Bits, Bytes, & Barriers: A Start-up’s Blueprint to Stand Out in Digital Defense

The current state of technology worldwide has made cybersecurity solutions a necessity over the past decade rather than a mere optional value addition. This necessity applies to not just larger organizations managing trust for millions of users but also small startups storing personally identifiable information of their user base.

Technology shifts, such as the internet, the smartphone, cloud computing, and now AI, have led to an increasing span of cyber attacks across different cyber assets. At the same time, these shifts provide opportunities for tech entrepreneurs to push the limit and build groundbreaking security solutions. To understand the upcoming trends in enterprise cybersecurity software, let us first look at how the industry evolved. 

The cybersecurity industry is almost half a century in the making

The commercial cybersecurity industry has been growing rapidly for almost half a century and shows no sign of slowing down. At the helm of the ARPANET, a predecessor of the Internet, the “Creeper” was the earliest rendition of a computer virus, operating independently of human control. Thankfully, the “Reaper”, the earliest version of an anti-malware program created by the inventor of the email, eliminated the Creeper.

While both B2C and B2B cybersecurity software were blooming during the 80s, the most powerful security systems were in the hands of the government, responsible for protecting both the software and hardware of the emerging enterprises of the 20th century.

The internet, the cloud, and the smartphone are the three tectonic shifts that forever changed the face of entrepreneurship around cybersecurity. The rising access of the general public to the internet after its onset in the 90s paved the way for cyber attackers to penetrate systems that seemed a distant dream before. With government systems unable to cope with the rising frequency of attacks, entrepreneurs coming out from the recently established big techs found an opportunity to create an industry.

Bottom-up thinking led to the creation of consumer-grade antivirus and antimalware software. However, this approach of creating single-dimensional products for both consumers and enterprises proved detrimental. Cyber attackers evolved, and their tech evolved with them. No matter how antivirus software was updated, attackers always seemed to be one step ahead.

Inefficiencies in on-premise models laid the foundation for cloud computing in the early 2000s. The digitization of businesses created the need for shared computational resources and reduced complexities.

While legacy antivirus players profited, some nifty technocrats noted the need to ringfence enterprise systems. One such company, Palo Alto Networks, launched a highly intelligent “enterprise firewall” as their first product. Riding the wave of cloud computing, it became a catalyst for migrating legacy on-prem infrastructure to cloud platforms, providing trust and security for digital assets. Today, Palo Alto Networks is the largest cybersecurity company in the world.

When smartphones became popular amidst the world’s largest recession, the interactions between end-users and enterprise applications on the cloud became mainstream. Companies needed a way to open the doors of potential customers onto their applications without compromising security. This paved the way for Okta, an identity and access management company, to build products enabling security between the application and the user, such as single sign-on and multi-factor authentication.

Constant innovation and the creation of large companies in this field have made cybersecurity a playground for the next generation of entrepreneurs.

Security has become a must-have for all organizations

Over the past decade, the importance of security has evolved from being a less emphasized requirement to becoming a crucial priority for both enterprises and organizations. This shift has been propelled by several factors, including the widespread adoption of external software and applications, the growing volume of data usage within enterprise and mid-market companies, and the digital transformation of the employee lifecycle. As a result, cyber-attacks and data breaches are no longer just technology concerns but also significant business risks.

Furthermore, regulatory constraints and increased awareness among end consumers have heightened the demand for more effective cybersecurity solutions and products. Cybersecurity startups have experienced a substantial surge, with numerous entrepreneurs launching innovative solutions. Investors have recognized the potential in this sector, making enterprise security SaaS a prominent focus for investment.

Security holds varying levels of importance for different roles within an organization. The following summarises how diverse user personas approach and view different products in this context.

Going downward in the organizational hierarchy of security personnel, from CISOs to data engineers, translates to decreasing contract values. The go-to-market strategy also transitions from a pure-play sales-based approach driven by an executive network to a product-led open-source approach, building credibility around a nifty product.

Consequentially, an expanding market drives further innovation in this space 

Security in the digital realm is of utmost importance for specific industries, while it lurks as an implicit necessity for others. These sectors encompass a wide spectrum, including banking and financial services, information technology, manufacturing, healthcare, retail, government, telecommunications, media, entertainment, energy, utilities, and defence.

Enterprise cybersecurity software’s Total Addressable Market (TAM) quantifies organisations’ cumulative investment within these prioritized verticals to fortify their digital defenses.

By adopting a top-down approach, one can gauge the TAM to be approximately USD 350 billion, representing a colossal and steadily expanding opportunity for enterprises.

Intriguingly, the cybersecurity market is far from homogenous; instead, it is highly fragmented, with a substantial portion of cybersecurity resources allocated towards in-house product development or the engagement of external experts.

Surprisingly, the collective revenues generated by the top 8 cybersecurity firms merely scratch the surface of the global cybersecurity spending pie. Given the vastness and fragmentation of this market landscape, cybersecurity presents an alluring domain for entrepreneurs seeking to embark on new ventures and craft innovative solutions.

Nonetheless, considering that cybersecurity revolves around a singular objective with numerous avenues of approach, it becomes an arduous challenge for emerging companies to carve out a distinct competitive advantage or a clear path to success within this industry.

Cybersecurity entrepreneurs have to be creative to capitalize on this opportunity

After evaluating over 100 cybersecurity startups in India and the US, we’ve realised that the only way a new startup can capture the cybersecurity market significantly and differentiate itself is via moats that catalyse trust with security teams. There are four such moats:

Cross-sell motion

Established cybersecurity stalwarts initiated their journey by crafting a select few products, gradually amassing an initial clientele of enterprises. Over time, they expanded their product portfolio, strategically offering new solutions to their existing client base, bolstering their Average Contract Value (ACV).

The allure of a comprehensive, all-encompassing cybersecurity solution lies in its ability to create customer loyalty, shifting an organization’s focus away from security concerns and towards other revenue-generating endeavours.

Many startups in this domain have embraced a similar trajectory, leveraging this approach to achieve substantial growth and significantly elevate the barriers to client switching. Notable examples include companies like Palo Alto Networks and Fortinet. Conversely, a few well-established enterprises like Akamai have augmented their ACV by incorporating cybersecurity offerings into their pre-existing suite of synergistic services, such as content delivery and cloud operations.

Since many of these comprehensive solutions have already attained a full-stack status, the landscape has become increasingly challenging for newer startups seeking to replicate this level of diversity and scale.

Distribution and Domain Expertise

Another prevalent approach to achieving scalability entails developing case studies within specialized domains, building a reputation for domain-specific expertise, and securing additional clients within that niche. A notable illustration of this strategy is exemplified by Leidos, a comprehensive engineering platform that has cultivated a deep well of knowledge and proficiency in specific sectors, such as defence. Leidos collaborates closely with defence firms and government entities to safeguard their digital assets.

Similarly, many versatile cybersecurity solutions have meticulously crafted robust security offerings tailored to the unique demands of critical verticals, including fintech, healthcare, and retail. This has restricted the manoeuvring space for emerging startups aspiring to scale through this method, as the landscape in these domains is already well-saturated with established expertise and solutions.

Ease of Use

Given the inherently technical nature of cybersecurity products, their utilization often proves challenging for individuals lacking specialized cybersecurity training. This creates a notable opportunity for startups offering products and tools with ease of use, straightforward deployment, and comprehensibility.

One striking example of this competitive advantage can be found in Okta, a company that honed its focus on a specific category – identity and access management (IAM) – and developed products renowned for their user-friendliness. This strategic emphasis on usability propelled Okta to attain widespread adoption within the IAM sector.

Similar arguments hold for companies like Drata and Vanta in Governance, Risk Management, and Compliance (GRC) products. These firms have elevated their Average Contract Value (ACV) by delivering an exceptional user experience by automating compliance processes for standards like SOC2, ISO27001, HIPAA, etc. Their success is underpinned by a commitment to simplicity and usability, setting them apart in the competitive landscape.

Integrations

Another pivotal factor that contributed to Okta’s success was its extensive array of integrations with SaaS applications. By offering organizations the ability to bolster security on widely used enterprise applications seamlessly, Okta enhanced user experiences and established a compelling acquisition incentive.

In a landscape where the utilization of SaaS applications continues to surge, the prospect of offering such integrations emerges as a potent mechanism for newer companies to attract and retain customers, potentially becoming a synergistic driver for their growth and success.

AI will increase the efficacy of identity protection and cloud security software

The objective of bad actors in cybersecurity has shifted from spreading malware and breaking systems to entering systems in stealth and getting access. Over 70% of adversary activity was identified as malware-free in 2022 compared to 40% in 2019, indicating a move beyond malware to get initial access and persist.

Access brokerage has taken off over the last two years. All these are indications of increasing interest and propensity for identity attacks. Identity and Access Management continues to remain a top priority for organizations. While tools in this space have undergone significant and rapid technology transitions, Artificial Intelligence is the key to creating foolproof privilege access and identity management systems. 

With the ability to find patterns in data quickly and efficiently, AI will enable accurate and real-time detection of threats with much fewer false positives. AI-based security tools serve as an opportunity for upcoming entrepreneurs to redefine legacy cybersecurity tools by building smarter tools capable of making adaptive decisions to eliminate live and new threats based on threat data collected over the last two decades.

AI can significantly improve identity protection with the ability to model the digital behavior and intent of every employee within an organization as well as every customer of a company. Penetration testing becomes robust, and strategic decision-making by CISOs becomes much more informed with AI-driven simulations of social engineering attacks. With data and cloud becoming the most critical digital assets in an AI-first world, startups building unique data and cloud security solutions have great potential to scale globally.

---

The persona of founders building cybersecurity tools has also been changing consistently. Unlike at the beginning of the millennium, when cybersecurity tools could be built only by industry veterans who had strong relationships with clients, understood the space, and had access to enormous datasets, the coming decade presents an opportunity for young and highly talented entrepreneurs to leave their mark in the security industry.

While enterprise sales will remain the preferred go-to-market strategy for most experienced founders, the increasing acceptance of open-source security software will allow product-led growth for security tools built by founders right out of college and build credibility. Trust is key within the cybersecurity ecosystem, and an open-source strategy allows you to create that trust with strong evangelizers in the tech community and without any prior experience to show your credibility.