How Organizations Can Utilize Cybersecurity Start-up Vendors

Every year a significant number of cybersecurity start-ups launch into the market, providing new innovations and solutions for organizations. Although, competition is fierce and existing larger solution providers have brand recognition and a list of existing clients, there are benefits for working with start-ups. This article explores how and why organizations can utilize cybersecurity start-up vendors. 

• Does limiting vendor selection to established companies impact the overall effectiveness of cybersecurity within an organization?
• What risks might large organizations have when considering start-up cybersecurity vendors?
• What strategies can organizations use to balance their need for stability and reliability with the potential benefits of engaging with innovative startups?

Organizations Reliance with Legacy Providers

Large organizations often have very complex environments and processes that have evolved slowly and in an organic fashion over time with many disparate legacy solutions and practices that are very challenging to evolve and adjust.

These circumstances can result in a variety of challenges/friction when considering partnerships with modern and advanced startups and emerging technology companies. Factors that result in resistance or slow adoption of more advanced technologies may include:  

• Lower risk appetites for newer partners with extensively intensive and lengthy vendor risk management processes and expectations
• Existing partnerships, contractual obligations, and regulatory requirements
• Limited practitioner experience and subject matter expertise in modern and emerging technology
• Complicated and customized technology workflows, solutions, and integrations across the technology estate

These factors often results in balancing and prioritizing short-term stability and operational effectiveness of known paths, approaches, and technologies more heavily than opportunities that new vendors and technologies may offer.

This can result in companies deprioritizing opportunities to partner with more modern providers and taking more circuitous journeys to establish and drive more innovative cultures, advanced and automated technical stacks, and rapid and iterative software and technology development/deployment cycles. 

Results of Limiting Vendor Selection 

Limiting vendor selection to more established companies can diminish the opportunities to impact and enhance the effectiveness of cybersecurity capabilities.  It can stifle advancement of technology stacks and practices, reduce agility and limit staffing opportunities.  For example, an enterprise may implement solutions that require more interactive sessions or third-party solutions with very specialized subject matter expertise that limits the pace and degree of automation and orchestration that is achievable. Limiting vendor selection can also limit attracting, hiring and retaining advanced and modern technologists and practitioners.

The current inflection point in cybersecurity, that new and emerging vendors are at the forefront of, is a dramatic shift from previous generations.  Many early-stage vendors are building their organizations from the ground up in fundamentally new ways based on very modern technology stacks, cultural/organizational paradigms and experienced practitioners that are providing enhanced efficiencies, outcomes, flexibility and continuous improvement for both them and their customers.

Start-up outcomes are purposefully designed to be a catalyzing force to evolve and shift dynamically and rapidly.  Partnering with these organizations provides other organizations the opportunity to benefit both directly from the value of their products and services and indirectly by working with them and experientially gaining insight, experience, and knowledge by working with them to advance and evolve internally.  

Risks Large organizations Have When Considering Startup Cybersecurity Vendors

Legitimately, large and established enterprises may have more risks to consider than newer, smaller, and nimbler companies and need to ensure more rigorous and thorough mitigating practices are established.  These may include:

• Impact of partner survival and stability is more critical when change is more challenging.  An organization should have plans in place in the event the companies or solutions are not able to continue to meet their expectations.
• Ability to effectively staff, hire and retain subject matter experts that are well versed in newer technologies and models and can drive change may require much lengthier cycles and alternative and external resourcing capacity to be planned for.
• Support capabilities and capacities for regional coverage, hours of operations and scale of an incident are critical to consider and must be planned and accommodated for much more holistically.

Many rewards can come with these risks and they must be more effectively accounted for in older and larger environments and institutions. 

Strategies to Balance the Need for Stability with the Benefits of Innovative Startups

There are many strategies to help balance stability, reliability and innovation that can be leveraged with any situation to minimize and offset the risk of a singe point of failure.  These strategies are in alignment with many business resiliency capabilities:

• Initial implementations should be with lower risk use cases and smaller estates, managing scope is a critical strategy to managing risk
• Overlapping and complimentary technology can help balance risk and provide future evolutionary opportunities.  For large organizations, leveraging best of breed and having multiple suppliers is an investment in business flexibility that can offset the risk of vendor lock-in whether vendors are new or well established.
• Abstraction of vendor solutions and management consoles from day-to-day users can ease changing specific instrumentation.  For example, normalizing vulnerability data in a unified vulnerability management systems or data lake can allow an organization to change vm scanners more easily and quickly since there are fewer dependencies and users of the scanner.  

Benefits of Lower Price Points for Organizations

During the early days and years of a startup, customers can take advantage of lower pricing.  Startups are often in a position to be more flexible and amicable to creative exchanges of value.

Often a startup is still establishing their financial models and must prioritize strong design partners that can help hone their strategy and product, logos that will provide credibility and market awareness, and implementations that will drive their software and support resiliency capabilities.

Benefits and opportunities may include:

• Lower prices
• Expansion pricing options 
• More flexibility with contractual obligations 
• Design partnership and driving product direction and feature prioritization 
• Hands-on support and leadership attention

By leaning in early to modern and advance startups many enterprises can get relatively high impact and value per dollar and flexible licensing agreements with early-stage vendors to offset some of the risk of early investment