March 07, 2023 · 8m read

Should you start a company in security? — a discussion with Haroon Meer, Zane Lackey, and Ryan Noon

Material Security 

@material_sec 

Haroon Meer of Thinkst Canary, Zane Lackey of Signal Sciences and a16z, and Ryan Noon of Material Security offer their expertise and insights on the pros and cons of starting a company in the security field, as well as practical advice and lessons learned from their own experiences. Whether you're a seasoned entrepreneur or just getting started, this discussion is a must-watch for anyone considering venturing into the world of security startups.

The blog below summarizes the live discussion. It has been shortened for ease of reference. For the full talk, see the video above.

Q: There are a lot of different kinds of entrepreneurship in security. What are the patterns you’ve observed in the industry that work well?

Zane Lackey: There is no right or wrong answer when it comes to entrepreneurship in the security industry. The key is to ensure you match what you want to do with how you fund or build your company. For instance, running to VC funding may not be suitable for some individuals if that is not the type of business they want to develop or can run successfully. It’s important to find what you enjoy and build your company around it rather than put funding above everything else.

Haroon Meer: There is no one-size-fits-all solution to entrepreneurship in the security industry. However, individuals should follow their contribution instead of just their passion. In other words, they should focus on what they are good at and what the world needs. While following your passion may be fun, it does not necessarily move the industry forward significantly. The key is finding a sweet spot between what you enjoy doing and what the world needs.

Ryan Noon: I try to spend a lot of time with early-stage founders, especially those who are just starting to think about raising venture capital. When people come to me, they often already have their minds made up about everything, and I try to help them take a step back and think about what they really want.

When looking for people to work with, I find individuals with a deep passion for their work. I look for someone who loves their class project more than getting an A in school. It's that ownership mentality that really stands out to me. Starting a company is not just a job ladder or a way to be your own boss. It's a challenging journey that requires personal growth and a desire to make something meaningful exist in the world. I caution against starting a company just because you hate your boss or want to be your own boss without fully understanding the responsibilities that come with it and where that will ultimately lead.

Overall, I look for individuals who don't necessarily fit into a traditional job or career path and are willing to take a random walk through their careers, exploring opportunities and seeing where it takes them. Starting a company is really challenging but it’s definitely a gift.

Q: There are a lot of people who want to know about fundraising. Should you go the VC route or not? 

Haroon Meer: Despite the fact that people think I am totally anti-VC funding, I’m not. I just don’t think that it should be everyone’s default. That’s not to say I don’t think people should make big companies that take on the world. I’m just increasingly not convinced that VC funding is the best way to get to that.

One of the main reasons I like hackers to build companies is that almost everything in company-building can be hacked. Being a founder is largely just which things you hack on any given day. So I’m always surprised at how many steps people take as laws of nature, laws of physics when they’re not. And one of them is funding. Certainly, good or bad, it changes certain directions or makes certain directions more likely. 

My take is that if you take where you want to be and work backward, maybe VC funding is the best way to get there. But most of the problems that I think young companies have aren’t solved by what VCs bring. I think it’s strange that most people think that’s the first step on their company-building journey.

Zane Lackey: There’s a reason I always refer to Haroon as the smartest person in security and answers like that are a prime example. It's essential to step back and think about the company you want to build, the problem you want to solve, and what that company will look like in 10 years. Not every answer will align with seeking outside investment, and not every subset will require VC-style funding. Other options can lead to awesome companies too.

Ryan Noon: I’ve always been a fan of the spark versus the gasoline analogy. VC is gasoline. You, the person, are the spark. Don’t get too high on yourself because when was the last time a spark kept someone warm? But one of these things is the action, and one is the reaction. 

The point is to make money, not spend VC money. Figure out how to build a great business that people will pay for. That puts you in the best possible position. 

People ask me, “Are you gonna sell the company to one of the horsemen of the apocalypse, or are you gonna IPO?” The best way to have the option to do whatever you want is to build what we at Dropbox used to call a GFB (a great effin’ business). You don’t get that option if you haven’t built a GFB.

Q: Founding a company involves significant self-delusion. What are things you should not be delusional about?

Zane Lackey: How hard it is. I firmly believe this is by far the hardest thing in your career you’ll do. I managed to delude myself twice in my career progression, going from a pen tester to a defender and then the same from a CISO to a vendor. It turns out it’s the hardest thing you can do in your career. But it can be extremely rewarding. I don’t mean financially, but emotionally and from a fulfillment perspective. That’s the trade and why people do it.

Haroon Meer: You have to be delusional to some extent to step in and try it. You have to be slightly nuts. But there’s a lot of things that you absolutely can’t be delusional about.

You need to be non-delusional and listen when you get feedback. You need to try to convince many people to do this thing with you. But then you need to listen when people say it's breaking or not working. Nothing will make you meet reality like starting a company. That’s just what it is. It's a good mix of delusion and being absolutely honest with yourself. Within our company, being honest with ourselves ranks super high. You need to be honest about things to build a meaningful company.

Ryan Noon: There’s a time to be creative and a time to turn the crank, and you need to balance both. You need to be tough enough to make it there. But you need to be self-aware and honest with yourself, as Haroon said, to get there the right way. Achievement without the pain is winning.

Q: How do you know when it's time to make the jump?

Zane Lackey: It’s cliche, but extremely true: when you know, you know. When my co-founders and I were all still at Etsy together we would constantly be discussing ideas with each other. Over time our interest declined in all of the ideas until one day, one idea stood out, and the interest only kept growing and growing. That's when we left Etsy and started the company.

Haroon Meer: I have a different take on this. When people want to build a product or have an idea, they often say they can't do it while working full-time and need to quit and think about it. But if you decide to be a founder, your life will operate with that sort of distraction for at least the next five years. You should be comfortable enough to take things pretty far without saying, "I need to clear everything so that I can think about whether I'm going to make this jump or not." Mostly, I think you can figure it out and get pretty far before you have to leave your day job.

Ryan Noon: At the very least, I try to get validation from friends. One of the things that I always emphasize for people is that entrepreneurship is an apprenticeship business. It helps so much to learn it from other people. Ping one of the three of us if you have nobody else. Just talk it through with somebody. Don't just wait for the money. You have no idea how easy it is to do your first fundraise when you've done some preparation with people who have been through it before. It’s 100x easier. Much of the tech industry has a massive pay-it-forward culture, including security. We’re all paying it forward.

Haroon Meer: In some ways, it's also easier than lots of people think. Just get started, and help will come. I’m firmly of the belief that the advice doesn't have to come from VC land. There are enough founders and people who've been around who will help if you ask for it. It just usually doesn't look like, "Hey, mentor me." You've got to take some steps. You've got to do the work, and the community is pretty great.

Ryan Noon: You have to be good at meeting people. Devote a significant chunk of your week to meeting new people, engaging with them, and trying to get ideas, advice, validation, or early customers or something. You have to force yourself to be an extrovert. I am not an extrovert. I am a huge introvert. I have just forced myself to be extroverted for so many years and I can basically play one on TV now.

You need to be a net importer of advice and help. Once you're doing that, it gets so much easier. Most people want to learn from you and then help you. So give them your perspective and insight. Tell them your story. It’s not just getting them emotionally invested. They're curious. That’s why they’re a teacher. Be someone that someone wants to help. But you do need the help. You’re dead otherwise.

Q: What's the most unexpected skill that it takes to be a good founder?

Haroon Meer: Twenty years ago, there were just so many unknowns that made it difficult to start a company. But now, with all the blogs, good books, and resources, many of these unknowns have been demystified.

I haven't seen anyone build a successful company without pointing out that the people you hire matter much more than anything else. That will dominate over anything. You can start with good technology or a good idea, but you will quickly run into problems. So you need to be able to convince people to work with you.

Silicon Valley is famous for having Steve Jobs-type founders. One of the things that made him successful was his ability to convince people to work with him. Ultimately, how you convince people to work with you will be the big thing. People matter more than anything. You need to convince people to come along with you.

Ryan Noon: If you can fill the rest of the clown car with people you love being around, you have such a better shot. You also have to work backwards. My co-founder, Abhishek, is amazing. He loves those premortem exercises where we assume we have failed and work backward to figure out what we could have done differently to mitigate it.

You have to optimize for happiness and fulfillment, but also your own sanity. It’s way easier to manage a handful of smart people that you work well with than a bunch of other people. The point is not to make headcount go up on LinkedIn; it’s to win. Put together a great team.

Q: So how much of this advice changes for someone building a services company versus a product company?

Zane Lackey: Bootstrap it. You're afforded a luxury in services that you are often not afforded in product, which is that you can get revenue almost immediately. Take advantage of that incredible opportunity.

Ryan Noon: Seriously, you'll make money faster. You already know how to get paid for your labor. Just learn to manage a client pipeline. Then, find people that can do what you can do and scale it up. That’s at least what my friends that are good at this have told me.

Haroon Meer: What matters more than anything is that you build a great business. It’s the same if you build a services business. People forget that if you build a good product it solves everything else.

Zane Lackey: When candidates have asked me in the past, “What's the goal for the company? Is it to IPO or to sell?” The answer was the same every single time: Build a company that's capable of doing either.

Ryan Noon: One thing to be careful of when building a services business: understand that building any business is hard and engrossing. You need to be consistently honest with yourself. Are people buying from you because they love the way that you’re solving the problem? Or are they buying from you because of the fundamental technology? People paying you to solve their problems is the common thread, but the means are really important. If you’re building a services business, look for those opportunities; the cluster of common problems. And then build the software to make that easier.

Q: It feels like every corner of security has at least half a dozen different companies. Is there any whitespace left in security? 

Zane Lackey: The short answer is: don’t be worried about the competition. There will always be competition, no matter what industry. If there is no competition, then you’re likely doing something wrong. Focus on your strengths compared to them. If you’re entering a market with other companies, it’s unlikely you will have more resources or money than them. Hopefully you have some insight that they are all missing or you have a better understanding of the problem and the solution. Or maybe you have an amazing network in security. Think about what is your unique advantage and focus on that. Don't be afraid of there being competition.

Haroon Meer: In terms of white space, I have to say that we are really lucky in security. So many things are terrible. The incumbents are really not doing that great of a job. One of the reasons you should start a company is because maybe you figured out why they are doing such a terrible job. But really I can’t think of too many products that are unassailable in the space. 

Ryan Noon: Unlike everybody else, we have bad guys to fight in security. It's like being a kid playing cops and robbers, but with real consequences. It’s a wonderful moral basis. The phrase I like to use is “Technology spreads because it’s useful; not because it’s safe.” Security is basically the side effect of other technological change. We are the clean up crew for the rest of the tech industry. Hell yeah.

Q: What was your mindset in opting for "stealth mode" with security and your opinions on the term as a whole?

Ryan Noon: It's really about having a marketing strategy in place. In the security world, nobody really knows what tools and methodologies work. And they need to find out. They can go to events like Black Hat and buy the product from the most personable salesperson or they can go talk to their friends. That's why there are so many great security Slacks and communities. That’s a great thing since it’s people sharing their experiences.

We did our first million-dollar deal with a one-page website that had no information on it. We were in stealth mode for almost three years, not because we wanted to hide from our competitors but because we didn't have any other marketing strategy for the company. We just tried to build good software, show it to people, work with them, collaborate with them, and have them tell their friends. Make noise when you have a reason, but don't try to figure everything out ahead of time. Don't play house and pretend to be bigger or farther along than you are.

Zane Lackey: I've come around completely on the idea of stealth mode for competitive reasons. Do not worry about the competitive side. Having less information on your website for potential customers to see isn't going to change whether you build a better product or company. Be as open as possible, but also understand that not having a public-facing marketing strategy is sometimes just a placeholder. Don't think you must do it from a competitive, secretive angle. This is a natural tendency for many of us in security, but I was totally wrong.

Haroon Meer: We’ve got a pretty small initial selling point at Thinkst Canary and still a tiny sales team. We still do all internal sales and inbound sales. I think there’s no better time in history where you can have a small team, a good product you actually love, and you can actually thrive. So I think it’s doable. Until someone does it, it looks impossible. That’s why it’s so good for hackers. Make a thesis, test your thesis. Go try it.

There were a ton of great questions from the audience that we did not get to answer. Look out for a sequel of this event to hear more helpful insights. Thanks again to all who participated!