How CISOs Want to Work With Early-Stage Startups
By Mehlam Shakir, Partner, Dreamit Ventures
Cybersecurity innovation does not happen in isolation.
It takes a highly connected ecosystem: founders willing to tackle hard problems, investors willing to fund conviction early, policymakers who create the right incentives, and design partners who help startups validate their ideas before those ideas become products. But one part of that ecosystem still has room to step up: security leaders.
The US already has many of the ingredients needed to build the world’s best cybersecurity startup ecosystem. We have exceptional technical talent, deep pools of venture capital, large enterprise buyers, and a national security environment that constantly surfaces new problem sets. Yet too often, early-stage founders still struggle to get meaningful access to the very people they are building for.
That is a missed opportunity.
The strongest startup ecosystems don’t wait until a company has a polished product, a long customer list, or a Gartner mention. They create mechanisms for founders to pressure-test ideas early, find design partners quickly, and learn directly from practitioners before they write too much code.
Ross Haleliuk has described this dynamic in the Israeli cybersecurity ecosystem particularly well in his blog post on Venture in Security: founders identify a real problem, validate that CISOs are willing to pay for it, secure a few design partners, raise pre-seed capital, build an MVP, and then go to market aggressively. He argues this works because the ecosystem is tightly interconnected across founders, CISOs, investors, and government support.
That lesson matters well beyond Israel.
If we want more breakthrough cybersecurity companies, we need more security leaders who see themselves not only as buyers of innovation, but also as participants in its creation.
Why CISOs matter so much at the earliest stage
Early-stage cybersecurity startups are not just selling software. In many cases, they are trying to prove that a problem is urgent, that buyers care enough to budget for it, and that the workflow they envision is realistic inside a real security organization.
CISOs are uniquely positioned to help answer those questions.
A thoughtful conversation with an experienced security leader can save a founder months of wasted effort. It can clarify whether the pain is real, who owns it, how budgets map to it, what data and integrations are required, and whether the promised value is important enough to displace an existing tool or process.
That kind of early engagement de-risks innovation for everyone.
For startups, it improves product-market fit. For investors, it creates more confidence that the company is solving a meaningful problem. For enterprises, it increases the odds that the products reaching the market are relevant, usable, and aligned to operational reality.
And for CISOs themselves, working with startups can create real upside.
Forrester found that security leaders who engage early with startup vendors can shape product roadmaps, move faster than they often can with large incumbents, and in some cases influence the broader direction of the market. Their recommendation was explicit:
CISOs should assign formal responsibility for reviewing emerging technology and back it with an innovation budget to make testing easier.
What founders often misunderstand about CISOs
Many early-stage founders assume CISOs want more demos.
Most do not.
What security leaders want is context, credibility, and clarity.
They want to know that a founder understands the problem in operational terms, not just in architectural language. They want evidence that the team has talked to enough practitioners to understand where the friction really lives. They want honesty about what the product does today versus what it may do later. And they want confidence that a pilot will not become a science project. In other words,
CISOs do not want to be treated like pipeline. They want to be treated like collaborators.
That means founders should arrive with sharp hypotheses, not vague fishing expeditions. It means asking, “Is this problem important enough to budget for?” before asking, “Would you buy this product?” It means understanding who owns the problem internally, what success would look like in 30 or 60 days, and what the switching or deployment friction is likely to be.
The best early-stage companies do this well. They seek validation before scale. They use early conversations to narrow the problem, not expand the pitch.
What CISOs should expect from early-stage startups
If security leaders are going to engage earlier, startups need to meet them halfway.
A strong early-stage startup should be able to articulate:
the specific problem they are solving
who feels that pain most acutely
why existing approaches are inadequate
what evidence suggests the problem is budget-worthy
what kind of design partner they need
what a successful pilot would look like
what product and company risks still exist
Not every startup will have all the answers. That is the nature of the stage. But the good ones will be transparent about what they know, what they are testing, and where they need help.
That transparency is what earns trust.
How CISOs can engage without creating unnecessary risk
A common objection is understandable: startup engagement sounds interesting, but the risks are real.
Yes, they are.
Startups may have immature products, limited support capacity, evolving roadmaps, and uncertain financial durability. But those risks can be managed if engagement is structured correctly.
One useful model comes from former Aetna CISO Jim Routh: a weekly ritual called STEEP (Security Technology Exploration Evaluation Process), where his team spent ninety minutes every week reviewing early-stage startups and potential pilots.
The key idea is disciplined experimentation: build a repeatable way to evaluate innovation without letting the process become chaotic or unsafe.
This is where more CISOs can raise the bar. Instead of treating startup engagement as ad hoc, security leaders can institutionalize it.
That might mean:
setting clear innovation themes for the year
assigning one or two team members to monitor emerging vendors
offering founders structured feedback even when the answer is “not now”
defining a lightweight design-partner framework
reserving a small budget for pilots
agreeing internally on what evidence is needed to move from pilot to production
When that muscle exists, startups get better feedback, and enterprises gain earlier visibility into where the market is headed.
What a better cybersecurity innovation ecosystem looks like
The healthiest ecosystems create productive proximity between builders, buyers, and backers.
In those environments, founders do not need to guess what matters to practitioners. CISOs do not need to wait until every vendor is mature before engaging. Investors do not need to underwrite pure narrative risk. The system learns faster because feedback loops are shorter.
This is one reason Israel’s ecosystem has been so effective. Haleliuk’s description of the model is not just about talent or military experience. It is about interconnectedness: founders validate problems early, design partners engage quickly, investors fund with conviction, and the ecosystem amplifies what is working. Startup Nation Central similarly argues that Israeli early-stage startups are tightly connected to global CISOs, partners, and validation networks, which helps accelerate feedback and real-world alignment.
The US has the scale to do this even better.
But proportionally, we need more security leaders to participate actively.
Not every CISO needs to become an investor. Not every security team needs to run constant pilots. But more leaders should be willing to share problem context, meet founders earlier, serve as design partners selectively, and help shape categories before they fully form.
Because when CISOs stay on the sidelines until a market is mature, the ecosystem gets more incremental products and fewer breakthroughs.
A practical model for how CISOs want to work with early-stage startups
From my experience leading Dreamit Ventures Cyber Innovation Platform and working closely with more than 100 CISO partners, the strongest founder-CISO relationships tend to follow a clear progression:
1. Problem validation: The founder brings a clear hypothesis about a painful problem. The CISO pressure-tests whether it is real, urgent, and budget-worthy.
2. Workflow validation: The discussion moves from the abstract problem to the operational reality: who owns it, what the workflow looks like, what data is required, and what would need to change.
3. Design partner alignment: If the fit is real, the CISO may help define a pilot scope, success metrics, and operational guardrails.
4. Fast feedback loops: The startup learns quickly, adapts quickly, and communicates clearly. The CISO provides candid input, not vague encouragement.
5. Broader ecosystem amplification: When a startup earns trust, the CISO may introduce peers, speak publicly about the category, advise the company, or help it become more visible to the market.
This is how startups get better faster.
And this is how CISOs can have influence far beyond a single buying decision.
The call to action
Most cybersecurity dollars still flow to a relatively small set of large vendors. That is unlikely to change overnight. Nor should it. Large enterprises need stability, global support, and proven platforms.
But some of the most important innovation in security will continue to come from early-stage startups.
The question is whether security leaders will engage early enough, and intentionally enough, to help those startups become truly useful companies.
If founders can access practitioners before they write a single line of code, validate ideas with a real network of security leaders, secure a few design partners, and show enough signal to attract early capital, the odds of building something meaningful rise dramatically. That is how ecosystems compound.
The future of cybersecurity will not be built by founders alone. It will be shaped by the strength of the network around them.