One-year update: Lessons Learned at Build Sec Foundry

| | No comments

A year ago, several members of the San Antonio security ecosystem announced the launch of a new incubator that would focus on early-stage, high-growth security product startups.  Our goal: coalesce the extremely strong security ecosystem in Central Texas to support security product startups.  We wanted to challenge ourselves, and the San Antonio community, to prove that scaleable security product companies could launch and grow within our ecosystem.  We had identified a structural gap in our startup ecosystem and wanted to fill it with mentors, programming, access to enterprises and connections to service providers that are critical during the early days of getting a company off the ground.  The process hasn’t been easy, or straightforward, but over the course of a year we’ve refined the program, grown our portfolio and learned from our customers.

These goals are embodied in the daily work at Build Sec Foundry.  Over the last year, our program has enhanced service offerings, partnerships and resources needed by what I would call “ground-floor” founders.  We are constantly engaging the companies that are a part of our portfolio to learn what resources they need, and where we missed opportunities to accelerate their business growth.  By being open to feedback, constantly learning from our member startups, and listening to enterprises that are plugged into the program, we continue to eliminate the noise that early-stage startups often hear, and focus founders on the most meaningful tracks to growth.

Here are the most significant lessons learned from the past year, which help shape our work at Build Sec, and help build a new security startup cluster within San Antonio’s growing tech ecosystem.

Lesson 1: Technical security talent within the ecosystem often lacks the necessary business acumen to successfully launch a business.

One of the original impetuses for creating a program to support security startups was a bootcamp, run by the San Antonio Chamber of Commerce’s Cybersecurity Council.  This bootcamp focused on supporting transitioning service members from the U.S. Air Force and U.S. Intelligence Community who had a desire or idea to launch a security company. Our initial premise was that the availability of technical talent was high in San Antonio, but that the talent completely lacked the business knowledge that would allow them to viably test their startup idea prior to failing.  That premise was proved out early on in the bootcamp, through the amazing military members we worked with, and still largely holds true today in the founders we work with at Build Sec.

San Antonio has one of the largest concentrations of security and intelligence talent in the United States, but faces significant obstacles for harnessing that talent and supporting new company creation.  Much of the security talent exists within classified defense missions, which largely operate disconnected from the broader community ecosystem.

Our program at Build Sec still retains a strong focus – through our leadership, advisory board and mentors – on supporting veteran founders.  In fact, the realization that Department of Defense (DOD) talent lacks the understanding of how to successfully structure, found and begin a company, has driven us to build out a set of resource offerings that fills that gap.  Our strategic service partnerships provide over members with connections to companies that are here to support them from day 1.  Whether that’s legal support, IP protection, company filing, branding and marketing, cloud hosting or investor relations – we’ve put together a market-leading group that allows our startups to cut out the time finding, building and funding those relationships

We will most often admit a startup well before they have outside capital or revenue coming into the business, so our decisions are largely made upon belief in the founding team, and understanding of their product concept and it’s ability to penetrate the market.

Our goal a year ago was to create a program that can support future startups out of one of our universities, or a team of transitioning military members from the Air Force, but to do that we need to continue building out a collaborative network of companies, mentors, service providers and early customers.  It is critical, for any successful startup community, to have that collaborative and connected network.  San Antonio isn’t there yet, but we’re getting closer.

Lesson 2: Ecosystems are often as important in the early days as outside capital.

A central hypothesis that our core team had from Day 1 at Build Sec, was that the strength of the San Antonio and Central Texas ecosystem would be enough to attract, retain and grow new security startups.  I recently saw a chart that outlined venture capital availability in 20 states across the U.S.  No surprises here, that East and West Coast states had tremendous size advantages for capital over Texas.  While Texas wasn’t at the bottom of the list, it was significantly lower than other states based on pure volume.

It didn’t take a chart to tell us that Texas is still lagging in terms of venture capital, but the team at Build Sec feels strongly that a robust ecosystem can, at times, outweigh the natural draw founders have to move to the coasts to court and secure capital.

San Antonio is home to the second largest cluster of security assets outside of the National Capitol region.  The Air Force has their component command to U.S. Cyber Command located here, as well as the Intelligence, Surveillance and Reconnaissance mission (24th AF and 25th AF, respectively).  The National Security Agency (NSA) has their largest and most robust facility outside of headquarters at Ft. Meade, located on the Southwest side of town.  The University of Texas at San Antonio (UTSA) has consistently been ranked as one of the top universities in the nation to pursue a bachelors or masters degree in cybersecurity, and is quickly growing their programs and partnerships with industry and government agencies on campus.  In fact, UTSA was designated as the lead by the Department of Homeland Security (DHS) to organize the Information Sharing and Analysis Organization (ISAO) Standards Setting Organization.  I know, a lot to chew on there.  What that means is UTSA is leading the federal effort to develop info sharing standards amongst government, military, companies and academic institutions.  Why is that important?  One of the most significant hurdles facing the security sector is the availability of data, and the impetus for organizations to share attack/threat data.  With UTSA in our back yard, San Antonio is pursuing efforts to emerge as a hub for the intersection of big data, security and AI/ML.

San Antonio is home to 5 colleges/universities that are designated by DHS as Centers of Academic Excellence (CAE’s) in Information Assurance and/or Cyber Operations.  We have the largest number of middle and high school teams competing in the Air Force Association’s CyberPatriot Competition, producing huge numbers of K-12 students actively engaged in defensive cyber operations.

If we can learn anything from Startup Nation and the emergence of Israel as a leader in new security technology and startups, it is that if connected appropriately, the assets of an ecosystem can be a driver for new product companies.  Build Sec has and will continue to pursue collaborative strategies amongst local government, private industry, universities, entrepreneurial organizations and the federal government.  Those connections will foster access for our member startups and begin to truly build a community comfortable with, and aggressively seeking emerging tech.

Lesson 3Enterprises are still slow to engage, validate and test emerging tech.

One of the core aspects of the Build Sec program, is access to enterprise.  Early-stage security product companies must have validation, testing, feedback and deployment sites to gain critical insight into their product and go-to-market strategy.  Over the course of the last year year, we have worked to build an enterprise partner group that is supportive of our member companies, and who will provide early deployment sites, proofs of concept, and validation of our startups’ products.  But it has not been easy.

While San Antonio has a strong base of enterprise security shops that cross-cut industries such as energy, healthcare and financial services, they are still, by-and-large slow to engage with early-stage companies.  This is not an issue specific to San Antonio, but something that faces Corporate America as a whole.  As the speed of innovation and technology increases daily, and the ability of bad actors in security exponentially grows, companies are being forced to look outside of their internal capabilities to find solutions.

The challenge that faces those corporations, is how to do that effectively and efficiently, and how to ‘sell’ that to leadership.  I’ve often spoke with security directors who love the idea of exposing their teams to emerging technology in the security space, and who have the resources to test and validate products to identify possible business relationships, but often times there is no existing process within the organization to do that.  Comfort is a major factor here, and it’s something we’ve worked through – both by top-down leadership from our advisory board, as well as by articulating a simple process by which local enterprise can engage our member companies.

As a community, our corporate sector still has a long way to go to develop individual solutions that allow them to keep pace with emerging tech, and we will work hand-in-hand with them as a source for security product innovation as they venture down that path.

Lesson 4: Startups need forcing mechanisms to remain agile and prevent stagnation.

I’ve read tons of articles that talk about the corporate structure that should be in place early on for startups, even if it’s a team of one or two.  Roles, responsibilities, accountability, timelines and goals should be outlined and kept current to ensure everyone on the team is working towards the same goal.  It’s easy for founders to get taken down rabbit holes, which eat up time, energy and bandwidth, while ultimately costing the company money.

Our program at Build Sec is opposite of the traditional accelerator models that bring in companies for a short period and, through mentors and pitch sessions, prepare for demo days and customers engagement pitches at the end of the program.  To adequately serve the local market, our program needed to be shaped to work with founders over a longer period – usually 12-24 months.  When we first meet a founding team, it’s often that they are likely 6 months away from a possible initial seed round, if not longer.  Our goals for them range from appropriate corporate formation, company positioning, early product development and testing, and the acquisition of initial customers.

The life cycle we work through with founders is designed to take them from the ‘ground floor’ to institutional capital.  Our companies, if committed to the process, will be able to scale in an accelerated manner while in the program.

Lesson 5: The security market is growing quickly, and thus the friction between product-market-fit and product-channel-fit is more important than ever for new entrants.

Through meetings with our startups we recognize that many founders are hyper-focused on finding product-market fit (PMF), and while that is an absolute necessity while crafting a successful go-to-market strategy, it’s more important than ever within the current global security market to find the best product-channel fit (PCF).

We have met with a number of founders, some of whom we chose not to admit to the program, who had arguably built a fantastic product that they were ready to sell.  The challenge seems, that often products are built to solve a perceived paint point within a market, without truly understanding the market, the various channels, and the actual paint points that lead to sales.

From the perspective of our founders, board members and mentors, the Build Sec program operates to help companies identify the the most effect PCF.  The identification of product-channel fit, and understanding that your product molds to the channel, not the other way around, helps eliminate unnecessary effort on diversification of channels.

The global security industry will continue to grow, with some estimates of market size being north of $200B by 2020.  Across the board though, security spend as a percentage of a company’s overall IT budget, continues to often hover around 6-9%.  With limited spend for security, it is still necessary for our startups to be laser focused and confident in both their PMF and PCF.

Lesson 6: Laser focused strategy is a necessity, and Build Sec is laser focused.

Build Sec is focused on product startups.  Our program is 100% designed and curated to find, foster, support, grow and accelerate new security startups in San Antonio, while becoming a source of new security innovation for corporations in our community and around the globe.

Launching any new startup is a daunting task – ask any former or current founder – but if you can’t be successful launching a security product in San Antonio, we have to ask ourselves what we’re doing wrong.  We did that, with the process beginning over two years ago, and today we’re working to ensure that the security ecosystem here is ready, structured and connected in a way that we don’t miss out on finding the next big security product.

P.S. We’d love to connect with you on Twitter or Facebook.

Stay tuned for more insight from our founders, member startups and other ecosystem members.