The resignation of Target’s CEO last May, after cyber attackers accessed the payment records of 40 million shoppers and Q4 profit declined 46 percent from the year before, was a watershed moment. Corporate officers and directors now had a concrete example of how cyber threats can hit the bottom line – and of how they will be held accountable.
As cyber threats increase – a recent study noted that attacks rose 48 percent this year, with more than 100,000 cybersecurity incidents every day – company directors have responded. Security reviews by the board are becoming standard practice. CEOs are becoming fluent in the language of cybersecurity. CISOs – Chief Information Security Officers – are in high demand and may become directors themselves.
But what will make the board choose your solution? As a cybersecurity entrepreneur, you must understand and answer the questions that company directors are asking.
“Is our company secure? How secure are we?”
Company directors want to know one thing: “What’s the chance that what happened to Target – or to JPMorgan Chase or to Home Depot or, most recently, to Sony – will happen to us?” But the current tools for reviewing security risk are outmoded. On average, a cyber attack takes 229 days to detect. Multi-week penetration testing and vulnerability analysis cannot keep up when developers push software and application updates nightly. Today, company leaders not only need to test systems: They need to test processes, people, and configurations – and must do so on a continuous basis.
Many of the best cybersecurity solutions gather ongoing data and signals from the dark web – the underside of the Internet, invisible on search engines and inaccessible to most users, where cyber criminals communicate – and then correlate the data, match the data to internal markers, summarize the findings, and recommend industry-specific adjustments in risk protection. They also deploy new tools – seamlessly integrating several data feeds – to detect the cyber attacks that have already penetrated the company and suggest how to contain and remediate them. If you can credibly tell directors how secure their company is down to a number and update the number in real-time, they will want your solution.
“Why should I hire you for a single need when a big company can meet them all?”
Most boards prefer one-stop solutions. They would rather entrust technological problems to a single vendor who can resolve issues up and down the stack than parcel out the tasks piecemeal and hope that the puzzle fits back together. But cybersecurity is different from other technology industry segments. Boards want “best-in-breed” cybersecurity solutions because in the event that a cyber attack is successful – as cyber attacks inevitably will be – directors want to be able to say that they did everything they could.
So if you create a very strong point solution, you will get traction – especially if you start with a customer space where the need is pressing. In industries like financial services and digital health, where consumers entrust providers with especially sensitive data, you will find early adopters of new solutions. The median financial institution, for example, already spends as much as $2,500 per employee on cybersecurity. And after the recent breach at JPMorgan Chase, the nation’s largest bank, the search for better solutions will only intensify.
Once you develop a strong solution and build a base of early references, you can expand to an adjacent area where your circle of competence naturally extends. Through this step-by-step method, you may eventually persuade directors to adopt an integrated solution that you’ve developed that meets all of their cybersecurity needs. Palo Alto Networks and FireEye, both founded within the last ten years, have used this approach to rise to the top.
“How credible are you?”
Because cybersecurity is a serious business, you must build your credibility early. Find individuals who inspire confidence – a CEO who has built a security company before, a retired senior FBI official, a VC with a track record of picking winners – and get them to join your board. Most important, get those first ten or fifteen customers. If your solution is good – even in an industry as secretive as this one – people will notice.
Just remember that it is your job to get them to notice. As a cybersecurity CEO, your job is not only to build: It is to sell. Cybersecurity customers value best-in-breed solutions, but given the noise level in the market, you will not succeed with technical wizardry alone. Develop a crisp and memorable message to stand out, and make bold statements if you can back them up. For example, Area 1 Security* says: “We will never allow a phishing email to enter your company.” Successful firms overlay great security products with great marketing to create confidence in their solution.
It’s All About Trust
Cybersecurity is being elevated to the top of the agenda in boardrooms around the world. Directors are worried, and they should be. There are only two kinds of companies today: Companies that have been breached and know it, and companies that have been breached and don’t. For a matter as sensitive as securing company data – often the company’s most precious asset – at a time when the productivity of knowledge workers depends on access to that data across locations and devices, boards need a solution that they can trust.
So internalize the questions – and you will be on your way to becoming the next great cybersecurity company.
Ted Schlein is a general partner with Kleiner Perkins Caufield & Byers. Earlier in his career, he brought to market the first anti-virus software for commercial use at Symantec and was founding CEO of Fortify.
*Area 1 Security is a KPCB portfolio company.