Break on Through – Crossing the Cybersecurity Start-Up Chasm

MACH37 President and CIT Chief Investment Officer offers three simple rules to entrepreneurs seeking to differentiate their cybersecurity offering

On April 24th, I had the opportunity to speak at the DCA Live’s “Big Cyber Growth Summit” in Crystal City.  The event was incredibly well-timed by the folks at DCA Live as it followed closely on the heels of RSA’s 2018 conference – the “really, really big cyber growth summit” – in San Francisco, April 16-20.    

As President of MACH37 and Chief Investment Officer for the Center for Innovative Technology (CIT), I was pressed into service on DCA’s “The Getting Funded Panel.” As seems to be increasingly the case, I was joined on this panel by several individuals from our ever-expanding mentor/investor network: GAP Fund portfolio CEO-turned Venture capitalist John Funge from Datatribe; oft-time GAP Fund co-investor (ThreatQ,, Virgil Atomicorp) Steven Chen from Blu Venture investors; and a VC we look forward to doing deals with in the future - Steve Smoot from Lavrock Ventures.  

Thanks to our incandescent moderator, Matt Klinger of Bridge Bank, a lot of great questions were posed.  And courtesy of the wit and wisdom of panelists other than myself, a number of great insights and operations were advanced. But for me, the most compelling question centered on start-up differentiation – i.e., ‘How can a start-up at the earliest stage of development differentiate itself and acquire first customers in the increasingly complex and crowded cybersecurity sector?’

One need only walk the floor at RSA to seize upon the importance of this question. Over the past few years, the space has become profoundly confusing for buyers; as investors have poured funding into the sector, new market entrants and products have proliferated and lines between cybersecurity subsectors have blurred. Amid this confusion, how does a prospective buyer make the decision to take a chance on cybersecurity start-up? 

Between CIT GAP Funds, our “Virginia Founders Fund”, and MACH37, we have now been involved in 70+ seed and early stage cybersecurity investments. Based on observation of this modest universe, I would offer three simple rules to entrepreneurs seeking to differentiate their cybersecurity offering:

  1. Principle #1: Live with the Problem First

    From our experience, the most effectively differentiated solutions are those borne of founders who have lived the problem first-hand.  Nothing brings sharper focus to the product or greater credibility to the team in the eyes of the customer than a founder or founding team who have lived through the real-world pain that their product is designed to solve.

  2. Principle #2: Lean Is as Lean Does

    At MACH37, we are big proponents of the Lean methodology. Lean implementation calls for cyclical development and reiterative customer feedback., early and often. It is a natural extension of Principle #1. Vigorous adherence to this demands continuous customer cultivation and keeps moving the ball downfield, from initial data gathering to beta placement to paid customer conversion.       

  3. Principle #1: Live with the Problem First

    There is no question that a repeat and successful cybersecurity entrepreneur with a ready-made rolodex has a distinct advantage in gaining initial customer traction. But what about the other 98% of entrepreneurs who don’t fit that profile? Well, they need to get that rolodex by proxy by prudently recruiting others to the cause – FTEs, advisors and board members – that have those early customer contacts. That’s where a good accelerator can help.  

My thoughts are not exactly rocket science, and this is nothing that couldn’t be said of gaining first customers in almost any tech sector. But I would consider these principles mandatory for start-ups seeking differentiation and first customers in this crowded and confusing cybersecurity market.

For more information about CIT and MACH37, please visit and