Learn to Leap

Building a human firewall to block cyberattacks: Lessons from SoSafe

The number of cyberattacks is increasing and causing huge losses in the global economy. At the current rate of growth, it is estimated that cybercrime costs will reach about $10.5 trillion annually by 2025—a 300 percent increase from 2015 levels [1]. In the face of these growing cyberattacks, organizations globally spent around $150 billion in 2021 on cybersecurity, growing their spending by 12.4 percent annually [2: “New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers,” McKinsey, October 27, 2022]. SoSafe is a scale-up that helps companies address cybersecurity threats by training and educating employees with an innovative and data-driven learning-by-doing approach. The platform solution helps organizations protect their data and assets and reduce their risk of falling victim to cyberattacks by investing in the cyber resilience of their employees.

In an interview with McKinsey’s Jerome Königsfeld, two of SoSafe’s cofounders, CEO Niklas Hellemann and COO Lukas Schaefer, share their insights on how they use data to inform and quickly adapt the platform. They also discuss their business-building journey and how they have set up their go-to-market channels and selected investors to successfully grow their company.

Key insight #1: Human failure causes nine out of ten cyber incidents. Behavior change and education are among the most effective ways to address cyberattacks.

Jerome Königsfeld: What inspired you to build SoSafe?

Niklas Hellemann: Our founder team has always been driven by a desire to have an impact in the world. Personally, I was also looking for a business idea where I could best leverage and contribute my interdisciplinary background of business administration and psychology. That’s why we first looked at health management for corporations. However, during our interviews with potential customers, we realized that there was no real established software category and only a limited number of companies were willing to pay for software solutions.

As we did more work on human risk management and verticals where it had a disproportionate impact, we saw a big need for cybersecurity solutions in the numbers. The average cost of a data breach in Germany is $4.8 million, and it takes companies 327 days on average to identify and contain a data breach. Nine out of ten cyberattacks involve the human factor; therefore, the human layer offers a huge potential to mitigate cyber risk. As a psychologist, I believed that changing behavior and finding better ways to educate employees could tackle the issue.

Lukas Schaefer: As a former consultant, I had to complete many conventional compliance trainings with cybersecurity modules, and it was often difficult to retain what I had learned in these one-off trainings. I realized that more engaging and dynamic methods were needed to effectively convey and help employees retain knowledge. This is where our product comes in. Our training is easily accessible and built into the work employees already do, which helps people remember what they’ve learned because they’ve done it in real work scenarios. They end up developing a deep awareness of cybersecurity issues. We found that this type of training is not widely available in Europe, which is why we decided to offer it.

Jerome Königsfeld: After you identified the need, how did you validate the feasibility and business opportunity of the concept and set up a road map?

Lukas Schaefer: We chose a classic market validation approach and reached out to nearby medium-size companies instead of small local businesses that have a lower risk of cyberattacks or big corporations that have very high barriers to entry.

From a product perspective, we built our minimum viable product with input from security administrators. In the interviews, we tried to identify their pain points and discover how they used legacy solutions to tackle them. Back then, our customers were already running phishing simulations, but these simulations were part of yearly one-off campaigns of traditional cybersecurity service providers, where the main focus was on “testing” employees, not educating and empowering them. As a result, employees forgot most of the content over the course of the year, and the organization could not track cybersecurity awareness within the company. Also, the data they had was based on the quality of a single phishing test email, which made the results fluctuate. However, we realized that phishing emails were generally a great way of training employees because they created awareness through a learning-by-doing approach. We started our own phishing-simulation product that was constantly sending out customized phishing simulations to employees and giving them tangible learning moments if they fell for a simulated attack. This was the starting point for our first six-month road map. Since then, we have expanded our product with the help of our customers.

Jerome Königsfeld: How did your understanding of the need inform your business model?

Niklas Hellemann: We have a classic SaaS [software-as-a-service] business model with a subscription fee that consists of 100 percent recurring fees. The final price depends on the scope of different elements, such as the intensity and sophistication of the simulations, the number of end users, and potential API integrations for enterprise customers. Usually, our customers roll out simulations to all employees because the biggest risk might be coming from an unexpected part of the company.

Key insight #2: Adapting to new cyberthreats is key—and it creates a competitive advantage.

Jerome Königsfeld: How have you evolved the product over time? And how did you secure a competitive edge over other cybersecurity companies?

Lukas Schaefer: We evolved our training to include three modules: conveying knowledge, testing knowledge, and acting on knowledge.

First, we convey knowledge in our e-learning modules. Instead of yearly trainings, our short modules are interactive and based on gamification psychology.

For testing knowledge, we use the attack simulation module. The best thing about our simulations is that employees immediately become part of the company’s firewall because it’s not apparent what is a simulation and what is a real attack. When they identify something suspicious, they click on the “report email” button and then receive a response saying either “You identified the simulated attack” or “Thanks for reporting. We will come back to you.” Then, automatic-detection software identifies potential phishing before an IT administrator looks at it.

Last, for acting on knowledge, we use all the data generated from our training and phishing simulations for our GDPR-compliant [3] reporting to identify potential gaps to act on. For example, we can analyze how different teams or locations are performing. Based on the data and the dashboards, which go beyond traditional compliance-focused metrics, we target those segments with recommendations and further training.

One of our core advantages is speed. With more than 3,000 global customers, we can see new phishing trends quickly and adapt our offering. If, for example, a company in the United States receives a new kind of phishing attack that is reported by a significant number of employees, we can create a new phishing simulation to train all our clients to get ahead of attackers.

Key insight #3: Addressing human error in cybersecurity requires products that are fun and demonstrate measurable impact.

Jerome Königsfeld: How do you change human behavior to address cyber risks?

Niklas Hellemann: To change behavior, the product needs to be fun to use and demonstrate impact. Both are hard to achieve with cybersecurity products. One of our unique selling points is that our product is fun to use even though cybersecurity training is usually perceived as an unpleasant activity. As a system administrator or security specialist, usually when you implement a tool, nobody notices it unless there is an issue. But it’s different with our product. Since all employees interact directly with our product, IT administrators can have a visible impact on their colleagues and get positive feedback. Oftentimes, it is the first time that buyers and administrators receive a huge wave of praise from their colleagues. End-user engagement is a strong component of our DNA, which is why we focus a lot on user feedback when improving our platform.

Last, we can make the impact of our platform visible, even though this is not easy in the field of cybersecurity training. From the beginning, we used the data that we generated to analyze the impact of our platform on our clients. For example, we use the results of our phishing simulations to measure employee awareness levels using the campaign-based tests of conventional providers. That way, we can improve our simulations and target specific user groups in our clients’ organizations. In some organizations, we saw a reduction of up to 70 percent of successful phishing attacks and an increase in general awareness of 80 percent while they used our product.

Key insight #4: Secure the right expertise before scaling.

Jerome Königsfeld: How did you set up your team and expand it over the past few years?

Niklas Hellemann: Our philosophy has always been to hire people who are among the best in their fields and who have more experience than we have. For example, once we realized that our product had reached a maturity stage that enabled us to increase our sales, we hired an experienced CRO [chief revenue officer] very early on who helped us define our sales processes and scale our sales teams. We established a C-level structure last year to help further scale our organization and grow our team beyond our 370 employees. Meanwhile, we have talent from globally leading tech companies among both our workforce and our management team and also our board. Our ambition is to build a world-class team and empower the organization to become increasingly autonomous, using objectives and key results to steer and improve alignment.

Lukas Schaefer: Our expansion plans were complemented by our funding strategy. After three to four months, we raised our seed round with a VC [venture capitalist]. At this stage, we decided to have a professional VC instead of traditional business angels because we wanted our team to adopt a venture-backed growth playbook to prepare us for subsequent funding rounds. Our advantage in each round was always presenting revenue KPIs and using the VC funding to grow faster relative to the status quo. Unlike many hype-based models, our approach was financial-milestone driven and focused on showing tangible, customer-driven outcomes. As we entered the growth phase in 2021, we recognized that we required additional expertise to scale our business at a different phase in our life cycle. As a result, we brought in a specialist expansion-stage investment firm focused on helping European entrepreneurs scale their value propositions globally. We also added two high-impact entrepreneurs to our Series B growth round, who in tandem with the investment firm provided the right scaling advice and support. Our approach toward investor due diligence has always been thorough, not just considering availability of capital but placing more emphasis on the strategic and cultural fit of the partners. We never chased the highest valuation but prioritized investor value add and the ability to help us with recruitment and in scaling a robust and self-sustaining business model.

Key insight #5: Selling a complex B2B product requires a multichannel approach to reach customers.

Jerome Königsfeld: You are selling a complex product that is difficult for an external party to assess. How did you approach the market as a newcomer?

Niklas Hellemann: Our sales pipeline is generated in a multichannel approach typical for a B2B software company. We have our own sales force located in Cologne and local sales hubs in Amsterdam, Berlin, London, and Paris. We use an inside sales model that helps us scale faster; we can have several sales meetings on the same day, and our product can be showcased perfectly online. Also, we have a consulting approach rather than a sales approach toward our clients. Thanks to sales partnerships with system integrators and consultancies, as well as awards and a lot of thought leadership, we have a strong inbound pipeline of mature customers.

Second, we created a content funnel to educate less mature customer groups. For this segment, we organize a yearly human firewall conference where we bring together industry experts. We also publish a yearly industry report, the Human Risk Review, and several hands-on white papers.

Lukas Schaefer: Because cybersecurity is important for every organization, we can address a large market as opposed to having a specific industry focus. We focused on small and medium-size enterprises in the beginning, and then we expanded to include larger companies and even international clients. Today, we have a wide range of customers, including football clubs, political parties, and small and large corporations in various industries. We are the market leader in the DACH region, with a presence in Europe and internationally, including in the United States and Japan.