Warning Signs of a Startup in a Downward Spiral

How Can Enterprise Security Buyers Make More Educated Decisions Around the Start-ups They Invest Time and Money Into?

Some information security start-ups bring much needed creative thinking and new ideas to a challenging professional field. Others don’t bring much of anything to the table, and in some cases, can actually harm an organization’s security posture. How can enterprise buyers make more educated decisions around the start-ups they invest time and money into?  Also, how can job seekers considering employment at a start-up understand if they’re getting into a bad situation?

While there is no foolproof way to answer these questions, there are warning signs.  It is in this spirit that I present “eight warning signs that a start-up is in a downward spiral”:

1. Money: As the saying goes, money walks. Many investors are quite good at separating the wheat from the chaff. After all, their livelihood depends on it. There are many factors and variables that an investor looks at when deciding whether or not to invest in a start-up. After enough time has passed, if a start-up has received little to no investment, it’s a red flag that something, or someone, at the start-up is not quite right.

2. Pivots: Start-ups need to pick a problem they are passionate about and identify a strategy to solve that problem. Of course, along the way, there will need to be adjustments and course corrections as new information and data points necessitate them. That being said, if a start-up pivots, or radically changes direction, every so often, that is generally a sign of poor leadership and a poor understanding of the market.

3. Inability to articulate value: When I buy a shirt, I exchange money for that shirt.  As with any transaction, there is a concrete, tangible exchange of money for goods and/or services.  Security vendors, and in particular, security start-ups, are not exempt from this basic tenet. If a start-up can’t explain its value clearly and concisely, that is a big problem. It is going to be nearly impossible to acquire a significant customer base, never mind investors.

4. Poor management: Excellent start-ups have excellent management. It is problematic when a start-up’s management exhibits one or more of these issues:

a. Lack of understanding of the market

b. Lack of understanding of the problem space

c. Lack of credibility in the field

d. Inability to think strategically

e. Inability to articulate value and purpose clearly

f. History of failed ventures

g. Inability to bring tangible results to the business

The above list is not an exhaustive one, but you get the idea. If you find a start-up’s management to fit the above bill, run.

5. Exodus of talent: True professionals, and in particular, those with good professional reputations, will give any job a fair go before calling it quits. That being said, there comes a point when there is no point in staying on in a bad, toxic, or dead-end environment. If a start-up can’t seem to retain top talent, it is a definite warning sign.

6. No tangible results: Have you ever met people who are constantly running around busy, yet never seem to be able to get anything done?  Alternatively, perhaps you’ve met people who spend more time talking about how busy they are than they actually do working?  It’s a warning sign, isn’t it?  The same goes for security start-ups. If a start-up’s management is constantly busy - taking meetings, on conference calls, chasing leads, etc., but there are no tangible results in terms of customers or fundraising, it’s a red flag. At some point, after significant time has been invested, there needs to be something to show for it.

7. Excuses/blame:  I’m sure we all know people who seem to have either an excuse or someone to blame for everything. Those same people seldom seem to be able to take responsibility for things that go wrong. In a start-up environment, these attributes make it nearly impossible to analyze what’s wrong and correct it. If you ask hard questions of a start-up, there should be direct, logical answers to those questions. There should also be a fair bit of humility and responsibility. If instead, you get a sea of words that amount to excuses and blame, it’s not a good sign. You likely aren’t talking to a winner, and you probably don’t want to introduce what they are offering into your environment.

8. False claims: If a start-up has hundreds of customers and dozens of partners, that’s wonderful news. If, however, they claim these numbers when in reality, they have a handful of customers and few or no partners, that is a different story.  Or, perhaps a start-up claims that its product or service can do any number of different things, when, in reality, it can’t. The truth can be sobering, and it is difficult to come to terms with at times. That being said, when a start-up’s idea is solid and the team has principles and values, many people in our field are quite happy to work with that start-up even very early on. Until, that is, they learn that they’ve been misled. Then that loyalty quickly vanishes, for good reason.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.