
Why CIOs and CISOs should partner with tech vendor startups? (By François Gratiolet, Business Digital Security)

François GRATIOLET - November 14, 2016

What do US-based vendors such as Cloudpath, Forescout or Pindrop mean to you? Did you hear about French tech ventures such as BlueFiles or Yogosha? Have you tested or even bought these tech solutions?




A bunch of cybersecurity vendors (source: Momentum Partners Q1 2016)

According to Dow Jones VentureSource, a database that reports on global companies that receive venture capital and private equity funding, a dozen cybersecurity startups have each raised $100 million or more in funding since 2014.

The worldwide cybersecurity market (including solutions and services) is in “perpetual” growth. In 2004 it was around $3.5 billion, and according to analysts it is expected to grow from $75 billion in 2015 to $170 billion by 2020. Its CAGR (compound annual growth rate) is estimated at 7.8% for 2019, when it will represent around 5% of overall IT expenditures. The cybersecurity market remains difficult to forecast for analysts because of the growing and unpredictable nature of cybercrime.

Specialists foresee that hundreds of billions will be spent on securing workstations, smartphones and IoT devices, corporate networks and the cloud, over the next five years. Indeed the cybersecurity market is expanding in scope and size, first because of the digitalization of the value chain in many verticals, but also due to the growing adoption of the cloud, OT, and the Internet of Objects, which will ineluctably lead to the inception of new cybersecurity ventures.

Because they need to keep up with changing cyber threats and regulatory compliance requirements, chief information officers (CIOs) and chief information security officers (CISOs) are actively scanning the tech market to find solutions that can answer their expectations. However, because cybersecurity budgets are often quite insufficient, and since attracting and retaining cybersecurity specialists is still a challenge, few CIOs and CISOs actually have the means to ensure an appropriate level of security and compliance. Moreover, corporations will also have to demonstrate the ability to achieve results within budgetary constraints, and the strategic insight necessary to help grow the business. Thus, CIOs and CISOs will increasingly need to excel in innovation, technology, stewardship, and operational efficiency.

Therefore, cybersecurity startups are considered by enterprises because their products meet or exceed the features offered by brand name companies, and the cost can often be lower than that of their competitors.

However, the same major issues are often raised: the startups could suddenly be out of business or acquired by another company, or the brand name is not big enough to justify the acquisition.

Regarding cybersecurity strategies, CIOs and CISOs should, like individual investors, watch the market and its most attractive segments continuously and carefully to capture new “opportunities”. Then, once they have identified a few promising stars, they need to gather and document intelligence on the company itself, its business model and its offerings, through research and direct interviews with the founders. In parallel, they also need to set up a live pilot (and not a gadget POC) for a short period (two months maximum) on a very representative scope. If the pilot is too long or not relevant it will not speak to the business, and it will undermine the innovation efforts by not proving their value.

The following key questions can help:

  • Who are the founders of the startup? Are they seasoned experts in the industry? Keep in mind that being an expert does not necessarily mean one can run a company. Tech, operations, sales, marketing skills and experience must be distributed within the founders’ team.
  • How long has the startup been in business? What was the company’s revenue last year?
  • How is the startup funded? What is the ratio of R&D investments? What are the next big investments? Try to analyze shareholders and understand the founders’ agenda (for instance, do they aim to sell their venture soon to a large vendor?).
  • Regarding the company, who manages operations? How is it structured? How many employees does it have? Where is it located?
  • What is the Unique Value Proposition? What are the targeted customers’ segments? What are the tech partnerships? Is the startup providing comparable or better products than those from more established competitors? How can the given solution be incorporated into the overall cybersecurity strategy?
  • What are their main references? A list of clients might be worth reviewing, and may also be interviewed upon signature of an NDA. This question shall be related to current customers’ satisfaction with the product, whether the cost is proportional to the value of the product, and if they had to do it all over again, if they would still choose this startup.
  • Are the company and its founders trustworthy? Has the company been independently assessed by a third party, and has it got a market trusted certification or a qualified label delivered by local or federal information security agencies (e.g. Common Criteria, qualifications from the ANSSI in France, the BSI in Germany, FedRAMP in the US…)?

The purpose of this analysis is to better understand the startup, to assess business risks, and to start building the necessary confidence between the buyer and the startup. Whatever the results of the assessment, on the customer side, it’s a question of common vision with the founders, of trust, of taking risks, and of commitment.

To that end, the tech vendor startup shall be considered a real business partner, and not only a supplier among a long list, and a part of the vendor’s risk management process. However, not all startups can land on this list. Feedback from CIOs and CISOs will be valuable for the startup to test and enhance its product from a tech and marketing perspective.

In a true business partnership context, CIOs and CISOs will provide support to co-design new features, or even a new product according to their business requirements.

The partnership shall be managed very professionally in a project mode in order to be successful and avoid boiling the ocean. For instance, if the value is not fully perceived across the organization for whatever reason, or if delivery is too poor and slows the adoption, then the CIOs and CISOs must be firm and immediately put an end to the partnership. This is why strict criteria and common objectives must have been shared when starting the business relationship.

Large private and public corporations need startups to innovate and to win the cybersecurity battle, and startups need large corporations to grow and to survive. With startups, corporations will be able to use innovative solutions while protecting themselves against advanced threats targeting their business environments.

