Trust is fundamentally about a sense of safety, familiarity and assurance that “everything will be fine.” Faith is built as we address our doubts and the questions that make us wonder if we can rely on someone or something to be there when we need them.
The process of vendor selection in cybersecurity is not very different. What’s different are the questions people ask and the clues they are hoping to find.
What problem is this company trying to solve?
The No. 1 question people ask as they learn about a new tool is: “What problem is this company trying to solve?”
It is on this first step that many startups fail. Intentionally or not, cybersecurity marketing rarely makes it easy to understand what the product does, and equally importantly, what it doesn’t do.
In the rare cases when a company is clear and transparent about where it stands, we’ll see security practitioners getting impressed.
You should make it easy for people to understand where in the security stack the product fits, what it does and what it does not do. Make it easy to access your help center, technical and API documentation and other materials so that people can quickly build a mental model of your offering.
Does it actually solve it?
The fact that someone is trying to solve a problem does not mean they are actually solving it. There is a lot to be said about the importance of social proof, but the tough part is that security teams often do not want to disclose what solutions they are using and how they fit in their environment, as adversaries can use this information to accomplish their goals.
The best way to build trust at an early stage is to start with an open source version of your product that prospective buyers can inspect.
There are, however, other ways to provide real user feedback and prove that the company does what it says it does:
Collect customer testimonials and make them easily accessible. If you don’t have any paying customers, ask if your design partners would be comfortable going on the record as users of the product.
Make sure that your testimonials are real and truthful, and that the person who provided the quote is prepared to be randomly pinged by prospects with questions. A good security team will do its due diligence and talk to other customers, especially if the startup doesn’t have an established reputation yet.
Have an easily accessible online community where people can ask questions, talk and send direct messages to one another. It is very common for security professionals to DM their peers to get some unfiltered feedback about the vendor.
Will this company be around a year from now?
It can get incredibly expensive to try and implement new security tools, and organizations are not looking to replace their security stack every year. At the same time, the vast majority of cybersecurity companies are startups, and startups come and go all the time.