First Impression Tips for Security Startups

First impressions matter for people as well as companies. When a security a startup courts customers or partners, it can easily miss the precious few opportunities to set the right tone for subsequent discussions. Having been on the receiving end of a fair number of security startup pitches as a potential customer and business partner, I’d like to share a few tips for making the right first impression in such interactions.

Research Before the Initial Contact

Let’s start with the basics: Perform background research on the organization and individuals whom you’ll be persuading before you initiate contact. I’m surprised how often startups haven’t taken the time to prepare for the discussion and begin the conversation with a phrase like “Tell us about yourself and the challenges you face,” instead of demonstrating that they prepared for the conversation and signaling that the potential relationship is important to them.

In one example of the wrong way to approach a prospect, some person with an infosec title asked to connect to me on LinkedIn. I’m not particularly selective on that site, so I accepted the request. Within minutes, I received a long, canned email that began with the following:

“Thank you very much for connecting on LinkedIn. I assume that you are interested in Product Name Redacted in regards to significantly increasing IoT System Security in IT/OT and if so there is some good additional information in this e-mail.”

It’s a pity when a company loses the opportunity for a meaningful interaction so early in the process. Before reaching out to the potential business partner or customer, do you homework and open with a statement that demonstrates your understanding of the other company’s business and the person’s roles and objectives.

The need to do such homework might not apply when the initial contact is informal and unexpected. Perhaps you meet someone at a social function or a trade show and strike a conversation. However, in some cases, startups that exhibit or attend events can get a sense or a formal list of who might be there, and can perform preemptive research on the targeted companies or individuals.

Establish Your Credibility Early

As you start speaking with the prospect, make it easy for the person to find a reason to take you seriously. Displaying your understanding of the individual’s needs helps with that, but it’s not enough. You need to establish credibility with the other party, assuming that their default state will be that of skepticism. This is especially important for a startup, since its representative generally doesn’t benefit from a well-known brand of an established company.

Why do you believe you or your company should be taken seriously in the discussion? Here are some ideas for your consideration:

  • Have  worked for a company that had similar information security needs as the firm you’re engaging in the conversation? If selling an incident response product, for instance, talk about your expertise performing IR work in an enterprise setting.
  • Do you have experience working for or with the types of organization to which you’re pitching your solution now? If you’re meeting with a healthcare organization, it’s worth mentioning the relevant experiences you might have had in this industry, say with HIPAA and HITECH requirements.
  • Maybe you’ve been involved with other, better-known security companies before joining the startup? For instance, if you’ve held a key role at a successful network security firm, explain how that experience is relevant to your new endeavor.
  • Perhaps you’ve worked for a respected government agency in a role relevant to your startup’s area of focus? Like it or not, organizations such as the FBI and NSA have infosec brands that can reflect positively upon the individuals who used to work there.
  • Were you referred to the person by someone they know? Do you have a common friend or former colleague? A shared connection can help break past the initial defensiveness of someone who’ve heard too many irrelevant sales pitches.

I’m talking about first impressions here, so you only have a minute to present a signal that might appear superficial in another context. Many security professionals hesitate to praise themselves or aren’t allowed to share the details of their earlier projects. However, briefly touching upon your strengths and relevant experience in the beginning of the conversation will set the tone for the rest of the discussion. If the listener doesn’t know who you are or why they should listen to you, they’ll have a hard time paying attention to what you have to say.

Customize Your Elevator Pitch

Startups know about the importance of the right elevator pitch, which is a pithy statement about the company that could be delivered to an investor, partner or customer in the span of a brief elevator ride. The most effective elevator pitch is not only succinct, but has also been customized to the situation and delivered with the understanding of the other party’s needs.

The pitch should clarify the nature of your product and outline its key benefits from the perspective of the other party’s needs. This helps the listener confirm that they are about to engage in a discussion that’s relevant to them. Does your technologi minimize the effectiveness of client-side exploits? Or maybe it helps enterprises find intruders by sifting through security logs? Perhaps it blockades adversaries’ command and control activities? Whatever the benefit , make sure you don’t sound like every other security firm that touts solutions for high-level needs such as compliance, risk management, threat analytics or cloud services.

Clarify how you’re different from other products on the market that the listener might perceive as being similar. Your approach to solving some security problem might be unique, but there are probably other companies aiming to provide similar benefits. Explain how your approach is different (and presumably superior), based on your understanding of the other party’s constraints or priorities. No need to get into details, since you have to be succinct, but it’s good to mention a few key technologies or other means that make your company stand-out.

Don’t attempt to educate the other party about the needs of the industry at large, such as the increasing sophistication of attackers, the challenges of keeping up with vulnerabilities, bring-your-device-to-work trends, etc. During your opening statement you can assume that the person knows this; otherwise, they wouldn’t have agreed to have the exploratory conversation in the first place.

Template for the Opening Statement

You might have only 1-2 minutes to make an impression on the other party. One approach to fitting in all the details outlined above in a brief statement is to use a template like this:

  1. Explain why you’re excited about the potential of assisting the other party with their objectives tied to your product’s value proposition.
  2. Mention a few key challenges that you know the other company is facing and demonstrate your understand of their reason for engaging with you in this discussion.
  3. Clarify why you have credibility in this space and, therefore, have the potential of assisting the other company with their needs.
  4. Share your elevator pitch, briefly explaining the nature of your product in a manner that accounts for the other party’s challenges and objectives.
  5. Pause and let the other person react to your initial pitch, so they become engaged in the discussion and so that you know how proceed with the conversation based on their feedback.

Each situation is unique. There are plenty of scenarios where my tips for forming a good first impressions need to be adjusted. Yet, it’s a good idea to understand and master some rules before you can learn the best way to break them. This post is based on the experiences I’ve had on the receiving end of security startups’ pitches. I’d love to hear from the individuals who were on the other side, since they will probably have a different perspective and tips based on their own interactions.

If this topic is interesting to you, you might like my post on Questions for Endpoint Security Startups.

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more