How to build a security tool that sells
In my experience as a CISO in the industry, as well as in my current position as CISO-in-Residence at YL Ventures, an early-stage, cybersecurity-focused venture capital firm, I have been fortunate to provide founders with guidance and insights into the customer decision-making process and help them match unique solutions to tangible problems.
The greatest challenge in my position is helping founders change their paradigm. CISOs are constantly inundated with solutions that are often designed without ample consideration for what CISOs really need (hint: it’s not another dashboard). Founders should listen, rather than assume. The optimal approach would be to ask the CISO what her priorities are, who the various stakeholders are and what other tools exist in her stack, before pitching a solution based on unfounded assumptions. Over time, I compiled a concise list of what founders should focus on when building security solutions that CISOs will want to buy.
Define your target market
First, define your ideal customer. If you target a small to medium business (SMBs), ask yourself – will the customer be forced to roll off your product when they feel they’ve “outgrown” your solution? If your target customer is an enterprise, however, you will have to contend with a larger budget, complex business processes, deeper compliance and vendor security requirements and a need for more specific product capabilities.
While threats may seem agnostic, they impact organizations of different sizes on a different scale. Determine if you’re focused on B2B or B2C businesses, as they differ in what CISOs may be looking for based on the risks they prioritize. Your pitch should focus on specific use cases, be as tailored to the buyer’s requirements as possible and steer clear of broad-risk statements, suggesting that your product solves everything.
Target multiple potential buyers, not just the CISO
Today, executives and C-suite decision-makers are acutely aware of the implications of cyber-attacks on organizational assets and customer data and take a more active role in the security solution budgeting and procurement process. Show these actors how your product is business-aligned and what non-security capabilities your product has that business leaders can leverage to meet their own organizational goals. When I was the CSO at Looker, we focused on security solutions that met multiple needs across the company, even helping other organizations. Security or compliance functions are important to other departments such as IT or Legal, so you should consider having multiple-buyer and influencer approaches before you start marketing your product.
…but don’t forget the CISO!
An example of a successful cross-departmental approach is targeting the Head of DevOps and the CISO. Availability is a key metric for DevOps, whereas security controls may add friction that may lessen uptime. Empower the CISO to not be viewed as a cost center but rather a business enabler. CISOs will need to sell, manage and deploy your product, and designing an effective tool that serves the entire organization integrates with business processes will help them do so.
Additionally, ensure that your product has several specific use-cases, and valuable secondary functions like increasing CISO influence, enhancing user security awareness and contributing to security culture. Unfortunately, I’ve met many startup teams that were solely focused on the technological benefits of their product, ignoring the bigger picture.
Focus on the value you will provide
The easier your product is to deploy and show value, the better chance you have of a sale. The best product demos ensure that deployment is easy, results are generated quickly, and that the customer experiences an “Aha!” moment every single time. Providing value shouldn’t be a question, and neither should your product’s ability to find security issues; the only question that should be asked is – how many security issues will it find? If you haven’t finetuned your exact and defined value, you may not have landed on a compelling, differentiating product that will have market traction due to its features (but maybe due to its price).
Additionally, think about the customer’s needs and their environment. Will your product use an agent or be agent-less, and do you know if your customer prefers a simpler deployment with less overhead or a deeper monitoring use case that an agent may offer? Did you consider whether your product will be SaaS or customer-hosted? How might the customer’s current and future compliance requirements change this? A good rule of thumb is to research thoroughly and think like your customers. For example, a great tool that deploys and focuses on discovery will become a liability for the CISO if it lacks remediation processes.
Focus on the CISOs’ risks, and less on defining yourself through your technology. You should also consider amplifying your value as a startup founder. Feature the advantages of working with a founder company, including innovation, access to founders for feedback and progress on specific requested features and access to technical talent who deeply understand the product.
Make your tool play well with others
CISOs will want to know how your product is deployed and configured at your other customers’ organizations and seek shared knowledge to enhance their own product. This is truly the definition of a “platform,” and a real differentiator. The CISO will need to fully understand what data they are sharing, how it is used and protected and what benefits lie in sharing it.
Many CISOs will be open to sharing as long as the benefit outweighs their own data sharing risk. Your tool shouldn’t stand alone and should communicate with other tools in the CISO’s portfolio. Make it possible and compelling to build against it using an SDK or a flexible API-centric approach. Think about what potential customers are accustomed to, ensuring that your tool can integrate across the entire security stack to other reporting, workflow, and orchestration tools in the CISO’s environment.
Lower costs, greater value
CISOs are burdened daily with complexity. If your tool outperforms and – ideally – replaces two or more legacy tools, CISOs will see its value and will not consider it to be another tool in an already bloated security portfolio. It is entirely acceptable for the vendor to ask the CISO about the budget allocated to this type of solution. You should try to fit into that number and make pricing as predictable and forecastable as possible. It would also be beneficial to assess the budget threshold, beyond which CISOs would need CFO approval to proceed. CISOs don’t want to constrain deployment to save money, but if the CISO will need to recruit or train more people in order to use your tool – your prospects aren’t great.
Low noise/high alert
Dashboards are important but should not be required to be viewed to provide your key service. Your tool should provide actionable intelligence on high risks, filter out unnecessary noise and either bang the security team over the head when it identifies an issue or, where comfortable, remediate the security problem automatically and transparently. Prevention technology works well but fails to address activities taking place beyond the perimeter of your defenses – where most cyberattacks originate. It also fails to detect the threats that have penetrated your defenses and are moving laterally through your networks.
Detection and response, however, are critical to maintaining a healthy security program, allowing the CISO and security teams to resolve threats before they cause critical harm. Additionally, when responding to events or problems – speed matters. Your tool should rapidly assess, analyze and remediate with minimal human intervention in order to validate that the security problem hasn’t already been exploited.
If founders focus on these seven guidelines at the earliest stages of their product journey, they will have a more holistic understanding of what their customers need. Interactions with potential customers should be viewed as relationships with valued partners, building trust rather than selling.
Fostering these relationships can provide founders with immeasurable value from day zero. If CISOs like your offering, they’ll recommend it to other CISOs – an infinitely more reliable sales pitch than your deck. CISOs may also be inclined to hop on as company advisors or, possibly, follow-on investors who will support you through your startup journey. After all, CISOs have seen it all, and know what works – and what doesn’t. Their insights, coupled with strong technology, a sound business strategy and experienced partners and investors to guide them, will help startups succeed in building a product that CISOs will want to buy.