Ross Haleliuk
More posts from Ross Haleliuk
Trust is fundamentally about a sense of safety, familiarity and assurance that “everything will be fine.” Faith is built as we address our doubts and the questions that make us wonder if we can rely on someone or something to be there when we need them.
The process of vendor selection in cybersecurity is not very different. What’s different are the questions people ask and the clues they are hoping to find.
What problem is this company trying to solve?
The No. 1 question people ask as they learn about a new tool is: “What problem is this company trying to solve?”
It is on this first step that many startups fail. Intentionally or not, cybersecurity marketing rarely makes it easy to understand what the product does, and equally importantly, what it doesn’t do.
In the rare cases when a company is clear and transparent about where it stands, we’ll see security practitioners getting impressed.
Action items
You should make it easy for people to understand where in the security stack the product fits, what it does and what it does not do. Make it easy to access your help center, technical and API documentation and other materials so that people can quickly build a mental model of your offering.
Does it actually solve it?
The fact that someone is trying to solve a problem does not mean they are actually solving it. There is a lot to be said about the importance of social proof, but the tough part is that security teams often do not want to disclose what solutions they are using and how they fit in their environment, as adversaries can use this information to accomplish their goals.
There are, however, other ways to provide real user feedback and prove that the company does what it says it does:
Action items
Collect customer testimonials and make them easily accessible. If you don’t have any paying customers, ask if your design partners would be comfortable going on the record as users of the product.
Make sure that your testimonials are real and truthful, and that the person who provided the quote is prepared to be randomly pinged by prospects with questions. A good security team will do its due diligence and talk to other customers, especially if the startup doesn’t have an established reputation yet.
Have an easily accessible online community where people can ask questions, talk and send direct messages to one another. It is very common for security professionals to DM their peers to get some unfiltered feedback about the vendor.
Will this company be around a year from now?
It can get incredibly expensive to try and implement new security tools, and organizations are not looking to replace their security stack every year. At the same time, the vast majority of cybersecurity companies are startups, and startups come and go all the time.
One of the most important questions a potential buyer has during the purchasing process is whether the company is likely to be around a year or two from now.
The easiest proxy for this is access to funding: While having access to capital does not necessarily mean that the company will be able to survive, not having it does imply that it won’t.
Action items
On your website and in public-facing materials, mention if your company is venture backed, and if possible, list your investors. This is especially useful for early-stage startups that don’t have any customers, as it acts as another source of social proof.
In demos and calls with prospects, be transparent about where you are as a company and your plans for the future. Sooner or later, the truth will come out, so being upfront will help you earn respect and increase the likelihood of the company taking a chance with you.
Is there a real product? How does it work?
In many industries, it is possible to build an empty web app with some easy flows, launch that as an MVP and start getting customers. Cybersecurity products are more complex, take longer to build and little to no value can be delivered by a half-empty web app.
Security teams usually have a lot of experience working with startups and they know that early-stage companies typically take shortcuts to get to market quicker. Naturally, they need to understand to what degree these shortcuts can impact the value the product offers, and if the startup itself can become a “trojan horse” for bad actors due to its weak security maturity.
Action items
The best way to build trust at an early stage is to start with an open source version of your product that prospective buyers can inspect. While this level of transparency will be quite costly, young startups (say, one year old) will find it very hard to be taken seriously by enterprises if they have no solid reference customer base or design partners.
For a product that must remain proprietary, it is a good idea to implement elements of product-led growth, such as free trials and a self-serve experience, to let security practitioners evaluate the product before they kick off the traditional purchase process.
Make API and technical documentation accessible so that security practitioners can understand how the product works and test it on their terms.
Encourage people to ask questions, submit feature requests and report gaps or bugs in your online community. Be transparent about what the product does not do so that people don’t have to waste their time testing scenarios you cannot (or are not planning to) support.
Can I trust the founders and the team?
There are many important factors that a security team will look at when evaluating a new vendor. However, trust is personal, which is why vendor evaluation is mostly about deciding if they can trust the people behind the startup.
Action items
On your website, dedicate some space to talk about the team: who they are, what brought them together to solve this problem, what they know, where they’ve accumulated their expertise, etc. Look for ways to communicate credibility through people’s stories.
Make it easy for your customers to understand what drives the founders to do what they are doing. Did they experience the problem themselves as practitioners or did they get excited about “hot” valuations in the space and decide to make lots of money?
Answers to these kinds of questions shouldn’t be stated outright; they should be communicated between the lines in the founder’s bio, how they talk, behave and what they pay attention to.
Remember that in security (and in life, in general), transparency is key. By openly talking about what works and what doesn’t, being honest about gaps, whether they can be addressed and how long it would take, and by being truthful, startups can build long-lasting trust and earn goodwill much quicker.
Can I rely on them for support?
It is well understood that startups can’t have everything figured out and there will be gaps. Most importantly, even if everything is working well, given that every company has unique security needs, new requirements and feature requests are inevitable. A major question on customers’ minds is: “Can I rely on the team for support?”
Action items
Make sure your response times are short, regardless of the communication medium. Security teams will look at online communities (Slack, Discord or whatever the company is using) or check public GitHub repositories and the like. It won’t work if there are many unanswered questions or if it takes the team days or weeks to help a user stuck with a problem.
Remember that one of the core differentiators that startups can offer is their ability to provide a good level of support quickly. It may take large enterprises weeks to review questions and support tickets, startups can be much more agile. Seeing that the team is helpful, transparent and responsive can help them trust you sooner.
Invest time in building a comprehensive knowledge base about the product, how it can be used and the like.
How much does it cost?
Decisions about vendor selection are made within the constraints of security budgets. Companies are not simply looking for the best tool, but the one that solves most of their problems while being within their budget. I believe in pricing transparency, but I also understand the desire to have a conversation and/or to get the prospective customer to request a quote.
Whatever path they choose, they must get the pricing information easily and without any hassles. Departing from this principle increases the chances that the security team will waste their time and effort (and subsequently, money) testing the tool only to learn that it does not fit within their budget.
To address concerns like these, make it easy for security teams to understand how much a solution is going to cost and estimate future pricing based on changes in their situation.
Savvy vendors are always looking for shortcuts and ways to completely bypass important steps of the buying journey. That makes sense, since the less time it takes for the prospect to convert into a paying customer, the more money the company will make. What makes less sense are the methods some companies choose to employ to get there.
When the concept of “time to value” became well understood in the cybersecurity industry, many companies realized that what they are actually selling is a warm and fuzzy sense of safety.
The value of these offerings is naturally hard to communicate. The value of a security automation platform is easy to understand: If the time spent performing manual tasks before implementing the tool was X, and the time spent on it after the tool is X minus 5 hours or X minus 25 hours, that’s fantastic.
If the product is selling “security,” it is hard to tell if it’s valuable: Are we okay because nobody is trying to go after us, or is the product doing its job? Maybe we’ve been breached 10 times already, but this magic all-knowing tool didn’t tell us about it.
There is no way to tell, so the smart security providers started adding meaningless charts and dashboards to show how much the product has “stopped and prevented.” While these graphics often look impressive, they do not communicate value, as most customers have no idea what they are looking at and why they should care.
Unfortunately, it’s possible to build trust by pretending that something is there when it isn’t. That is why we are seeing companies celebrate pay-to-play awards, finance getting their “featured” content in pay-to-play magazines and so on. I hope that buyers will become better at recognizing these tricks and we as an industry put some checks and balances in place to weed out the unethical players.
It is important to keep in mind that trust is built over a long time but it can be lost in an instant. Companies looking for shortcuts are likely to lose credibility and reputation in the community even before they can get any traction, which will likely be the beginning of the end of their journey.
Comment