Mar. 23, 2020

Advice for Cybersecurity Startups on How to Engage with CISOs in the COVID-19 Era

By John Brennan

Having spoken with many of our friends in the global cybersecurity community over the past several weeks, we've pulled together some thoughts and advice for how startups can best help their customers (and themselves) during this time of unprecedented uncertainty.

Open Modal

Unforeseen headwinds can strain the balance of any ecosystem, even one as robust as that of the cybersecurity community.  For some time now, we’ve been observing both enterprises and startups work diligently to cope with the effects of the COVID-19 outbreak, as each prepare for what is likely to be a prolonged period of uncertainty.

Given our unique position in this ecosystem, our hope during these difficult times is to  contribute positively to the communication and collaboration between cybersecurity entrepreneurs and the customers that they serve. In our role as investors, our portfolio companies lean on us for value-add support and domain expertise, while the broader cybersecurity community, including the many customers in our network, come to us for our perspective on early stage cybersecurity in Israel. These relationships, built over years and rooted in trust, are as important as ever.

And so, over the past two weeks, I’ve spent a lot of time speaking with our portfolio companies, our advisors and our many friends in the cybersecurity world to understand how they are feeling, how we can support one another and how we should coach our portfolio companies to cope with COVID-19’s commercial fallout.

Without discounting the severity of the current situation, we remain cautiously optimistic about the longer term viability of the cybersecurity space, and while that may be of little comfort to founders facing short runway or executives overwhelmed with high priority tasks, my recent conversations have produced some insights that will hopefully serve all of us well in the weeks and months to come.

In that vein, I’ve consolidated advice from our CISO community, many of whom serve as YL Ventures Advisors, on how entrepreneurs can best navigate their relationships with current and prospective customers during these trying times.

Each CISO with whom I’ve spoken has had his or her own reaction to the current situation, but there are certain themes that seem to be universally touted. After consolidating their feedback and advice, I’ve distilled the following guidance for any cybersecurity company thinking about how to engage with customers during this outbreak:

We’re all in this together

  • Everyone (not just you) is adapting to a “New Normal” – many of our advisors have been pulled into task forces to facilitate paradigm shifts in the way their companies do business.  Imagine having 5 calendar days to implement work-from-home guidelines for a workforce of 25K when no such policy previously existed (while fending off aggressive vendors…). There is an immense strain on IT bandwidth right now, especially on security.  Be aware that whatever value you are selling is a small piece of the puzzle for any customer with whom you hope to work. Also remember that your customers are adjusting to working from home, finding childcare alternatives, dealing with at-risk family members, and a whole slew of common issues.  We are all in this together.
  • Budgets are in flux – priority one for most security teams is taking care of the immediate.  Most CISOs with whom I’ve spoken acknowledge that (1) budgets will suffer to some extent, (2) now is not the time to make new purchases, and (3) it’s not clear what the quantitative impact will be on security spending.  It’s too early to know for sure, and it’s hard to make decisions right now on where to allocate funds. Be patient.

Think about long term brand perception

  • Cold calls are not welcome – while most CISOs don’t love cold outreach to begin with, this is a particularly bad time to be spamming the market with your value proposition.  Surely you’ve seen security executives posting on LinkedIn about blacklisting vendors who continue to solicit under the current circumstances; if the influx of tone-deaf communication continues, this trend will only worsen.  CISOs are simply in no position to manage cold calls as they race to support enterprise-wide workforces.
  • Don’t ambulance chase – while it’s a hard time in general to break the ice on new relationships, it’s certainly not a good idea to do so with a panic-driven pitch.  Tactics that lean heavily on COVID-19 messaging are being especially ill-received right now. Even if your solution’s value DOES fit well with the current narrative, focus on value and let customers draw their own conclusions about why your approach is as important as ever.  CISOs talk to each other – and this fear mongering will only hurt your reputation across this tight knit community.
  • Build goodwill – Though the situation is difficult, it does present an opportunity to stand out as a positive contributor.  Public statements and contributions with positive messages and impact are welcome. Consider producing webinars or other types of free content to share useful information.  Consider supporting local clinics or emergency organizations pro-bono. Find ways to build relationships without focusing on sales. As one of our advisors put it, “When the dust settles, the question will be: did you help? Or were you bugging everyone to hit your numbers?”

Strengthen existing relationships

  • Focus on providing value and forget about short-term revenue.  Customers are stretched and stressed. Don’t haggle over things like cost per seat or other metrics that might normally make for a good and honest negotiation.  Do whatever you can to help your current customers; they need it, and they will appreciate it.
  • Leverage your existing relationships to discover what your customers truly want and incorporate that feedback into your product roadmap.  As one Advisor said, “ask me what feature or value would make you more appealing to us when we come back from this outage. That’s an email I might reply to.”  In general, this is a good time to focus on product and R&D; while ROI on GTM activities will be blunted in the short term, dollars into R&D will continue to improve your business.
  • Take time to think about what the world will look like once this difficult period is over: “What can you perceive about the way consumers will behave, and how we will work?  Can you anticipate what the new normal will be, and design for that?” These are valuable conversations for security teams.
  • Talk with customers about their experiences throughout this difficult time. Ask questions about what they are seeing and learning.  Share what you’re hearing as well. It’s a tough time to talk dollars and cents, but security professionals (like all of us) are open to talking.  This is a good time for information sharing.
  • Facilitate communication.  One way to bring value to your existing relationships is to introduce them to other customers in similar situations.  We all have much to learn from each other, especially now. Be liberal with your network, and try to provide value beyond your core offering.

Make no mistake – there are tough times ahead.  There is no reason, however, for your company to weather the storm alone. If you have investors and advisors, lean on them.  While you have likely been singularly focused on your company’s success, others will have a broader view, and their input on budgets, customers, governance, and any number of issues will be valuable inputs to your decision making processes.  This post is mainly about customers, but there are other relationships (e.g. follow-on investors) that also require strategic thinking. At YLV, we have already had these conversations with each of our companies. Our go-forward plans are prepared to withstand difficult days, but our conversations have been full of resilience and solidarity.

We will certainly get through this, and we will very soon again be thriving.  Actions now will not soon be forgotten, and the challenge that each cybersecurity startup now faces is how to build the best business possible, while doing right by the security community.  These goals are not mutually exclusive, and I would encourage all cybersecurity vendors out there to keep both in mind as we move forward together.