• Survey Results: What is most important to CISOs?
    Posted by Bill Burns on July 22, 2014

    Advances in technology are being embraced by both security teams protecting sensitive corporate data and the sophisticated criminals trying to disrupt business. Addressing security, privacy and compliance concerns are often cited by businesses as top priorities before adopting Cloud or BYOD technologies. As a member of and advisor to Wisegate, I partnered with the IT advisory service to survey over a hundred security leads to learn what’s most important to CISOs, what innovations they’re focused on to address their most pressing problems, and how they’re planning to help businesses take smart risks.

    Key findings:

    1. New battlefields, same war. CISOs remain vigilant on the fundamentals – Malware Outbreaks and Data Breaches. Security teams confront growing risks on many fronts, from new technologies to external threat factors. Driving their security strategies are 6 technology trends and 5 top risks.

    2. Security programs prioritize risks and business alignment, but lack tools to draw the big picture. Their risks are increasing, but only half can efficiently report risk status to their Boards and internal business partners.

    3. As IT hands off infrastructure control, CISOs focus on the data. Shared risk models – a nod to the expanding universe of user devices and the dissolving enterprise perimeter.

    4. Automate all the things. CISOs push automation, orchestration to manage point solution sprawl. Consolidation and automation are top areas of focus to improve security program maturity. Three-quarters of CISOs are building or integrating solutions to address their top risks. APIs are frequently requested features in modern security solutions.

    1. Tech Trends and Risks Driving Security Programs

    Six Top Technology Trends

    Businesses are embracing and realizing the productivity benefits of BYOD, Everything as a Service, and ubiquitous connectivity from their mobile devices. One of the consequences of these shared-risk models is losing visibility and manageability on endpoints, applications, and networks. These advances have impaired traditional security controls based on traffic inspection, blacklist signature-matching, and device management. Businesses have accepted these risks in exchange for their benefits, driving innovation for alternative solutions to secure corporate data. Advances in predictive and behavioral analytics, Cloud Application Security Brokers and SecDevOps methodologies, for example, help security teams remain effective at addressing their top risks — harmful applications and the loss of sensitive corporate data.

    Five Top-Of-Mind Risks

    Five risks capture 51% of CISOs’ top concerns, and are increasing industry-wide. Two risks in particular -  Malware Outbreak and Sensitive Data Breach – account for nearly 1/3 of all CISOs’ attention. They were more important to participants than the next 6 identified risks combined. Beyond the top half, risk priorities quickly become diffuse and follow a power-law curve – indicating that security priorities differ across industries, companies, and program maturities.  See our earlier post for a “word cloud” version of top risks.

    Although Malicious Insider Threats receive a lot of press and are harder to detect, external threat actors pose a greater overall concern. Verizon’s 2014 Data Breach Incident Report indicates that only 8% of reported data breaches involved malicious insiders. Our data suggests that although the “insider threat” is a concern, it’s not in participants’ top-3. Coincidentally, behavior-based controls show promise at detecting anomalies in both endpoint application execution and activity logs — we look forward to more innovations in both of these top-risk areas.

    2. Prioritizing Security Programs, Measuring Their Impact

    Risk-Based, Business-Aligned Programs

    With so many possible ways for harm to affect a company and its data, how do information security programs prioritize what to focus on, what threats should teams address first, and when should they change their focus? Teams overwhelmingly follow “Risk-Based” approaches, and look forward about 2 years when reviewing their strategic roadmaps. As security products themselves implement more cloud-based controls (either directly or embedded within vendor products), security teams will stay agile amidst ever-evolving threats.

     Q: How do you prioritize your security program?

    Q: How far out do you plan your strategic roadmap?

    But Metrics and Reporting Impact Are Lacking

    Despite being able to identify their top risks, one-half of our participants admitted they didn’t have good ways to measure the status of these risks or how effective their programs were at address them. This is surprising and concerning – imagine trying to fly an airplane at night with your three most important cockpit indicators missing.

    Security and risk management systems are becoming Board-level discussions, government and industry regulations are also requiring better risk monitoring and controls. While many security products do provide dashboards, those tend to be specific to that product’s threats and activities. What’s needed are efficient ways to map all of this event data into holistic, business-level perspectives.

    3. Data-centric Enterprise Security Programs

    CISOs are looking to put security controls as close as possible to enterprise data, versus focusing on specific device types or threats. Information Protection and Control products (“IPC”, including DLP/DRM/masking/encryption technologies) were the #1 desired control to apply on computers, at the infrastructure layer, within applications, and on Mobile endpoints.

    Data-centric security will become increasingly important as emerging “Cloud Always” companies implement modern enterprise stacks, established enterprises refresh their technologies with “Cloud First” initiatives, and even “Cloud Cautious” companies realize the benefits of SaaS and IaaS. By focusing on capabilities and adherence to data-centric security controls instead of specific device types, security teams can support a wider range of BYOD endpoints and applications. Storing and processing corporate data within SaaS and PaaS providers becomes less risky if the enterprise manages the encryption keys. There are many operational considerations to address, such as enterprise search and key distribution, but this is a promising area to address a wide range of risks.

    4. Automating, Integrating Controls to Stay Secure

    Security teams are consolidating and automating their controls

    1. Over half (59%) marked as a top-choice proactive threat/misuse detection or automated orchestration to streamline their incident response processes.
    2. Three-quarters needed to build a custom solution or integration to address their top risk.
    3. Almost one-third (31%) are prioritizing security controls for DevOps environments. I also spoke about this in CSO Magazine.
    4. Aside from two participants planning to turn down their AntiVirus systems, security teams keep adding additional controls to their programs as new threats emerge.

    And finally, several participants remarked that they’re concerned about managing an ever-expanding set of security point solutions. Even if security teams could easily find qualified staff to run new controls, they get better efficiencies driving security initiatives via automation and APIs. This is consistent with our investment in Chef and the notion that good security posture is based on solid operational controls and consistent configuration management.

    Q: For which risks did you need to build something in-house because there were no acceptable commercially available alternatives?

    Methodology

    We met with nearly two-dozen CISOs across more than 15 industries, asking about trends, externalities, and what they’re focusing on to protect their enterprise risks. We then partnered with Wisegate who surveyed their members to get a broader, in-the-trenches perspective on security practices and strategies. This increased our total, usable sample size to just over 100.

    There was strong consistency between both data sets and we saw some “spreading” amongst priorities, implying that both program maturity and product choice is alive and well within the Information Security market. We also collected attributes about InfoSec programs and heard glimpses of what makes security programs successful. I will be presenting more details on these findings at the Gartner Catalyst Conference in San Diego August 11, 2014.

    We hope these findings are helpful to both enterprise security teams and security startups contemplating new approaches. We’d like to thank our CISO survey participants for their time and insights, and Wisegate for their expertise. Future InfoSec opportunities are large, defenders are eager to gain new capabilities, and the market is ready for new innovations to disrupt the status quo.

  • .
    Posted by Alex Niehenke on July 2, 2014

     In our last entry we discussed the benefit for early-product, SaaS companies to initially target the SMB market with the goal to move upmarket and capture larger accounts over time. While this presents a smoother entry into market, it creates a new set of challenges including: when to move upmarket? And when the timing is right, how does one move upmarket? As investors and board members we work with our companies closely through this growth. It is a broad subject that could be covered in many chapters of a book. Instead, here, we have asked some of our portfolio executives to share lessons from their own experiences.

    How Do You Know When To Move Upmarket?

    • My belief is this process works best when it happens organically. It will happen when enterprise customers are not having their needs effectively met by other providers and may often ask you to partner with them on building the functionality. Making those first few enterprise customers successful at whatever cost is essential for building your brand and word of mouth. –Tim Kopp (@tbkopp), former CMO, ExactTarget & WebTrends
    • Don’t get lured into going upmarket. Get pulled. Make sure you first have a strong base of smaller clients. They are references and sources of learning that will be part of the foundation that you build on. If sales start coming in, soak up as much knowledge as possible in terms of what the success factors have been, and allocate more resources towards the effort, wherever you need them most. Be disciplined about not signing a client that’s much bigger than what you are capable of delivering. –David Blanke (@davidmblanke), COO, Sailthru
    • Don’t hire an enterprise sales team until you have proven the ability to sell and service the demand. Don’t staff up on the promise of great meetings and an overly optimistic pipeline. While it’s a bit of a chicken and egg situation, it’s better to wait until the signs of success are proven with deals that close and successfully go into production. If you do it right, you will see a steady increase in the size of the customer and deal size before you ramp up spending in sales and marketing. Zack Urlocker (@zurlocker), former COO, Zendesk
    • Go deep in verticals and establish a great brand name which will begin to generate a lot of inbound interest and excitement from larger prospective customers who hear positive buzz about your products. –Nate DaPore (@peoplematterceo), CEO & Founder, PeopleMatter

     

    What Are Some Tips, Tricks, and Lessons From Having Moved Upmarket?

    • Use a land and expand model of inside sales for hunting to get a ground swell and then take it back to corporate and standardize with field sales. Large centralized deployments are hard to win so don’t waste valuable selling time going direct. Hire entrepreneurial salespeople with business development DNA. Finally, don’t hijack the product roadmap for one large customer’s unique requirements. It must work for the masses initially. –Dave Berman (@daveberman), President, RingCentral
    • Spend time with your five largest customers to understand why they are happy and paying. Basically, make sure you understand the pain points that compelled them to act, who they evaluated competitively, and what is not working about your product. -Rene Lacerte (@rlacerte), CEO & Founder, Bill.com
    • Begin working on building your brand, thought leadership, partner ecosystem, agency relationships and deep vertical expertise that enterprise accounts require. Perception is reality. –Tim Kopp (@tbkopp), former CMO, ExactTarget & WebTrends
    • Enterprise customers definitely put stress on an organization. Their expectations on are much higher than mid-market or SMB customers. But they are also much more willing and able to pay for premium support, training and implementation services. You should be able to introduce and staff some of these premium services with commitment from enterprise customers to pay for them. For example, many enterprise customers may be willing to pay for the attention of a talented Technical Account Manager. –Zack Urlocker (@zurlocker), former COO, Zendesk
    • Sign-up great SMB companies that are going to grow and you will be able to grow and scale with them. -Billy Bosworth (@billy_bosworth), CEO, Datastax
    • To achieve success, tight cross-departmental coordination is necessary. Otherwise, one piece gets ahead of another, where sales is selling a product that marketing is not messaging or new clients are coming on board that can’t properly be handled by your client services team. –David Blanke (@davidmblanke), COO, Sailthru

    One executive summarized the upmarket timing simply with “you will know.” In board rooms we often get asked whether it is time to start pushing upmarket. It is a much more organic path where you get pulled by staying close to your customers, having an open line of communication internally and externally, and strategically investing in your product and organization as the upmarket demand increases. The methodical approach also allows you to pace the disruption of an incumbent, making it harder for them to swiftly react.

  • A look at the social and technological trends that are most impacting information security programs
    Posted by Ariel Tseitlin on June 25, 2014

    During this past quarter our current EIR and security expert Bill Burns has been researching and building an investment thesis around the enterprise Information Security space.

    We set out to determine which social and technological trends most affect information security programs, and how security organizations protect their corporate and customer information as companies evolve and adapt to these trends. We also wanted to see what changes in the threat landscape are impacting InfoSec teams and what perceived market gaps exist – e.g. problems without good solutions. It’s not uncommon for security to lag behind technology innovations, and different organizations have different risk appetites, budgetary constraints, and regulatory mandates.  All of these factors affect how teams manage security and risk within a particular organization, and create opportunities for innovative startups.

    I’m excited to share some of Bill’s early results and give back to the security community that has helped us so graciously with their time and insights.

    Giving CISOs a chance to nudge the security marketplace

    To understand what market forces are at play within the security space, we reached out to nearly two-dozen CISOs across 15 industries. We wanted to know how their security programs are maturing and being disrupted, how effective CISOs are at dealing with substantial changes to their attack surface and sets of controls, and we wanted to know what “keeps them up and night” and how they’re meeting that challenge. What we heard in these interviews was refreshingly candid and insightful. They shared what controls are working, where they see concern and opportunities ahead, and what they’re strategically focused on going forward.

    What Keeps CISOs Up At Night?

    Regarding these top-of-mind risks, the consensus was that teams want to approach security more as a “science” as less as an “art”. Security organizations were looking to:

    • automate, standardize and manage their most important assets in their organization
    • find systematic ways to respond to changes in the ecosystem, integrate their solutions together and have the tools make sense of the data they already are getting
    • build baselines of what’s “normal” to, hopefully, discover earlier when things are “abnormal” and require more thorough analysis

    We also asked CISOs to identify external forces most likely to affect their security program strategy in the near future. It’s not surprising that Mobile Computing, and Cloud technologies (both SaaS and IaaS) were top security forcing functions, since they’re also top-of-mind for CIOs and organizations to improve employee productivity. Increases in Regulatory/Compliance pressure also ranked highly.

    Securing Agile / DevOps methodologies also was top-of-mind for CISOs, which is encouraging. Our investment in Chef has shown that enterprises are adopting automation rapidly, and it’s great to see security teams embracing this trend to deploy security controls more consistently and continuously. We anticipated going into the research, and the participating CISOs confirmed, that automation and API-level access will become table stakes for security products going forward, to support a new level of interoperability and customization.

    The use of BYOD and “Shadow IT” also scored as top concerns for many participants. These two technologies are managed by end-users, which causes concern for those typically assigned to protect the data being processed and managed. Data breach reports such as Verizon’s seminal Data Breach Investigation Report and post-mortems from high-profile incidents frequently implicate poor security controls on endpoints and attackers socially engineering persons to infiltrate companies and exfiltrate their data.

    • The concern from CISOs over BYOD was around usability vs. protection. Applying traditional enterprise security controls on a consumer device frequently affects the “consumer” experience that makes BYOD so popular in the first place. The CISOs we polled weren’t completely satisfied with the choice of products in this space, so we continue to see opportunity here as companies seek a balance between the need for visibility and protection versus the benefits of supporting innovative devices. In a later post, we’ll cover the divergence between “endpoint security” vs. “network security” – there was no clear winner-take-all approach articulated by participants. If your company is working on a better BYOD mousetrap, we’d like to hear from you!
    • And finally, Shadow IT is still seen as a challenge for Information Security teams to manage. Security teams are still concerned how best to effectively strike the right balance between monitoring for risky behaviors, blocking “unsanctioned” applications, and maintaining regulatory compliance…while adopting the efficiencies inherent with SaaS cloud applications. The good news is that there are many choices in this space, the problem is choosing which product has the specific feature set you need. Eventually some consolidation is likely in this space since many of the CISOs we spoke to wanted key features from multiple vendors.

    We also measured trends that have the least effect on security priorities, and those were more industry-specific. What matters least to a highly-regulated government contractor (that can afford to lock down or prohibit BYOD) is different from a fast food restaurant chain that doesn’t write custom applications. Choice is alive and well within the information security market!

    What’s next?

    We’ve just scratched the surface on the insights we’ve gleaned from our initial survey. We’ve partnered with Wisegate, a next generation IT advisory company, to create a streamlined version of this security questionnaire and open it up to a broader audience.  For more information on Wisegate and a to see a list of their community-based public reports, please visit here.

    Bill shared some of early insights last month at the Rocky Mountain Information Security Conference. We’ll be sharing more of these research results this quarter as this research project wraps up, including the security market segments that we find most interesting. Stay tuned!

  • How do you know when you’re about to get to startup heaven, scaling up fast and reliably?
    Posted by Sharon Wienbar on June 18, 2014

    A version of this article previously ran in Entrepreneur.

    How do you know when you’re about to get to startup heaven, scaling up fast and reliably? A company’s growth curve can head in a variety of directions, not just the lucky, up-to-the-right hockey stick of explosive growth.

    At ScaleVP, it is our business to figure out exactly when a company can use our money to grow to the heavens, or when it’s best to keep the burn low. The checklist below is based on insights we’ve drawn from our due diligence over more than a decade of helping to scale a number of successful startup companies.

    1. Product

    Do people want to buy what you have to sell? In Silicon Valley speak, that translates into having achieved “product-market fit.” At this point, you’ve tweaked your product (service, solution) and have a standard version, and maybe a few options that are appropriate for the bulk of your market. Signs that you haven’t yet achieved this state include products that are customized for each customer, need a lot of customer support, have negative margins, get poor customer reviews or do not get used after purchase/installation.

    Do not confuse having a “minimally-viable product” (MVP) with being ready to scale. Eric Ries of LeanStartup fame coined that phrase. An MVP is used to test-market your product before it is built so you know what to build without wasting precious resources on building the wrong features. You need real products to scale, not a mock-up.

    2. Price, packaging and positioning

    These three P’s are related to your product, and describe the bundle of attributes that you are taking to market. You better have these nailed down before scaling, too.

    • Price: This includes not just the number you stick on the pricelist or tag, but the pricing methodology. Pay upfront or subscription? Charged how often? Freemium, premium or free trial? Volume discounts? Lots of add-ons, or all-inclusive? This blog post, from my colleague Stacey Bishop, offers tips for current software pricing strategies.
    • Packaging: It’s easy to understand when it’s physical goods, but many products have packaging, which describes what’s included with the product. Does your software come with storage, support services, integration, installation or implementation? What’s in the premium versions versus the basic product? If you’re selling a physical product, is delivery included?
    • Positioning: This is how you describe your offering. It’s not your tag line, and you may never utter these words exactly, but it’s a single statement that places your offering in its market context and clearly reflects why your product deserves consideration. A popular template reads: “For [target market], the [brand] is the [point of differentiation] among all [frame of reference] because [reason to believe].” This will evolve as your product and market mature, but you need to have a clear picture of who your target customer is and why she or he will select you. Your positioning statement is the foundation of all the messaging you will use to scale: marketing copy, sales scripts and presentations, investor pitches and press releases.

    3. Sales channel

    You have to figure out a cost-effective way to get your product to customers. Much of the money spent by startups goes towards sales and marketing (see the second chart here). Your people are relatively expensive, the programs cost real money, and oh, by the way, both people and programs interface with your prospects, so if they’re not right, you risk doing more harm than good. Scared now? Good! Do not spend a lot here before you have figured out what works.

    Your “sales channel” is the path to a successful, cost-effective sale. It includes the methodology (telesales, direct sales, retail/distribution, value-added resellers, e-commerce, etc.) and the associated processes (telesales scripts, salespeople’s backgrounds, reseller training materials, etc.) that lead your customer to say “yes.” You don’t need every component to be polished and optimized to begin scaling, but you should have a clear idea what works, what doesn’t, and most importantly, what you would do more of if you had additional money.

    ScaleVP often sees a pattern with companies on the verge of scaling: They move from the entrepreneur him/herself making initial sales to adding a couple of sales people, then a manager with another small handful of sales people. That point where you have built a small, competent team that executes flawlessly is exactly when you know you have the recipe for success and are ready to scale.

    4. People

    Sales isn’t the only department that needs to prepare for scaling. As the entrepreneur and leader, you need to be ready to scale. This usually means you have hired some top talent to support you in key functions, and the team as a whole has the capacity and clear direction to take on the challenges of extra business. Your company needs to be able to service existing customers consistently and simultaneously attract new customers, and keep all of them happy.

    Engineering needs enough leadership to keep driving innovation, while the business team is closing more deals. And if you’re making a real-world product, factories, shipping departments, customer service lines and finance departments all have to keep growing efficiently as the business expands. With modern software-as-a-service solutions, many of these functions can be automated inexpensively.

    If part of your organization is fragile or broken, you can be in startup hell — frazzled, inefficient and stalled. You either won’t attract needed startup capital, or if you get it, you won’t spend it effectively. So ask yourself, “Are we all ready to scale?” using the checklist above. If you are, we could be seeing you soon.

  • Focusing on reducing churn now will strengthen revenue growth quarter over quarter
    Posted by Zack Urlocker on May 20, 2014

    A version of this article previously ran in GigaOm.

    In my career, I’ve worked with a number of SaaS startups to help them refine the efficiency of their operations. One of the things that is often neglected is customer churn. Early focus on churn helps build discipline that becomes even more important as a company grows to $100M or more in revenues and can be a huge factor in driving growth.

    In the bad old days of on-premise Enterprise software, a startup was considered to have traction when it got its first dozen paying customers. These were typically large six figure deals, and required a lot of heavy lifting to get the customers into production. Not surprisingly, every employee knew who the early lighthouse customers were and what they needed. While the old school field sales model was not particularly efficient, it had the virtue of driving an organization towards making early customers successful.

    The irony of high-volume SaaS sales is that when you have hundreds or thousands of customers, things can become rather anonymous. The more customers you have, the harder it is to keep a pulse on what people are really doing with your product. As a result, it’s harder to make sure customers are using your product correctly. And if customers aren’t successful in using your product, they churn.

    Having churn is like rowing a leaky boat. After a while, you spend more time bailing water than rowing and you’re not going to make much forward progress. By contrast, organizations that focus on reducing churn will find that their revenue growth gets that much stronger every quarter.

    Break it Down

    To accurately measure what’s going on, you should begin by breaking out churn (customer cancelation) from contraction (a downgrade in spending). Some customers may downgrade in accordance with seasonal business, such as is common in the retail sector. You should measure downgrade and churn separate from uprades and expansion; otherwise your net growth numbers will mask problems that are bubbling below the surface. If your SaaS product has different editions (e.g. Basic, Pro, Enterprise) you should watch for downgrades that suggest customers are not seeing the value in the higher-end features.

    It’s also worth paying attention to churn and contraction by customer segment. In most SaaS businesses, churn is highest in low-end customers. Some of those smaller customers will inevitably be acquired or go out of business. Over time, if you move upmarket to larger SMB or Enterprise customers, low-end churn becomes less significant. Customers who spend a lot of money usually have greater commitment and resources for working through any speed bumps during implementation. They’re also far less likely to switch to another vendor with newer features.

    Understand the Reasons

    The most important thing is to understand why customers are downgrading or churning. While it’s easy to speculate, the best approach is simply to ask your customers through a combination of surveys, emails and ideally phone calls or face-to-face meetings. Remember, your purpose in doing this is to understand the customer’s experience, not to second guess them.

    While sometimes founders get defensive with customers, recognize the value of the feedback you’re getting, even if its negative. And make sure that this information is shared within the company to help come up with ways to improve your offering and provide a better experience.

    Classify your findings to determine whether it was a customer issue, a sales issue, a product issue or some external factor. Did the customer not understand what they were buying?  Did they lack the skills to implement your product?  Was it missing key features?  Did users find it too hard to use?  Were there quality or reliability issues?

    Your first line of defense in reducing churn is to make sure your product lives up to its marketing claims and that it quickly delivers value to the customers. The more people a customer uses your product, the less likely they are to churn.

    Depending on your product, it may be worth adding some introspection to help you determine usage patterns that suggest a customer is at risk of churning.  Some, like less frequent log-ins, are obvious.  If you’ve got thousands of customers, it may be worth doing some analysis to come up with less-obvious predictive signals.

    Human Touch Goes a Long Way

    At Zendesk and MySQL, we implemented several customer programs to reduce churn and benefited from below-industry churn rates. One of the key principles was that I wanted to avoid being the kind of company that only calls up customers when seeking a renewal. Instead, we built a Customer Account Management (CAM) team that worked with customers over the entire lifecycle.

    We defined a twelve-month program with regular check-ins, emails and phone calls to make sure customers were successful in using the product. The Customer Account Manager’s role was to be proactive with customers, identify any issues that were getting in their way and build a relationship of value and trust.  Through this relationship, we earned the right to additional expansion and upgrade opportunities within the customer and through referrals.

    The Customer Account Managers also kept their eyes peeled for issues that might suggest the account was at risk of churn, such as if a new manager was hired, or if certain features weren’t being used. They kept accounts up to date with information about best-practices for customizing their setup, implementing new features or learning about training that might be helpful to them, and so on. When necessary, the Customer Account Manager could call on resources in Support, Engineering or elsewhere to solve a customer’s issues. The account managers were also a great first line of communications on those rare occasions when there was downtime.

    Occasionally, fast growing customers would outgrow their initial setup. Maybe they went from a dozen users to several hundred without putting in place the proper controls or reporting. Or in some cases the person who set things up never read the documentation and did a lousy job. Regardless, we would work proactively to help customers through these situations. While this meant undertaking some modest amount of services for free, the alternative was far worse: an unhappy customer who would inevitably blame our software. In general, by being proactive, we could turn these situations around and win the ongoing loyalty of what would otherwise have become a problem customer.

    Towards Negative Churn

    In a rapidly growing business, you may experience “negative churn” meaning that your upgrades and expansion more than make up for contraction and churn. But even in this kind of scenario, it’s vital to pay attention to churn. Failing to do so leaves you blind to trends of customer dissatisfaction that may indicate fundamental problems with your product or your business model. Negative churn can easily mask an eroding customer base that leaves your business vulnerable. In a fast moving boat, even small leaks are worth patching.

    While some modest amount of churn is inevitable, you should strive to get your churn rate as low as possible and then continue to monitor any changes. If your churn rate is more than 10% annually, you have work to do.

  • Because getting the website right is imperative
    Posted by Rory O'Driscoll on May 15, 2014

    Our investment in Pantheon was announced today. Why Pantheon? It’s simple. The website is the single most important marketing asset for any company but for most companies the process of building, launching and running a business website is a mess. In enterprise software, a broken but important business process represents an opportunity for software to make things better and build a valuable company in the process.

    Why does this matter and why is it hard?

    For most businesses the website is the brand. The first instinct of a customer today is to check out a company online. For every one customer that comes to a first impression by walking into a physical building, ten or maybe one hundred others have already come to their conclusion, by going online. Marketing cannot get the website wrong.

    If building a website was something that could get done once, “nail it and move on”, this would be a fairly tractable problem but it isn’t. The pace of technology change means that website building is like painting the Golden Gate Bridge. Get it done, take five minutes to admire the view and then start again. In the last five years alone, social media, mobile platforms and content marketing have made every older website obsolete.

    The final part of the problem is that building a corporate website is a fractured process. Marketing owns the problem but the process usually involves an outside design firm, often a separate development shop, a hosting company, and an in-house group of people, all of whom have opinions and only some of whom have ability. For any CMO, “redoing the website” is a must do and a high-risk part of the job.

    A quick history of web content management

    This is a twenty-year-old problem. In the 1990’s the two big winners in this market were Vignette and Interwoven selling expensive proprietary “on premise” software products. In the past decade these offerings and these companies have stalled as inexpensive, open source and cloud based software is where the world is going.

    SaaS based products have swept the table in the digital marketing arena and we have been lucky enough to work with many of the winners including Omniture, Exact Target, Vitrue and Hubspot. These companies used the SaaS delivery model to “bundle up technology” and make it digestible to marketing departments as a service-based, business-focused offering, removed from the underlying technology. At the same time, open source has become the dominant business model for infrastructure products.

    Web Content Management fell squarely in the middle. Squint one way and web content software is a product used by developers to build great websites, and like all web developer products it needs to be available open source. Squint the other way and the process of building, launching and running a website is a core business function for the market department and needs to be managed accordingly.

    Drupal or WordPress + Pantheon

    The verdict is in on web content software and open source has won. WordPress and Drupal are the two most commonly chosen web content management systems, with 50%+ market share. These sites are then hosted either in-house, or more often on a third party hosting site that offers a simple “hosted Drupal” offering.

    This meets the developer need but not the needs of marketing. Getting a website up and running is a business process, not just a developer task. What marketing wants is a SaaS offering that will manage the build process across designers and developers, handle the code check in and check out, enforce “look and feel” across multiple sites, (most corporations have hundreds of websites, not just a single corporate site), and then manage uptime and changes once the site is launched, all from a single system. Marketing cares much less about what open source product is selected.

    Enter Pantheon and the Website Platform

    Pantheon does not build its own web content software but instead allows the developer to run either Drupal or WordPress on the Pantheon Website Platform. The company has leveraged new infrastructure technologies (an entire separate post could be written on how Pantheon leverages containers Varnish and its own file system) to be able to offer marketing departments and design agencies a product that is at rough cost parity with managed hosted services, but which offers an entire suite of SaaS tools for the management of websites. Customers come through a marketing funnel, driven by developer adoption and then can convert to paid status as the site is rolled out. Because there are always budget dollars for hosting, adoption happens quickly. The customers come for the hosting, but stay for the software.

    Team, Traction and Upside

    It goes without saying that we like the team. The founders, Zack, David, Josh and Matt have a strong technical background and also ran a website design agency. They know what it takes to get a website up and running and they have surrounded themselves with smart go to market executives. The traction is also there. Our focus at ScaleVP is – as the name would suggest – on companies where the product market fit is clear, the go to market path has started to emerge, and what is then required is scaling the business. Pantheon fits this to a tee.

    Stepping back, what excites us the most is the chance to be part of what we see as the Digital Marketing SaaS company that will manage the marketing asset that is at the center of the entire digital marketing universe, the website. We have been part of building great companies in web analytics, (Omniture), customer marketing (ExactTarget), marketing automation (Hubspot) and social media marketing (Vitrue). The website is the glue around which all these products rotate but to date there has not been a meaningful SaaS offering to help manage websites. We think Pantheon will be that company.

     

     

     

  • Software as a Service has changed the way software is consumed. It is also changing the go-to-market for new software companies
    Posted by Alex Niehenke on May 5, 2014

    Traditional client-server software favors large enterprises. Licenses required big, upfront cash commitments and customers need in-house IT for implementation, maintenance, and security. Small and medium sized businesses (SMBs) generally do not have these resources, and even if they do, are reluctant to make the large investments needed. SaaS has changed the paradigm by pushing IT requirements to the cloud into a shared resource. More important, it’s turned the purchasing decision into a monthly operational expense that can easily be scaled up or down as the business needs change. Many SMBs are now buyers of software that was previously not accessible to them.

    Young software start-ups no longer need to invest millions to build out an enterprise-grade product. Rather, they can quickly enter a market with limited features and functionality by focusing on the SMB buyer. This buyer has lower requirements and a higher propensity to adopt new technology. We’re seeing new SaaS start-ups getting into the market with minimum viable products faster than ever before. These companies then iterate their product based on customer feedback and demand. The most frugal even charge customers for product build-out, self-financing the company’s road map through customer cash.

    With time a SaaS company’s product becomes more robust. The company innovates its product in areas where traditional vendors are lacking. Mid-market and enterprise customers start calling. Larger companies become customers and account sizes grow. The natural march up-market begins. We’ve seen the process repeated many times in our portfolio with HubSpot, RingCentral, DocuSign and Box as recent examples. This attack from the bottom is also known as the Innovator’s Dilemma. However, it’s particularly acute in the software business where a SaaS vendor can ultimately serve the full market from SMB to large enterprise all with the same software platform modulated for customer size.

    The most direct measure for a company’s trajectory upmarket is growth in average selling price (ASP) per customer. Salesforce (CRM) and NetSuite (N) are successful companies that embody this tendency. Both started their businesses in the SMB market. Looking back at their initial public filings, NetSuite disclosed (December, 2007) that its “customers are small and medium-sized businesses and divisions of large companies” while Salesforce similarly stated (June, 2004) that they “derive a significant portion of [their] revenue from small businesses”.

    The numbers shed even more light (neither company discloses ASP per customer, but both do report customer count that can be divided into the last quarter’s revenue and multiplied by four to approximate ASP). Industry reports estimate that NetSuite’s ASP was as low as $120 in 2001. By the time NetSuite went public in 2007 average ASP had grown to $20K, up from $15K the previous year. In 2010 NetSuite publicly stated that it wouldn’t onboard new SMB customers and today ASP is $45K with most new customers coming in at over $100K. It’s come a long way from its early days of its customers being small and medium-sized businesses. Similarly, Salesforce had an ASP of $14K when it went public in 2004 and has grown its ASP over 40% since IPO. We’ve heard that Salesforce’s ASP was in the low thousands in the early days.


    Of course some software products can only be launched into the enterprise. Companies like Workday and Cornerstone OnDemand come to mind but most young SaaS companies should heavily consider the SMB market in their initial go-to-market strategy. SaaS companies can get to market quickly and iterate based on consumer feedback. Larger accounts and growth in average ACV will come with time. We believe you can scale massive businesses by starting in the SMB segment and we actively invest in companies focusing on this market.

    In our next entry we’ll discuss best practices for when and how to scale upmarket.

  • .
    Posted by Sharon Wienbar on May 1, 2014

    CEO Ben Wolin often talks about how Everyday Health was founded in his Brooklyn kitchen. Our first in-person meeting was at the end of a long day, in the main ScaleVP conference room. Ben, Mike Keriakos and Brian Cooper, cooked up some magic in that meeting. My partners and I left that meeting hungry to invest.

    ScaleVP first invested in Everyday Health in 2007.  At that point, the company was scaling its advertising  business that it had launched in 2006. We’d come to know the company and team earlier, over the phone,  when they primarily published subscription diet content. I originally contacted the company as part of a  market project I was doing on vertical content companies. We liked the idea of an open, ad-supported vertical  content company in the health space. Premium content in that sector is enduring (as opposed to say, sports or  news, which is ephemeral) and high value, as health and wellness advertisers pay a premium for targeted  consumers in a health context. By 2007, I was calling them every quarter urging them to do a financing with  us to scale the business.

    Our initial investment memo, the recipe for why we invested, detailed some of the company’s strengths: a large  and growing market for digital ads, its leadership among startups in the space (it had more than twice the revenue of the next largest startup at the time) the combination of a consumer business that generated targeting data and an advertising business that uses it.  The team, with a combination of youthful enthusiasm and wise-beyond-their-years practicality, deeply impressed us.

    Seeing a founder take a startup all the way to IPO and beyond has a special sweetness among the joys of venture capital. Many in Everyday Health’s senior leadership team started in the earliest days: Ben, Brian Cooper, CFO; Scott Wolf, head of sales, and Greg Jackson, Chief Data Officer. Other newer team members (Alan Shapiro, Paul Slavin and Melanie Goldey) added to Everyday Health’s quick rise.

    Together we’ve diced and hashed numbers, strategy, acquisitions and plans, but all the while my respect for Ben’s team has grown faster than the fennel in my garden. This team has mastered so many challenges: the Great Recession, M&A deals large and small, and all sorts of technical innovations that could have burned them, but instead became the icing on the  cake: mobile, social, programmatic and other buzzwords representing significant market shifts. The team consistently embraced emerging shifts that could have caused an “innovator’s dilemma” but instead yielded new business lines.

    Ben is a quick study, and I particularly like that he does study; Ben seeks data and advice before setting a direction. But his greatest strength is his connection with people—employees, partners, audience and investors. This sets an outstanding tone for the content and conduct of the business, and makes me especially proud to be associated with Everyday Health. ScaleVP says “Salute!” to Everyday Health and the team’s IPO.


  • Former ExactTarget CMO shares his top pain points facing marketers today
    Posted by Stacey Bishop on April 22, 2014

    For the past 10 years, ScaleVP has focused on the digital marketing lifecycle, investing in such companies as: Omniture, ExactTarget, Hubspot, Vitrue, Datasift and Demandbase. But we strive to always stay ahead of the new “hot thing” in marketing and that starts with really understanding CMOs’ top pain points and obstacles. That is why I am thrilled to announce that Tim Kopp, former CMO at ExactTarget, has joined us as a part-time Executive-in-Residence to help ScaleVP assess new markets.

    Most recently, Tim ran a nearly 300-person marketing organization at ExactTarget, a ScaleVP investment. During his 6+ year tenure the business grew dramatically resulting in a successful IPO in 2012 and acquisition by Salesforce.com for $2.7B in 2013.

    Responsible for marketing to marketers, Tim has a keen understanding for what marketers’ want, the solutions that are available today, and where existing solutions fall short. In addition to consulting with us, Tim also serves on the board and/or advises several SaaS marketing companies such as: Ahalogy, Monetate, G2 Crowd, Clarastream, Bright Funnel and Mass Relevance. From the frontlines, Tim has shared with us some of the top pain points facing marketers today: CMOs lack a comprehensive dashboard, an end-to-end view of the customer experience, and predictive pipeline analytics.  Whichever company has a cure for these pain points will attractive to a CMO—and ScaleVP would like to help accelerate their growth.

    “Mint” for Marketers

    A lightweight, CMO-centered dashboard that can do for marketing what Mint.com did for personal finance. Some strides have been made, but more work can be done to create a solution with gorgeous design, a mobile interface, and simple dashboards that cut across the marketing stack.

    Tim explains, “Many CMO’s spend time trying to cobble together systems tracking pipeline, deal stage, key events and other metrics but lack a single view of a campaign.” While some firms offer business intelligence dashboards, these mainly serve CEOs.

    Master Customer Record

    When companies have many different marketing systems, the customer gets a disjointed experience. They receive multiple messages from various marketing software tools that don’t talk to each other. CMOs can access many specialized, best-of-breed solutions to track engagement but no single application offers a complete picture of the customer lifecycle for a particular brand.

    Again, a dashboard would be helpful. “Companies,” Tim explains, “want to be able to predict the ideal engagement path customers take when they begin to interact with the company and then map that journey to a perfect digital experience.”

    Take Ritz Carlton, for instance.  Customers “like” on Facebook, receive emails, and get offers via other travel companies. Ritz Carlton actively engages with the customer but lacks a master customer record with attributes, engagement data, actions, and experience feedback. With a master customer record and dashboard, Ritz Carlton would be able to see both the path customers took and the next interactions the customer should have with the company.

    Predictive Pipeline Analytics

    It’s the last week of the quarter, how do you convert your pipeline prospects to customers? Most sales and marketing teams have a set of marketing activities they execute in order to convert prospects to paying customers.  But without historical performance data on these actions, sales and marketing can’t intelligently opt for one marketing activity over another. If they understood the correlation between different marketing activities and closing deals, they could increase their conversion rate.

    A lightweight, predictive analytics application that combined some business intelligence with Salesforce or other CRM data could act as a guide in these situations. The application could suggest the next best activities for marketing and sales to get the highest conversion of existing prospects. Does a discount, better payment terms, or free professional services lead to a higher closing rate?

    As SaaS simplifies systems integration and our analytics capabilities improve, isn’t it time we took care of the CMO?

  • Apps without performance monitoring are like Formula 1 race cars without instrumentation and pit crew. They either crash and burn or finish last.
    Posted by Andy Vitus on April 9, 2014

    Using a mobile app should be like a drive in a Ferrari: fast, responsive, and no crashes.

    In reality, many mobile applications have high crash rates and poor response times. Mobile app developers and operations teams are overwhelmed by the complexity of supporting every combination of operating system, mobile carrier, and underlying hardware platform.

    Two years ago, when I first started learning about mobile app development, I immediately looked for a third-party APM (application performance monitoring) vendor. I was coming from a Ruby on Rails world where every server app is instrumented to monitor latency and exception. The case for deploying mobile APM is even stronger given that the developer has no access to the device on which the application runs and, consequently, no visibility into the entire environment in which the application exists.

    I was surprised to find that, while there were multiple startups offering crash reporting for mobile applications, there wan’t a focused, mobile-first APM offering. By mid-2013, though, it became clear that Crittercism had identified the broad need to support mobile development teams with detailed run-time analytics and was expanding its offering dramatically.

    I’ve written earlier about the characteristics ScaleVP looks for when investing in developer-oriented SaaS companies. It was immediately clear that mobile APM is a perfect candidate for an outsourced service:

    • it is a broad horizontal market because every mobile app with any pretension to quality needs visibility into its performance;
    • performance monitoring is unlikely to be a point of strategic differentiation for any mobile development team; 
    • the imperative for high-quality mobile applications makes performance monitoring mission-critical; 
    • the functionality can be cleanly abstracted; 
    • and, really, what developer wants to write that piece of the code themselves.

    Aside from an attractive market, the other half of the venture equation is a stellar team ready to capitalize on the early traction. The more I got to know the executive team at Crittercism, the more clear it was that Andrew, the CEO, had built a solid team with deep bench strength.

    Many companies hit a quarter or two air pocket between identifying product-market fit and building an organization that can scale to $100M in revenue; this was not the case at Crittercism. Everyone had a clear vision for what they were planning to accomplish over the next two years. We always love to invest in companies with a strong tailwind and a clear plan for deploying new capital to maintain rapid growth.

    We’re excited to be joining the team as Crittercism expands internationally, scales up operations, and continues to invest in its category-leading mobile APM serviceOur belief is that over time all quality mobile apps will use Crittercism. Apps without performance monitoring are like Formula 1 race cars without instrumentation and pit crew. They either crash and burn or finish last.

scalevp