Bob Walters, former CEO of Teros (acquired by Citrix), desribes the process of founding a security start-up in three stages, as reported by John Katsaros from the Internet Research Group in today’s newsletter:
“Bob’s got this great way of simplifying a lot of stuff — in this case we’ll call it Walters’ Law of Startup Security Company Valuation. Walters’ Law basically says that there are three stages of valuation — Stage 1 is proving that there are vulnerabilities. Stage 2 is showing that the “threat” knows enough about the vulnerability to allow exploit (as evidenced by a small number of incidents) and Stage 3 is actual widespread exploitation. The premise of Walters’ law is that if you get to stage one and can convince people that there is a vulnerability, you’re probably able to get beta customers and raise some venture money (there’s a lot of venture investors out there dying to get in on the latest big thing and they’re sure to bite at the chance to get in on the ground floor of a new threat). If you can convince people that there is a serious threat due to the vulnerability, then Walters points out that you’re probably able to find a moderate number of “careful” customers who have big enough concerns about a specific threat and are willing to purchase — not huge sales numbers but enough to make a security company look credible. And then of course there is Stage 3 where real world exploits are publicized and customers are in panic mode (think Spam circa 2004 and Spyware circa 2005). While it’s elusive and hard to predict, Stage 3 is where the big money is for startup liquidity. But most security companies struggle to get to Stage 2 where they wait and wait hoping for the worst (bad guys taking advantage of a vulnerability causing lots of customer pain).”
Compare this to the first three stages in Geoff Moore’s Technology Adoption Lifecycle (from “Crossing the Chasm”). Stage 1 would map to the beginning of the curve, selling to innovators and visionaries, stage 2 maps to the early market characterised by early adopters who understand the business case, and stage 3 corresponds to the ‘tornado’ leading to widespread adoption by the early majority (once a solid base of reference customers have been established and the company has ‘crossed the chasm’).
It seems these models are aligned. So now that you know how simple it is, get out there and start a security company! :)
The Tipping Point: How Little Things Can Make a Big Difference
The Long Tail: Why the Future of Business Is Selling Less of More
Founders at Work: Stories of Startups’ Early Days
iWoz: From Computer Geek to Cult Icon: How I Invented the Personal Computer, Co-Founded Apple, and Had Fun Doing It
Atlas Shrugged
Stick and Rudder: An Explanation of the Art of Flying
Yahoo! Hacks
The Monk and the Riddle: The Art of Creating a Life While Making a Living
The Art of Innovation: Lessons in Creativity from IDEO, America’s Leading Design Firm
The Fountainhead
0 Responses to “Starting a Security Company”