Why don’t cybersecurity startups follow go-to-market advice?
Are cybersecurity startup founders just not reading the same books as everyone else? Are they constitutionally immune to good advice? Far from it.
When you’re a startup founder, it’s something of an occupational hazard: you wind up reading piles of books about founding startups.
It’s worth the time and effort, because the best of these books offer invaluable insights from some of the most successful entrepreneurs on the planet.
But one thing I’ve noticed is that cybersecurity startups don’t follow a lot of the most important advice.
If you look at the classics of the genre—Zero to One, The Lean Startup, Rework—a few common themes emerge. Founders are consistently told to:
Start small and gradually expand into larger markets
Build a minimum viable product and bring it to market quickly to test assumptions and gather data about the market
Take an iterative approach to development and pivot rapidly as needed
Keep the organization’s “mass” low by staying lean and avoiding technology lock-ins and long-term contracts whenever possible
But time and time again, I see startups in cybersecurity:
Launch at an unsustainable pace or rate of spending, instead of starting small and attempting to scale over time
Spend an inordinate amount of time and effort on engineering and development work before launching a new product or service
Purchase tools that would only be appropriate for a far larger business
Lose agility by accepting lock-in and long-term contracts from their vendors
Cybersecurity Tools as a Drag on Growth
What’s going on here? Are cybersecurity startup founders just not reading the same books as everyone else? Are they constitutionally immune to good advice?
Far from it. If you look at much of the general business counsel found in these books (on hiring, personnel management, funding, and so on), you’ll see founders in cybersecurity applying all of that distilled wisdom—and doing it every bit as well as leaders in other sectors.
In order to understand what’s happening with security startups, we need to acknowledge a fundamental problem in our industry: Cybersecurity teams are burdened with a product marketplace that doesn’t serve their needs. This takes a number of forms, including:
A cumbersome sales culture full of mandatory meetings with vendor reps and lengthy negotiations
A billing model that involves long contracts, complex licensing, minimum spending, and termination fees
Black-box solutions that are opaque, inflexible, and demand a “just trust us” approach to cybersecurity
Bundles of tools sold as a single product that are often poorly integrated and come with unwanted or unneeded functionality
These are issues I’ve talked about before in the context of cybersecurity platformization or the trajectory of our industry—but the implications of this situation for builders and startups are particularly problematic.
Cybersecurity founders, unlike their peers in other sectors, are often unable to do what they should be doing, even when they know what that is. How does a fledgling company avoid lock-in when every vendor requires rigid, long-term contracts? How can you start small and grow when you’re working with bloated, pay-to-play tools that demand massive up-front investment?
At LimaCharlie, we’re building something that offers a different approach to cybersecurity tooling and infrastructure—and a way for security startups to take advantage of the experience and learnings of the successful entrepreneurs who have gone before them.
Solving Startup Problems with the Public Security Cloud
The alternative I’m talking about is a public cloud-like platform for security operations: something like AWS or GCP, but specifically for cybersecurity. In brief, this entails an integrated platform that provides core cybersecurity tools and infrastructure via a public cloud delivery model: pay-per-use, on-demand, API-first, scalable, and automation-friendly.
Our implementation of this approach is the SecOps Cloud Platform (SCP). For builders in cybersecurity, it’s a massive shift, because it enables them to:
Access enterprise-tier cybersecurity capabilities through a pay-per-use billing model, enabling startups to begin with a small client base and scale their infrastructure spending as their revenue grows
Build niche products and services around narrow bands of functionality within the SCP—then expand their offerings using the same, well-integrated platform as they grow
Test and validate new business ideas at minimal cost and iterate rapidly using a platform built to facilitate engineering and customization
Stay agile and independent by using a platform designed to scale up or down as needed and integrate easily with other tools
A few years ago, I might have referred to the SCP as an idealistic vision for change. But some of the biggest names in cybersecurity have now embraced the platform approach, and we’ve seen our users successfully leverage the SCP as a business enabler and a go-to-market accelerator in real-world scenarios. In short, the SCP represents the direction cybersecurity is already heading—and needs to continue to head if we’re to move into the future.
The SCP offers a better, more efficient way to support cybersecurity operations. But beyond this, the security public cloud will also be a growth engine for the industry, enabling innovators and builders in cybersecurity to apply the business lessons learned by founders working in other areas of technology and in other fields.