Startup Underdogs Ed. 4 - Monetizing a Free Training Platform, Pt. 1

In the world of online training, monthly and annual subscriptions are all the rage. In 2018, when we were looking to increase revenues, we followed suit, introducing a value ladder top our free training, propelling Cybrary from $500K ARR to $6M ARR in just 12 months—and ultimately north of $15M ARR. While it seemed like the typical “overnight success”; we attempted to monetize Cybrary several different ways in the early years, and the subscription model was our 3rd (or 4th, depending who you ask) attempt at monetizing the free cybersecurity training model.?

To understand why we did what we did, you have to understand the context of where our heads were at in 2016. The cybersecurity market was expected to grow from $85.3 billion in 2016 to $187.1 billion by 2021, a CAGR of 17%.

The cybersecurity skills gap was a hot topic in 2015:

With claims of “3 million unfilled jobs” peppering the online cybersecurity news sites, Cybrary was riding a wave of momentum, as tens of thousands of professionals sought to explore what a career in cybersecurity could be like.

By 2016, our initial approach of “growth, engagement, then monetization” was going as planned. We had blown past the 500,000 registered user mark, MAUs were consistently ticking up, and 50,000+ monthly new registered users was the norm.

One-and-Done User (SaaS): A customer who signs up for a software service, uses it briefly, and then becomes inactive or churns without further engagement. This user typically fails to reach the product’s “aha moment,” indicating low engagement and poor fit, and can negatively impact key metrics such as trial-to-paid conversion and customer lifetime value.

Ryan Corey had just tasked me with tackling a nagging "one-and-done" problem we were facing. We were seeing cohorts as high as 70%, which meant all the growth and positive momentum we were seeing was meaningless because people were falling off just as fast. After about a month of round-the-clock design and development sessions, we began to see a TON of progress. "One-and-done(s)" dropped to right around 30%, and our MAUs shot up (note: around the time we were told Duolingo was right around 30% one-and-done).

Fresh off the personal win, Ryan called me to his office, we exchanged the typical banter, then he gave me the glum: “Dude, we need to find a way to monetize this thing. We have a ton of people, but we have no money and this thing is dead in the water if we can’t monetize it. No one’s giving us money if we can’t show them we can actually make money.”

......Such is life at a startup. The highest of highs gutted by the lowest of lows......

It would probably read better if I said we had this epic plan already figured out, but the truth is we had no clue how we were going to monetize the community. Sure we had theories on how to monetize, but no real concrete plans. We were offering free training, and we were scared to death putting a “buy now” in front of our community members. Our solemn brand promise was free training, forever, and we had no intention of breaking that.

"Figure it out”

As with any challenge, we took a look at our assets:

• We have the world’s largest, fastest growing community of cybersecurity professionals.
• Everyone in the industry is talking about us, or at least very excited to hear about us once we tell them.
• People genuinely want to be a participant and help contribute to the community.
• We have 1,000,000 niche professionals in a growing market, 100,000 MAUs, 50,000 monthly NRUs.
• Our email list is around 750,000 and is getting a 20% open-rate and 5-10% CTR.
• We have a big network in the industry, and can get introductions to just about anyone we need to.

Use a parallel businesses to help think through the problem

We were avid learners, listening to every podcast, and reading every book, on the "problem-du-jour" (problem of the day).

I was listening to a podcast on the way home from work, and it was all around the crowd-sourced music and lyrics website, Genius. In it, they were discussing the nature of a multi-sided community and the contributing roles each participant can have, and the opportunities for reciprocal benefits.

The final idea was conceived right then and there, but the seedling of what would become our first monetization strategy did

If we wanted to create a real impact in the industry, we needed to make cybersecurity companies part of the bigger solution.

We were helping provide millions with the knowledge and theory of being a cybersecurity practitioner, but our users were clamoring for training on real cybersecurity products. If we wanted to address this cybersecurity skills problem at scale, we would have to find a way to teach them how to use the tools they would be using on the job.

To this day, I still think this is an unsolved problem. I realize companies want to "PrOtEcT OuR iP", yet it still seems absurd to me that we make it so difficult for practitioners to learn the software we expect them to use on the job.

We jotted a primitive version of the idea down on paper (the cocktail napkins were not readily available). The gist of which is below…

Benefits to Cybersecurity Companies:

• Create and promote product-based courses to distribute (maybe sell?) into B2B companies (your customers or ours).
• For those companies that can’t afford an academy or training arm of the business, create your own academy (“channel”) on Cybrary.
• Promote your product to millions of cyber practitioners around the world (let people compare products, "test drive" them - most people will buy the product that is widely known about and, more importantly, know how to use).
• Cybrary is your new launch partner, helping you reach a dedicated audience of security practitioners and leaders.

Benefits to our future B2B Customers:

• Keep up-to-date with the latest products and services to help keep your company secure.
• Test-drive new products without having to waste time on demos or sales calls.
• Reduce vendor training costs, specifically those which result from high turnover or increased new hires.

Benefits to our users:

• Learn how to use the real tools on job descriptions to become more qualified.
• Stay ahead of the fast changing industry by learning about new tools in the market.

I had all these ideas and plans for how this product line was going to transform our business and the industry. For the purposes of bringing the idea to life, I simplified it to:

• People need to learn about cybersecurity tools to get a job.
• Companies want to build awareness and generate leads for their cybersecurity products to grow their business.

The solution: Cybrary Channels

A cybersecurity company’s home within the world’s largest and fastest growing cybersecurity community. Build awareness and generate new leads by teaching and promoting your products and sharing your thought leadership. Get in front of a dedicated audience of 1,000,000 cyber practitioners and 50,000 new people every day, including security directors, VPs, and CISOs.

• Creating a company channel was free (it also operated as a lead generation page).
• Creating courses and adding them to the catalog was free (video-only at the time).
• Add-on offerings of $5,000-$20,000/mo to promote white-papers, webinars, etc across the platform, social channels, and email newsletter (750,000+ subscribers).

We attracted a who’s-who list of companies:

Revenues took off (relatively), we jumped from $0/mo to doing $100,000 - $200,000/month through this sponsored content model. And the success of this initial revenue line would the evidence we needed to support a Series A fundraise and give us the runway to continue growing the business.

The Flaw in the Model

We could come to find out there were several flaws with this model (or at least the way we pursued it).

The first of which was, the budget for buying these services was coming from marketing teams, specifically their advertising budgets. And those dollars are a tough game to be in. For one, advertising dollars are quick to appear, but just as quick to disappear. And that’s what happened on more than one occasion (one, which happened just before the fundraise, putting the deal at jeopardy).?

To support the product, segmentation, attribution, and strong integration support into CRM and deal flow was going to be necessary. If you are selling on awareness and lead generation, you need to show ROI. And one of the biggest problems with that in the cybersecurity industry? People don't click links, they don't trust them. So ROI became very fuzzy.

We had the long-term view of this product-line going in the cybersecurity academies, but quickly customers were pushing us to build out the suite of advertising and reporting services (which naively, we began to cater to).?

Another was a capacity problem. We found ourselves bumping up against our own limitations in servicing all of our customers and their promotional needs. This was causing degradation in results, which would lead to customers pausing their ad dollars, or moving onto a new channel all together.

While there may have still been opportunity to stay the course on cybersecurity academies, the model which was bringing dollars in the door started to show early signs of fracturing, and we knew it wasn't going to be viable in the long term.

What happened to Channels?

Once we closed the funding round and began experimenting with new ways of monetizing the business, we phased out the product-line (we couldn't kill it off all together otherwise revenues would fall of cliff), ultimately killing it all together in early 2019 once the B2C and B2B subscriptions showed signs of exponential growth.

What about the Academy model?

We came across two more major challenges as we spoke with companies about the managed academy model. The first (maybe due to the way we were positioning it) was exposing the IP of their products to people they “did not know”. They had concerns people would reverse engineer their “secret sauce”. The second was, when approaching mid-to-large sized cybersecurity companies, Founders/CEOs believed in the problem and solution we were proposing, but often kicked us to the academy or training teams to discuss the opportunity. We were proposing a solution which, in some cases, meant replacing these people - every single one of these people saw what we were doing as a threat to their jobs...those conversations went nowhere.

Final Takeaways

To this day, I still believe there is an opportunity in the market to provide a “managed academy” service to small to mid-sized cybersecurity companies. Many of those businesses have to train companies (and practitioners) how to use their product or service. And the majority of these businesses are very bad at developing training programs. Solution engineers provide cursory training programs, and the turnover within cybersecurity teams compounds the problem.

From a new entrant perspective, it seems to me if you had the opportunity to get hands-on with a product or service that was a qualification for a job, why wouldn’t you take advantage of that. Bonus points if it provided you simulated experiences allowing you to leverage “real” data and “real” situations.

From a corporate perspective, academy teams are quite expensive to maintain, if you are a small-to-mid size startup you probably can’t afford it (but you have to offer it), and never mind the brand awareness which comes when tens of thousands of people are adding product experience/badges to their LinkedIn profiles, talking about it at conferences, etc.

I’m not affiliated, but one of the companies that has caught my eye is CourseStack by Chris Myers . They are building a “why has no one built this yet” course development platform which supports dedicated virtual machines, networked VMs, Jupyter notebooks, and code sandboxes. There’s a ton of opportunity to help creators build more technical courses, opportunists to approach it like a service and do build-outs for companies, and companies to build out their academy programs in a way that’s 10x better than the traditional video-first LMS systems on the market. Go check it out if you have some time today!

A special shoutout to Tom Condrasky , an early hire we made to help us sell Cybrary Channels. Besides being a great guy to work with, he fought hard to help make Channels a success. We wouldn't have attracted and sold the companies we did without his efforts; and, I don’t think we would have been able to raise our Series A if it wasn’t for the effort he put in every day.