and investment where you can have multiple winners. You can win and other people can win with you. That’s something that really attracted me to business and technology specifically.

I wanted to be in a place where I can quickly learn, iterate, and grow even if I get started with nothing. In some fields such as law, diplomacy, and politics, a lot depends on relationships. If you grow up in a different society and build your network elsewhere, you don’t really benefit from the work you did. In technology specifically, as long as you drive results and do something innovative that raises revenue, it doesn’t matter where you come from or what accent you speak with. That’s why technology really spoke to me.

7:28 Current Role as Head of Product at LimaCharlie

EB

I think you may have another book in the works there that helps entrepreneurs. That was well said.

Your day job right now is leading product at LimaCharlie. Do you want to touch briefly on that before we jump into the book?

RH

I am head of product at LimaCharlie. I’ve spent the past decade of my career focusing on product management and have worked in different industries, from retail, wholesale, financial technology, and e-commerce to now cybersecurity. It’s been a fantastic experience. Several years ago, I decided that as long as I’m being paid by a company to do some work, the only thing I’m interested in doing is either operations or product management. Both of those areas are broad enough to leverage different skills and have a good balance between strategy and execution. At the same time, they’re also specific enough and give you the right amount of ownership to truly drive results.

Product is fascinating. Building products in cybersecurity is even more fascinating. It’s harder and more unique compared to many other industries. I’m definitely looking forward to continuing my work.

8:51 Motivation to Start Venture in Security

EB

Excellent. About two and a half years ago you started the Venture in Security blog. That’s how many of us met you. It has since become wildly successful and popular. What was your motivation to start writing?

RH

I never planned to have a newsletter. It was never something I wanted to do; instead, it just happened. The way it happened was quite interesting. When I ended up in cybersecurity, I understood very quickly that I needed to build a foundational understanding of how the industry works. I needed to understand the different players, how investors interacted with cybersecurity startups, and the different go-to-market strategies that have been successful or unsuccessful. Really, I wanted to get to the bottom of how the business side of security functions.

At the time, what surprised me was that although there was a lot of great in-depth material about the technical side of the industry, there was much less about the business side. Some analyst firms such as Gartner and Forrester do some work in that space, but their focus is mostly on specific product categories and less on the higher-level dynamics in the space.

After 4 or 5 months in the industry I had met a lot of people, read a lot of content, attended many events, and listened to countless podcasts. I was absorbing everything to understand how the industry functions and accumulated a body of knowledge that I thought others might find useful. I wrote a blog post on Medium about product management in cybersecurity. When I shared it on LinkedIn, several people reached out saying it was quite useful. I realized people were interested in learning more and that there was a demand for business-level insights into the industry. A few weeks later I wrote another article, posted it on Medium, and reshared it on LinkedIn. One thing led to another and after several months, people expected it to be a regular blog. I moved it to Substack and started publishing it as a weekly newsletter called Venture in Security, a title I chose for several reasons.

At the time, I was quite interested in the VC space and thought I might be interested in pursuing it sometime in the future. I was also fascinated by the investment and the startup ecosystem. Ultimately, I ended up deciding not to pursue the VC direction and doubled down on my operator background. The blog has been growing ever since. As of last year, I think it had just over 500,000 reads and 11,000 or 12,000 email subscribers and the numbers keep growing. It’s very encouraging to see people in cybersecurity share their emails with you because it doesn’t really happen often. Everybody typically uses ad blockers and nobody wants to share anything about themselves.

13:21 Venture in Security Angel Syndicate

EB

When I was prepping for the interview this morning an email popped up from Venture in Security. You’re putting out material all the time.

As part of Venture in Security, as you said you decided not to go into venture capital, but you did start an angel syndicate. Maybe you can talk a little bit about that. Firms like Forgepoint come in at Series A, but there are a whole lot of investors going back to angel, pre-Seed, and Seed that are placing bets at a risky time early on in a company. Talk to us about your vision with your angel syndicate.

RH

About a year and a half ago, a good friend (a former security engineer at Expedia who is now a CISO at a cybersecurity startup) and I had been talking a lot about innovation in the industry and debating where the next wave of innovative cybersecurity startups should come from.

We came to realize that there were a number of great communities bringing together security leaders and a number of CISO-focused angel syndicates like Silicon Valley CISO Investments (SVCI) in the US and Cyber Club London in the UK. But there wasn’t a similar community for security practitioners, the people actually doing the work, like security analysts, security engineers, security architects, and application security engineers. There wasn’t a place for them to become more active on the business and investment side of the industry. Our hypothesis was that since cybersecurity practitioners have visibility into new and forming attack vectors, threats, and technologies before they reach the CISO level, we could identify the next generation of innovative companies by getting security practitioners to invest.

Since then, we have learned several things. One is that there is a need to get more security practitioners on the business side of the industry. I believe that security architects, security engineers, and security analysts would greatly benefit the industry by working together with and advising VC firms to understand if a certain technological innovation makes sense from the technical standpoint. This is especially true at the earliest stages of a company.

When you look at Series A or Series B, there is already revenue and a customer base. There are some business metrics that you can use as a proxy to understand if the company is solving a real problem. On the other hand, when you look at a pre-Seed startup, there is probably nothing to look at: no revenue, no customers, and probably not even a minimum viable product (MVP).

At that point, to understand if the company is tackling a real problem, you need a higher degree of technological fluency. That’s where security practitioners come in. The challenge with bringing several security practitioners together and trying to co-invest as a syndicate has to do with the fact that security practitioners are exposed to security products and vendors through their tools.

For example, when they look at CrowdStrike, Palo Alto Networks, Microsoft, or other large vendors, they are not thinking about hiring, go-to-market, operations, or finance strategies. Instead, they look at products and see an agent that they can deploy and start collecting telemetry to send somewhere, and so on. The challenge with that is at the pre-Seed stage, there’s often no product to evaluate. What ends up happening is the people who are best positioned and best suited to evaluate the early version of a product don’t have an opportunity to do so.

It’s been an interesting challenge to tackle. So far, we have about 70 people in the group with various degrees of participation. We have written angel checks as recently as December 2023, when we funded an application security startup. That’s been an interesting experience.

18:33 Writing Cyber for Builders

EB

You saw a void and a need, and you guys are tackling that. That’s great.

Let’s move on to your book Cyber for Builders that you put out earlier this year. I’ve been focused on cybersecurity in venture capital for five and a half years now and I wish I had that book on day one to read through. There’s a lot of very pragmatic and good information in there. What prompted you to write it? Outside of future founders, who’s your audience for the book?

RH

The book is the natural next step for the blog. In August or September 2023, I realized a lot of the writing and articles for Venture in Security were connected organically and tied together by the theme of building cybersecurity startups. The question became: if there is already a book in the blog, why don’t I just write it?

When I started working on the book, I already had about 25% of all the work done. I needed to go through my old blog posts and use them as a foundation for a shortened, edited, and concise body of content about industry trends and building cybersecurity startups.

Over the past several years, I’ve talked to a ton of aspiring founders and early-stage founders. They tend to ask the same questions and struggle with the same challenges. At a certain point, the need to address those recurring questions became apparent, while also recognizing that there is no one right way to build a company or design a go-to market strategy. But, there are plenty of wrong ways to do it. By simply highlighting the things that people shouldn’t be doing, you can build a fairly useful knowledge base that somebody else can leverage.

Ultimately, the goal of the book was to summarize the perspectives I have accumulated over time and feature perspectives from others in the community to complement that.

21:17 The “Right” Background for a Cybersecurity Entrepreneur

EB

It’s interesting, you have six chapters in the book and the fifth chapter is how to fail a cybersecurity company. I like how it’s laid out and how you show the first principles on the industry and how it operates.

If I’m someone contemplating being an entrepreneur in cybersecurity, what’s the right background for that?

RH

That’s a fantastic question. I don’t necessarily think there is one right background. What I do think is there is a combination of backgrounds that make it right. What I mean by that is you obviously want somebody on the team with strong expertise in cybersecurity, a practitioner who understands the technical side of the industry.

But understanding the technical side is not enough. You also need somebody who may be technical by their training or their background but has an interest in the business side of the industry, like the go-to market strategy. Sometimes, software engineers who studied computer science do have a natural interest in the business side and sometimes they don’t. Having the right composition of people on the founding team is incredibly important. There is a lot to be said about having someone who can build the product and understands cybersecurity and who understands go-to market and is interested in the business side of things.

I genuinely don’t believe in solo founders in cybersecurity. I know there are some great examples of people who are able to pull it off. But for startups, from day one you have the odds stacked against you. The question becomes: what could you be doing to increase the chances of success and reduce the chances of failure?

If you’re starting on your own, it increases the chances of failure. There is simply too much work for one person to handle. Obviously, if there is a solo founder and several founding members that can compensate for the absence of co-founders, that is a different story. But in general, it’s incredibly important for founders to have people to talk to, brainstorm with, disagree with, and collaborate with to make better decisions.

24:23 Finding Co-founders

EB

I couldn’t agree more on that. We see everything from solo founders to five founders for a company. If I’m someone looking to start a company, how do I go about finding the right partner or partners to co-found the company? You hear about founder dating. Any advice in that process?

RH

It largely depends on where you’re located in the world and how your ecosystem looks. If you’re in Tel Aviv, the San Francisco Bay area, New York City, or D.C., you have access to a high level of support and resources.

That said, step one is always to look left and look right and think about people you have worked with before, have great relationships with, and know what to expect from. See what you can build together in your immediate network. Quite often, though, people don’t have anybody they can partner up with. It’s not uncommon, especially if you’re somebody who has only ever worked at smaller startups. If you’ve worked at large companies like Google and Microsoft you’re naturally exposed to a large number of people. If you’ve worked at smaller startups, you meet fewer people.

In any case, if nobody you know is interested in taking a risk and building a company, you need to go beyond your immediate network. This is when you ask friends for introductions and reach out to people in your network to ask if they know of anyone who could make a great co-founder. You can even reach out to firms like Forgepoint and other VCs to ask for introductions or to be part of future founder networks.

26:43 Identifying and Validating Problems

EB

Good point. The next question is one of the most loaded questions in this interview. Once you have your co-founders, how do you determine what problem to tackle and how do you validate that? I know there’s a lot to unpack and your book covers all of it. But for this podcast, how do you address that?

RH

It’s a very interesting question that I’ve been thinking about quite a bit recently for many different reasons. Cybersecurity in 2024 is incredibly competitive. Although from the outside it looks like there are many unsolved problems, when you take a closer look at specific market segments and areas you realize it’s not easy to find an original angle that would enable you to go to market with something unique enough for a security leader to want to have a conversation with you. It’s fairly hard in 2024 to just go out and say, “Let’s build something in cybersecurity.” If all you see is high-level problems, it’s actually quite hard to find an area you can go deeper into.

I don’t think there is one right way of doing it. What I have seen work well is bringing people together who have a strong understanding of the specific domain. It’s much easier if you have somebody on the founding team with expertise in a specific area. For example, somebody who has built identity for 5 or 10 years, somebody who has worked in endpoint security for a long time, or somebody who is deeply proficient in cloud security. That domain expertise allows you to go deeper than others in the industry when you’re looking for an initial problem. However, the rabbit hole some people fall into is skipping the validation step because of their expertise and familiarity with the problem they have chosen.

One of the best ways to do it is to pick a specific area, for example identity or product security, and go super deep to identify several problems, and then do as many validation calls and prospect and customer interviews as possible. Quite often, you will see that something is indeed a problem but is not top of mind for CISOs or security practitioners. They’re unlikely to ever invest time and effort in it.

There are so many of those second- and third-tier problem spaces in cybersecurity that founders may be very excited about but security leaders will never get to actually solving, because security leaders are still very concerned with the same problems they were worried about five years ago. They still care about endpoint security, the cloud, compliance, and identity. It’s not deepfakes or the most advanced use cases for AI; it’s fairly basic problems that have been around for quite some time.

That doesn’t mean those advanced problems don’t have space and shouldn’t be solved. It’s just that if you’re looking for somebody to sign a check today, you should probably be looking at the problems that they’re worried about right now.

30:56 Disrupting a Current Market vs. Creating a New Market

EB

That makes sense.

At a high level, I think about the difference between making a new market and disrupting a current market. What are some nuances on the approaches there and how do you go about thinking through problems, whether you’re disrupting something current or starting a brand new market within cybersecurity?

RH

The reality is that new markets don’t emerge as often as people think. Also, just because a company is trying to build a feature that nobody else is building, that doesn’t make it part of a new market.

That’s where many people truly get confused. They look at a specific feature set, see a very unique solution, and claim they are defining a new market. In most cases, they are competing in a market where there are many other alternatives to what they’re doing. It’s just that they are taking a unique spin on it, which makes it a unique solution. It doesn’t necessarily mean there is a new market. If the same problem can be solved by existing vendors in a different way, that problem is in an existing market.

If you have an ambition to define a new market, you have to be willing to raise a decent amount of money and spend most of it on marketing and education. That’s something that you see a lot of in cybersecurity.

Some founders assume that because they’re the only company that does X, it gives them a first mover advantage and the ability to show off something truly unique. The reality is that until you have several companies taking a stab at the same problem space and attacking it from different angles, you have to invest too much marketing money into educating customers.

Even today with AI security, if there was only one company in the space it would be fairly hard for that company to educate the market about the problem. But because there are multiple companies who have all raised a good amount of capital and are trying to educate buyers, market education is compounding and allows each of those companies to benefit.

The vast majority of founders, especially first-time founders, probably have better odds with making an existing market category better as opposed to trying to define a new market category. That’s not always going to be true, but the amount of evangelism, marketing, speaking at conferences, and organizing events involved with getting security buyers and leaders to understand a new problem space is non-trivial. In addition, when you have to convince a security leader that they have a problem, you’re already at a disadvantage. They’re probably going to be paying attention to the problems that they know about first before allocating time to educate themselves on your problem. What CISOs are paying attention to in 2024 is very similar to what they were paying attention to five years ago.

34:32 Company Building in Cybersecurity Compared to Other Industries

EB

Yeah, I couldn’t agree more. There is that sense of first mover disadvantage which you alluded to. We’ve seen that play out time and time again. I think that will continue.

If I’ve built products outside of cybersecurity, how is building in cyber different than building in other disciplines? Is it the same skill set or are there nuanced differences?

RH

It is a great question and I think it’s also a very timely one, because the reality is that when we talk about product management, we often think about it from the perspective of best practices like A/B testing that we generally associate with Bay Area consumer-focused companies. I genuinely believe if you look at product management as a discipline, the vast majority of best practices come from the consumer space. People talk about launching a product and then doing A/B testing to see what works better. You don’t really do A/B testing in cybersecurity because the scale of customer deployment is so small. You may have four enterprise customers that amount to several million in annual recurring revenue (ARR). You simply don’t have the pool of people to do A/B testing.

But in a broader sense, I think the skill sets required for cybersecurity are still very similar. You need to be able to understand the market. You need to be able to talk to customers and ask questions in such a way that the answers don’t just confirm your biases, but instead help you gain a unique understanding of your problem space. You need to be able to do customer discovery. You need to be able to prioritize ruthlessly because there are so many conflicting feature requests, ideas, and perspectives.

On the other hand, what makes cybersecurity different is that buyers and users are less interested in talking to prospective vendors. I remember when I was working in the mortgage technology space, I would reach out to a mortgage broker and say, “I am building a tool for mortgage brokers. I would absolutely love to get your perspective and understand the problems you’re experiencing so that we can solve them.” The average mortgage broker would actually respond to those cold emails or LinkedIn messages because in their mind, technology vendors can take the problems they have and solve them. How awesome is that? It means they can get their perspective onto somebody else’s roadmap. As a result, they can see their problem solved by a vendor.

In cybersecurity, the average security buyer is so overwhelmed with the amount of work they have to do that they’re not excited about talking to product teams. Even if your intent is to not sell anything and just have a conversation and do customer discovery, the vast majority of security teams will simply not have the time.

When they do find the time, you realize that every single company does security differently. You’re going to get 55 different feature requests and 55 different ideas that all conflict with one another. You have to find a way to identify common ground and build something that is going to be universally valuable and useful.

The other fascinating thing is that a lot of the questions product managers are asking security teams are the same questions an average adversary would like to see answered. As a product manager, when you show up and say, “Tell me where your gaps are, where you’re struggling, what’s not working, and where you get too many false positives and drown in alerts,” you are asking questions that security teams don’t want to disclose to external parties they don’t have a trusted relationship with. It becomes very hard to do customer discovery and, more importantly, prospect discovery. If you already have a trusted relationship, people are much more likely to be open to talking. If you don’t have that trusted relationship, it can be quite hard to convince them.

All of those factors make product management in cybersecurity a little bit harder on every front.

40:06 The Importance of Business Models and Technical Insights

EB

That’s great advice. There are very few other industries where there is an omnipresent adversary. The fact that you need to build trust with the CISO and security team is spot on.

When you think of business models versus technology, what’s your advice there? When we look at the market we think about enterprise customers, mid-market, and SMBs, and there are different go-to markets for each of those. The product could overlap two of those but usually you don’t have a product that encompasses all three. How do you think through that?

RH

At the end of the day, the companies that win solve real problems in a way that is differentiated and allows them to acquire enough customers to grow and prove their model.

When I look at the cybersecurity startup landscape, in most cases companies are started by technical founders who are looking for a technical edge. They are looking for a way to address a problem in technology that didn’t exist yesterday. For the most part, a technical insight is needed to identify an interesting market that has the potential to grow.

For example, if I look at CrowdStrike, the insight that there needs to be a way to move past signature-based detection in a world where adversaries are becoming more mature enabled the company to become what it is today, among many other things. That insight helped them start to look at behavioral detection. For me, that is more of a technical insight than a business one. I think the business model becomes incredibly important because you need to be able to execute well. But especially on the enterprise side, the vast majority of companies start with a technical insight.

On the SMB side, however, I would guess it’s more about finding the right go-to market and business model because there is typically very little cutting edge technological innovation in the SMB market. Instead, you take what already exists on the enterprise or mid-market level and look for ways to repackage it so it’s consumable by somebody who is much less technologically sophisticated.

That said, I don’t think there are many companies who are able to crack the SMB market. Huntress is definitely one example, but aside from them, I would be hard-pressed to find many venture-scale SMB focused companies. It’s usually the mid-market or the enterprise.

43:20 Sector-focused vs. Generalist VC Firms and Selecting Investors

EB

It is challenging. It comes down to your go-to market in SMB and leveraging channel partners, which we’ll get into in a bit here.

You have your angel syndicate. Let’s say a founder has connected with co-founders, started a company, and figured out a problem set. From a fundraising perspective, should they go with a sector-focused VC? Should they go with a generalist? Should they go with a mix thereof? You made a comment in your book that sometimes sector-focused VCs miss enterprise trends because we are so myopically focused on the cyber industry. Elaborate on those two areas for us.

RH

When it comes to deciding which investors you want to work with, you have to talk to the founders of the VC firm to understand their value proposition and, more importantly, to see if they are the kind of people you would be happy to work with for the next five to ten years.

Quite often, many founders get too hung up on the brand name. The reality is that, with some exceptions, VC firms tend to have a fairly similar value proposition. It’s just that some are much more hands-on and looking to actively do introductions, help with fundraising for the next round, help with hiring, and so forth. Others are much more hands-off.

Choosing a VC partner is going to depend quite a bit on the founders and what they’re looking to get out of it. If the founders themselves have a very strong domain expertise and are looking for insight from somebody that has built companies in other spaces, it may make sense to look for more of a generalist VC. That said, I believe that at the earlier stages of a company, it usually makes more sense to work with sector specific investors. Sector specific VCs tend to add much more value at the earlier stages of companies like pre-Seed, Seed, Series A, and so on. Part of it is because it’s a time where you really benefit from CISO networks and domain expertise the most.

Once the company is scaling, it becomes almost inevitable that you want to get out of that sector focused VC ecosystem and work with generalist VCs with larger amounts of capital. But to start, sector focused VCs have the highest chances of being able to understand if what the startup is building makes sense for their specific market. They have seen many similar companies trying to do the thing over time with various degrees of success.

All said, an average founder has to understand the gaps that they’re trying to fill and, beyond capital, what they would be getting from a specific VC and whether they would be a good partner over the long term. I think about VCs in the same way I think about angel syndicates. The question isn’t who is more likely to invest in your startup. The question is who you want to have on your journey. Given where you are in your journey, who is more likely to be useful and add value?

47:28 Successful Channel Partnerships

EB

That makes sense.

One of the stats you have in your book is that $9 out of $10 in security is spent through channel partners. The power of the channel is extremely strong, whether it’s a two-tier model, one-tier model, what have you. We’ve seen it work really well and we’ve seen companies struggle with it. What makes a good channel partner?

RH

Channel partners require a lot of investment from startups. They require a lot of attention and focus. Many founders assume that simply because they have an agreement signed with a channel partner, they’ll suddenly start getting deals. That doesn’t typically happen.

What I have seen work quite well is founders starting by selling direct, then accumulating enough early customers to go to a channel partner and prove people are actually buying. That shows an opportunity to collaborate and for partners to generate revenue by selling their product. It is also often necessary to rebuild the product so there are individual SKUs channel partners can sell to their customers. There is a lot of self-enablement and support that needs to happen on that end as well. Channel partners are not experts on the startup’s product. For them to be able to sell a product, it needs to be accessible and follow their established processes.

The other challenge is that the channel is a fairly competitive space. Channel partners have all the business reasons to resell the products they already know, and they have all the financial incentives to resell products that are not the cheapest because their commissions are higher.

In general, what makes a great channel partnership is two-way communication. Startups need a clear understanding of what the channel partner requires to sell their solutions. Channel partners need to understand what the startup offers and how it is different from the other tools they already have in stock.

50:50 Does Product-led Growth Work in Cybersecurity?

EB

That’s great advice. I think a lot of founders go into it without understanding the incentive structure on the other side and that leads to bad things.

Does product-led growth work in cybersecurity?

RH

I don’t know if product-led growth works in security. Building products in such a way that incentivizes security practitioners to evangelize about solutions, try them in their environments, and talk about them at conferences certainly helps companies get additional eyeballs and word of mouth going.

Does it mean you can build a business by offering self-serve? I don’t believe that’s the case. I absolutely don’t. The reality is it’s a competitive market and an average buyer is going to struggle to understand the value proposition of a specific product and how it compares to another product. You often need to have a salesperson explaining how the product fits into the broader enterprise ecosystem, how it’s actually different than everything else, and what value it offers.

It’s quite hard to prove value with security tools for multiple reasons. On the one hand, security products tend to require sensitive access to a certain environment before they start showing value. For example, if you are selling a code scanning tool, what are the odds you can get an enterprise to connect the tool to its production environment so that you can start surfacing some real findings? The chances are fairly low. Before any security tool can be adopted or even go through a proof of concept (POC), there has to be a security review and a compliance review. Somebody also has to sign off on it. It’s not as simple as creating an account, adding a credit card, and starting to pay.

There is this dilemma where product-led growth (PLG) is just not how enterprises buy security tools, but in the ideal universe PLG could be a great fit for SMBs because their deployment sizes are smaller. It could make the economics of selling to SMB work. Often, as I mentioned before, you have to go through channel partners for SMBs because of how small the contract values are. You would want an SMB to be able to discover a tool, do the evaluation, get started, and start paying. The reality, however, is that SMBs are not sophisticated buyers. They’re not looking for security tools. They often have no way to tell the difference between a VPN and an MDR. For that reason, SMB-focused PLG doesn’t quite work either. So, on either side it’s a tough value proposition. It’s a nice complementary channel because it can build a community around the product, but it is not the way to grow revenue in my opinion.

54:28 How Cybersecurity Companies Fail

EB

Totally agree. Last question before we get into our closing questions. What are the top ways that cybersecurity companies fail?

RH

The main one is falling in love with the solution over the problem. That is, trying to push a specific solution to the market instead of approaching the market for validation and understanding if there’s even a real problem. It happens way too often. People in cybersecurity often have a strong opinion about something being a problem and what an ideal solution looks like. Obviously, it’s the solution they’ve built. They’re often trying to convince investors, buyers, and everyone else that it’s a real problem despite evidence that suggests otherwise. It’s hard to tell the difference between stubbornness and the vision, but I feel like visionary founders should still have a beginner’s mindset and be willing to take feedback and reflect on it instead of just pushing their vision forward without signs that it’s actually being accepted.

EB

We also see companies that never achieve product-market fit. There might be some movement towards it, but it just never matures, for a litany of reasons. There are some investors that will give them money. To your previous point, you have a solution looking for a problem. It becomes this self-fulfilling prophecy. We see that all the time.

RH

The other piece I see way too often is trying to over-optimize for the most mature part of the market that builds tools internally. You see it a lot in the Bay Area specifically. You see a founder that is ex-Netflix, ex-Google, ex-Dropbox, or ex-one of the top cloud native companies. They fall into this rabbit hole of being biased by their own experiences. If you’ve only ever worked in those cloud native, cloud first, venture-backed enterprises and you’ve seen the same problem wherever you go, you start to pattern match. You say, “My previous company had this problem, this company has this problem, a company where my friend is employed also has this problem. This is a big enough problem and I’m going to come and solve it.”

The potential issue there is that you have to go outside of your immediate network to see if that problem is truly commonplace in the market or if it’s something that only the top 1% or 2% of companies on the planet experience. I specifically mentioned Bay Area companies because that’s where you see it a lot. If you are a security practitioner who worked for a large enterprise somewhere on the East Coast, you tend to be a bit more realistic about where the market is. But if all you see is companies that hired their own detection engineers and their own security engineers, it’s easy to become biased and start thinking that’s where the market is. That’s just where 1% of the market is. As soon as you try to scale outside of it, you’ll run into problems. The challenge is that you can actually get impressive logos and enough customers on day one because there are a hundred or two hundred of those really mature security teams. You can get some early adopters and may overinvest into building a product without realizing that the total addressable market is actually much smaller than you think.

59:02 Securing AI

EB

I think that happens way more than we appreciate. There’s a bias there.

Any predictions on where the market’s going for securing AI?

RH

It’s a tough one. I believe that a year or two from now, or even sooner, we will be seeing a lot more adoption of AI for cybersecurity. Whether it’s for vulnerability management, endpoint, cloud, or product security, there is going to be a lot more of it.

That said, I’m struggling to come up with any predictions around security for AI. As one of my friends put it when we were discussing this problem, it’s like trying to build airports before you know what planes are going to look like. We are trying to build security before we know to what degree AI vendors themselves will be providing security for AI. We are trying to come up with a separate security for AI category before we even know what the AI ecosystem is going to look like.

Look at past experiences in security. For example, in cloud security, it’s incredible what companies like Wiz have been able to do. But Wiz started about 15 or 16 years after AWS. It’s taken a decade and a half for enterprises to start adopting the cloud to the point where you could build a large and successful company like Wiz.

For the security of AI, the question becomes if AI adoption will be fast enough for AI security companies to grow as fast as we would like them to. Time will tell.

EB

It’s back to that first mover disadvantage and having to educate the market, educating them on something that’s a moving target right now.

RH

Exactly.

1:01:037 How the Cybersecurity Industry Should Change

EB

It’s difficult. What is one long overdue industry change you’d like to see?

RH

I would probably say the mindset around innovation. I find the industry to be quite divided about the value cybersecurity startups offer. You often talk to security practitioners and security leaders and hear a lot of disillusionment, sometimes even negativity towards security startups. They see VCs pumping money into the industry and see so many startups.

I want us to be more welcoming towards innovation in the industry. The reality is that the number of cybersecurity attacks is growing, and the complexity of different environments is growing. We need more security people and practitioners who are willing to take risks, to propose different ways of solving a problem, and are willing to come out and say, “There is actually a better way, and this is something I have built.” The attitude towards startups outside of the startup community has to change.

The other thing that I believe has to happen is more people who are not security practitioners talking about cybersecurity. RSA is a great example; it’s coming up and there is a lot of excitement about the event. I want to see panels where somebody from sales, partnerships, or finance brings up the importance of cybersecurity from their perspective. There is an echo chamber effect when we have a bunch of security practitioners come into a room and talk about how important security is and how we need to invest in it more.

Everybody has to care about security. For that to happen, we need people who are not security practitioners to echo the message, amplifying it and spreading it across their organizations.

1:03:57 Closing

EB

At the end of your book, you say, “We need people crazy enough to do the work to push the industry forward, but smart enough not to get stuck in the echo chambers of investors, power users, and those who think that the industry will look the same in 20 years, just with more consolidation. We need doers, we need dreamers, and we need builders.”

I think that sums it up. On that note, Ross, thanks for writing this book. For anyone that’s thinking about starting a cyber company or is early in their journey, or if you’re an investor, you should read the book. It’s on Amazon.

Ross, thanks for your continued contributions to the ecosystem.

RH

Thank you so much. It’s been a pleasure.

EB

All right. Best of luck in 2024 and beyond. Thanks.

RH

Likewise. Thanks, Ernie.