Security startups: an exciting opportunity but beware of the package
08:00 Monday, 27 September 2021
UK Cyber Security Council
This correspondent is of a certain age - an age that means my history includes a stint as technical director of a dot-com startup. In an unusual quirk of career path I went from that role into one as CTO of an organisation that invested in, primarily, tech startups.
Back in the dot-com days the focus of start-ups was on internet businesses in general (generally with either an advertising revenue model or one based on income from an online store). Here we are in 2021 and the new age of start-ups is, unsurprisingly, in the cyber security industry.
Security start-ups are an exciting prospect for school- or university-leavers as a first job. Nimble, exciting, pushing the boundaries of technology, devising new ideas to help businesses defend their systems and data. Not only that but security overlaps loads of other exciting concepts, not least the fledgling area of quantum computing and the slightly more established field of Machine Learning and Artificial Intelligence. It’s exciting for the employee, and the employer benefits from a bunch of bright, keen, inexpensive people joining the workforce.
You may have spotted that I used the word “inexpensive”. In one sense this will always be the case: unless you’re exceptionally bright, exceptionally lucky or exceptionally related to the person who funded the company, you’re several years – at the very least – from a six-figure salary. But in other senses, you need to ensure that what you accept is fair.
You can expect start-ups to be frugal with their money: it’s a limited resource and they have to make it last. No matter how deep an investor’s pockets, it is no surprise if they phase the delivery of the cash based on the company hitting targets – all of which are either directly financial (online sales revenues, for example) or indirectly so (for instance customer or partner sign-ups). It is common, then, for start-ups to be creative when it comes to rewarding their staff.
At the extremely frugal end of the scale are unpaid internships: you spend time working with the company in return for bolstering your experience. These are increasingly frowned upon in the UK since, fairly or not, the perception is that the company benefits significantly more than the individual.
The other common approach is for management to offer stock – or stock options – in the company as part of the package. Stock is easy to comprehend: you get a certain number of shares in the company, usually with a condition such as staying with the company for two or three years. If the company is valued at £1m and has a million shares issued, a grant of 1,000 shares is worth a theoretical £1,000. Stock options are more complex, but the principle is that an individual is given the option to purchase stock at some point in the future at a price that is set at grant time – so if the stock price has risen in the meantime, there is a clear profit for the individual.
There is one fundamental gotcha to stock and options: shares in a company are only worth what anyone will pay for them – if, indeed, they can be sold. If we take our example of 1,000 shares in the £1m company, if three years later it is acquired (by a competitor, say) for £10m, that £1,000 stake cashes out for £10,000. Similarly there is a cash-out in the event of a flotation on a stock market – the Initial Public Offering, or “IPO” that we read about. But stock in the company is only of any value if you can sell it at some point.
This does not mean, of course, that internships are necessarily a bad thing. Neither does it mean that stock or stock options are a bad thing – after all, as employees of the company you and your colleagues have direct influence on how the company operates and it is in your interests to work hard, innovate, have new ideas, find ways to manage resources effectively, and generally increase the company’s value.
The point is, though, that at the beginning of your career in cyber security, you need to enter any role with your eyes open. By all means look at internships if you can see genuine value for yourself. And don’t walk away at the first sniff of the company offering stock as part of the package: it’s not necessarily a bad thing.
But always remember: most start-ups don’t succeed. Consider whether your next employer will be impressed by your six months unpaid internship with a company that no longer exists, or whether your shareholding in your employer will ever get to the point at which someone will buy it from you.
And take a punt if you wish. But before you take the plunge with a cyber startup, pause for breath and understand fully what you are signing up for.