How Can Cyber Startups Win Customers and Influence CISOs?

It is notoriously hard for startups to break into an established marketplace, and there are additional challenges for cyber startups, who aim to sell into a world that is focused on secrecy and access control. 

So how can startups succeed within a culture of risk management rather than the more common “move fast and break things” approach to innovation? In a recent CyLon Insights report “Signal From Noise: How to Win Customers and Influence CISOs”, we surveyed CISOs and senior security decision makers from across the CyLon network. We asked CISOs for practical advice and insights in three fundamental areas:

  • How to get a new product in front of CISOs;
  • How to conduct pitches and conversations with CISOs;
  • How startups can make sure they are providing what CISOs really need.

How to get the right attention
CISOs are sometimes proactively seeking out a specific solution or technology, and many look to cyber accelerators, attend demo days, and spend time “round the edges” of security conferences, in small innovation zones rather than the main expo strip.

Programs such as CyLon were among the most frequently mentioned ways of finding product “gems”. By keeping up with cyber accelerators, events and funding news, CISOs are essentially outsourcing the first stage of finding new vendors to other experts, and then selecting from within an already-approved bunch.

Specifically, CISOs mentioned that they make a note of startups winning cyber awards, and use resources like Cyber Startup Observatory and M&A updates from consultancies such as Momentum Cyber.

Some of these sources of attention cannot be impacted by even the most proactive startups, but it is important for startups to focus marketing and sales energy, time and budget in the right place. This means attending the right events (Ignite, BlackHat and RSA Conference to name just three), applying to appropriate accelerator programmes and networking.

As one might reasonably expect, no CISO finds their next purchase from a cold-call or a cold-pitch, so startups would do well to steer clear of more traditional product sales techniques. If a pitch can be put into a clear and succinct email rather than requiring an in-person meeting, that is always the better approach, according to those we spoke to.

How (not) to pitch
An overwhelming proportion of cybersecurity pitches miss the mark. Three quarters of the CISOs we heard from said fewer than a quarter of the pitches they receive are “very good”.

Unfortunately, startups seem to be falling at the first hurdle since it’s not just a matter of poor presentation or pitching style; the most common mistakes are the fundamentals of selling a product. CISOs frequently see pitches with unclear messaging and many reported the common mistake of failing to specify what differentiates the product from others.

Few CISOs have noticed gaps around business plans in pitches, and only a small number reject products because the business seems too risky. It is obvious that startups are good at selling their business ambitions, which has become a key element of any pitch deck, but a lot of improvement is needed on communicating about the product and the use cases.

The most common reason we heard for why a CISO rejects a product is because it doesn’t actually solve the problem they were expecting it to. When asked open-ended questions about the common mistakes they see in startup pitches, CISOs freely offered comments about confusing or unhelpful information, including:

  • Clarity on market problem, urgency, willingness to pay and how pervasive the market problem could be
  • Tech focus not business solutions
  • Unclear value and real-world application and quantification of efficacy
  • Doesn’t actually tell me or show me what it does
  • Assuming knowledge or lack of knowledge in the audience

What was clear was that startups need to do more work to understand CISO priorities, business challenges and product requirements so that they can pre-emptively answer the questions CISOs have before they even have to ask.

How to solve real business problems
Telling a technology startup to stop focusing so much on technology seems like counterproductive advice, but this is exactly what CISOs unanimously said would improve communication between themselves and technology vendors.

Time and time again, CISOs we spoke to petitioned startups to “focus on the business problems” rather than selling their technology.

In interviews, the decision-makers explained what they meant in more detail. The key, they said, is to answer the question “how does my product help the cybersecurity team?” and not “what does my product do?”

A startup might think it’s obvious why it is helpful for a CISO if a product “stops advanced threats”, but simply stating a product feature (or result) does not explicitly explain the business value.

It’s also important that startups address the pressure on CISOs’ resources when they make their business case, since this is one of the main motivators and priorities across many sectors. Vendors should demonstrate the business value, rather than just give a list of technical specifications.

Closing remarks
For a new cybersecurity vendor or startup, getting the attention of CISOs who are overwhelmed with pitches might seem like the crux of the challenge, but the tips to stand out from the crowd are easy to implement: no sales calls, appropriate networking and succinct methods of communicating the important product features.

The harder hill for vendors to climb is how to approach cybersecurity the way that CISOs do: as a business problem, with opportunities for greater efficiency, cost-savings, and valuable business insights.

To truly create a synergy between a company’s cybersecurity team and technology vendors, conversations need to shift from focusing on technology innovation to a deeper engagement with how these technologies will support and improve the business strategy moving forward.


This is part of a blog series provided by CyLon, who find, grow and invest in the world’s best emerging cyber businesses, via its tailored acceleration programs in London and Singapore. Since 2015 CyLon has supported more than 80 companies and has a portfolio of international companies valued at more than £400m. 

