It’s always a gamble to establish a start-up, but if you were to choose any sector where you’d fancy your chances of success, it would surely be cybersecurity.

After all, the cybersecurity market is estimated to grow to $224.48 billion by 2022, according to Statistics MRC, while CB Insights reports that venture capitalists (VC) invested $3.1 billion in a record 279 cyber-security start-ups last year, a far cry from the $833 million invested in 117 firms in 2010.

Some notable companies have emerged in this time, Cloudflare, Tanium and Zscaler each raising $100 million or more, while specialized security VC funds and accelerators have appeared too.

“There has never been more interest in cybersecurity, so we’re seeing increasing amounts of innovation in the field, and ever more start-ups too. It’s an exciting time,” says Alex Van Someren, managing partner of the early stage funds at Amadeus.

David Cowan, partner at Bessemer Venture Partners, sends a cautionary note: “With VCs flocking to the cyber sector, even the bad start-ups get funded.”

Either way, running a start-up is a huge challenge with many mistakes made along the way. Some get the product wrong, lack the right investment or jump into a saturated market. Others lack the skills, the ability to articulate their solution well to the right people, or fail to land those successful early pilot projects.

Even the most mature, promising start-ups make mistakes. Tanium, the endpoint security and systems management start-up valued at some $3.7 billion, has been criticized recently. A Bloomberg report revealing not only that the CEO fired employees before their stock vested, but that sales representatives had also exposed a hospital's computer network during pitches.

Establishing a start-up

So, what’s it like working in a security start-up?

Jay Kaplan is CEO and co-founder of Synack, a security start-up which raised $21 million in Series C funding last month. Kaplan, formerly of the NSA (where he was senior cyber analyst) and Department of Defense (working for the Incident Response and Red Team), explains that his company, which relies on crowdsourcing experts for vulnerability testing and pen testing, is trying “fix a broken market”.

It’s clearly working well, with the recent Series C attracting partners in Microsoft Ventures, HP Enterprise and Singtel. But even still, why switch from a rewarding role at NSA where he was helping to ‘save lives’?

“NSA is incredibly exciting and I can say without doubt I helped saved many lives and that a mission is extremely fulfilling. But government work was not something I wanted to build a career in.”

“Running a company was what I was really passionate about, what I wanted to do. I actually ran a company - a shared web hosting and development company -- when I was 14. It made me realize entrepreneurship was in my DNA.”

Ankur Modi agrees. Now CEO and co-founder of AI security firm StatusToday, he was previously a data scientist and engineer at Microsoft.

“The motivations were neither financial nor job satisfaction; I was extremely happy with my team [at Microsoft], where we were driving the new era of productivity.” He recalls how a colleague mentioned the digits in his salary would fall away. “It’s true,” he admits.

“It was very clear I had something I could do, that I could make a big change on the use of data in organizations,” he adds. StatusToday’s AI-powered platform aims to understand human behavior, boosting security, engagement, and productivity.

He notes he was interested because it was “something I care about,” and he had an entrepreneurial mind-set.

Nik Whitfield, CEO of big data security firm Panaseer, had the same burning desire. “I was lucky to work with amazing people at BAE Systems (Detica as it was). But the start-up world was always a big lure for me, and the market conditions were too good to pass up. The convergence of Big Data, cybersecurity and data science was always going to create new companies and solutions, and I had to grab the chance to lead the innovation in this space.”

Funding and pilots

Of course, a critical element to any start-up is support and investment. Support may come from accelerator programs and competitions, while financial investment is absolutely essential.

All the start-up founders here agree funding is extremely difficult, with Whitfield noting: “Every funding round is different and every investor is different. But there’s one thing in common, which is that they have to believe in their gut that you and your company will make a substantial return on investment. If you don’t believe that, don’t ask someone else to. “

Synack has a stellar panel of VCs, perhaps owing to Kaplan’s connections, and he says their help has gone beyond the financial.

“VCs are extremely influential, and we’ve got phenomenal investors, who have incredible networks,” he says.

These networks, says Kaplan, enabled the firm to attract end-user partners who understood that the early days were “all about trial and error.”

“That's really crucial for any start-up, testing things out and seeing what direction to take the product in,” he adds.

Modi says partners have been imperative to his start-up’s early success. Extolling the virtues of investors who have “been there and done” it in start-ups, he points to his VCs at venture firm LocalGlobe and Nation Capital, as well as GCHQ, with Status Today part of the agency’s first cyber-accelerator program. He warns other start-ups to not underestimate the amount of support they will need in order to grow.

“The success at StatusToday is down to partners, investors and the team that comes together,” says Modi.

Like Kaplan, Modi says successful pilots have been with carefully selected partners, who also understand that results may not always be instantaneous. Whitfield, meanwhile, points to finding clients who have a clear business problem, and a willingness to embrace both innovation and working with a start-up.

“These gems are few and far between,” he says. “But if you find the right client, treat them like a true partner...they will be an asset and supporter of your business for years to come.”

Get innovative with products - and pitches

Security firms face numerous challenges and no more so than start-ups trying to disrupt the hottest markets with limited resources.

“Good ideas are always copied – it’s the quality of execution that differentiates,” says Whitfield, explaining one of his key challenges.

“The key to success for start-ups in cybersecurity is around delivering innovation in one of the critical topic areas, rather than re-treading old problems,” says Van Someren, seemingly agreeing.

He notes particular interest around Artificial Intelligence and Machine Learning -- but “precious little evidence of effectiveness” -- while he’s more interested in start-ups in data discovery and GDPR compliance tools, risk analytics and risk modelling.

He continues that too few start-ups truly understand the market they are in: “Taking the time to develop a concise explanation of what problem you’re solving, how big the market could be, and why this is the right team to do it makes all the difference.”

Modi agrees -- “most don’t spare enough time to understand the problem [of the market]” – but cites the issue of building trust as a key issue. As he notes, he can no longer rely on the “badge” of Microsoft.

“Credibility in security is so important, and it’s important trust is built-in at the start of the success story.”

Kaplan says his challenge has been getting people knowing and understanding a crowdsourced model, getting the ‘foot in the door’, and now scaling the business up.

“Right now we’re all about scale. That means very quickly ramping up sales operation, expanding internationally, expanding marketing efforts, and we’ve still a lot to do to build on the engineering front and on customer success side….while making sure the customer is still seeing tons of value, and that we’re building brand highly respectable people want to work with, to do business with.”

Aside skills, scale, ideas and product execution, Cowan mentions perhaps the elephant in the room – that sometimes security solutions, however great, will fail.

“The greatest challenge any cybersecurity start-up faces is still stopping attacks. But right behind that comes the challenge of proving value: how do customers know how much damage you saved them from?”

Start-up advice? Know your market and USP

Whitfield advises: “Do it, but do it with your eyes open. The stats don’t lie, most will fail, but the self-development opportunity is incredible. And listen to everyone – be thick skinned enough to feel the criticism of your product idea, but not so much that you stop listening."

Kaplan says you need to go all-in: “You have got to go all in….that’s critical.” He stresses the importance too of building strategic partnerships, evaluating your exit strategy and developing ties with CISOs who should soon realize this partnership enables them to drive products “that conform to their requirements.”

BVP’s Cowan advises start-ups to start big: “To gain traction, start by selling to the biggest targets: the US government, major utilities, and the multi-national banks. If you can secure them, you can secure anyone.”

Modi’s advice is simply to know your market and target audience, and - critically - to move beyond security as a siloed part of IT. You will get more internal champions as a result.

Cybersecurity start-ups face a long and winding road, but with plenty of opportunity to disrupt a complex, ever-changing market.

Got other ideas? Head to Facebook to let us know.