InfoQ recently sat down with Brandon Hoe, VP of Marketing at Oxeye, to talk about some of the marketing challenges faced by software startups in the application security space. Having led four early-stage security startups himself, he emphasizes the importance of establishing market positioning, identifying your Ideal Customer Profile (ICP), and developing the right messaging for your ICP. He highlights the benefits of working as an integrated revenue team (sales + marketing as one), why he’s eliminated the traditional notion of marketing qualified leads (MQLs) from his approach, and introduces a new industry podcast that he recently launched which showcases the personal stories of leading experts in the cybersecurity world.
Hi Brandon, can you tell us a little bit about yourself and what you do at Oxeye?
I’m the VP of Marketing at Oxeye, and every day, I try to find ways to get the word out about how Oxeye eliminates 90%+ of the vulnerabilities that legacy application security tools find and report, so that developers can focus on writing code instead of fixing ‘vulnerabilities’ that don’t really exist. The claim seems incredible until we have the opportunity to educate our potential customers about how we approach the problem. Taking this tack helps us to overcome the skepticism people have about the claims, while keeping the relationship mutually collaborative and respectful.
You’ve led marketing at four early-stage security startups. What has that experience been like? What are some of the biggest challenges of early-stage, startup marketing?
The early stages of a company’s life are its most important - it’s purely a matter of survival at that point, and that presents a very unique and dire challenge. The vast majority of early-stage companies have founders and leaders who don’t fully understand what marketing truly entails.
The natural inclination for most founders/leaders at this stage is to focus on the more visible marketing tactics - events and social media are generally the ones they gravitate to the most. But this typically happens before they’ve developed the foundations for effective marketing - going through the exercise of positioning themselves in the market, defining their Ideal Customer Profile (ICP), and developing messaging that resonates with their ICP. These are foundational activities that help increase the likelihood of success of any future marketing effort.
Another common misconception about marketing is that it’s like a spigot that automatically results in all the business a company can handle once it’s turned on. Marketing is a long-term activity, and its effectiveness builds over time. Since most early-stage startups have small budgets and large expectations for rapid growth, this can result in conflict or an erosion of trust between marketing and the primary stakeholders of the company.
Security has generally been an ‘after-thought’ for many software development organizations. More recently, however, we’ve been hearing more about the idea of ‘shift-left’ security. Are organizations actually embracing this or is this an idea that’s just being touted by vendors?
The ‘shift left’ movement in application security has been a mantra for a number of years now, and the underlying principle - that the sooner you tackle security in the software development process, the better - is extremely sound. The challenge with shifting left is that to date, the tools that were created with the goal of shifting left and enabling developer-focused security create a lot of noise, ultimately generating extra work for developers and security teams.
Digital marketing campaigns or exhibiting at events? What’s typically more effective for early-stage companies?
I’ll have to say the common marketing mantra - “test it!”. Without doing so, it’s impossible to say what works best for your particular situation, as the answer is dependent on the industry, your implementation of digital marketing, and other factors. Ideally, your event marketing would be supported by a comprehensive digital marketing program. Isolated marketing tactics aren’t nearly as effective as a comprehensive program where all marketing tactics support each other.
The AppSec space is quite crowded, with hundreds of companies clamoring for developer mindshare. How do you ensure that your message doesn’t get lost in all the noise?
Yes, it’s an incredibly crowded space, with a number of massive incumbents, and no shortage of new players!
In our particular situation, it’s a little bit easier to stand out because we can make claims that nobody else has been able to make before. There’s the main claim of reducing vulnerability lists by 90% and up, then the supporting claims that we can do so by focusing on exploitability, which is determined by accessibility of the vulnerability from the Internet (directly or indirectly) and whether a package is used at runtime or not, or is merely an unused artifact.
While our claims are unique, the challenge of getting the word out there and overcoming decades of inertia and skepticism about claims is something we are continually hacking away at.
One of the downsides of being an innovator is that you are tasked with the burden of educating the market about what’s possible. Dollars spent on education don’t provide nearly the same ROI as dollars spent on winning business from customers who are already well-informed about a novel approach or technology.
With that in mind, I try to market in a way that’s cost-effective, and respects our position as a seed stage company, and the current market dynamics. Constraints force creativity, and it’s a lot of fun to try to outmaneuver the competition without throwing loads of money at marketing.
As VP of Marketing you have a daily stand-up with your sales team. What are the benefits of this? What are some of the important feedback loops needed to help both teams - marketing and sales - be more successful?
We are joined at the hip with our sales team for a number of reasons. I consider myself the pipeline quarterback, and I need to understand the status of all the deals in our sales funnel and how we can successfully advance them. Most times, it’s purely in the hands of the sales team, and I merely provide ancillary support, but if there are occasions when I can do more (e.g. provide an introduction to someone I know who might be an advocate for us), I do so.
The primary benefits of being an integrated revenue team (sales + marketing as one) are that it provides an immediate feedback loop on what problems customers actually face (as opposed to what we believe they face), what messaging resonates, and to know definitively where people are learning about us. It also allows us to be in sync on what we’re saying, and to generate ideas collaboratively and create campaigns that are comprehensive and consistent across all touchpoints.
Marketers are often tasked with providing ‘sales-ready’ leads to their sales teams. What does it mean for a lead to be ‘sales-ready’? What are some of the challenges of arriving at a shared understanding of what this means across both departments?
I hate the word ‘leads’ because it’s inhuman, and antithetical to my philosophy about marketing, which is that we are trying to connect with people who can benefit from using our product. I prefer to use ‘potential customers’ instead. I know most people would consider it a matter of semantics, but the words we use have a tremendous impact on how we conduct ourselves. We try to do business in a way that feels more human and relationship-centered, not merely transactional. Yes, there’s a job to be done, and yes, that job is to grow our business, but we’re not interested in doing it in a way that feels devoid of humanity.
Because we’re a very early-stage startup, we’re focused on logo acquisition, and hence, our metrics reflect our goals. We’ve eliminated the traditional notion of marketing qualified leads, or MQLs from our approach, so in essence, all our potential customers are ‘sales-ready’. That means we only consider potential customers who have a need and a timeline (as opposed to a conventional budget, need, authority and timeline) in our measurements. This will change as we grow larger, naturally, but this is where we are today.
You recently launched a new cybersecurity podcast - The Storm and the Light - at Oxeye. Can you tell us a little bit about it? How does the podcast align with some of your marketing goals?
The description of The Storm and the Light encapsulates the goals of the podcast -
“The Storm and the Light dives beneath the surface to bring you the stories of people from the world of cybersecurity, shining a light on who they really are, and what made them the people they are today. Along the way, we will strive to understand our guests better, and glean lessons from their lives that might inspire us, and help us become better people and professionals.”
I felt that there was a void in the cybersecurity podcasting world of the stories behind the personas, and Oxeye is trying to fill it.
We understand that traditional selling approaches are fast becoming archaic. People are sick and tired of being sold to aggressively, and being asked for a meeting right after a first LinkedIn interaction. Buyers now look for information within their own networks - what some people refer to as “dark social”. This isn’t really different than before - we place more weight on the opinions of the people who we trust or who share similar professional profiles as us - but the magnitude of the shift has forced everyone to rethink how to market and sell. One truth remains, though - that people will never buy from a company they’ve never heard of - so the podcast is one of numerous investments we’re making to ensure that the first human-to-human point of contact that occurs during a sales cycle is not the first time a potential customer has heard about us. It’s a long-term play, but one we feel very optimistic about.