Setting Up a Cybersecurity Company For Success

User Feedback - Questions You Should be Asking your Customers

The Background

Forward Security is a professional services company, providing application and cloud security solutions for mid-size to large enterprises.

When I joined, they were 3.5 years old and had never had marketing support. The Founder had hired his friend to make their website and had posted some blogs and videos, but beyond that, I essentially started with blank slate.

Up until that point, they were purely a referral-based business, relying on the Founder’s network, but that well was running dry. Planning for the future, they needed sales and marketing-sourced revenue to support their ongoing business growth.

The Challenges

I met with the Founder and the COO to discuss their challenges. There were looking for a unicorn – one person who could come in and do everything.

With limited budget and support, I needed to manage their expectations. “We want to double YoY revenue!” they said. Okay, what’s your marketing budget? What’s your staffing capacity? If I brought in 10 new clients, could your current staff even handle that additional workload? If not, how long does it take to hire and onboard?

There were many honest conversations like this where we needed to be realistic and strategic of how we are going to move forward to achieve our desired outcome. After all, there’s only so much one person can do on a shoestring budget, but I was up for the challenge.

Upon further discussions and doing my own independent analysis, I determined the following challenges:

  • They had a lean team (me) and shoestring budget
  • While Forward Security was a 3.5-year-old company, their marketing was essentially non existent and their name in the market was that of a new company 
  • They had an awareness problem – they were targeting three verticals: fintech, health tech, and eCommerce – but weren’t doing anything to reach these audiences. Even if buyers in these verticals did come to the site, it wasn’t obvious Forward Security could help them
  • They lacked marketing processes – everything was ad hoc. They were using Monday.com to create a massive backlog of marketing tasks, none of which were getting done, and there was no structure in terms of ownership, priorities, and due dates
  • They lacked marketing strategy, budgeting, and reporting
  • They had arbitrary and unrealistic business goals, but they were not grounded with data, nor did they have a clear plan to achieve them
  • Hiring cybersecurity professionals was expensive and time consuming, this would limit their growth
  • While they were in the professional service business, they were in the process of launching a product and had no go-to-market strategy or budget for that product
  • They were working with a web development agency to maintain their website, and this team of web developers began running Google ads, but were completely unqualified to do that. They set up some basic search and retargeting ads, but then essentially forgot about them🤦‍♂️
  • They were doing their best with what they had, but everything was half-baked, poorly planned and executed, and they never looked at data to see what impact any of these efforts had
  • Cybersecurity is a trust-based business so it’s very important to establish trust through logos, verified case studies, professional-looking assets, meeting in person at events, certifications, etc. They were not doing many of these things
  • They didn’t do a market-readiness analysis for their DevSecOps solution, lacked capital to truly establish if there was a product-market fit. In other words, did you build a thing that the market needs or wants? Have you created a solution for a big enough problem? Are people aware they even have this problem? What’s it going to cost to educate your potential buyers?
  • There was an end-user / buyer problem that needed to be addressed. Do we market the solution to the end-user who experiences this pain (the internal champion), or their boss (the buyer)?
  • There were many non-billable staff that was draining the company of capital. This created a short runway and immense pressure to succeed before the company went insolvent. They needed to know what was broken, they needed it fixed, and then they needed immediate results. Marketing doesn’t tend to work immediately
  • Due to the technical nature of their industry, not just anyone can create content. It needed to either be created by a subject matter expert (SME), or at the very least have a SME proofread and approve it

The Solution

With a massive backlog of tasks, and a long list of challenges, to say I was thrown into the deep end was an understatement. I had to navigate through a tangled mess, create some structure, strategy, and priorities to provide a clear path forward.

Any time money is leaving a company, I make that my highest priority. 

As I dove deep into the Google Ads analytics, I quickly realized the company was bleeding about $1,000 per month for the past 3 years, and these ads were not bringing in any new leads.

For starters, the web development agency were running broad match keywords, set to worldwide targeting, on very general security search terms. This captured such a broad audience with no purchase intent. It was no wonder they weren’t moving the needle.

Their retargeting ads were atrocious, were targeting the entire site without any exclusion filters, had extremely low click-through, and high frequency. Meaning, a person who went to the careers page (aka not our target buyer) 8 months ago was still being aggressively targeted. When you target everyone, you target no one. Their $1,000 per month ad budget was being wasted on random people who had no intent to purchase, and it was being spread so thin that it was never going to work.

In the interest of time, I just turned off the ads completely. I would revisit it at some later date. There were other important issues I needed to address.

I looked at the data of closed-won and closed-lost customers and prospects. I wanted to see if I could identify any patterns. You can often learn a lot from your failures. Most of the buyers had a personal relationship with the Founder, so that wasn’t all that useful, and the few closed-lost prospects declined for various reasons from pricing / budget constraints, compliance, capacity, and so on.

If we were going to move forward with a more data-driven approach, we needed to define our ideal customer personas.

  • Who are our ideal customers (industry, size, job titles, technology, location, etc.)
  • What do they want, need, and value?
  • What is the most effective way to reach them?

Upon some discussions, we determined our ideal customers met the following criteria:

  • VP, Engineering, Head of Security, CTO
  • Their reason to buy (pain point) – they build software, but lack in-house security expertise, finding staff (as was also true in our case) is difficult and expensive, and not needed on a full-time basis
  • Verticals were: fintech, health tech, and eCommerce
  • Size – mid to large enterprise 25-1,000 employees (too small of a company and they often don’t have adequate budget, and too large of a company (e.g. national bank), and we didn’t have the capacity)
  • Location – North America, ideally US. Canadian companies tended to be more price sensitive

Forward Security’s main service was their application security risk assessment. I did a quick search in Google’s keyword planner and determined there was no search volume for that phrase. The more common terminology was “pentesting, or penetration testing”, even though that wasn’t completely accurate.

The market was uneducated, but we didn’t have time to educate them. 

Leaning into what the data was telling me, I created a pentesting page on the site along with some pentesting content. The idea was to use pentesting as a land and expand strategy. On the page, I created a section educating visitors about the limitations of pentesting and why they actually needed a comprehensive application security risk assessment, in which pentesting was just one of four things that were included.

I created a larger campaign called ‘Go Beyond Pentesting’ that was complete with social posts, video and blog content, and website messaging. I would eventually turn ads back on and target people searching for pentests, but would limit it to certain regions (major tech cities in the US) to maximize the budget.

I also broke apart the other pieces of the application security risk assessment and productized those – so now each of those had pages as well.

I had some other important questions:

  • Why focus on fintech, health tech, and eCommerce?
  • Why Forward Security – what makes you unique?
  • Suppose a buyer in the fintech, health tech, and eCommerce space was looking for the exact thing that Forward Security offers, how would they discover you?

As it turned out, there was a very important reason why Forward Security was only targeting those three verticals – but you would never know by looking at the website. They had domain expertise and certifications in those three verticals. That seemed important, so I created 4 new pages – one for each vertical, along with a ‘Why Choose Forward Security’ page where I talked about their unique value proposition (UVP).

I created content and social calendars to talk about their domain expertise and UVPs. I was also doing all the graphic and web design.

The-crucial-role-of-threat-modeling-in-application-security
Using-Automation-to-Improve-Security-By-Design

I created a bi-weekly report bringing analytics and goal tracking to Forward Security. Every two weeks, we would meet in-person for at least 3 hours to go over all the numbers.

I use the analogy of a house party to describe the state Forward was in. When you decide to have a house party, you pick a date, determine your guest list, send out invites, then do all the prep – getting all the food and drinks, making sure there’s enough seating, that you have entertainment, your house is clean, etc. In other words, before your guests come over, you need to ensure your house is in order and you are prepared to host.

I spent months just getting Forward’s house in order. This required lots of strategizing, budgeting, planning, building, etc. Once we were in a better position, I began inviting guests over, mostly in the form of running ads. This was the quickest way to get buyers to the site.

I also did an extensive ABM or account-based marketing, and a network activation motion. This was about proactively reaching out to buyers in our target accounts to invite them to an event, try our new DevSecOps Platform, or just to connect.

As mentioned with cybersecurity (and I would say this is true for every business to some extent) is that people only do business with people they trust. So we needed to establish our E.A.T (expertise, authority, and trust).

Expertise – in addition to the ‘Why Choose Us’ page, I highlighted all the certifications of the staff in their bios on the ‘About Us’ page. I created social posts highlighting any staff achievement. I was more intentional about posting content pertaining to the three verticals. I used ChatGPT 4 to create new content and used our SMEs to proofread it. I dug through the archives and found existing content such as old training videos, that didn’t need vetting. I turned all that into content (i.e. blog posts, white papers, social posts, etc.).

Authority –To make the SMEs’ lives easier, I created the AppSec Insiders Podcast and edited the long form videos into YouTube Shorts, blog posts, social content, newsletters, etc. This would allow Forward to showcase their expertise on a subject, but also be the go-to authority. We focused on ASVS, NIST, and topical news stories. The Founder was also actively speaking at conferences, both in-person and virtually. I also started the Forward Security newsletter and began putting email capture forms on all high visibility pages.

Trust – I added logos to the site, as well as Clutch reviews and awards, did co-marketing with some more established partners, and made a more conscious effort to put staff faces on the site.

I created a lead magnet which allows customers to answer some questions to measure their current state of DevSecOps maturity, and then receive a result. I would capture emails, provide a follow-up email along with a customize report. We also allowed our partners to use it as well and host the assessment on their site, but the leads would come to us. We hosted some webinars and events.

Eventually, I shifted a large part of my focus away from the professional services and began to do product marketing for their DevSecOps Platform. This was a massive undertaking with a lot of moving pieces from creating an entirely new website, content, knowledge base articles (i.e. how-tos), demo videos and interactive walkthroughs, running ads across several platforms (i.e. LinkedIn, Reddit, Twitter, Google).

Eureka A DevSecOps Platform for Secure Applications
Eureka A DevSecOps Platform for Secure Applications
Eureka-DevSecOps by-FWDSEC

Other areas I focused on where:

  • Conversion rate optimization
  • Recruitment
  • Helped with an investor pitch deck
  • Created sales collateral
  • Helped with in-person events
  • Created yearly strategies and budgets
  • Worked with various vendors and associations
  • Created press releases
  • Hired, trained, and managed three junior marketers

The Results

As with many marketing activities, a.) it takes time to see the full impact of your efforts, b.) attribution is notoriously murky. So it’s not entirely clear how much, if any, these efforts described really moved the needle. However, I believe I paved the way and set them up on a path toward success. In the year I joined, the professional services part of the business saw a 20% increase, roughly $400,000 which I have to assume I contributed to on some level.

I increased the YouTube subscribers and view count. While we’re not talking huge numbers, it’s still early days and this is far more traffic than anything they had ever done in the past. Marketing is a marathon not a sprint!

From May to July, I turned on the ad spend to promote the launch of their new DevSecOps platform. This resulted in a lot of traffic to the website and Microsoft Azure Marketplace. I ultimately decided to shut it down in the interest of preserving the budget. Forward Security could not continue to be paying for ads that did not result in a positive ROI. In other words, there weren’t enough new leads / revenue to justify the ads.

I believe there were three major downfalls of this campaign.

1. We launched the product too soon. The team had been developing the platform for years and were eager to bring it to market. We advertised it as a “Beta” launch and offered a discount on the license. I advised them not to do this because a beta product may seem half-baked, buggy, and could cause more issues than it solves, especially in terms of data compliance.

2. The other issue was budget. It takes a lot of time to penetrate a new market with a “revolutionary” product, especially to developers. 

3. Developer marketing is a unique subsect of marketing. It exists for a reason – in general, developers are repelled by any sort of sales and marketing tactics. They turn on ad blockers, circumvent websites, go to chat groups that you cannot access, ignore invites, don’t open emails… this makes it extremely challenging to convince them to take a look at your solution. I joined a developer marketing Slack group and read a book on how to market to developers, but didn’t get too many new ideas that I hadn’t already thought about and tried.

The product still has a lot of issues to resolve before it’s ready for a commercial release, so we decided to pause the campaign. While it wasn’t the result we wanted, I used data to make this decision, and stand by it as the correct decision, which ultimately saved the company a lot of wasted money.

In the below figure, you can see the spike in traffic to the Microsoft Azure Marketplace. Once I paused all the ads in July, the traffic fell off a cliff. The ads were working to bring our audience to our platform, but something about our solution / offer was not convincing them. Perhaps they were the wrong audience (the end-users not the buyers).

Another time I used data to make a important business decision was when I recommended we put a stop to using a platform called Sagetap. I documented the entire story here. In short, Forward was paying a lot of money for leads that weren’t resulting in any revenue. The ROI didn’t make sense.