Episode V: The Value Strikes Back

By Mark Dorsi, CISO, Netlify

Each week, I set aside time to speak with startups and founders about the companies and products they’re setting out to create. For me, this process is two parts mentorship, one part market research. I love working with startups, especially ones solving objectively interesting problems. Mentorship, guidance, and building are personal passions. But as a CISO, it’s also critical for me to know—and to help shape—the next generation of B2B security software because these will ultimately be the tools that my colleagues and I will depend on to be difference-makers down the road.

Across the board, there’s one area where almost every startup seems to miss the mark. The vast majority simply haven’t put enough thought into the specific outcomes they want to drive for CISOs. In this piece, we’ll talk about the exercises I run through with startups to identify these outcomes, and how they’re intended to work.

The Founder’s Madlib

I start every feedback session with every startup the same exact way—by sending them what I call the Founder’s Madlib:

“Company provides (a thing) for (a business category) who needs (a problem solved), setting itself apart from (demonstrating measurable good | fast | cheap value).”

It’s a simple yet profound written exercise, intended to show folks like myself what the company provides, who they provide it for, and how that differs from the status quo.

The Kinds of Companies

The Madlib represents a backdoor avenue to finding a defensible moat by leading founders to an even more foundational question—what kind of company are you building?

I really only ever encounter a few types of companies in the B2B software space:

Most, if not all, on the security side of the house are productivity plays with the potential to help increase revenue and decrease costs. The challenge when speaking with startups and founders is that most don’t know which of these buckets they fall into. Without understanding this, it’s difficult to define value—an issue many companies also face when preparing for compliance audits, where common compliance pitfalls can derail companies that haven’t aligned security with business objectives.

The Defensible Moat

One important thing to double-click on at this moment is avoiding the defensible moat’s misplaced-value trap. Companies that haven’t determined what type of business they’re in will often think their defensible moat is the ecosystem they’ve connected, a special dashboard, or some whiz-bang widget. The defensible moat is the true value you deliver and how well you’re holding your teams accountable for delivering on that value.

To help with this, I push startups over time to show me one slide when we’re working together—the “Defensible Moat” slide. The intention is to demonstrate in simple terms how much of a head start they’ll need to be successful versus the set of tools that’s already in place.

The Buckets of Productivity, Revenue, and Expense

Teams can contribute to the business in three fundamental ways:

Day One Value

Once we have the instrumentation in place, we can start to understand when the value of the product will be realized. The key is Day One Value: how quickly can a product start providing tangible value? If a tool takes months to show impact, the likelihood of continued engagement drops significantly. This is especially true when evaluating fractional CISOs vs. vCISOs—businesses want immediate impact with minimal onboarding friction.

Diversifying the Audience

While it is getting easier, it’s still tough for CISOs’ peers to understand security risks in business terms. A common miss is groupthink—where security tools are built with **only** security professionals in mind. The best products resonate across the C-Suite, Engineering Managers, and even HR, helping the company prioritize risk mitigation effectively. The way startups build enterprise-grade security is a good example of aligning security priorities with business scalability.

Putting It All Together

For modern B2B security startups, the process is simple even if the execution is complex:

  1. Identify the true value prop (productivity increase, revenue increase, expense sensitivity).
  2. Articulate outcomes in business terms so CISOs can make a compelling case to leadership.
  3. Solicit feedback from a diverse audience to ensure clear messaging across roles.
  4. Demonstrate progressive improvements by leveraging shared insights across customers.

Startups that check these boxes will ultimately be the most successful, not only in bringing their product to market but in helping fulfill the larger vision of a unified global security team.

As always, I’m more than happy to work with each of you so that your value proposition is quick and easy to understand for the category and type of buyer you’re interested in acquiring. Feel free to reach out so that we can make the world a better place—one security conversation at a time.

One team!