The New Security Playbook: How Open Source and Freemium Can Fuel Rapid Growth in Enterprise Markets

By Ken Elefant, Partner, Sorenson Ventures

That the world has become a more dangerous place is no surprise to anyone who follows the cybersecurity industry. More devices, more data and more surface area, unfortunately, means more vulnerabilities to attack. I’ve been investing in the cybersecurity space for more than 20 years, and I’ve never seen the market move faster than it is changing today.

Bad actors are notoriously creative in coming up with new ways to take advantage of weak digital defenses and cybersecurity lapses. That’s why no one should be shocked when we read about the next massive Solar Winds, Microsoft Outlook, or Equifax data breach. It will come soon enough.

What may be a surprise, however, is how much the business of creating a successful cybersecurity startup has changed over the last several years. Let’s take a closer look at how the security market has evolved and why yesterday’s security playbook no longer works as effectively in today’s fast-paced security environment.

As recently as a few years ago, enterprise security companies could rely on a tried and true strategy to succeed. It went something like this: Build well-functioning products to help large organizations protect valuable assets. Hire a team of experienced security salespeople. Use relationships and trusted referrals to gain access to CISOs and other key decision makers at target customers. Ring the bell as orders came in. Protecting digital systems isn’t optional, and enterprises would typically spend generously to keep their assets safe.

Of course there were competitors, but if your startup combined solid products with a good go-to-market plan and experienced, well-connected marketing and sales team, you had reasonable chances for market success. CrowdStrike, CyberArk and Palo Alto Networks all followed this well-worn path to become industry heavyweights in their respective categories.

Fast forward to 2021. Security founders–and investors–can smell opportunity in the need to defend increasingly critical data assets and systems. Where there is opportunity in the technology industry, there are startups, funding, and competitors, Literally thousands of them.

Enterprises are increasingly moving production workloads to the cloud. Almost every large organization, whether it’s a business, university, or government agency, uses AWS, Azure, or Google Cloud in addition to VMware. For example, big companies these days run analytics, store customer data, integrate with key suppliers, and manage critical operations all in the cloud.

Although cloud transitions can significantly increase productivity and business velocity by allowing enterprises to better focus on core competencies and competitive differentiators, it doesn’t come without its drawbacks. From a security perspective, operating in the cloud means enterprise perimeters are no longer easily defined. How do you protect your data and digital assets when they are amorphous and constantly moving around the globe in hard to track digital bits and bytes?

Data is replicated across many locations. Developers create new applications with extraordinary efficiency. Partners, suppliers, and customers all act in tight unison to reduce costs and delivery times. With all of this frenetic, cloud-induced activity, it’s increasingly difficult to keep cloud configurations, access policies, and privacy controls up-to-date.

Need cloud security? You have more than a dozen options from which to choose. Threat intelligence? Take your pick from any of the 50-plus providers. Network security? More than one-hundred vendors will happily take your order, some of whom handle even the most obscure network security requirements.

The market has become so competitive that enterprise security customers literally can’t escape. Everyone involved in the purchase process, from the CISO all the way down to the security analyst, is stalked on LinkedIn, Instagram, and Facebook. Buyers are bombarded with dozens of daily emails from startups, and big companies alike, peddling cybersecurity wares. Even the poor Chief Security Officer who seeks a moment of respite with a quick game of Scrabble online is overwhelmed with ads for the latest and greatest vulnerability assessment, SIEM, and access management products.

How do these changes impact enterprise security startup founders? In one sense, the answer is simple: The old enterprise software go-to-market playbook no longer works in today’s market. Startups can’t rely on useful products and relationship-based sales to establish market dominance and competitive differentiation. The security world is moving too fast and attack surface areas have become too massive for traditional approaches to work effectively.

Over the past two decades, I’ve been fortunate to have worked alongside some of the most experienced and creative cybersecurity founders from companies like Bridgecrew (acquired by Palo Alto Networks), Prolexic (acquired by Akamai), Gigya (acquired by SAP), Octarine (acquired by VMware), CarbonBlack (acquired by VMware), and AlienVault (acquired by AT&T), among many others. I’ve studied how these entrepreneurs not only innovated in technology areas to meet rapidly growing security threats but also created new product and go-to-market strategies that aligned well with the way organizations discover, try, buy, and use products and services in today’s environment.

I’ve distilled five key lessons from my experience into a short, but effective, playbook that can provide a useful guide that significantly increases the chances for success for up and coming cybersecurity startups in today’s market:

1) Open source community matters.
Build open source products that are accessible–free, well-documented, and fast to install–and easy to use. Be sure they address urgent, hair-on-fire use cases and provide immediate, quantifiable, and tangible results to security practitioners. Don’t forget to build mechanisms to promote sharing and spread among target users. Virality should be built into the product. For example, Bridgecrew first focused on making its open source infrastructure-as-code product, Checkov, useful and easy to share in the community leading to more than one-million downloads and an acquisition by Palo Alto Networks.

2) Commercialize gracefully.
Gradually ease free, open source users into paying customers by incorporating smart pricing strategies that align well with additional high-value services and capabilities that are critical for companies that need more than basic functionality. In one example of this, Octarine provided DevOps teams visibility into cloud-native environments to help identify risks with a freemium solution. When security teams wanted to enforce policies in container and Kubernetes environments, they could seamlessly subscribe to an upgraded, commercial version of Octarine’s product to handle the need.

3) Influencers aren’t just for Instagram
Use key influencers to stimulate interest, activity, and wide-spread community adoption in freely available, easily accessible tools that can be tried and tested by grassroots security practitioners. Don’t leave community adoption to chance. Cloudknox, for instance, has enabled several key partners, such as AWS, Microsoft, Okta, and Splunk, to provide an end-to-end cloud security solution that includes multi-cloud permissions management. This approach helped Cloudknox vastly increase their distribution and market awareness. Influencers can be individuals, or, as in this case, they can be more formal channel partners. It doesn’t matter what shape the “influencer” takes as long as they can help the startup achieve its strategic objectives.

4) Know your customers
Keep your ear to the ground to understand user sentiment and market dynamics. Constantly talk to security practitioners and potential users to immediately identify when community uptake on open source technology has reached the growth inflection point. For example, when Snyk started in 2015, there were already many competitors that helped developers validate open source libraries. The difference was that Snyk understood that developers needed a seamless approach that made the process easy and free to get started. The result was that Snyk quickly attracted a critical mass of users and became the market leader in the space.

5) Find critical mass. Step on the gas.
Once you have just enough users, you’ll want to amplify adoption by efficiently spending marketing dollars on programs that deliver big bang for small bucks. The best founders know that they need to measure the entire funnel, from open source downloads, to activation, to weekly active users, to paying customers, to expansion within customers. Snyk, once again, provides a good case study here. They used a product-led growth sales and marketing strategy that quickly expanded their audience by adding capabilities to find and fix vulnerabilities in containers, application code, and infrastructure as code.

Equally important is knowing which critical mistakes to avoid. Here are a few of the most common ones that I see in security startups.

First, don’t assume that free open source products will gain attention and rapid adoption. The market is complex, competitive, and crowded. It’s hard for even the best products to be found. Products that don’t solve urgent problems, provide immediate value, or make security practitioners company heroes won’t have the necessary viral quotient to spread between prospective users without massive marketing and sales muscle. The foundation for market success ultimately depends on devising effective product strategies.

Second, be sure your pricing and packaging align with user interests. I’ve seen too many companies destroy promising open source technology by implementing pricing for their commercial products that was summarily rejected by users. What seemed like strong momentum was cut short, and ultimately killed, by bad pricing and packaging.

On the flip side, if you combine the right pricing strategy with a great product, the impact can be transformational. Duo Security, for example, started by providing free, seamless two-factor authentication for enterprise Android and iOS users. Once usage took off at companies, Duo bet that the enterprises would pay for dashboards and policy enforcement that helped manage their mobile users. They were right and priced their products accordingly. The result was a $2.3 billion Cisco acquisition that validated their approach.

Finally, don’t waste time focusing on products and services targeted at buyers who don’t have the budget, urgent need, or technical implementation skills to buy and succeed with your products. This is the reason we haven’t seen open source or freemium solutions take off in the IoT security market. The budget, urgency, and implementation complexity currently preclude companies from using an open source strategy to quickly acquire users and commercialize their technology with extended products in this segment.

Cybersecurity is a hot market for all of the wrong reasons: Hackers are taking advantage of more opportunities to inflict huge damage on unprotected organizations. It’s unfortunately true that the digital world is an incredibly and increasingly dangerous place.

The flipside is that cybersecurity market opportunity will expand rapidly for the foreseeable future. It’s a crowded and competitive market, but smart entrepreneurs can take advantage of the evolving strategies described above to dramatically increase their chances for success.