Episode V: The Value Strikes Back

By Mark Dorsi, CISO, Netlify

Each week, I set aside time to speak with startups and founders about the companies and products they’re setting out to create. For me, this process is two parts mentorship, one part market research. I love working with startups, especially ones solving objectively interesting problems. Mentorship, guidance and building are personal passions. But as a CISO, it’s also critical for me to know — and to help shape — the next generation of B2B security software, because these will ultimately be the tools that my colleagues and I will depend on to be difference makers down the road.

Across the board, there’s one area where almost every startup seems to miss the mark. The vast majority simply haven’t put enough thought into the specific outcomes / value they want to drive for CISOs. In this piece, we’ll talk about the exercises I run through with startups to identify these outcomes, and how they’re intended to work.

In the current state of the economy, where folks need true business justification to purchase a product or service, this is where the value strikes back. This is a time when products and services need to be able to quickly and simply demonstrate their value at a moment's notice.

The Founder’s Madlib

I start every feedback session with every startup the same exact way — by sending them what I call the Founder’s Madlib:

“Company provides (a thing) for (a business category) who needs (a problem solved) setting itself apart from (demonstrating measurable good | fast | cheap value).”

It’s a simple yet profound written exercise, intended to show folks like myself what the company provides, who they provide it for and how that differs from the status quo. At its simplest, a completed Madlib might look something like this:

Mark's Sandwiches revolutionizes the lunch experience for busy professionals, setting itself apart from other fast-food chains by offering a delectable and nutrient-rich alternative in the same amount of time it takes to order fries and a shake.

Of course, most startups I speak with aren’t looking to sell sandwiches (nor am I using this blog as a platform to soft launch my own food cart), but the notes are all the same. The problem is, most startups haven’t contemplated what they’ve set out to do at this foundational level. Oftentimes, this means the founding team is not internally aligned on how to fill in the blanks. They might not even be sure of the problem they’re solving, and they’re certainly not demonstrating their uniqueness in a way that creates a defensible moat.

In the example above I've accomplished multiple things, including giving myself the ability to measure success over time. Our teams can be focused on what we intend to do: 1) deliver a nutrient-rich alternative; 2) in the same amount of time it takes to order fries and a shake. In the classic good, fast, and cheap triangle, we've picked good and fast. While it might not be cheap, we will be able to measure ourselves by maintaining the taste (NPS survey) while increasing the nutrients (scientific measurement) and reducing the time to delivery (productivity measurement). If I could have one dashboard our teams reviewed every morning, it would be one where I could see how we are performing against these good and fast metrics team-by-team as compared to the rest of our cohort over time. Teams could then quickly decide for themselves if the action they're taking is going to increase productivity and nutrient density while maintaining taste, because they'll be able to hold themselves directly accountable against the desired outcomes.

I typically see the Madlib used in the following ways:

  1. Founders: Internal alignment on the problem that’ll be solved, for whom, and why it’s valuable.
  2. Customers: Quick understanding of what the solution is, and the impact it’ll have.
  3. Investors & my peers: Why the solution is worth the investment.

On a number of occasions I’ve directly connected a founder with other CISOs and investors by providing the Madlib to the interested party. It is a great way to introduce the thing you’ve produced and why it’ll be an amazing addition to someone's suite of services.

The kinds of companies

In a way, the Madlib represents a backdoor avenue to finding that defensible moat by leading founders to an even more foundational question — what kind of company are you building?

I really only ever encounter a few types of companies in the B2B software space: companies that increase productivity, companies that increase revenue, and companies that decrease spend. Understanding which of these best fits their value proposition is the first thing a successful startup has to identify before they begin to build and deliver solutions to users. Most, if not all, on the security side of the house are productivity plays with potential to help increase revenue and decrease cost.

The challenge when speaking with startups and founders is that most don’t know which of these buckets they fall into. In fact, many are reluctant to prioritize just one. But without understanding what type of company they’re trying to build, founders are certain to have a hard time prioritizing the most important components of their solution. It’s also difficult to be truly bold about what you deliver when you don’t know what type of company you are at the root.

This is a universal challenge for technology builders, and one we experienced at Netlify as well. It took many conversations and even more questions to finally identify that at our core we are a productivity play. Once we did, we were able to be significantly more bullish in our messaging. What does Netlify do? We help customers ship s**t faster. That’s a true productivity play, one that returns time to the business and gets our customers’ products to market faster.

How much faster, you might ask? In Netlify’s case, it is 300 percent faster. Imagine being able to go from shipping new products and services once every thirty days to once every seven days or every seven minutes. That’s an incredible increase in productivity and true value for our customers. One could certainly argue that it leads to increased revenue and cost savings, too, but at the end of the day that only happens if our customers can deliver content to their customers faster.

Here's an unofficial Madlib for Netlify: Netlify empowers our customers to effortlessly orchestrate a harmonious ensemble of best-of-breed services with remarkable speed, setting itself apart from traditional monolithic web architectures notorious for their sluggishness when it comes to content delivery and adaptability to new technology.

In this one statement, Netlify teams can now measure themselves based on 1) have we empowered our customers; 2) how swiftly can they assemble best-of-breed services; 3) as compared to their prior delivery speed over time. Interestingly enough, Netlify is typically a good, fast and cheap alternative compared to monolithic approaches, especially for those companies that are in a phase of digital transformation. Arguably, our marketing campaign should’ve been “We help customers effortlessly ship the good **it faster.”

The Madlib represents a first step in the journey to getting to this clear, concise, defensible moat and what it will take to maintain that moat over time. The exercise is complete when a company understands its most important metric from the customer’s perspective and how to track progress internally so that the team is aware of just how well they’re doing against their foundational KPIs. Yes, I'm including all teams in these KPIs. From recruiting to sales, every team needs to be aware of just how they're affecting available buckets of productivity, revenue, and expense so that it's easy for management to understand the impact a particular set of work might have on the bottom line.

The Defensible Moat

One important thing to double click on at this moment is avoiding the defensible moat’s misplaced value trap. When speaking with companies that haven’t determined what type of business they’re in, they’ll often think their defensible moat is the ecosystem they’ve connected or a special dashboard or some whiz-bang widget. Sure, those things can be part of the story, but they’re not a defensible moat. The defensible moat is the true value you deliver and how well you’re holding your teams accountable to delivering on that value. Ask yourself the question: once someone else sees this new thing you’ve created, how long would it be before it will be turned into a commodity? What are the qualities that are special about it, that keep it from becoming a commodity faster than other things?

In the business, your defensible moat is how far out in front you are of the competition. I see plenty of startups that enter the race in another company’s wake, which is a tough spot to start in unless you’re hoping to be acquired. This is a very viable approach, but one whose intention needs to be set from the start. If you’re not intending to be acquired, then you need to be honest with yourself and your investors on just how you’ll be able to withstand the incumbent implementing a “good enough” version of your special sauce.

To help with this I push startups over time to show me one slide when we’re working together. It’s the “Defensible Moat” slide. The intention is to demonstrate in simple terms how much of a head start they’ll need to be successful versus the set of tools that’s already in place. “The world looks like this today, tomorrow it will look like that, and it’ll take the incumbents this long to eat our lunch”. The key is that all the existing leaders should be represented on the slide and it should be super clear as to why the particular area of intended investment is an important investment. In that moment we discuss who the other players in the industry are and how long it would take them to develop a similar MVP (Minimum Viable Product) that would be “good enough” in the eyes of the existing customer base.

The buckets of productivity, revenue, and expense

I’ll likely do a follow-up post on the available buckets teams can work from, but in short these are the areas teams can focus on when it comes to contributing to the business. One can look to:

  • Increase revenue: Teams can look to create collateral for customers based on function and then measure how many leads are a direct result of the artifacts produced. For example, compliance teams produce collateral around third-party attestations. These attestations can be tied directly to revenue as they relate to the customers that have requested them. Just be sure you can measure which customers have shown interest.
  • Increase productivity: We have a productivity bucket for all the teams we interact with. The question is, how are we spending it wisely and ensuring that any work we’ve asked our partner teams to do can be offset by some increase in productivity in another area? For example: I can have the entire company take an hour of training. How do I find a way to give that hour back by decreasing the time it takes them to log in to systems or access services? The key is to be deliberate with the amount of time you’re asking for so that you can properly offset that request at a later time.
  • Reduce expense: Yes, time is money, and so is expense. Once you begin to hold yourself accountable with the above metrics you can really focus on what matters to the business, eliminating pet projects that have no intentionality behind them. As such, you’ll be able to be sensitive to cost and make quick decisions. Your folks will either be able to let you know what the return on investment will be, or they won't. It becomes a fairly simple exercise.

Instrumentation and the “One Team” goal

The end of the exercise, however, is really only the beginning of the journey. I want companies to understand their value, and I want them to be able to articulate that value in terms that are relevant to me as a CISO. But most importantly, I want to know how they’ll use their entire data set to help me drive the right decisions at the right times. I want to know what instrumentation they have in place that will allow me to see what my peers have done, what they have experienced, and what I should do based on that experience. And I want visibility that allows me to easily quantify the impact of their solution on my business, and the business of my customers.

Lack of business metric instrumentation, in general, is an ongoing issue within the world of B2B security products. Many companies have simply never thought about it. By identifying that critical customer metric, startups can build the right instrumentation into their solutions from the outset. Essentially, if a customer could come in and look at a screen that helps them understand the value your solution offers, what would that be? Imagine if a customer could log in and immediately see how productive they made their customers yesterday, or how much money they saved them, or how much risk they reduced, all by using your product. It would be more powerful in driving customer behaviors than any testimonial ever could.

This resonates with nearly every single startup I encounter. They instantly realize that they have zero instrumentation around how the customer perceives their value, because they’ve never thought about it themselves. It’s not that they don’t have desired outcomes, or even intention set behind what they want to deliver for customers. They simply haven’t spent enough time there to truly understand the audience — CISOs. For a CISO to buy, we need a clear vision statement in place. It’s not enough to know what problem you solve, you have to know why that matters so that you can communicate the outcomes in terms CISOs understand.

Day one value

Once we have the instrumentation in place we can really start to understand when the value of the product will be realized. This is all about return on investment. The team will invest some amount of time to implement the new tool, so it should be clear how long it will take to get a return on that investment of time. Ideally, products should offer Day One value, which means within just a few hours or minutes the tool will start to provide value. For those tools that do not provide Day One value the questions are 1) why, and 2) how can the tool be optimized to provide that Day One value? This is a key metric for founders to keep their eye on. In a world with too few resources we need to have tools that provide us value in the amount of attention we have available to focus on the problem at hand. The longer the time to value, the less likely it is that you'll be able to hold my attention.

Diversifying the audience

While it is getting easier, it’s still tough for the CISO’s peers to understand the risk of a thing and its impact to the business. This is a common miss, and is largely due to a heavy dose of groupthink that disproportionately influences the products that are produced. In short, we need to diversify the folks we’re soliciting feedback from so that outcomes from the security tools of tomorrow will quickly resonate with other decision makers in the company like the C-Suite, Engineering Managers and yes, even the Head of People, so that companies can prioritize the risks that are most critical to the business in the shortest time possible.

As always, if one can’t easily ELIF (Explain it like I’m five) the “why” then the CISO is going to have to spend an inordinate amount of time articulating to the business that the risk they’re accepting is too much or too little as compared to other businesses of similar size and stage.

Putting it all together

For modern B2B security startups, the steps are simple even if the process itself might be arduous:

  1. Identify the true value prop (productivity increase, revenue increase, expense sensitivity).
  2. Articulate these outcomes in business terms so that the buyers (CISOs) know what asks to make to company leadership and why.
  3. Solicit feedback from a diverse set of folks so that you’re sure to produce content that is easily understood by the CISO’s peer group.
  4. Demonstrate progressive improvements in sharing information between customers to foster one global security team.

Startups that are able to check those boxes will ultimately be the most successful not only in bringing their product to market, but in helping to fulfill the larger vision of one, unified global security team that is able to lean on itself for meaningful support. This work is only just beginning, but the future holds incredible promise.

As always I’m more than happy to work with each of you so that your value proposition is quick and easy to understand for the category and type of buyer you’re interested in acquiring. Feel free to reach out so that we can make the world a better place one security conversation at a time.

One team!

#oneteam #founders #startup #security #onesecurityteam #leadership

Nishant Sonkar (MBA, MS)

CISCO-Global Cloud Compliance | Speaker | ISACA Silicon Valley & SF Chapter

1 year

Great to see you grow Mark.

Nick Tzanev, MBA, CISSP, CCSP, CIPM

Technology and Organizational Leader, Intrapreneur, Advisory Board Member

1 year

Insightful and interesting. Thanks for sharing your stories and tools.

Raaghav Srinivasan

Head of Application Security & Security Engineering @ Chime | Author | Ex-Dropbox & HelloSign | CMU Alum | Advocate for Cybersecurity Talent

1 year

Agree Mark Dorsi! The easier products can make it to articulate how their products are delivering value on a consistent basis and not leave it as an exercise for the practitioners, we can really witness the shift and move towards the one global unified security team. I wrote about this https://maximumviablesecurity.com/get-ahead-of-the-curve-how-to-weather-budget-cuts-for-your-cybersecurity-product/ - as a tool to weather budget cuts and believe that it should become the norm in the near future. Mean Time To Justify Value hopes to facilitate that discussion.
