Playing-to-Win Strategy
Apply the Play to Win framework to Cybersecurity Startups
In the fast-changing world of cybersecurity, startups need a clear strategy to handle challenges and beat competitors. Statistics show that around 90% of startups fail, often because they lack a clear strategy. This isn't only about the Go-to-Market (GTM) strategy. It's also about how the whole company is expected to operate and succeed.
Also, research shows that up to 67% of business strategies fail due to poor execution. These numbers show how important it is to have a clear plan and execute on it, especially in a fast-moving field like cybersecurity. 
The Play to Win framework, created by A.G. Lafley and Roger L. Martin, helps startups design a strategy, following a established structure, that can easily be transformed into an execution plan that makes them stand out.
When I started working at ESET in Latin America, there was an open field with immense potential. The challenge was clear: where to focus, how to win, and how to become a leader in cybersecurity in the region.
As a bootstrapped company, our limited budget meant we couldn't compete with bigger players with the same tools they had. There were already strong competitors in the region, like Symantec, Trend Micro, and McAfee, each with a established and large commercial operations and several years in the region.
Once we researched the market and evaluated our findings, we identified two key factors that could help us: our competitors didn't have strong cybersecurity experts in the region, and the majority of the region shares one language—Spanish.
We defined a simple strategy—use our product's strengths for consumers and small businesses, become thought leaders by sharing unique insights with local media and the market at large, and focus on recruiting channel partners.
We specifically targeted value-added resellers (VARs) that were already working in industries related to cybersecurity, but not necessarily had another antivirus in their portfolio.
To reach channel partners and the market, we participated in and organized events. We partnered with universities to provide cybersecurity masterclasses at their facilities—something that nobody else was doing—and ensured we were present in at least one key IT or cybersecurity event in every regional country.
Lastly, we partnered with a regional media outlet specialized in channel partnerships to increase our reach to the local market.
This combination became our winning approach and helped us establish a position in the region.
We did the above following a similar framework to the one described by Lafley and Martin in their Playing to Win book. This helped us become a leader in cybersecurity in the region in just a few years. Of course, the strategy evolved over time, as it is crucial to evaluate and iterate regularly, but the core principles remained consistent since the very beginning.
My experience at ESET in Latin America demonstrates how applying the Play to Win framework can create a significant strategic advantage, even in challenging environments.
By leveraging clear focus areas, building on existing strengths and identifying opportunities as well as competitors' weak spots. Moving fast and with determination, we were able to establish a leading position in the cybersecurity market.
This approach is particularly valuable for startups, as it provides a structured yet flexible way to make strategic decisions, maximize resources, and iterate over time, and helps to make product as well as GTM decisions.
Let's explore how cybersecurity startups can apply this strategy to fuel their growth and success.
Define Your Winning Aspiration
For any cybersecurity startup, the first step is to identify what "winning" looks like. Are you looking to become a leading provider of endpoint security to SMEs? Or do you aim to create a groundbreaking zero-trust solution for large enterprises?
Winning aspirations should be ambitious yet focused, providing a clear goal for the company. For example, a startup could define its aspiration as "becoming the go-to provider for AI-powered threat detection for healthcare institutions." A clear and inspiring goal helps guide decisions and keeps the whole team focused on the same target.
In our case, we defined that we wanted to become the established cybersecurity thought leader in the region, focusing on providing value to the market besides our products, that we targeted towards small and medium businesses, education institution and government agencies.
Focusing in more than just the commercial aspects of our operation helped us to build trust as our byproduct of our activities. We weren't "just an antivirus" company, we were the go-to-source when it came to cybersecurity.
Moreover, we very clearly decided that we would be 100% focused on the channel, not having any sort of direct sales. This also provided confidence to those that were working with us that we would never compete with them, something that competitors were doing.
"Becoming the Latin American cybersecurity thought leader and the company that the channel can trust" became our main objective.
We were not just selling antivirus; our purpose - our "winning aspiration" - was to help customers and channel partners become more secure, no matter which solution they chose at the end. Our focus on providing expert insights and educating the market, as a thought leader, was the vehicle for building that trust.
Choose Where to Play
Cybersecurity is a broad field, spanning areas like network security, cloud protection, identity management, and more. Startups must choose their battlefields wisely.
The "where to play" decision is about selecting the market segments, customer types, and geographic regions that offer the best opportunities.
For instance, a startup might decide to focus specifically on providing cloud security solutions to mid-sized fintech companies in North America. By narrowing their focus, they can specialize deeply and deliver greater value compared to trying to serve every segment at once.
This extends the "winning aspiration" further, and provides guidance to the GTM and other activities that come after creating the company strategy.
One example of a company that clearly defined their "where to play" is Wiz, a cloud security startup that became an unicorn already. Wiz chose to focus on providing cloud security solutions for enterprises that are migrating to or managing complex cloud environments.
By focusing exclusively on cloud security, Wiz was able to address the unique challenges associated with multi-cloud and hybrid environments, delivering specialized insights and tools that traditional security vendors struggled to provide effectively.
This hyper-focused initial approach allowed Wiz to clearly define the following steps in their strategy. By being clear about where to play, Wiz could plan their resources, skills, and strengths better, which gave them an advantage in executing their strategy well.
Determine How to Win
Once the "where to play" is defined, the next step is deciding "how to win". In cybersecurity, this often comes down to differentiating yourself in a crowded space.
A startup might focus on leveraging proprietary AI algorithms to detect threats faster than competitors, or they could provide a unique user experience that makes compliance simpler for non-technical users.
The "how to win" strategy involves identifying the elements that give you a competitive edge—whether it's technology, exceptional customer service, speed of execution, or something else entirely, even the way the organization is structured.
A great example of a successful "how to win" approach is CrowdStrike. Everyone knows the large company they have become today, but when they started, their scope was more narrowed, competing with established and next-gen antivirus and endpoint security companies.
A key reason why they succeeded was that their agent could be installed on endpoints where another competitive product was already deployed, something that wasn't possible with other established vendors at the time.
By offering this capability, CrowdStrike was able to position itself as a "second opinion" for end customers. Once customers experienced what CrowdStrike could do, it made removing the existing solution more trivial.
This helped mitigate the Total Cost of Ownership (TCO) associated with switching endpoint security solutions, which has always been one of the largest obstacles in this sector.
Furthermore, CrowdStrike's commitment to being cloud-first, at a time when no other established vendor had adopted this approach, further differentiated them.
These factors guided not only their GTM activities but also their product decisions and, along with other key strategies, helped them succeed and become the industry leader they are today.
Develop the Core Capabilities
Winning in the cybersecurity world requires certain core capabilities. These are the strengths that allow your startup to execute its "how to win" strategy effectively.
If your goal is to provide cutting-edge AI-driven threat detection, then your core capability might be a team of highly skilled data scientists and cybersecurity experts.
Alternatively, if your strategy revolves around exceptional customer support, you might need a world-class onboarding process and an agile support team. Building these skills with clear focus is essential for keeping a competitive edge.
At ESET in Latin America, we wanted to become cybersecurity thought leaders. We needed experts in our team that could influence the market, and those are a limited "resource". What did we do? We created them.
We partnered with universities around the region to raise the awareness of the most relevant topics in the industry and to develop programs to educate the future experts in cybersecurity.
This made sure we always had the people we needed to carry out our strategy, and even after 20 years, these programs still give local cybersecurity enthusiasts the chance to become professionals, work at ESET or even in other cybersecurity companies.
Set Up Systems to Support Your Strategy
Lastly, implementing a Play to Win strategy means building the right systems to support your startup. This includes setting up processes for rapid product iteration, fostering partnerships with key technology vendors, or even establishing an efficient go-to-market approach.
In cybersecurity, the threat landscape changes constantly, and having adaptable processes is crucial for staying relevant. Align your operations, culture, and decision-making mechanisms to reinforce the strategy, ensuring every team member knows how their role contributes to the overall aspiration.
In order to be the company they are today, systems and infrastructure became a key part of CrowdStrike's strategy. As a cloud-first company, they needed a partner in the cloud service providers world, and they found it in AWS. This was a win-win for both, as CrowdStrike became a great example of how to scale with AWS, which gave them preferred access to AWS services, and the Amazon service had a great success story to share.
Not only that, they made use of Salesforce to create commercial processes that would make a difference. In the early days, setting up a demo with an endpoint security vendor was a struggle, and CrowdStrike facilitated that process to the extreme, using Salesforce as their commercial platform.
When we were developing the Latin American market for ESET, my team and I made sure that we had the systems we needed to support our thought leadership and partnerships operations.
Maybe other systems we had were less mature, but with the above being our north stars, we were able to provide great insights to media and influencers regularly. We had data that no other company had in the region, and we gave tools to our partners to connect with us in the most streamlined way.
Staying focused on our goals, activities, systems, and how we made decisions was how we achieved our strategy. Staying firm in our strategic goals, and ensuring every action aligned with our objectives, was how we ultimately succeeded.
Playing-to-Win: A Focused Path to Success
There are many frameworks you can use to develop a strategy for your company, and many of them have their advantages and disadvantages.
Using the Play to Win strategy in a cybersecurity startup means making clear choices—where to focus, how to stand out, and which skills to develop.
It encourages startups to think deeply about their ambitions and the specific steps they need to achieve them, and guides other key activities and decisions, like the product development and GTM activities, even the hiring practices.
In a highly competitive and constantly shifting field like cybersecurity, this clarity can be the difference between becoming a market leader and getting lost in the noise. By playing to win, cybersecurity startups can create a unique space and build resilience for the long haul.
If you are a Miro.com user, you can utilize this template to develop your Play to Win strategy.