
Controlled Flight Into Terrain: How Not To Succeed At Cybersecurity Startups by Georgia Weidman

BSides Toronto · 27:01 · 50 views · Published 2022-11
About this talk
Presented on October 8th 2022 at BSides Toronto. Have you ever gotten off the plane at BlackHat or RSA and seen the security vendor ads lining the corridors? Or made your way through a crowded vendor hall with the multistory booths larger and more elaborate than a typical city apartment and thought to yourself, that could be me? Then this talk is for you. Are you ready to never work again and enter the privileged world of successful entrepreneurs permanently on vacation? Just kidding! Are you ready to work so hard any potential reward will come out to well below minimum wage when you calculate the hours, blood/sweat/tears, and mental health crises that went into it? Then maybe it is time to start a cybersecurity startup. In this talk we will take a dive into the exciting world of turning your hacking tool into a successful product company and how to avoid the common pitfalls encountered by the speaker and her merry band of startup world survivors. We will cover exciting topics such as venture capital funding, startup accelerators, and making your first sale. We will also discuss not-as-exciting but equally important topics such as corporate structures, hiring a CEO, and board meetings. Filled with info and direct quotes from real security practitioners turned startup founders, venture capital investors, and serial expert advisors, this talk will get you ready to start down the path of your own startup journey, or run screaming in the other direction.

Okay, hi everybody, I'm Georgia. You might know me from my book. Yes, this is really old. Yes, the new edition is coming out, basically as soon as my boss over here, uh, approved my training requests, because I want to get the latest OSCP materials to make sure I'm teaching to the new test, kind of thing. So there is a new edition coming, so if you win the No Starch raffle, maybe save it for a few months and buy my new book, or not, whichever. Um, you might also know me, I'm typically a mobile security researcher. Sometimes I do speaking and training. I haven't done much of that while COVID, like, I was a speaker at RSA right before COVID shut

down, and this is my first talk after that, so I'm, yes, sweating profusely in terrible fear, so hopefully this doesn't go really terrible. But I'm also, a lot of people don't know this, what might be called a serial entrepreneur. I founded a consulting company and I founded a product, uh, startup. So instead of droning on today about mobile security and why we suck at it, I'm going to talk about how not to succeed at doing the cybersecurity startup. And throughout the talk I have little quotes from, you know, I wrote some people in my network and asked them for, you know, pithy quotes about startups and advice for startup founders. So if you

don't know Ron, he founded Tenable, so like Nessus. So they actually have a very interesting trajectory: they bootstrapped for 10 years. So Tenable was founded in 2002 and they didn't take venture capital (if you don't know what that is, we'll talk about it in a little bit), they didn't take venture capital until 2012, so 10 years of bootstrapping. But then they did raise 50 million dollars in that first round, uh, raised some more money, and in 2018 they did do their IPO, so they are a publicly traded company. You can buy Nessus stock, which I am probably going to do with my next paycheck. Um, so from Ron, he says the pitching companies should only take five slides.

Um, there's actually, um, a slide later on that says don't listen to any advice from anybody, basically. But, uh, so this is, Ron does do angel investments (again, if you don't know what it is, we will talk about it), so if you ever find yourself pitching Ron, I've given you some advice: definitely only use five slides, because that's, um, you know, what he thinks you should do. But it turns out this worked really well, because it worked really well with my next slide, because the five slides you're typically going to use in a startup pitch are these five up here for building a company. So you will pitch a lot as a startup founder, to potential

investors, to potential customers, startup pitch contests, accelerator demo days, you name it. You're probably, if you're a founder, going to spend a lot of time up here. If you're like me and get nervous, well, I've found there's not really anything you can do about it. You're just gonna be nervous and you're gonna have to suck it up. Um, so anyway, um, different venues are gonna have different time lengths. Typically it's shorter than even this 25-minute talk, usually somewhere between, like, three and eight minutes for the pitch, so a little bit shorter, so that helps. So anyway, your typical five slides that are suggested, there's, like, five-slide rules that have this. Um, I mean, the main thing is a

problem. You're going to start a company; typically you want to solve some sort of problem. If you're a cybersecurity practitioner, you probably know a lot about problems, you see them every day, so you probably have a few ideas just off the top of your head of pain points that you have and how you might be able to solve them. So the problem statement is kind of like the big, like, start of the pain point, and then your solution would be, um, you know, what you and your company are going to do to solve that problem. Um, so once you've built your solution, or have a, you know, idea for your solution

at all, and all your friends have told you how wonderful it is and how it's going to be great, you're going to make a billion dollars, um, then, you know, you might want to start looking at founding a company. And one of the things that's definitely going to come up is this thing called total addressable market, which as far as I can tell is mostly entirely made up. The only real rule for total addressable market is it needs to, like everything in startups, needs to be a hockey stick. It needs to go up and to the right, so, you know, you're massively growing all the time. That's really, you know, obscene growth. Like, the thing that makes the

least sense about startups to me is that if, uh, if you're making money, like if you're profitable, you're doing it wrong. Which, this is business, we're supposed to make money, right? But if you're profitable, you're not growing fast enough; you should be spending that money hiring new people, like, spending it on sales and marketing, etc., etc. So a lot of things about startups don't make sense, but most of the math about startups is entirely made up, and this is something that I had a lot of trouble with when I was starting, because I, you know, wanted to make financial documents that actually were somewhat grounded in reality, but the truth is they're usually not. Actually, for mine, for total

addressable market I did, uh, all the people who buy pen testing products and security products, so the Nessuses of the world, and all the people who buy, uh, mobile device management and enterprise mobility management, and multiplied them together and got my total addressable market, which was in the billions and looked great on the slides. But I certainly have not sold anywhere near billions of dollars worth of anything. But yeah, you basically want to convince, you know, potential investors that you are going to sell a lot and that there is a market there for you to do so. Uh, unfortunately the next two parts are a little bit harder: traction and team. Uh, we can't just, you know, sit

at our desk and come up with a great idea to convince potential funders that we have traction. I mean, traction is a really big one, and it's, again, another really big pain point for startup founders, because typically, you know, your funders want you to have, you know, built your team, got at least a minimum viable product, hopefully even have people paying to use it, before they invest in you and before you have any money. We'll talk about money in a couple of slides. Um, but I mean, that's really hard, to get to that point, because, you know, people have to get paid and whatnot, you know, people have to eat. So it's a real pain

point of getting the amount of traction they want you to have. I mean, of course there are exceptions to every rule in this. Um, so I mean, certainly there are instances of, you know, if you've seen that Silicon Valley show where he basically just has an idea for Pied Piper and they're going to give him 10 million dollars: he should have taken it and there should have been no show, like, he's just taking the money. Um, that's all I have to say about that. Um, so anyway, um, so traction: yeah, you're good, they're gonna, you wanna get, like, everybody you know, ask them to, uh, use your product, like, as a beta for, like, a dollar or

something, get some traction. Um, you know, anybody you can get to sign on that you can put on your slide deck, that, you know, like, you know, I would go to Jamie and be like, hey, can you say you're using my product and can I put it on my slide? And then I'd be able to put Ivan on my deck and I, yeah, it would look good. Um, you know, the line between, like, you don't want to lie, but everybody in startups kind of embellishes a little bit, so if you don't, you're not going to win any pitch contests. Um, also, like, at the early stages particularly, your team can be, um, a proxy for some of the traction. Like

if you have a really good, if you have, like, an advisor that has sold a couple companies in the past or has a lot of sales experience, if you have a team that's very impressive to the people who might be funding you, that can be a proxy for traction as well. But we will talk a bit more about team later on. All right, some of you may know Marcus Carey from the startup community as well. Uh, he wrote the Tribe of Hackers books, I think he's best known for, but he also is a sometimes startup founder, went to the same startup accelerator as I did, and he had a company called Threatcare that was acquired by

ReliaQuest, so yay, success. I was not actually an investor in his company though, sadly. And his quote is "there are no rules." So again, I'm up here giving you my idea of some rules and best practices, but, um, again, for every, uh, you know, one of those bullet points, you are going to be able to find an exception where someone was successful doing exactly the opposite. So you have to find what works for you. Um, you know, it may take a lot of trial and error. I think, you know, a side point from this was don't be too entirely set in your ways, be ready to pivot. Um, another good advice for, like, startup

founders is fail quickly, or fail early. So if what you're doing isn't working, be ready to pivot and do something else quickly rather than, you know, digging in your heels. So, you know, be flexible as a startup company, which I realize we as cybersecurity professionals typically are not, um, but, you know, it is what it is. All right, building a company. Okay, this is based, I'm based in the US, so these are U.S. terms, the LLC or Schedule C, um, but I talked to Jamie right before this and he says you guys have similar things, or so, pretty much the same deal here in Canada, I think. So one of the first decisions you'll probably make after you've, you

know, figured out what you're gonna build, um, is what kind of company you're going to be. In the US we're typically LLC or a C Corp. Um, LLC is a lot easier, a lot less paperwork, you can do it online for, like, 100 bucks. Um, the taxes are a lot simpler and all of that. So why would you not want to be an LLC? Um, being a C Corp: if you're going to take institutional investment, so if you get past, like, angel investors (which we'll talk about this a couple slides from now; I wish I would stop hitting the microphone), um, they are going to expect you to be a C Corp. Um, that's just, you know, what they expect.

So you will, you can start out as an LLC and migrate to a C Corp if you get to that point. I mean, a lot of startups, um, never get to the institutional investment part. Um, you know, they're just so successful they don't need it, or they do fine with angels, or, you know, they even just bootstrap. So you may not ever find yourself actually needing to be a Schedule C, so it's certainly reasonable to be an LLC first and then change, because again, it is a lot easier with paperwork and stuff, and there's going to be enough going on that, you know, if it's one more thing you don't have to think about right now, fair enough, right? So as

far as management and HR, see, the unfortunate thing is this is going to be you and your co-founders. Um, you know, you don't have to have HR until you're 50 people. Management, you know, if you're like me and you're more of a practitioner type, I hate managing people. I hired a CEO specifically to do the hiring and firing and all that managing-of-people stuff, because I don't like it, it, you know, it gives me the willies. But unfortunately, like, you're gonna have to take on a lot of this responsibility early on. You're probably, unless you get really lucky, just not going to have, you know, the money to fill all these kinds of positions early on, so

you're going to be left, you know, having to pick up some of that slack. Um, a really big one is sales and marketing. So again, if you're anything like me, yeah, sales and marketing is not something that I'm good at, and I made the mistake of picking a CEO that I could relate to. Like, technically we understood each other, but there was a problem with that. Like, if, if you're, like, sales and marketing, if whoever's going to be in that role, that very important role of sales and marketing, because after all, like, unlike, you know, cybersecurity, where, you know, our goal is to be, like, elite and make people come to our talks, um, in the startups your whole goal is,

like, making money. You actually have to make sales, so that's a very important role. So if the person you have in that role doesn't make you cringe as an introvert, you probably have the wrong person, because you need to, you need somebody who has that personality that, at least for me and, I know, a lot of others, you know, typical cybersecurity practitioners, I mean, really just makes them want to run and hide. Um, but that was definitely a mistake I made. I think somebody who was probably just as much on the spectrum as me as my CEO, and he couldn't, you know, we, when we went to events, we stood in the corner together, so I had someone to talk

to, but we weren't out making sales and things. Um, so yeah, so it's not uncommon to have, um, you're going to have a go-to-market plan early on, um, so how you're going to make sales when you haven't made them yet. But going back to, like, that total addressable market, you know, they're going to be, like, these are the customers we're going to go after. Um, so establishing that your problem, like, this is, say, you know, I was going into a company, like, this would be the person, like, this manager. Or if it's a tool, like, for an individual practitioner, which a lot of us are going that route, where, you know, we've built a hack tool

and now we want to make it a product, but still, like, our typical buyer is going to be, like, the individual on, say, the pen test team. Um, we have to think about, you know, costs on that. Like, if we want them to be able to, like, put in their card and buy it themselves, you know, we're going to be talking, like, maybe a thousand dollars at the most; 500 is better. Um, obviously the more your product costs, the more money you make, but also, like, they're going to have to get, like, I wouldn't be able to buy, say, like, a ten-thousand-dollar product without asking Jamie as well as Tapio and, like, a lot of

other people, so that would take time, and they would have to ask their people, and there would, you know, be a lot more to the sales cycle. So that definitely, you know, comes in. So if you're, again, if you're going to be selling to, like, an individual practitioner, definitely you have to think about, like, what are they going to be able to buy with the least amount of, like, oversight and the least amount of, like, red tape. And again, if somebody in the department buys it, you have to figure out who that someone is, who the advocate in the company is, who is going to understand that pain point, that same problem statement that

you have, and be able to understand, like, your solution, and be able to advocate into that company that has a lot more going on besides buying security products, probably, uh, who's going to be able to advocate for you. Um, and again, if you're a big expenditure, you know, the bigger expenditure you have, you know, you want to be in budget, and, um, you know, you're looking at bigger sales cycles that, you know, are going to be in next fiscal year as opposed to, like, next fiscal quarter, you know, as it gets bigger, because you have to get, um, up more and more approvals. Um, so every investor will figure that everybody knows, like, three to five

people somewhere in security. Like I said, you know, I'll go to Jamie and say, hey, can I even say they're using my product, or better yet, can I even beta my product and tell me how it sucks and how I can fix it. Um, so investors are going to assume you have, you know, three to five people. I ran into the, you know, a problem of being afraid to ask people. As a startup founder you can't have any shame anymore: call in all your favors, get everybody to help you. But anyway, uh, investors assume you have, like, three to five people that will, uh, agree to trial your product and say, you know, this is good. So they're really going to be

looking to see: this is how we get, you know, our first paying customer, this is how we get our first three to five paying customers, this is how we get 10. They definitely want to see growth. Um, this is how we get our first 100 paying customers. Um, so yeah, just having, like, three to five, I mean, certainly it helps, like, having three to five, like, trials, especially if they're, like, big-name companies, um, that the investors may have heard of. Um, you know, that does give you, um, some credibility there. But definitely you want to beat your own Rolodex. Definitely, like, anybody you know, do the spamming thing, you know, have no shame, get, ask

people to help you. Do not be, like, you know, I think we, we have a problem in cybersecurity, we don't like, I mean, we don't like business a lot of the times, you know, we think that's uncool. Um, and we also, like, almost like it's a bad thing to succeed, you know, if you're, like, you know, you want to be, like, elite and underground and whatever, so if you're, like, working for the man and making money and making sales and whatnot, then you're uncool. So, but you got to put all of that aside. Like, actually, grown-up people realize that, like, making money and stuff is actually good. So you kind of have to put aside,

you know, some of the mentality I think a lot of us grow up with, you know, in the cybersecurity community, in order to be successful in business. Um, so yeah, um, there's this big one: fitting your company into a customer's budget line item. Okay, so this is something you might want to keep in mind, because you want to be innovative, right? We all want to be building, like, the newest, coolest things, but if your customers don't have any way to pay for it, like, if it's not in their budget, it makes it that much harder, um, for them to buy it. It's 10 minutes? All right. Um, like, I'll just give a little aside. So, uh,

mobile device management, enterprise mobility management: don't really like them, they're not, I don't think they're very helpful in terms of security, but that's a whole different talk. But when they first came out they had the absolute perfect market, because everything had just changed from everybody's bringing BlackBerrys to everybody's bringing Androids and, uh, iPhones to work. So everybody pretty much, you know, the bigger companies, had a line item in their budget for a BlackBerry BES server, but they didn't need it anymore, because the BlackBerrys were being phased out rapidly by the iPhones and the Androids. So there was actually money in people's budgets for the BlackBerry BES, but, but here was something that, the problem being, we need

to manage mobile devices of the Android and iOS variety, and the BlackBerry BES is specifically for the BlackBerry. So their solution was mobile device management and early enterprise mobility management, and it was a great market, because again, there was a line item there. It is very, very difficult if you have to create a new Gartner category at every customer you go to. I know, because I did it, and it was difficult being, you know, not mobile threat defense, but not really traditional pen testing, but being, like, you know, a completely different category. I mean, it was difficult. All the people, all the time, are like, yeah, I totally get this, this is totally a problem, we

totally need to solve it, but then when it came to, like, finding somewhere in their budget for it, even, you know, at a small price, you know, a lot of times it's very difficult. So if you can find a place where you can fit yourself into the customer's existing budget, basically you want to, instead of being completely innovative, if you can do something, if you can solve a problem better or cheaper that they already know that they have, then that is, you know, your ideal way to get yourself in the door, and then maybe do something completely innovative, you know, as, like, your second product or something. Um, so yeah, um, definitely, like, skills, yeah, that's good. All right, we

should go on to the next slide. All right, quotes from founders. You probably don't know this guy, unless you've, like, seen him wandering around behind me. He's very well known in the startups, but not, you know, he's not really in cybersecurity. Um, so this is Michael, one of my longtime advisors. So: "Everyone will tell you their version of the truth. Listen to all of them, but find your own truth." So I already kind of touched on this. I, I like to say that, you know, when I talk, you know, Michael's voice comes out sometimes. I mean, he kind of took the raw materials of me and turned me more into what's acceptable for a startup founder,

um, so, but, you know, he's on the spectrum too, so that helped, um, you know, because he's kind of had to make the same transition. But basically what Michael is, he is the founder of a startup that I am invested in, but, uh, he's basically a professional advisor, so he advises a lot of different companies (we'll talk about advising in just a moment). Um, but he is basically one of the people who hangs around a lot of accelerators and stuff and helps startups, but he's one of the good guys. We'll talk about the bad guys too. But anyway, all right, need to get moving. Funding a company. First rule of startups: other people's money. Oh my God, I wish I had done this.

When I started doing a startup I had savings; I do not anymore. When Jamie found me I was driving for Uber Eats. I'm not kidding, I was that broke. Um, I did a couple things wrong. I didn't take a salary. You know, you think, you're like, well, let's pay everybody else, but if I take the salary, this money I could have reinvested. And I invested my own savings in the company. So yeah, the company was basically eating my money, everybody in the company was eating my money. It, you know, it led to financial problems. Things are a lot better now, partially because Jamie hired me and I make money again, um, at a lot faster rate. It's, it's

interesting, in your day job, you don't talk about, like, go quit your day job and start a company, but, you know, it's kind of interesting getting paid every two weeks regardless. So I mean, don't necessarily just throw that away. But anyway, so yes, definitely, like, but even Michael, like, you know, from the last slide, you know, he will admit to the fact that he's put, like, over a million dollars of his own money in his own company. There's a very, very hard, like, if you're struggling and you just need to get over a hump, you know, it's very hard not to put your own money in it if you have it. Um, but definitely, like, try to find other

options. I mean, bootstrapping: we mentioned that Tenable bootstrapped for 10 years. That basically means the money that you're making from your sales, um, you're putting back into the company. I mean, that's a perfectly reasonable way to run a business. I mean, it may not be that hockey-stick startup trajectory, but not everybody has to be a startup. The accelerators will tell you this, the only way to exist is to be a startup, but there's plenty of, like, small businesses or big businesses that do bootstrapping, never took venture capital, and everything's great, and they're probably better for it. Two minutes? Okay, I better hurry. Um, government grants, um, yes, talk faster. Government grants are awesome, uh,

non-dilutive funding, like, they won't want stock, so definitely taking government grants if you can get them. DARPA's Cyber Fast Track is certainly not around anymore (that's where I got my start), but there are things like Small Business Innovation funds, SBIR, um, in the US, I'm sure there's something similar here, Silicon Valley Innovation products. Going to accelerators: they usually are going to take a percentage of your company, but they may give you money, and they will give you their network and give you a, like, micro MBA. Friends and family and fools: so this will make for a bad Thanksgiving if you fail, I know. Um, crowdsourcing, I mean, this works better for consumer products. Um, the angel investors,

um, so that's, like, where I'm at, you know, where I make a small investment. I mean, there's a lot of, uh, like, angel groups, um, particularly, like, if you went to a university there's probably, like, an angel alumni association, and you don't necessarily have to have gone to that university to do it. Um, and then, you know, institutional venture capital and private equity, and we need to hurry. Um, so I wanted to get everybody's quote in. This is Dave Merkel. Um, he was CTO of FireEye. He also calls himself the first lady of Herndon. Um, basically it's a long quote, he did not take my advice on being pithy, but basically, you know, the long and the

short of it, um, is that everybody's story has luck. You know, people don't tell it that way later, you know, they kind of tell it as it was predestined, but, um, definitely there's a lot. "You have to stick around long enough to have the luck" is another one of Michael's quotes. And they're going to throw me off this stage, but very quickly I want to talk about advisors and mentors. Typically, you know, if you're more technical, typically the founder becomes the CEO, but you might want to consider moving over to this founder and CTO role and bringing on somebody who has more experience in business and particularly sales, you know, somebody with a more outgoing

personality. Investors really don't like single founders, so if you have any friends at all, um, consider making them a co-founder. Typically early on you're not going to have need for a full, like, financial person, but there are people who do fractional CFO, that's, like, what they do, fractional CFO for startups, so we probably have something like that. Um, a really big part, though, is advisors, you know, people who, throwing me off? Can I have, like, one more minute? Okay. Um, all right, so people who, um, so these are people you're not going to pay up front, which is great because you probably don't have a lot of money, but for, like, one percent of the company or,

um, you know, whatever you work out, um, you know, they will put their name on the slide, you know, as traction or proxy for traction, as well as, you know, help you out. Um, there, I mean, there are some advisors who just hang out at startups and just, you know, take one percent of every company they can find, and you never hear from them again, so that's the bad. On the other side you have really, really great, uh, advisors like Michael, who are not going to be there for just this startup: they're going to help you move, they're going to be at your wedding, they're going to help you with the next five startups. Um, so, you know, you can find really great

people for that. Um, and that's, you know, we're not, unfortunately we don't have time to talk about accelerators, but a lot of what you're going to get out of accelerators, aside from, like, the micro MBA (you know, you do learn about running a startup), is getting their network and meeting a lot of potential advisors. So our last quote: "What was I thinking?" Uh, actually attributed to Michael's roommate, but, uh, every startup ever, every startup founder ever, has said that at some point. All right, so we're not gonna get to talk about accelerators and incubators, so that was really the last thing. They really want to get me off the stage. But anyway, so obviously this talk

went longer than I thought, unfortunately, but I'm gonna try and give, like, a 50-minute version sometime next year. But thank you guys for your time. We don't really have Q&A, but I'll be here for the next couple hours.