
Not Every Groundbreaking Idea Needs to Become a Billion-Dollar Startup

BSidesSF · 2025 · 29:32 · 127 views · Published 2025-06
Style: Talk
About this talk
Speaker: Ross Haleliuk

The cybersecurity industry has 5,000+ startups yet many key problems are overlooked for not being "venture scale." This talk explores alternative paths (bootstrapping, Silicon Valley Small Businesses) and why niche markets and smaller ideas can drive impactful solutions without unicorn pressure.

https://bsidessf2025.sched.com/event/3f58060b1da8b2363f7088f297f8106a

Good morning everybody. Thank you so much for coming to BSidesSF 2025. We're really excited that you're here. Um I'm going to introduce Mr. Let me say this right Ross Haleliuk. All right. Now what he's going to be presenting today is not every groundbreaking idea needs to become a billion dollar startup. We have approximately 30 minutes. Um, right behind me they have put up the QR code for what we call Slido. So if you have questions instead of speaking to us directly because we are recording audio and video, you can place your questions on Slido. I'll read them if we have time towards the end. Okay. All right. Well, please sir, take it away. Let's do it.

Yes. Uh, thank you so much for coming everybody. It it always is quite a bit of pressure following the keynote speaker. So, uh I will try to do my very very best. Uh today uh as it was said uh what I'm going to be talking about is the fact that not every groundbreaking idea in cyber security has to become a billion-dollar startup. Uh now uh several things about me to make me seem credible and to make it feel like I have the reason to talk about what I'm going to be talking about. Uh I have done a bunch of different things in my career. Uh primarily focusing on product management and go to market. Uh born and raised in

Ukraine, moved to Canada, then moved to uh to the US to San Francisco. Career-wise uh had an interesting journey from fintech to wholesale retail uh uh and and obviously ending up in in cyber security. Today uh adviser and an angel investor uh published uh a book about building cyber security startups uh talking a lot about the business side of the industry and the venture side the go-to-market building startups and so on and so forth and also myself building a cyber security company today. Uh before we begin let's let's have a few notes about the state of cyber security as an industry and many of you have probably seen this slide or maybe a variation of this

slide. So, uh it only highlights the most important or the biggest or uh the highest traction security companies. There is about 4,000 more. And so, if you think about the number of security vendors, it is hard not to think that we've got a lot. uh we have a cyber security startup essentially covering every single problem out there and also a bunch of startups creating problems or covering problems that do not exist. But either way, it does look like the market is crowded and cyber security is most certainly in the air. Everybody is talking about security. Uh Cisco is becoming a cyber security company. uh as you can see on the screen uh from the acquisition of Splunk to Duo Security

and OpenDNS and Sourcefire and many other options Cisco has rapidly been transforming from a networking company into a security company. Google is becoming a strong cyber security player. Uh again the Wiz acquisition is the largest acquisition this uh tech giant has made in its whole history. If you look at the numbers like comparably, it is literally almost the sum of all the other big acquisitions that it has done. Like that's impressive. That most certainly puts security as in into the headlines. And obviously if you have been following the news from Wiz to Splunk to Juniper Networks to Darktrace, Recorded Future and on and on there are billions and billions and billions of dollars that

are are being invested are being are essentially exchanging the the hands in the security space which naturally means that investors are excited. It's no wonder that VCs are excited about security and that there is so much pressure for venture scale exits. Now what is venture scale? We hear the word venture quite often. We hear the words venture scale and I don't think we discuss enough what it actually means. And so the way I the way I often look at it is that venture scale is essentially a potential for a startup to grow to grow very quickly and return high amounts of capital at uh very impressive uh multiples. So if an investor invested a million dollars, getting back 20, 30,

40, $50 million is exactly the desired outcome from their perspective. So venture scale is the ability to generate significant returns and to do it within a relatively short period of time, anywhere between 5 to 10 years more or less. So what is the state of affairs in the industry? I would say that venture scale venture-backed startups quite often win. If you look at or if you look at any of the companies you know uh any of the companies you know as a large player like be it CrowdStrike, Wiz, SentinelOne or any any absolutely any other uh vendor. It sounds like being venture-backed is the the only way uh to win, the only way to compete and the

only way to deliver value and to solve security problems. And it kind of makes sense, right? Since buyers are enterprises, security startups have the pressure to be enterprise ready from day one. Now there is no such pressure in many other industries. In many other industries, companies can start by selling to SMBs and smaller companies and then expand from it. In security, however, uh Okta started by selling to enterprises. CrowdStrike started by selling to enterprises and and many other companies. V started by selling to enterprises. And when you sell to enterprises first, you need a robust product. And the only way you get a robust product is by having enough capital so that you can hire a big

enough team and you can invest in R&D. Uh selling to the enterprise customers requires significant investment. uh the procurement cycles are slow and and uh well very slow. It can take a year a year and a half for for a startup to go through that cycle. And so obviously there is a need for the company to have enough capital to exist for that long to compete. Founders need two things. They need time and they need people. And the best way to buy time is to have enough money on a bank account. The best way to hire the best people, the highest class people, the most experienced people is to have the money on the bank account.

And so cyber security founders go to market and raise capital from VCs. Now here here is the harsh truth. Most security startups are tackling problems that are too small for the venture scale outcomes. And let's talk about it. The venture model requires the problem to be big and it requires the number of people experiencing this problem to also be large and it requires those people to have deep pockets and pay a lot of money for solving the problem. Now in security most problems are fairly niche. A certain number of companies that match a certain criteria will experience the problem where uh if you're a manufacturer, you will your threat profile is going to be very different

than if you are a a SaaS vendor. If you are a cloud provider, your threat profile is going to be different than if you are a retail vendor and so on and so forth. And for that reason, the target market is generally much smaller than what many VCs expect and what many VCs require in order for the venture model to work. Now, this also means that the VC model can often be harmful to security startups because many of them have absolutely no way to ever satisfy the requirements needed for them to succeed and to actually return the amount of capital that VCs require. And what follows is that if we accept that VC path is the only way to

building security companies, we also have to accept that the large number of problems that we experience in the security industry as practitioners is never going to be solved because there is simply not going to be a fit for the venture model. Obviously, that is not a great assumption. There are hundreds and probably more problems that are not venture scale problems. And uh Kane and Rami have written a fantastic article about what they define as sub-venture scale security problems. Uh it's it's amazing that Kane is sitting right next to me. Uh so Kane uh definitely a shout out for the great work and and for putting together this piece. Uh some of the examples they list

is endpoint vulnerability automation. Uh it's the fact that the EDR tools give uh give a security practitioners the ability to get vulnerability data while MDMs have the ability to update packages. But there is often not an easy way to tie those two together and that is something that they have built in Canva. There is the need to solve the downstream HRIS problem where a lot of the identity updates originate in the human resource management systems and often times when those updates get processed that causes challenges for security teams and and for IT teams that need to be solved. There is the need to often essentially rely on the interaction with end users to triage and investigate

alerts. And that can be done by integrating with Slack that can be done by integrating with with other uh solutions. And the way it is often accomplished is by using a SOAR platform and by putting in a lot of effort and that is something that again Rami and and Kane discussed in in their piece as an example of a sub-venture scale problem that needs to be solved. Now there is definitely more than three and even their article lists many more. And the part that is important is that niche problems present a lot of opportunities. They present a lot of opportunities for startup founders to actually do something impactful and uh to solve problems they're passionate about and

also to gener to generate revenue and frankly make money for themselves. So founders shouldn't ignore niche ideas. They shouldn't default to this is how to build a company and they shouldn't think of venture as the only way to do it. And today we are going to be talking about different models that some of which are alternatives some of which are sort of derivatives of the venture scale. The number one model is obviously the traditional VC path like this is the default way. This is the way everybody starts a company. the way everybody's thinking about how to build a startup and and most startups generally follow this route right you get VC funding VC funding provides access for rapid

scaling it it provides an opportunity to scale hiring it provides an opportunity to scale the go to market strategy and uh this is a well suited strategy for many companies but not for all. There are benefits and obviously and and there are drawbacks of following this strategy. On the benefit side this this path, the VC path, does provide a lot of capital for growth. It provides networks for hiring. It provides opportunity for partnerships. It provides opportunity for uh market access. It gives industry credibility because having a TechCrunch article talking about how the startup just raised money from VCs is most certainly a great thing to share on LinkedIn and to celebrate. But the reality is that all of that all of those

benefits, they do also come with drawbacks. They come with drawbacks of having high pressure for scaling and growth. Uh such that many cyber security startups simply end up getting run into the ground trying to pursue uh that path. Uh companies are often forced to expand too quickly more quickly than their runway would would allow them. There are exit pressures, there's founder dilution, there is the loss of control. There are times when uh pursuing this path is a good idea and there are times when when it isn't. In short, if the market opportunity is massive, if the company needs the first mover advantage, if it needs a significant GTM investment, like that is the right way to do it. If however the

founders want a long-term control over the strategy over growth, if the market is too niche or if it is slow moving, there may be reasons not to do it. There's the second model which is often talked about as an alternative to the VC model and it is the bootstrapping model. I call it the hard way. Uh the bootstrapping model focuses on profitability from day one and on finding a problem that companies are willing to pay for solving at the time when the company started. So it requires lean operations, cost control and efficient capital allocation. It often relies on providing services and starting the company by by offering services and then scaling into into a product and investing in development.

Uh there are not too many examples of those companies in the security space. Uh I'm sure uh many of you have heard and and have probably personally used Thinkst Canary, Haroon's startup that is widely known in the security community. Haroon was profitable since year since year one. At this point they have over 2,000 paying customers just under 20 million ARR which is by the way more than many VC backed startups. And uh they are deployed on all seven continents which is a great achievement. Enzyme a relatively new company in network security space is another example. There are pros and cons as with everything. On the pro side the founders get to retain full control of the vision of the

execution and ultimately the direction in which the company is going to go. There is no pressure for unrealistic exits. There is no pressure for unrealistic growth and they get to decide how they want to go about uh building the company and at at at what pace they can focus on building a profitable niche business. On the cons however it is hard it's hard because the growth is much slower like right if there is no injection of capital it takes time you have to you have to generate money before you can reinvest them and that is obviously that does require much more effort than than being venture-backed and and having that capital provided to you. Uh it requires

early revenue which is also something that many companies are not able to pursue unless they start by offering services. It's often harder to attract talent because again uh many people like the TechCrunch articles. There are reasons to pursue and not to pursue it. Uh bootstrapping is a great option to pursue when uh venture scale isn't necessary when there is no massive investment needed from day one and when the uh founders have an existing industry relationship uh with a large number of practitioners or strong networks and obviously if the market opportunity is massive there may be reasons to raise capital. Now the third model the Silicon Valley small business model in security it's not as commonly seen. Uh the whole concept is

that uh you raise you start the company by raising the first round and then you go from there and work towards the future in which you never raise the next round again. Uh this is still a relatively new uh path. I don't know of any startup that has exist that has explicitly acknowledged that that is the the path they're pursuing but there are frankly plenty of startups in the security space that have raised one or two rounds and then turned the company into a fairly successful business. Uh again there pros and cons. On the pro side pursuing this path gives founders full control over vision and execution. There is no pressure for forced exits or unrealistic growth and

it allows companies to focus on efficiency and essentially choosing their own way. On the con side, most investors that would invest in that first round, they do want a an impressive exit. They do want hypergrowth. Uh traditional uh the the idea itself like the model itself, it requires VCs to believe that this is the right path to pursue and generally most investors do not. So this is more of this is still despite being popularized as the new way of building companies especially now with AI that companies can essentially attract a small amount of capital and then uh raise once and never raise again. Realistically speaking uh very few investors will actually agree to do that because the VC

model does imply following a certain path and this is not the path. Uh when to pursue, when when not to pursue. If the market values efficiency over hypergrowth, that could be a good option. If the startup can operate profitably with a small team, if the startup can uh leverage automation AI, that is also another option. And there are also reasons not to do it. If the market is hypercompetitive, trying to bootstrap often doesn't lead to good results because the startup would then be just squashed by their competitors. And if the market favors aggressive expansion, the same idea. Uh there are plenty of of reads and articles about the SVSB SVS model. I frankly find it

incredibly interesting. Uh lastly, uh there is the services model. uh services constitute over 50% of the cyber security industry and it is often given how often we hear about large security companies getting exits and attracting a lot of funding. It's often hard to it's often too easy to forget that the majority of security companies are actually services companies and many of them are doing fantastic in terms of uh obviously in financial terms but also in terms of the impact they're able to make on solving the actual problem. Also, most of the merger and acquisitions in the security space actually happen in the services space. Again, something that is very easy to forget. There are benefits and

challenges of building a services company in security. On the benefit side, founders are able to start generating income quickly. Uh they can start lean and uh avoid ask going out and and asking VCs for investment. But then on the on the negative side, the services companies do tend to have lower margins comparing to SaaS. They the scaling process is much more labor intensive. The scaling is often linear. They need to uh hire more people as the number of business the amount of business they do expands. It is harder to fundraise. It is harder to differentiate. And now of course uh VCs are starting to also become excited for the first time

probably in in the history about the services space right VCs are starting to talk about the services uh the the AI enabled services the services as software and frankly what I have been telling a lot of the founders and a lot of people in a lot of the people in my network this may be probably the only time when you can start a services company and and it would be a venture-backed company and you can actually convince VCs to write you a check and and to do so. If that is something that you have been considering, it's definitely the time. Uh and yes, as I've said, VCs are hoping that AI will change the economics of the

services and so that now AI enabled services may break this traditional link between revenue and hiring more staff. it lead to it would lead to lower operational cost and as a result the bet is that more and more startups by using AI can automate a lot of the manual work and thus achieve a venture scale in the space in which it wasn't uh possible before the however only the time will tell if that will actually happen because if even if AI is able to change the economics of service delivery the question is how will it actually impact the market there have been fair bunch of fairly impressive companies that have been automating have been automating

their service delivery have been able to achieve probably 95 97% of automation and they still have not dominated the market. So the question is will this change with AI? That is an open question. Now not everything has to be a business and in this last part of the talk I would like to quickly cover several areas that have nothing to do with building a business. Uh nonprofits, conference talks, getting involved with standards bodies, open source projects. There are times to pursue each of those, right? If the if the mission is uh public good focused, if it's not-for-profit driven, start a nonprofit. And there are plenty of examples of uh uh people who have done it quite well.

There are plenty of examples of people who have started who have given talks. If an idea is an early stage idea and if you're just looking for feedback, just give a talk. If the topic is valuable but not enough for a standalone business, do that. Why not write a blog, do share some research if the technology would benefit from broader adoption and there is not necessarily uh there's not necessarily a need to monetize it or if the people want contributions from the open uh community, start an open source project like Spire is a great example. Uh there are standards bodies that are also a good way to get involved with the communities. And so I have definitely

overestimated the number of slides I can cover in 30 minutes. So I'm going to nicely skip through some. Uh but again, how do you how do you decide uh which of those options is the best for you to pursue? Think about your motivations. Think about what it is driving uh you and and your decision- making. Is it money? Is it passion? Is it the desire to have impact? Is it the desire of a certain lifestyle? Think about the second the first order of consequences uh for each of those decisions. Remember that there are different ways to be successful and remember that 10% of 100 million is actually the same than 100% of 10 million. That is something that

many founders in the security space particularly in the services realize. Remember that there are plenty of options right? You can have a high impact play and yeah you may not uh make a lot of money. You can also start with the high impact play where you make no money and then end up building a a 2.7 billion security company the way the Marty Roesch and and the team have done with Snort. You can also start by giving talks and uh sharing research and then build a company around it the way the signal founder have done and and uh by obviously offering a lot of insight uh for the community but also building a product that I'm sure many of us use in

this room. Remember there are hundreds of niche important security problems that do need to be solved. Not everything has to be venture scale. Not everything has to be venture-backed. But all of those problems need founders and they need people addressing them. Thank you.

Wow. Wasn't that amazing? Okay, so we do have a couple questions from the audience. Sir, I'm just going to walk over and connect with you. You did pretty good. You wrapped up in perfect timing for the questions. Such a such a strict team of organizers. They just force you to do everything on time. I love this question. I have a very big passion for AI. So, what is the future of AI? Sir, I feel like I am being asked to solve the problems that uh millions and billions of people around the globe have not yet been able to solve. Look, I think the future of AI is bright. Uh I I don't think I have the kind of insight

that anybody else would not be able to offer. I think it's going to transform transform some areas of security specifically. It's going to be absolutely irrelevant in others and only the time will tell which is which right today everybody's uh uh the good news is that I think people are generally very optimistic and they're trying to use it in in in places where it does matter in places where it actually makes a difference. I also think that there are some of the use cases and I'm not going to be calling out the specific ones because I I have friends building companies in those spaces. There are some of the use cases where it probably isn't the best the best uh way to to

solve the problem, but at the end of the day, I think the future of AI is better than the future of AI in security. Thank you. What do you think about taking money from corporations? I think it comes down to the problems you're trying to solve and uh the kind of terms you're getting and uh the the role the corporation would be playing. So uh obviously if you again you can you can look at it from this perspective. If you are trying to become a part of an ecosystem of players let's just say you're looking at uh some of the identity security leaders and you would like to be on their marketplace or you believe that there is going to be that

that is going to be a great distribution channel for you then getting a small amount of money from uh say Okta Ventures may be a good idea. Now uh maybe you believe that the same is true for uh some of the like large endpoint security companies out there and you believe that you can leverage you can partner up you can leverage their networks that is also a good idea. I think many people often overestimate the amount of impact that will have. Uh I I have personally again if you're thinking about cloud providers and and just CSP platforms marketplaces there is definitely a way to build billion dollar companies in that in by just like latching on to their distribution

channels. I don't know if that is true for security where in security being on the marketplace of Okta or CrowdStrike or any of other security uh company isn't really the key to success like you still have to do all the leg work and people aren't just going to buy because you're on that marketplace. So again it kind of depends what you're trying to do. Uh I think many people get uh venture get uh money from uh corporate venture funds believing that if they do so the chances that that company's going to acquire them will go up. I have personally heard like I have had this conversation with many people from from CVCs and the answer I would typically

get it doesn't really work that way because at the time when the company is making the decision of whom to invest into they're just making an investment decision by the time they are looking to buy somebody maybe in the same space they will be looking to either buy a leader or buy maybe a company that is not doing all that well and it is frankly just cheap to to acquire and they wouldn't necessarily pursue the acquisition In fact, as it in the same way as it works for VCs and it works for many other things in life, uh when the potential acquirer knows too much about the company, they may probably be less likely to buy because they would know

they would know everything and how it all works. We have a plethora of questions. So, if we could actually put up uh Ross' QR code to his LinkedIn, that would be helpful. Um let's see. The final question is who is funding 100% of the 10 million firms? Uh, sorry, say that again. Who is funding the 100% of 10 million firms? I'm not sure I fully understand the question. 100% of the 10 million firms. So, if it was if it did refer to this slide. Yes. Uh, this one. Uh, I don't who is funding? So I I think the thought process here was more that if the founders can preserve 100% of ownership and exit the 10 million then

they would get to divide the 10 million and many of the service companies have done precisely that. I have some friends who have sold their services companies and they have done tremendously well because they've never taken any external funding. Now there are some again there are some types of investors but I would say mostly the angels like if you're thinking about making the best decision uh that isn't going to haunt you uh years later with just take some friendly capital from people who believe in you and people in your network maybe security practitioners others other exited founders and in that case you there are still financial instruments where you can arrange it in such a way

that you're not losing the ownership in your company and you're retaining 100% of it. Wow. Thank you so much, Ross. Um, wasn't that amazing? Audience, what a great job did he do. Out of all the applicants for presenters, we picked him as one of our headliners. So, we want to give you from BSidesSF 2025, a little special gift to thank you for your time. We really appreciate you. Give him a round of applause. Right. You did a great job.