Monthly Archives: June 2015

Interesting Startups

I am lucky enough to meet some amazing founders; some have gone on to build awesome businesses, others are work in progress. From time to time I meet startups that I think look really interesting, startups I would invest in or want to join, or where I just think the founders have that something that tells me they will be successful.

Each month I send out my “Interesting Startups” email featuring a few startups I have met and think are interesting.



I have a background in Information Security and these are some of the security projects I am involved in.


– WordPress security, the latest vulnerabilities. Featuring Marvin the WordPress security plugin.

Why Cost Per Acquisition (CPA) doesn’t matter at the start

What is cost per acquisition?
A quick explainer for those not familiar with the term. Cost per acquisition is the cost of an activity that generates traffic to your website or downloads of your app. If I buy a banner advert (who buys banner ads these days?) for $60 and 3 people click on that banner ad per day and visit my website, then the cost per acquisition is $60/3 = $20. My Cost Per Acquisition (CPA) is therefore $20 per customer/user.

You may have heard people say “do things that don’t scale when starting out”. This means doing things that are resource intensive, that you know you couldn’t scale because it wouldn’t make financial sense.

So why do non-scaling stuff in the early days?
You are seeding your startup, trying to build momentum, so you can afford to do things that will not scale because you know or believe there will be a tipping point where momentum takes over and you no longer need to put as much effort in to meet your targets. Think of it like pushing a giant rock down a hill: getting it going requires huge effort, probably by a group of people pushing with all they have, but once it starts to roll it requires little effort to keep it going.

In the early days of testing an idea you are acquiring customers/users to test your hypothesis and iterating the product based on the feedback from those customers/users. Therefore you are also going to be doing things that don’t scale to acquire those customers/users (social media, blog posts, content marketing etc.), and if you are looking for quick tests then you are almost certainly going to have to do some paid acquisition. Given that you are in hypothesis-testing mode and you are in no way optimising your customer acquisition strategy, there is no need to measure your cost per acquisition. Of course it does start to give you some valuable data and some ballpark figures, but it’s far from accurate and shouldn’t be used to base your financial model around.

It is very possible to go from $10 cost per acquisition down to $0.20 after you learn what works and optimise your strategy. So to base your financial model on $10 when it could end up at $0.20 is going to make it way out. Of course, if the financial model works at $10 per customer then it’s going to kick arse at $0.20.

Therefore, while you are in the early stages, don’t worry about the cost; worry about which methods are effective. Spend your time tracking which blog posts and which tweets were more effective rather than the relative cost. By effective I mean activity which drove traffic to your website or downloads of your app.

Security who cares?

I sat down with the CEO of a tech startup who has a mobile product for large corporates and we got chatting about security startups. “No one cares about IT security, well, except the people whose job it is to worry about it and those people who have just been affected by an incident (hacked), but that is a short-term caring that fades quickly. So we are left with a small bunch of people around the world that actually care, but the vast majority don’t give a ****”. That was his opinion and I have to agree; security has always been a fear, uncertainty and doubt (FUD) sale, and that has not changed in years.

So if you are thinking about launching a new product into the security market, how do you deal with a niche market and an apathetic audience? I think the answer lies in not selling security. You have to sell something else; it doesn’t matter how you brand it, just don’t sell it as security. We have all been buying insurance and burglar alarms for years because we understand the consequences if it all goes wrong and how insurance and a burglar alarm may help. With IT security it’s very different. Most people don’t understand the cost of losing data, to them personally or to a business; it’s difficult to quantify until it happens. Therefore the vast majority of security sales happen after an incident and not before.

Will security ever become a product people understand and want to buy, whether that be a consumer or a business? I think yes, and as the digital world evolves this day will come. Today most Microsoft Windows users now buy antivirus software because they understand the risk, and so it follows they will start to understand the bigger risks and buy services to mitigate these risks as well. The question is, as always, when? I think consumers are at least 5-10 years behind enterprise, and enterprises are not all there yet, so we have a while to wait.