You can’t build a SaaS company in 2018 without significant funding

When I started Server Density in 2009, the company operated on a very low cost, bootstrapped model. I received a small amount of cash from Seedcamp in 2009 and then a few angels in 2011 but for the first few years, the total raised was only around $200k. The company grew off organic revenue with very low costs for the first few years and only more recently raised VC funding.

The years 2009 to 2011 were still very early in SaaS. The opportunities were mostly SaaSifying an existing on-prem business and both the number of SaaS businesses and funding sizes were small.

[Figure: SaaS seed investments 2008-2017. Data from Crunchbase by Christoph Janz.]

After 2011, SaaS was considered the business model of the future so competition ramped up and more companies were formed. This resulted in an increase in the capital required to build out and support a “proper” business.

Unless you had achieved a certain revenue scale, it was about to become very difficult to compete and even then, it was quite easy for a better funded competitor to overtake you.

As of 2018, I believe it is now impossible to start and scale a SaaS business without significant capital. Even established businesses are finding it challenging to scale when up against intense competition because of the cash requirements of so many areas of the business:

  • The product must continually evolve. Feature comparison is now the standard way of looking at the options when evaluating which product to choose as a customer. SaaS is the only sensible way to have software delivered in 2018 so the sales discussions are less about SaaS vs on-prem but SaaS Vendor 1 vs SaaS Vendor 2. Regardless of whether you actually need all the features on offer, it comes down to how many features a vendor has. This requires a large product and engineering team to regularly release updates and improvements as well as fixing issues.
  • Sales teams are expensive, especially in key geographies like the US East and West Coast. They have a high front-loaded cost and take time to ramp up. Recruitment is challenging and very costly. All this needs cash before you see any revenue.
  • Self-serve models are very difficult to build up because they require high volume organic traffic. Content marketing is saturated so unless you already have a good ranking, it takes years to build up. Marketing expertise is there but as with sales, it isn’t cheap and it’s time consuming to generate new ideas, build campaigns and pay the huge fees to sponsor and travel to conferences.
  • Supporting customers through a proper customer success operation requires experienced people, management tools and a proactive approach which is high touch. Again, building the team is the most expensive area.

Bootstrapping SaaS to sustainable revenues and profitability is so hard in 2018 because of the time it takes to grow organically. During that time, well funded competition will appear, out-build and out-spend.

Funding doesn’t necessarily mean success but it does make competing more difficult simply because it does usually mean a more feature-rich product can be developed.

That said, it is still possible to gradually build up a profitable small software business in a niche area that can grow over time. Many of these businesses exist and provide a great quality of life for the founders or small teams. But this is not the type of business I’m talking about here.

Instead, I’m saying that the model that Server Density took in 2009 to build a large scale, SaaS business around a critical business need like systems monitoring is no longer possible. To get into SaaS today you have to have a major differentiator, rapidly prototype, get some initial revenue and then raise significant capital. And not just that, you have to do it within a short 12-18 month window.

It’s certainly cheaper and easier than ever to form a startup. However, it has never been more expensive and difficult to scale.

Predicting the next decade of self driving cars, SaaS and China

I’ve been thinking about what the next 10 years of the technology industry will look like and have come up with a few things I think we’ll see develop.

  • Self-driving, electric cars will become mainstream and they will be linked to ride sharing services in particular. We’re already seeing countries ban the sale of new non-electric cars. Logistics will be the first to take advantage of self-driving, followed by consumer vehicles. The self-driving transition will be led by ride sharing services, with Tesla entering the market with their own offering. Uber is best placed right now but their success depends on their ability to navigate their major cultural issues.
  • Voice driven personal assistants will become significantly better, driven by direct access to your personal data. This will be easiest for Siri and Google Home because they have their own platform where the data resides (assuming Apple develops Siri into more of an open platform). Alexa will have direct access through integrations.
  • SaaS as a software delivery model will mature and we’ll see more SaaS companies IPO. There will be no growth and revenues in non-SaaS software will contract – renewals of these non-SaaS licenses will drive most of the revenue, with minimal new business primarily from legacy businesses and/or with FUD reasons. The 2.0 era of SaaS is already over and we’re beginning to transition into SaaS 3.0 which will be about “real” AI driven insights on the data.
  • Every consumer device will be connected and considered part of the “Internet of Things” but the largest scale users will be industry. There will be more and more major security incidents involving poorly architected IoT products until government regulation steps in.
  • The cyber security industry will transition from 1.0 to 2.0 which will involve consolidation, the emergence of a few big vendors (likely AWS, Google and Microsoft) and a clearer approach to sales and marketing.
  • China will become dominant as a world power (militarily and economically). Silicon Valley in the US will no longer be the number one place for technology, innovation and startups; that will instead be China. But this will only happen if China breaks down the wall that keeps Chinese companies operating only within China, unless China is considered a big enough market by itself (it already is, but most technology companies want to go global, which is challenging from within China).
  • Clean energy will become ubiquitous but we’ll get there indirectly via fracking and natural gas and continue to be supported by nuclear for a very long time.
  • We will return to human exploration of space through private enterprise. This will be led by SpaceX but China will become a major player here too, probably suddenly.

I look forward to coming back to grade my predictions in 2028.

Cyber security and leaving the door unlocked

A standard part of home or office contents insurance is making sure you use a lock from a list of approved manufacturers, and then ensure that the lock is actually engaged when you’re absent. Enabling other security mechanisms such as alarms is also typically required.

This seems entirely reasonable and simple common sense: if you leave a building unlocked and your belongings are stolen, it’s your own fault – you were negligent.

It’s not quite the same when it comes to cyber theft.

Even though you can purchase insurance to cover you against the risks of cyber attack, hacking, ransomware and data loss, the policies are much vaguer when it comes to understanding your responsibilities.

In a physical contents policy, it is sufficient to use the term “locked” to describe the state the building must be in to be considered sufficiently protected. When applying for the policy you will be asked if there is an alarm and in theory the presence of one should reduce the premium. The same isn’t the case when applying for a cyber insurance policy. I think it should be.

Basic security steps

There are two steps you must take to secure your online accounts:

  1. Use a password manager, with unique passwords for every online account that are at least 12 characters in length (as of Jan 2018, this will change over time).
  2. Use 2 factor authentication using a TOTP app such as Google Authenticator, not SMS. Or even better, use a security key.

Having the same password (or a small number of passwords) for your online accounts is the single biggest reason why account compromise is so frequent. A single breach of any online service will reveal your password for everything else, something which happens on a regular basis.

Without a password manager, this becomes difficult to achieve, especially since you will want to use a random selection of numbers, letters and special characters. The main reason to use a passphrase with combinations of words is to make it easier to remember. Using a password manager means you don’t even have to remember anything except the single master password, can protect against phishing because auto-fill matches are based on URL patterns and you can quickly enter credentials with keyboard shortcuts.
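The phishing protection mentioned above comes from the password manager only offering a saved credential when the page's origin matches the one it was saved on. The following is an added example (not the author's code or any particular password manager's matching logic) of a simplified origin-matching policy: https only, exact host or a subdomain of the saved host, with a constructed one-entry vault. The vault contents, the policy and the helper names are assumptions for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault: credentials keyed by the exact origin they were saved on.
# Values are placeholders, not real credentials.
VAULT = {
    "https://accounts.example.com": ("alice", "placeholder-random-password"),
}


def origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] for an https URL, or None if the URL is unsuitable.

    urlsplit() takes the host from after any '@', so 'https://good.example@evil.test/'
    yields the host 'evil.test' and will not match a credential saved for good.example.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    port = f":{parts.port}" if parts.port not in (None, 443) else ""
    return f"https://{host}{port}"


def host_matches(saved_host: str, page_host: str) -> bool:
    """Exact host match, or page_host is a subdomain of saved_host on a dot boundary.

    The dot boundary is what stops 'accounts-example.com' and
    'accounts.example.com.evil.test' from matching 'accounts.example.com'.
    """
    return page_host == saved_host or page_host.endswith("." + saved_host)


def credentials_for(page_url: str) -> Optional[Tuple[str, str]]:
    """Offer a saved credential only when the page's origin matches the saved origin."""
    page_origin = origin_of(page_url)
    if page_origin is None:
        return None
    page_host = urlsplit(page_origin).hostname
    for saved_origin, cred in VAULT.items():
        saved_host = urlsplit(saved_origin).hostname
        if host_matches(saved_host, page_host):
            return cred
    return None
```

The policy here is deliberately strict: an `http://` copy of the real site, a lookalike domain, and a URL that hides the real host behind a `user@` prefix all get nothing, which is the property that makes a manager's auto-fill a useful phishing signal.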

You have to expect that your password will be leaked (or possibly guessed given sufficient compute power), and so that is why having 2 factor authentication is so important. This is a great example of having layers of security so a breach of one type of protection is mitigated by another.

If you don’t use both of these “techniques” for at least your email and ideally for every account, you are negligent. It’s the same thing as leaving your property unlocked.

Applying this to cyber policy insurance

Just implementing these security measures significantly improves your security and should really be a standard part of applying for cyber insurance just like asking about alarm systems is for contents insurance. Not using either should therefore increase your premium.

But given the number of people who are still acting negligently with regard to their own cyber security, perhaps it’s not yet been considered in the risk analysis for insurers. Maybe so many people don’t bother with proper security that it doesn’t show up in their premium modeling yet.

Or maybe it does. If you look closely at the insurance wording, you might find something like this:

What is not covered – pre-existing problems: anything likely to lead to claim, loss, breach, privacy investigation, illegal threat or interruption which you knew or ought reasonably to have known about before we agree to insure you.

Source: Hiscox Cyber Policy

This is vague enough to give the insurer scope to exclude many claims for poor security practices – “ought reasonably to have known about” easily covers not using the two security techniques above. There is enough advice online and from official government channels saying the same thing (2FA and password managers) for this now to be considered reasonable knowledge.

Leave the room to get feedback from your board

I’ve been running monthly board meetings for Server Density since 2015, which was when we brought on an institutional investor. My board now comprises the VC partner (Barnaby Terry), my first angel investor (Qamar Aziz) and an independent (Oren Michels).

Although it’s well established that employees should have regular performance reviews, this isn’t widely heard of when it comes to evaluating the CEO performance. In much larger businesses, compensation can be linked to stock price or other KPIs, but at a startup or small business it can be harder. Feedback often needs to be qualitative as well as quantitative.

You might implement a 360 degree feedback process within the management team but a formal opportunity for feedback from the board to the CEO is rare. This might only surface through scrutiny of specific board agenda items, difficult questions or ultimately being fired!

With this in mind, an idea I have been using for some time is a specific section of the board meeting where I leave the room and allow the remainder of the board to discuss without me present. This is a good opportunity for them to discuss the meeting topics themselves but I specifically frame it around “Feedback to the CEO”. This lasts 10-15 minutes, after which I’m called back in.

Despite the board members not being involved in the day-to-day, and so less able to provide specific operational direction, I have found the feedback very useful. It has allowed me to direct my thinking on difficult topics, understand how I might change my approach to problems and reconsider where I should be spending my time.

Positive feedback is just as useful as negative. I know many CEOs suffer from imposter syndrome so being given praise is valuable as well. You should try and bring on board members who have been CEOs themselves, so they understand the difficulties. Feedback is so much more valuable when it is from someone who can relate to the experience.

If you’re not getting feedback from your board, you’re missing out on a big part of why they’re supposed to be there.

The most important piece of advice I’ve learned on structuring board meetings is that they should be discussions without fear of conflict. Just using the meeting as a status update is a waste of everyone’s time and incredibly boring.

Further reading on running effective board meetings I’ve found helpful:

We’re still in v1.0 of the cyber security industry

Things are just starting to get interesting in cyber security. We’re seeing a ramp up of attacks, from corporate breaches through to election tampering and disabling critical healthcare services. Governments are posturing and hinting at their warfare capabilities. There is almost no regulation and most end-users are failing to protect themselves.

Security is still talked about by the uninformed as a binary state. To be secure, or not.

Actually, “defense” isn’t a single thing. It’s not a question of whether you will suffer a security incident, but when. As such, good security is implemented through layers and with a mind to mitigating breaches through compartmentalisation:

In every instance, it is the lack of compartmentation between accounts and personas that has been the cause of the pain. Without proper compartmentation, attackers are able to leverage information from one compromised account to access another related account, increasing privileges and traversing across the persona’s exposed and interlinked account control centers.

The human element of security is often the weakest. We hear a lot about zero-day vulnerabilities and elaborate hacks because they are cool, but it’s the simplest breaches – users with poor password hygiene and no 2-factor authentication – that are the biggest cause for concern. People are used to frictionless access to their computers, and the UX around 2FA and strong passwords is usually less than frictionless.

E-mail continues to be a popular communication platform despite having minimal built-in security. With a history of all your communication, files and personal conversations, and direct access to all your other accounts (through password reset), it really is a single point of failure. Nobody uses PGP properly, so most have given up and moved to encrypted apps like Signal and WhatsApp.

Yet email continues to be a critical part of business and governmental infrastructure.

The security industry is also full of vendors with vague, fluffy marketing. It can be difficult to know precisely what you’re buying and it’s difficult to compare products because they’re often hidden behind enterprise sales processes. The big cloud providers are starting to offer data-driven products and there are some promising businesses like Cloudflare, but for the vast majority, the market is confusing.

  • Unlimited attack surfaces
  • Users not paying attention to basic security practices
  • Frustrating and inconvenient UX
  • Enterprise vendors selling vague security promises
  • An increasing number of attacks from criminal gangs, hacktivist groups and nation states

To me, it looks like a very immature landscape where things are just getting started. We’re still in v1.0 of the cyber security era and things are only going to get more interesting!