Why Starting a Business for a Big Payout is a Big Mistake, Part 1

With economic market uncertainty, cybersecurity companies are struggling with how to plan their exits. Often, security vendors are founded with the idea that they'll become the "next big thing," either through an acquisition or IPO. But as the market cools on the mind-blowing numbers of years past, companies need to rethink their strategies. 

In this two-part article, we'll look at why founding a company for a big payout is a bad idea, and what to do if you're running a company that is ready for the next step.

There is no doubt that cybersecurity is a lucrative field, and one that is primed for innovation. Due to our ever-increasing reliance on technology, companies’ digital attack surfaces are constantly expanding, necessitating the development of new and better-equipped security products and services. These factors, combined, are the lure for many talented technology-focused professionals to want to join the field. And in certain cases — given the right conditions  — some try their hand at starting a company.  

Many a cybersecurity vendor company has been founded by a frustrated tech or security worker who wished they had a specific tool to help them accomplish their work with greater ease and accuracy. As a former analyst, I can’t count the number of times vendor briefings started with some form of, “When I was working as a cybersecurity analyst/engineer/operator, I wasn’t able to accomplish [X] with the tools I had at my disposal. I went looking for it in the commercial market, but nothing did what I needed it to do.  I started my own company to build [X] and solve the problem of [Y]” 

In my mind, a gap in the market is a good reason to build a product and a company. That is, as long as others agree there is a gap that needs to be filled. As the proverb goes: Necessity is the Mother of Invention. 

However, with the security industry growing at such a rapid pace, and the money that continues to flow into the field despite an economic downturn, some enterprising technologists have fast tracked their product idea into a quest for the life-changing sums of money that have resulted from acquisitions and/or IPOs. In these instances, the goal is the exit, not the creation of a great product or service.

Growth of the cybersecurity market

Anyone who has been in security for a few moments has watched its astronomical growth. Let’s go back just a decade or so  — and that’s not even close to the beginning. In 2012, the global security market was valued at $61.8 billion USD. At the close of 2022, the market was valued at $153.65 billion USD and is projected to reach $172.32 billion by the end of 2023. So we know market demand exists.

Looking at the acquisitions market, SecurityWeek reported that 455 cybersecurity M&A deals were announced in 2022. Of those deals, only 62 announcements included financial details, but the total transaction amount for those disclosed deals equaled $63 billion USD. Yes, your math is right. That’s mind blowing. Not to mention tempting for anyone who thinks their big idea will be a big hit with end users or a bigger company looking to expand its product portfolio. Entrepreneurs and would-be entrepreneurs who have big bucks on the brain need only reference acquisitions like Sailpoint (~$6.9b), Datto ($6.2b), Mandiant ($5.4b), any many other “unicorn” deals. 

As for initial public offerings (IPOs), the last year or so has been rough on all types of companies. But if we go back just two years, you’ll see that cybersecurity companies that were able to complete an IPO did very well for themselves. 

Seeking cybersecurity innovation

Without a doubt, cybersecurity needs innovation. What it needs most is new methods and tools that are effective and efficient against cyber attack, unauthorized access, and data leaks. The betterment of the industry should be the real goal. Exit money that accompanies a valuable product or service should be the cherry on top. 

Yet, we live in a capitalist society, and there's nothing wrong with striving for financial success while developing a product or services that benefits cyber defenders. The problems arise when the goal is financial success instead of a good product. We have and will continue to see companies founded for financial gain. Some of them will be commercial hits; others will die before they secure a seed round.

Because the security of organizations’ infrastructures is critical to daily life, it is my personal opinion that technological advancement should be the primary purpose behind innovation. Monetary gain should be a result of a good product or service. It is easy to think, “If a product/service is valuable, it will therefore be a commercial success.” But we all know that isn’t that case. Many good ideas never take off — or take off years after they were first introduced to the market. And many bad ideas sell well because they’re wrapped in shiny packages, because certain investors back them¹, because some analyst or conference declares the company or category the next industry-saving innovation…

Starting a company and building the products and services it sells is hard work. While money doesn’t always follow success, founders who build a company focused on an exit are doing a great disservice to the industry — they’re selling a false promise. They may also end up harming thousands or millions of people, if they’re not careful.  

Not to mention, talk to any cybersecurity founder about their journey and you’ll hear the same thing: Founding a company isn’t for the faint of heart. Your life will be disrupted for years. Your personal finances may be impacted. Your personal relationships surely will. Everything takes a backseat to the business. If that isn’t reason enough to go in with altruistic goals, I don’t know what is. 

And fortunately, some innovators will take their turn at starting a company because they want to change cybersecurity for the better. They want to help the good guys. They want to stop the bad ones. They will pour their blood, sweat, and tears into their companies because they want to make a difference. Some of them will end up very, very rich. The good ones should.  

The wrap up

While it might be tempting to dream of a future where a great idea turns into a financial windfall, this is not an easy path — nor is it guaranteed. Many honest efforts by talented founders have resulted in company closures or acquihires instead of the coveted cyber fame and fortune.

In the next article I’ll detail some of the steps founders need to take to get from the proverbial “two-founders-in-a-garage” to a successful IPO or acquisition. Given the amount of work required, any entrepreneur with dollar signs in their eyes might want to pause and decide if the risk is worth taking. 

1

While too much to take on in this post, the reality is that many cybersecurity companies get funded because investors see a big or quick return on their cash, not because the technology or category of technologies is valuable.