My name is Kai Roer and I am a co-founder of a European security startup, and these are my confessions. I hope you will learn from my struggles, and appreciate the choices startups make when security matters. I will share experiences from my own startups (my first was in 1994), and things I have learned by watching and advising numerous other startups around the world.
My company, CLTRe, assesses, builds and improves security culture for customers worldwide. We have a value adding channel partner strategy, which means companies offering security related services to their customers add our products and services to their own. By partnering with service providers around the world, we are effectively reaching markets we would not be able to reach on our own, thus making this a very effective strategy for our company.
Working with partners involves certain risks, of course. There is the occasional partner who’s only interest in short-term profits, using questionable sales tactics to close deals without any understanding of the customers’ problems nor how our products can help them with it. These partners generate unwelcome noise we have to fix – if we learn about it. This, I assure you, can be expensive for us, and the customer, and may result in fire-fighting we prefer to avoid.
Here is one example of how we mitigated that risk. A potential partner, in an undisclosed country, reached out to me to explore partnership opportunities. They sent us much more information than is normal at an early point in the process, including CVs of key team members.
My initial thought was that them sending this information in was likely the result of a business culture that’s different than that in our country. At that point in time CVs did not matter, so I did not open and peruse them (besides, opening email attachments from strangers is a really bad idea).
Instead, I asked my local contacts what they knew about the company (it is a small country, so this was a first check of whether the company is a serious player or not), and whether they knew the persons whose CVs I had received. They did not know anything about the company, nor about the people there.
So, I did some digging through online public records, and it took only a few minutes to discover information about suspicious activities and contacts in strange places. As it turned out, the company was a father-and-son consultancy (nothing wrong there), with bank accounts frozed by government (red flag!) due to insolvency (another red flag!).
All this information was on my desk in a matter of minutes after starting the initial vetting of the potential partner, and all the information was a matter of public record – available to anyone who cares to look for it.
I still wonder about that potential partner’s rationale. Did they mean to scam us out of some money? Could it be that they were serious, and saw us as a potential life-line to bring them out of bancrupcy? I don’t know, because I never pursued that opportunity. What truly puzzles me, though, is whether or not they ever considered that we would be checking up on them before even talking to them?
We live in a world where information is easily available to anyone who knows how and where to look for it. Due diligence is a must, and should be expected. If you know that some information could reflect badly on you, the least you should do is to disclose that information up front.
I don’t mind if you have history – I mind if you don’t learn from your mistakes, and I really mind if you believe we will not enquire about you and your company before we start talking about the potential deal with you. We are, after all, a security company.