Should I buy from a security start-up?

To prevent and detect incidents and breaches security solution providers have to continuously innovate in order to keep up with the evolving methods and tools of cyber criminals. While most established security vendors have R&D departments that push defensive technology forward, promising innovation in the security industry often also emerges from young and small start-up companies.

Some of these new players deliberately position themselves as a start-up (think of sexy new technology and cool place to work) whereas others realise that the term start-up in the security market might also evoke negative associations (think of shaky product from a company that doesn’t yet know how to pay salaries in 3 months).

Start-up companies can be in different phases of their evolution: some are in the pre-product-market-fit stage and still exploring how to deliver value, some have already found a valid value proposition and are in the process of making first customers (hopefully) super happy and others are already taking additional investor money in to scale production and sales up. In any case, when engaging with a young company you should try to figure out in what stage they’re in to set everyone’s expectations straight.

Apart from an innovative solution (which is probably the main driver of your interaction with them), start-ups have the following advantages over more established players:

• • The team will have full dedication and focus on one single product and do everything to make it outstanding.
  • As an early customer you’ll most likely get full attention of the company including direct interaction with their CEO and product team as well as a say on roadmap and prioritization of features.
  • Potentially they’ll have some flexibility in pricing for early customers. That said, you should be willing to pay for the value you get as the young company is clearly looking for revenue streams and is also seeking to validate their pricing model.

Clearly, there are also risks when buying from not yet established players that can be mitigated to some extent:

• • The product must solve your problem and provide value to you as a customer even if the solution is in an early stage. Product value and quality usually can be fairly well tested in a proof-of-value (POV) phase. Clear specifications and mutually agreed upon success criteria are essential. Young products usually do their job well, but are initially lacking enterprise features (integration, management, reporting, scalability etc.). Make sure to also specify and test these as necessary – ideally in a pilot with real users.
  • Start-ups come with risks regarding company viability. If you can predict a start-up company’s future then you definitely should change jobs and become an investor. For the rest of us, we’ll have to check the founders’ profiles, look at the investors backing them, talk to reference customers, potentially even engage deeper into a due diligence process to assess the economic and technological risks. Inability of the start-up to provide the service over the agreed term should be explicitly talked about and planned for. Exit clauses including roll-back scenarios or code escrow are potential measures to reduce negative impacts.

Whether you can actually buy from a start-up company also depends on your company’s rules of engagement, culture, or more generally speaking, your position in the technology adoption cycle. Maybe your organization is actively endorsing cooperation with young companies and open to buy from not yet established vendors, maybe your company will only buy once the product is in or beyond early majority phase, i.e. has an enterprise ecosystem in place, well established local distribution and service organizations and shows up in analysts’ reports.  Either way it’s well worth looking beyond the Gartner quadrants.