CISO-in-Residence Frank Kim offers some advice based on his first-hand experience as a CISO-in-Residence at an early-stage venture capital firm where he helps founding teams brainstorm what works and doesn’t work for security leaders.
In the rapidly changing world of cybersecurity startups, quickly finding your killer use case can be the difference between success and failure. With so many products and solutions already vying for attention, how can aspiring founders identify the right problem to solve?
The ideation process can be one of the most challenging experiences for early-stage founders. Demonstrating how a product will be used in real-life situations is the quickest and most direct way to grab the attention of early adopters.
Here’s some advice based on what I’ve seen as CISO-in-Residence at an early-stage venture capital firm where I help founding teams brainstorm what works and doesn’t work for security leaders.
Find a Champion
Champions are end users who provide key insight and guidance into product acquisition processes, business needs and other critical information that can help you both discover and describe your use case as clearly as possible. They can also be your biggest advocates.
Your buyer and the user may not be the same person, and it would be wise to identify both and ensure that your product meets each of their unique needs and goals. It is important to find your champion in addition to your ideal customer profile (ICP), and understand the important ways in which these two roles differ. Your ICP will typically be a CISO who will inform your product direction and validation with a top-level perspective. On the other hand, your champion will typically be someone working on the ground who can advocate for your solution from the bottom up.
End users must accept your solution and be willing to work with it for it to make an impact. Even within security, though CISOs hold the purse strings, they aren’t typically involved in the day-to-day use of the products they buy. As a result, they often delegate product selection decisions to their teams. This means that it is just as important, if not more so, to win end users over, too. When they genuinely believe in the value you can provide to their daily efforts, you will enjoy more organic adoption and traction within a company. It is within this pool of people that you can find a champion who can help introduce your solution to the rest of their team and leadership.
To find your champion, it is important to understand who will be using your product on a daily basis. Whose job will it make easier? What department do they belong in? This is where you start.
Once you find your candidates for champion, consider who is the most curious and creative, as well as the most forward-looking and willing to imagine new approaches to old problems. In addition to these traits, this person should be a risk-taker with leadership qualities that make them capable of rallying the troops. They must be able to help their team and leaders understand that the overhead involved in adopting your solution will ultimately pay off. Again, champions must truly buy into your product if you wish to gain their advocacy. This is especially important for organizations and teams that are resistant to change or distrusting of new solutions. Though you may provide them with the tools they need to help explain and demonstrate your product’s value, how convincing they can be will rely on their charisma, influence and capacity to articulate themselves above all else.
It is also important to respect the more personal motivations of your champion. What drives them? What do they dislike the most about their job? Do they love new tech? Are they hoping to transform the culture within their organization? I also recommend finding someone with an expressed interest in innovation and product-building–someone who will not find a partnership cumbersome or inconvenient. Remember, this is a partner you will be working closely with to resolve real problems they face on a daily basis. It is important to nurture these relationships and spend more time listening to their needs than speaking yourself.
Determine the Value Proposition
Most security teams already have existing solutions for a given problem. To get your product noticed and implemented, you need a clear value proposition, and it has to be 10-100x better than what is already being done. This means going beyond providing a faster horse. On the other hand, you may have a novel approach to a problem that people didn’t even know they had. In some cases, this means finding unaddressed white space in the market. As we all know, there are many problems that existing solutions don’t cover. But can you determine if it’s a pressing enough space to dedicate your efforts to?
When pitching to a CISO, it is especially important not to focus too closely on the security value of a solution or its technical merit alone. Our internal research (named CISO Circuit) recently confirmed that CISOs currently value ROI and cost-saving above all other traits in new solutions. Ensure that, in addition to security, you also focus on the business value your solution can provide. Often, highlighting this key tangential value can turn the tide of a decision. Discover how your solution can actually help save organizations money, either by reducing man hours, rooting out dud accounts or streamlining operations.
Also, when pitching to CISOs, it is critical not to get lost in your tech, and to understand how you can add layers of value to their user experience. It is common for early-stage companies to prioritize their technical capabilities over the “so what” of their solution–and it often leaves those they speak with feeling overwhelmed with information. For example, simply providing a list of the detailed telemetry from various systems is meaningless without context and actionability. Security teams already have too much data to deal with. What they need is insight into how to protect their organizations. So, ask yourself how your solution can provide that additional layer of value. Remember that a CISO’s job is not to implement technical controls. Their job is to manage information risk. That’s exactly what any new solution should help them accomplish, and it is important to learn how you can distill data into easily readable and actionable information that security leaders can work with at a glance.
Stick to the Process
Ideation can feel like a never-ending process of turning over rocks. For every 100 rocks you turn over, you might find just a few good ideas. Deciphering everything you hear and turning it into product features that create urgency is what makes it so hard.
Collaborate with as many industry experts as you can by leveraging your professional connections and network. You will want to speak with as many CISOs and prospective end users as possible for insight into market trends, challenges and unaddressed needs. Let them do most of the talking, and know when it’s time to change course or remain firm. There is a fine line between an open mind and being so flexible that you cannot close an idea.
Domain-specific investors with a large network of relevant industry insiders can help widen the pool of people to talk to. This is especially true for organizations that offer ideation processes with both in-house experts and advisory boards of enterprise cybersecurity decision-makers. In some cases, the due diligence process can include at least 3-10 calls with prospective customers without the need for a term sheet. For that reason, I highly recommend researching potential early investors thoroughly even before you have more than an idea to pitch.
Of course, independently, it’s imperative to stay curious and conduct an extraordinary amount of research on your own. You can never know enough, and needs and attitudes towards new products are constantly evolving.
Take nothing for granted, keep your mind open and, if you haven’t started already, start making those calls.