Authored by: PlexTrac Author
Posted on: September 5, 2024

The Good, the Bad, and the Ugly of Starting a Cybersecurity Business

Security Startup Stories

Whether you’ve thought about starting a cybersecurity company or you just work for one, you will want to take a peek as OnDefend Co-founder and CTO Ben Finke and PlexTrac Founder and CTO Dan DeCloss pull back the curtain on what it’s like to be a startup founder. From the different business types to funding models to co-founders, they shared their stories and lessons learned on a recent episode of PlexTrac Friends Friday.

Ben has over 20 years of experience in information security, starting as a communications officer in the United States Air Force. Ben’s career spans multiple information security roles in different industries, including running a security practice for a managed services provider.

Watch the full episode or read the highlights.

Security Startup Stories: The good, the bad, and the ugly of founding a cybersecurity business

Taking the leap as a startup founder

Ben and Dan kicked off the episode by comparing their backgrounds and what led them each to leave successful cybersecurity careers working for others to start their own companies. Ben worked with a co-founder to open a cybersecurity services company, which has grown into the product space with BlindSPOT — a breach and attack simulation solution. Dan, as a solo founder, built a product to solve pain points he experienced as a pentester.

Ben shared about his experience in the early days of OnDefend: “But, you know, it’s one of those things, like it sounds so great because you’re your own boss and you get to do this stuff. What it really means is that there’s nobody else there to do the work. If you’re not going to do it, nobody’s going to do it. And so that part of it for me was just taking that leap and starting. And when we started, we didn’t do anything that was crazy overhead-wise.
I mean, we just sold consulting services and we just did it with our local, like our personal networks. So there was no marketing budget. There was none of that. It was just literally reaching out to people, like, ‘Hey, we’re doing this now.’ So, I mean, that was definitely our start.”

Dan was an entrepreneur from an early age and always had a desire to build a company in the cybersecurity space where his passion and expertise lie. The challenge was identifying a legitimate need that he could fill.

Dan said, “I think I kind of came to a realization that it’s probably not going to be this world-changing idea, where it’s just going to pop a light bulb and then that’s it. But I wanted to start getting some experience and be on the path to starting a business and going that route. So I was like, well, this is a pain I have. I hate report writing. I hate the lack of collaboration and I hate coming back a year later and rewriting the same report. So I’m like, well, I’ll start. I mean, I can solve this problem. I’m a hacker and a coder. I have two degrees in computer science. So I can solve that problem. So I set out to just solve that problem, knowing, if anything, I’ll be the first user of it and maybe the only user of it. But at least I solved a problem for me, and that’s kind of how I got started. I started with the project more of a nights and weekends kind of bootstrapping it type thing, and then it just continued to evolve.”

Product versus services cybersecurity businesses

Ben and Dan agreed that there are two primary categories of cybersecurity companies: those selling services and those selling a product. As they represent each of these categories, they discussed the challenges and advantages of starting both.

Ben said, “I mean, it’s one of those two. And the path we took, doing security testing, consulting specifically, is great because there’s basically no overhead. Like, just somebody with a laptop is going to suddenly start doing these things.
And when you sell the first gig — you know, the first pentest that you get — you do it and you take out your time and you’re like, oh, this is actually pretty profitable, right?”

He continued, “And so from that perspective, the services is a great entry point. On the other hand, it also is super crowded because the barrier to entry is pretty low. So if you know people and you can go sell that stuff, then I think that may be a good path to go.”

Dan agreed about the upsides of starting a services company. “I think the barrier to entry on the services side is lower, but it’s in terms of cost. Right? Because it’s your brain power, it’s your background and experience that you’re actually bringing to the table. You didn’t have to go build something first to then go sell it, which is kind of what I had to do.”

He also noted that product-based companies tend to consider investment funding routes because of the higher overhead when getting started. “That’s also part of the reason why people do go for funding. And that’s part of the reason why we chose to go for funding, too, because it helps ease that life cycle and it gives you the investment to grow.”

Funding: To raise or not to raise

Dan continued, “And I know that was one of the things that we were going to chat about, too, the different funding paths that people take. I get asked all the time, ‘Should I raise money?’ And my advice is always, ‘It really depends on the business.’”

Ben shared, “So we are 100% bootstrapped. We don’t have any investors or, or anything else like that. One thing that has led us — and I think this is probably the phase you guys were in before a lot of your Series A and stuff kicked in — was that you have complete control of what the platform does. So you’re still tinkering with it, playing around with it. And what’s beneficial is that it’s just you making the decisions.”

Dan pointed out that product-based organizations can be much more challenging to bootstrap than service-based businesses.
He explained, “When I did dive in full time, I knew at some point we’ll probably need to take funding because it’s the type of product that really does need to grow quickly and get kind of first mover advantage into the market as opposed to something that could stay in stealth for a long time. We weren’t that kind of a company. So I did personally feel like what was best for the business would be to take funding to help accelerate growth as quickly as possible. And accelerate the development. Right? Because it was just me, and I didn’t have additional revenue coming from other consulting services.”

Dan concluded, “I think taking funding really depends on the business, right? It shouldn’t just be like, ‘Oh, we’re, we’re going to go take funding to start a company.’ It should be based on what kind of business you are in and what kind of market you are in. It’s not a one-size-fits-all.”

Go it alone or find a co-founder?

Finally, Dan and Ben discussed their different approaches when it came to finding a partner or partners with whom to found their startups. Both agreed that sharing the load in the unique position of founder is a plus.

Dan said, “While I didn’t have a co-founder, I’ve been super fortunate to have had some really solid people who joined early on. I could bounce a lot off of and could share a lot of that load. But there is a difference. I definitely know there’s a difference. At the end of the day, they’re not a founder.”

Ben agreed that having someone to share the load who is as invested and passionate and equally responsible for the success or failure of the business is extremely valuable. “And it’s very helpful to have people to talk to you about those things. And frankly, that was what took me as long as it did to start OnDefend. I knew I wasn’t gonna do it by myself. I wanted to find somebody that I thought could help put that together. So it was after I met Chris that I realized that I think this could actually happen now.
I remember vividly that very exciting day.”

Follow PlexTrac on LinkedIn for more engaging episodes of PlexTrac Friends Friday, featuring leaders across all aspects of the cybersecurity industry.