Conventional wisdom dictates that startups should speak to as many customers as possible before building their product. Cyber startups pursue this guidance with a competitive zeal, more so than I’ve seen in any other industry. There is a good deal of merit in this advice, customers can help define your solution and help you better understand your market. Yet, I’ve come to believe that this technique of validating one’s idea also comes with considerable risk which I would like to explore here. I know that there are a number of strong teams out there in the process of ideating. For them, I’d like to offer an alternative approach to validating your startup idea.
As the title suggests, I’d start with speaking to fewer CISOs.
Cyber startups are known to parade the number of validation calls they perform with CISOs. Often they present this in a slide during investor meetings. Their perception is that the more CISOs they manage to engage to validate their idea, the better. But more is not necessarily merrier. More can often mean riskier.
Over the last few years we have observed waves of security startups that are founded, with the same idea, within a very short period of time. We observed this in the DSPM space, the SOC Automation space, the Security Stack Optimization space and the LLM Security space as well as others. It is no coincidence that these waves of companies are being founded within such close proximity of one and other. In my opinion, it is a result of early-stage teams journeying the same meeting circut with the same group of CISOs. In other words, founders are speaking into an echo chamber of ideas. This process is sometimes initiated by founders themselves accepting conventional wisdom, but other times these processes are being offered to founders by investors. In both cases, I would caution founders from taking this journey.
These CISOs are discussing the same problems that they are experiencing with multiple startups. In some cases, they are also discussing new and interesting ideas they heard from a startup they previously spoke to. The result is incredible congestion and competition in very early markets. Startups shouldn’t be afraid of competition, competition can be beneficial in a number of ways. What we are seeing though is beyond healthy competition. There are often 15 companies pursuing the very same idea. By speaking to as many CISOs as possible at this stage, Cyber startups are risking being part of yet another wave. Or, risking inadvertently catalyzing a new wave that is based on your unique idea.
CISOs are able to tell you about problems that they are facing in their day-to-day work, but are not necessarily best positioned to describe the problems of the future. For startups who are only beginning their journey now, knowing today’s problems is somewhat too late. It will take that startup at least two years to develop a product mature enough to sell to enterprises, therefore starting to build a solution that will only be ready in 2 years, for a problem that exists today is arriving too late to the game. There are likely a number of other companies who have predicted the existence of this problem years earlier and are better positioned to meet demand with a mature solution.
How should startups validate then? While this could be an entire blog post itself, and perhaps one day it will be, I would just offer a few things that I have seen work better than the CISO circuit.
Think about the future rather than the present. In other words, rather than trying to find evidence of problems that exist today, think about how the tectonic plates of the tech industry will move over the next few years, and what problems will arise in this new reality. Let this future world infrom your vision for what security problems may exist.
Look back through your past experiences and the pains you felt as a practitioner. The best ideas are the ones really experienced in the field. Try to revisit these problems with a clean and clear perspective and consider why they have not yet been solved and whether there is still an opportunity to solve them.
Consider what your area of deep expertise is and where you and your team have some sort of competitive advantage. This is always a strong position to start your ideation.
Obviously, Startups need to speak to their future customers. But this should be a constrained effort. Speak to a few, trusted, potential customers who you know have real domain expertise in the market you are building in. Be cautious about allowing their feedback to overinfluence your direction, rather consider it as one of a number of datapoints.
Ultimately, I do not believe that strong ideas arise as a result of some analytical ideation or validation process. These types of processes lead teams to ‘group think’. Founders rather need to use a combination of their past experiences, intuition and ability to forecast to come up with something truly appealing and unique.
The post Sometimes its better to speak to fewer CISOs appeared first on TLV Partners.