Security startups aimed at solving enterprise problems face a tall hurdle: the first few clients. Done right, the initial traction builds momentum that leads to continued success.
A lot of compelling security startups struggle to get traction.
Similar to investors looking for strong returns by investing early in startups, enterprise security leaders have an opportunity. Find, champion, and help compelling startups get traction. It’s good for them. It’s good for the industry. And done right, you reap remarkable returns for your organization. You might even find it benefits your career.
A few weeks ago, Chris Camacho (LinkedIn), the Chief Strategy Officer of Flashpoint, joined us on Startup Security Weekly (episode 19). During the conversation he shared his experience as a security leader in the enterprise working with startups. I was instantly impressed with the detail and steps he followed.
I asked Chris to share more on the process -- now with insights from both sides of the desk. Here’s what you need to know.
As a former Information Security Executive, what was the important lesson about budget versus funding you learned?
One, always start with analyzing the right outcome for everyone. If you see an opportunity to solve a problem in a way that benefits one or more people or teams, that is the best way to build a case for more investment. For example, when evaluating threat intelligence vendors, I would consider first those who would supply contextual information that teams even beyond my security team needed -- physical security, supply chain, and so on -- as this further helps make the case for the budget investment as well as the potential human hours needed to make the change.
A lot of this starts with building the right internal relationships not only with your team, but with the leadership team, as well as leaders on other teams across the enterprise. Learn from anyone you can, truly understand and consider their challenges and concerns. Especially in larger organizations, if you can make a strong case for a new approach to security, and can educate your peers and leaders as to the company value and the value they will derive, the funding can be found.
Why are external relationships important to building internal security technology and team structures?
One of the most critical components of good security and threat intelligence is information sharing, whether that is formalized in sharing communities, or sharing groups like we provide at Flashpoint or even ISACs. In addition, peer-to-peer information sharing and best practices are pivotal. If I learned a lesson in best protecting the enterprise from a certain threat or threat actor, I would share that with my peers so that they could apply it as it worked for their organizations; and vice versa.
Many times, you learn about new solutions, namely startups, that are often drowned out by the noise of goliath security vendors. At that point, pay heed to the problems they are solving and, as per the above, determine if they might help you and your peers across the company achieve their goals more securely.
More than just direct industry peers, keep an eye on the people you respect. There are a lot of influencers in our industry that aren’t necessarily CISOs or in technical roles; if you see them move to another vendor, or move from being an end user to a vendor, they likely have spotted something special. Inquire with them about why they moved, and take 10 minutes to learn about the offering.
As a decision maker, how do you evaluate and dig into the focus of that startup, and why is that important?
It’s challenging at first to determine the viability and market need of a startup, especially early on before there are a lot of use cases and industry guidance. But much like the advice given to people moving into a new home, take one room and make it truly yours, make it the most put-together room in the house, and it will set the path for the rest of your move and set-up. Startups need to think about market evolution in the same way. Find a vertical, or a specialty, that truly differentiates you from the noise -- even if others claim to do what you do, you know what you do best. Focus on that area until you are able to build validation points, and that adds to more adoption that eventually turns into market presence.
At Flashpoint, for instance, our first three clients were big financial services institutions, and we focused on their specific needs with our capabilities of deriving intelligence from the Deep & Dark Web as no one else can do, and now we work with seven of the 10 largest global financial institutions, and we’ve used the same strategy with over other specialized vertical - tailoring to their needs, and encouraging sharing within our FP Collab intelligence community so they can learn from each other and tell their other peers. That’s how we’ve grown to more than 100 customers in the short time we’ve focused on the commercial space.
If you want to work with a startup, how do you partner with them to get through the procurement process in weeks instead of the dreaded 12-18 months?
When you’re a startup, doing business with a large enterprise comes down to four elements:
- Be flexible in pricing; sure, we can get funding, but it takes time. Work with me up front and I can make things go faster. This also means making a pledge that if they demonstrate value to you and others, you’ll up their fees in the future -- help them get traction in turn you get value. But don’t hold them hostage.
- Make sure they bring their team to work with you. That probably means facetime with their CEO and founders, and most startups will put the CEO and founders at the forefront anyhow -- the good ones, at least. You’ll use this internally to demonstrate commitment and a reason to get going.
- Honor the two-way street of the relationship. Build the relationship and help create the proof they need. But then you also get access to features and support you need.
- Logistics -- work with everyone to streamline the process. Caution them about pushing back too hard. And look for ways to speed the process internally, too. This is usually where it gets killed if you’re not careful.
Is it worth the effort? Absolutely. Here’s why.
When I decided to leave the financial industry and look for new opportunities, I was immediately inundated with recruitment from peers, CEOs, venture capitalists, and others within my network. Having a good understanding of the security landscape given my background, I already had immediate knowledge of the companies on my short list and who might be the best fit for me and, more important, delivered the best solution in the market.
I was pleasantly surprised at how many vendor and industry peers reached out to me when I left a large financial institution for a startup -- Flashpoint. The excitement and support I received from these relationships I had nurtured throughout my career were immediate validation I made the right decision.
The first week I joined Flashpoint, I was able to provide immediate guidance and strategy based on what I knew my peers needed. Sometimes startups build products based on what the company thinks is needed without ever validating that the need actually exists. An approach of designing offerings to market need and demand, which heavily relies on decision-maker input, is what will make a company successful. This has been critical for Flashpoint as we have pivoted to delivering Business Risk Intelligence to enterprises with actionable and meaningful information derived from the deep and dark web.
Having been a buyer of services and technology for most of my career, I know how hard it is to win and maintain business with any vendor, large or small. Given that knowledge, I urge startups to always innovate. Hire the best people and continue evolving your core business and offering, and continue to include your customers and other decision-makers in your planning. Without this and other approaches, there’s a high risk of being seen as disruptive, only to later be seen as diminished by another company because your solution or strategy didn’t evolve.