Why is it so hard for security startups to get government customers?

It is often said that we learn more from our failures than from our successes.

I was recently asked to share an ongoing technology problem in government that has frustrated me over the years and remains unresolved in most state/local government situations. Here's the story I told about why it is so hard to bring in hot new technology (that is needed) from startup companies:

Back in late January, 2014, a delegation of public and private sector technology leaders from Michigan visited Israel for their excellent Cybertech 2014 event in Tel Aviv. It was a great event, wonderful trip, etc.

As Michigan State Government's CSO at the time, I was especially impressed by the many new cyber companies, their "Start-Up Pavilion" and the culture developing between Israel's tech and defense communities.

We learned a ton, and our team was energized by the ideas, innovation and "get it done attitude" that we observed. You can read more about the trip and related background material in this Government Technology Magazine blog.

But as Paul Harvey used to say, "Here's the rest of the story..."

After we got back from the Middle East, my former boss, Michigan CIO David Behen, asked me, "Which were your favorite Israeli start-up companies and why?"

I pulled out a list of about ten or so companies, and we discussed each of them for a few minutes.

David pressed further, "OK, I know this is hard, but what were your top five?"

I gave David my list, and I even wrote about them in my govtech.com blog:

Here are a few examples of start-up companies that we were impressed by:

Seculert -- Advanced threat protection with no hardware or software. "Seculert provides an integrated platform that analyzes malware communications, traffic logs, and suspicious files to identify known and unknown advanced threats.

Aorato -- Protects Active Directory (AD) from advanced attacks. I asked the CEO Idan Plotnik what the company name meant, and he said, "Invisibility" in Greek.

SQream Technologies - Big data benefits which are faster and cheaper. "SQream Technologies provides you with state of the art software which combines modern GPU technology (Graphic Processing Units) with the best practices in today's Big Data platforms, providing up to 100x faster insights from data."

Other start-up companies that impressed us included LightCyber for targeted threat protection and Dome9 for securing cloud apps.

Finally, David went even further: "If you had to pick just one - who would it be?"

I said, "That's really tough, they are all so different. But if I had to pick just one -- I'd pick Aorato."

My boss asked, "Why?"

"Because ... Yada, yada, yada..."

(Note: For a variety of reasons, I don't feel the need to go into the details of Aorato's products/services or state government security needs in this public blog. Needless to say, several key people saw benefits to this particular vendor solution. More important, those details are not required to make the point of this particular piece.)

"OK, go for a pilot," David replied.

With that support, I set off in February to build the necessary coalition within the technology department to kick-start a successful proof-of-concept and security infrastructure pilot with Aorato.

(Note:  Michigan government has a very centralized technology function with centralized authority and an ample security budget. The good news right off the bat was that initial funding and authority were not significant hurdles in this particular case. However, these can be major issues in other governments or situations. The budget would even have been a major issue a decade ago in Michigan with major cuts all around.)   

So here's what we did:

STEP 1: Get my own security team onboard -- I pulled my direct reports into my office and told them about the trip to Israel, along with some details on a few cyber companies that I liked. After answering a few questions, the team left -- looking forward to the upcoming WebEx meetings.

STEP 2: Scheduled the online demo  -- My excellent executive assistant coordinated a WebEx demo, but the first available date was 3-4 weeks out due to very busy schedules.

STEP 3: Scheduled another demo for those who didn't make itthe first time -- The first demo went great, but several people could not make it because of last minute "mini-emergencies." This best date for the next meeting was another 2-3 weeks out due to very busy schedules and other higher priorities like Windows XP migration and other "hot" deadlines.

STEP 4: Corral the troops -- I asked: "Isn't implementing this a good idea? Let's make the business case." After a second round of demos that included some of our key onsite vendor partners, the reaction was only lukewarm.

Typical comments were:

"Sounds ok, but we're too busy."

"What can you take off our plates to do this soon?"

"Are you sure this is such a hot security issue for us?"

"I like it, but can we even buy from a foreign start-up company? Do we really trust these guys?"

"I don't see what this will replace in our current security architecture? We use Office 365 in the cloud. How can do this without new staff or, yada, yada..."

STEP 5: Get in Line - I decided to make a few phone calls to key directors, managers and other leaders and push the issue harder. I even told a few people to get it done. They said Ok, but pushed back harder. What could they stop doing if we do this? They finally agreed to develop a pilot project charter.

A few weeks leader, some of the staff working the pilot came in and asked: What are we really trying to accomplish with this product?  "Can't we do this is 3-6 months after we finish identity management and other more important projects that we are on the hook for delivering on time and on-budget."

STEP 6: Fight the vendors -- Meanwhile, I spoke with a few key vendors who I trusted. They didn't say "No, this is a bad idea." But... they clearly had their own special interests. They wouldn't go out of their way to see another new competitor's product succeed -- especially a startup with no track record.

STEP 7: Procurement Woes -- After a project update meeting in June, I pushed the issue again with various team members. I remember getting a phone call from some procurement specialist asking: "How can we pay for this, even if we like it and the pilot is successful?" Can we buy this sole source? What would be the justification? (Answer: No sole source).

One person made it clear, "There is no competitor. This is a one-of-a-kind product. Also, the vendor has no track record with unique testimonials? How can we pay for the product?"

STEP 8: Project champion leaves -- When early July rolled around, I announced that I would be leaving state government in August to join Security Mentor, as their new Chief Strategist & CSO. Over the next few weeks, I watched as my departure announcement took the wind out of the sales for this product.  My last day in Michigan State Government was August 1.

STEP 9: Project Stalls with other high priorities taking precedent -- I spoke with some government colleagues in September, and they told me that they stopped working on the pilot. The reason: two other higher priority security efforts, including identity management and the enterprise-wide risk assessment. Both of these projects had gone through the formal Request for Proposal (RFP) process, with competitively won contracts. Management expectations were high on those efforts.  There were no available people to work out the necessary details for a pilot with Aorato.

STEP 10:  Microsoft Buys Company -- And then... in November, I see this blog announcement from Microsoft, announcing that they are buying Aorato. (This was actually welcome news to me from a distance, and made total sense given the functionality of the product protecting Active Directory.) If you go to the Aorato website, you get this message:

We are excited to inform you that we have been acquired by Microsoft.

Hello Microsoft,

At our core, Aorato has always been focused on strengthening enterprise security, by giving customers deeper visibility into their Active Directory and identity infrastructure with an emphasis on user behavior intelligence and analytics. Joining Microsoft gives us a unique opportunity to pursue this vision, and help customers at the broadest possible scale.

With this acquisition, we will cease selling our Directory Services Application Firewall (DAF) product. As part of Microsoft, we will share more on the future direction and packaging of these capabilities at a later time. 

Thank you to all who have supported Aorato.

In conclusion, this story has both a happy and a sad ending. The happy ending is that Michigan can implement the functionality within the current Microsoft contract that is already in place - since the startup company was bought by Microsoft.

The sad ending (to me) is that it took so long. We didn't get it done faster.

One colleague told me: "See Dan, I told you so. This Aorato acquisition just proves my point -- Wait long enough... and the innovative companies will be bought and rolled into exiting products from existing large vendors. Dealing with technology startups is too hard and usually ends badly."

And My Point Is...

Perhaps you've heard this quote from Denis Waitley: "Failure should be our teacher, not our undertaker. Failure is delay, not defeat. It is a temporary detour, not a dead end. Failure is something we can avoid only by saying nothing, doing nothing, and being nothing."

I share this story, since the problems identified, when a security startup company tries to sell to a government organization, are not unique to this particular Michigan situation. I hear similar stories from colleagues all around the country.  Vendors need to remember that they are usually selling to over-stretched technology and security teams that rarely have dedicated research, development, test and evaluation (RDT&E) teams.

No, selling to governments is not hopeless for startups. Yes, there are plenty of things that I could have done differently. As I look back at what happened, I made mistakes. I could have pushed harder, made more phone calls to the vendor, asked more questions or taken a host of other actions. I was accountable. I tried, but not hard enough.

The new Michigan DTMB Strategic Plan even calls out special efforts to dedicate staff for innovative initiatives in the future. Other governments are planning similar innovative things -- so take advantage of those special programs for small companies.

But my point is that government technology and security teams struggle mightily to implement hot new products, even when they know they need them. There are numerous reasons for this, many of the reasons can be seen in this brief case study. Some issues flow from governance models, others from culture and others from government procurement challenges. Regardless of the reasons, it hard for very small or startup companies to sell bleeding edge technology to most government organizations.

In my next blog early in 2015, I will return to this topic and provide some lessons learned from the government side and some tips for vendors who are trying to break into the government marketplace to sell technology and security.

Tags Security Leadership

Show Comments