Yoav Leitersdorf is the founder of YL Ventures, a 12-year-old, Mill Valley, California.-based seed-stage venture firm that invests narrowly in Israeli cybersecurity startups and closed its fourth fund with $120 million in capital commitments last summer — a vehicle that brings the capital it now manages to $260 million.
The outfit takes a concentrated approach to investing that has seemingly been paying off. YL Ventures was the biggest shareholder in the container security startup Twistlock, for example, which sold to Palo Alto Networks last year for $410 million after raising $63 million altogether. (YL Ventures had plugged $12 million into the company over four years.) It was also the biggest outside shareholder in Hexadite, an Israeli startup that used AI to identify and protect against attacks and that sold in 2017 to Microsoft for a reported $100 million.
Still, the firm sees a lot of cybersecurity startups. It also has an advisory board that’s comprised of more than 75 security pros from heavyweight companies. For insight into what they’re shopping for this year — and how startups might grab their attention — we reached out to Leitersdorf last week to ask what he’s hearing.
TechCrunch: You say that you’re in constant communication with chief Information security officers across corporate America. I know you publish a quarterly report where you try to capture their insights. What are they still missing at the start of 2020?
Yoav Leitersdorf: We’ve uncovered a number of common threads in these network surveys. The first is about their longstanding visibility concerns. Today, very few enterprises enjoy complete visibility across the entirety of their network, and even those that manage to maintain good awareness and visibility into their critical systems still come across surprise interconnected third party services and data flows. These kinds of surprises carry enormous implications and a huge amount of risk since CISOs can’t protect what they can’t see.
CISOs also tell us they’re still lacking the means to adequately tackle the challenges posed by cloud migration and cloud configuration — or, more specifically, cloud mis-configuration. In fact, concerns over cloud environments were among the main themes of the last edition of our report. DevOps/DevSecOps/SecDevOps — whatever its term du jour — they’re working hard to adapt to this constantly evolving space, and integration and collaboration seem more important now than ever.
I also saw in one of your reports that incident response has become another big problem for CISOs.
It is. Digital transformation and big data have provided innumerable improvements to the way enterprises operate, but [these managers] are suffering from alert fatigue, and they often aren’t able to distill their systems’ events, alerts, and raw data into action. It’s one reason we think that [incident response] presents another ripe opportunity for automated solutions.
It’s also worth mentioning that, on a broader level, CISOs are no longer the sole owners of an enterprise’s information security and data protection, because these are no longer strictly security domains. Often, CISOs are promoted to positions of wider responsibility across multiple technology verticals, so our own network of CISOs is increasingly looking for technology with features and functionality across engineering, DevOp, data governance and ands security — and that’s also coming into play in our own investment strategy.
Is it redundant then to ask where you think there’s the most opportunity right now and why?
We spend a considerable amount of our time addressing this very question. As mentioned, cloud security is a particularly hot topic among CISOs right now, and governance in particular is getting a lot of that attention.
There’s been an explosion of cloud-based services across all verticals, and cloud migration seems to be part of most companies’ roadmaps. In fact, most enterprise companies, particularly global organizations, have already gone beyond a single cloud initiative, and are now multi-cloud, and this only creates more challenges. During and post-cloud adoption, CISOs are having difficulty managing a common set of security and privacy policies across disparate clouds with disparate native tool capabilities. We think there’s a lot of room [for startups] to help operationalize security controls across clouds.
Privacy is another high-potential area for entrepreneurs to tackle. Landmark legislation like GDPR and CCPA are only the tip of the iceberg. Privacy addresses more than protecting the confidentiality and integrity of data; it’s about its use cases as well. Today, companies and organizations have to comply with GDPR terms like “legal basis to process” and the stakes for failure are high.
Another domain that’s ripe for opportunity is source code security, though we suspect it won’t be a greenfield opportunity for long; companies across nearly all verticals are growing more reliant on proprietary source code that often houses highly sensitive corporate information.
You’ve told us before about your strong ties to Israeli founders and to the 8200 Unit of the Israeli Defense Forces in particular. Do you think they have an edge over their U.S. counterparts because of their military experience? Is there a comparable unit in the U.S. — or anywhere outside of Israel — that is spitting out talent?
Israel certainly stands out in the industry as a technical powerhouse, and I would venture to say that it’s in a league of its own insofar as cybersecurity talent goes. It’s because the country currently boasts the densest concentration of cybersecurity technical talent in the world that overseas investors and customers are turning to its talent pool in larger numbers. Nearly $1.4 billion was poured into Israel’s cybersecurity market last year — and most of it came from international sources.
Amazon has dominated with AWS. Do you see this continuing? How will the world look five years from now in terms of who is hosting the workload of enterprises?
While AWS is one of the best-performing and well-known cloud platforms, I don’t entirely agree that they’ve dominated the market or will in the future. In some industries, as well as other regions, other public cloud providers like Azure, GCP and Alibaba Cloud have a much larger market share. In fact, there are quite a few cases where relying on a cloud provider other than AWS is actually a requirement for doing business.
Contrast that with Azure, which has made strong inroads in supporting highly regulated industries, including the U.S. government and other governments across the globe. GCP is also making tremendous strides in providing native tools for supporting the compliance requirements of doing business in the cloud. At the same time, Azure Arc and Google’s Anthos — both multi cloud management platforms — now enable, and even encourage, companies to increasingly adopt more cloud providers. This could very likely negatively impact AWS’s market share down the line.
Some estimate there will be 20 billion connected devices in the world by the end of next year or the year after, so naturally, there are lots of companies springing up to try and secure these devices. Do you see this eventually becoming a winner-take-all market? If so, why? If not, why not?
It’s true that we’ve seen a sharp rise in startups broadly looking to tackle IoT security and connected devices. But I don’t think that this is a winner-takes-all market. There are simply too many different vertical-specific challenges for that to ever be the case. Different devices — even if they seem superficially similar — communicate via very different protocols in different settings.
There will be some consolidation to be sure, but as the proliferation of connected devices continues, the challenges will continue to grow, too, and that will require new solutions and approaches to those new challenges.
There’s a shortage of security practitioners worldwide; you’ve spoken about the related need for automation to help the CISOs you know. Can you elaborate a bit on what you’ve seen or funded that’s interesting?
Many of cybersecurity’s traditional functions can be tedious, repetitive, and simultaneously stressful. There’s also no allowance for down time when it comes to security. All of that is a recipe for burnout, and those tedious, repetitive, stressful roles are not going to attract the best talent. Thankfully, the very fact that these functions are often repetitive opens the door to leverage automation, orchestration, and machine learning instead of actual manpower. For example, our portfolio company, Vulcan Cyber, is doing an incredible job by automating and orchestrating the laborious and time-intensive process of enterprise vulnerability remediation.
Where do you see opportunities or trends bubbling up in automation that you haven’t funded yet but are watching?
I believe automation has the most opportunity in cybersecurity use cases that involve repetitive and manual work around incident response, tier 1 and 2 management, and anything related to managing, prioritizing, and responding to high volume alerts.
Is there anything that you’re unlikely to fund because there’s already a pretty clear winner or standard?
The cybersecurity industry is constantly pivoting and changing. It’s more or less been defined by a constant stream of disruptions and improvements that all but negate what came before. This makes it nearly impossible to label any definitive industry winners, as it’s just a matter of time before they’re ousted by improved technology and processes.
I would go even farther and say that even today’s current standards in many fields, like IAM, have only remained so as stand-ins for something better.
As seed investors, we have to do our best to look several years into the future and avoid solutions that aren’t likely to last or outperform the current industry standards. Right now, we’re doing this by seeking out technologies that take a different approach to what’s available on the market and solves more than just a single challenge.
Should cybersecurity startups generally be looking to go broader, or is it smarter to focus more narrowly on particular industries and make your startup indispensable to a smaller number of potential customers?
The short answer is, a startup must focus on a small number of primary use cases to prove the efficacy of their product. Those use-cases may be either industry-specific or security domain-specific. Either way, a targeted focus is one of the most critical components to the growth of a startup. Once a startup dominates that particular use-case, they’re very likely primed to expand.
Our portfolio company, Karamba Security, began by focusing exclusively on protecting connected vehicles. They’ve since proved themselves considerably in the field and, at a time when IoT is booming across all verticals, has since been able to build off that success to help protect connected devices across many other industries.
What are you seeing in terms of valuations?
We’ve seen valuations rise over the past few years, and we’re certainly not oblivious to that, but the effect is somewhat muted at the point in which we invest.
With that said, we still make sure to emphasize the dangers of overheating very clearly to our founders and work with them to ensure that they avoid its risks. It’s fairly common knowledge in the industry that the more you raise at every stage, the higher the expectations get for your growth acceleration, and this can turn into a slippery slope. We work with our founders to help them raise funding rounds that allow them to achieve their objectives without burning too much capital before reaching product market fit.
Do you see 2020 as a year for big companies to adopt a bunch of new technologies, or do you expect they’ll be trying to better understand technologies they are already testing out? It seems like there are so many startups getting funded, I wonder how big companies are able to absorb what they are selling.
The answers to both of these questions are a resounding yes. Many companies are currently undergoing digital transformation, which is a complicated process that can take years to complete. In fact, these transformations are often escalating the normal three- to four-year tech lifecycle, where you establish proof of concept in year one, assess the efficacy and impact of the technology on your business roadmap in year two, expand in year three, and deprecate old tech and replace it with the new tech in year four. If anything, we expect to see more companies in transformation generate greater demand for new technology for years to come.
How much time does a company like Cisco usually test out a technology before it says yes or no to a longer-term implementation?
This is a complicated question whose answers depend on the complexity of the technology in question, as well as its requirements for implementation and integration into a company’s security or privacy stack. They also depend on whether or not the evaluating company is functioning as a design partner, how the solution fits into their budget roadmap, and if they’ve already tested out similar solutions.
We take the time it takes to evaluate new technology very seriously in our investment decisions and find it helpful to focus on asking how companies can minimize the time required to do it. The answer lies in making solutions as frictionless as possible.
In the early days of technology, companies worked to make themselves sticky by creating solutions that were very difficult to rip out and replace. However, in today’s technological ecosystem, stickiness is now generated through value-add, ease of implementation, and ease of use, [so more] companies are rightfully demanding frictionless or near-frictionless cybersecurity technology. It’s more crucial than ever that vendors demonstrate their value very quickly and their potential to support ever-changing business requirements crystal clear.
What’s the best go-to-market strategy for a cybersecurity company that you’ve seen? Have you observed anything particularly innovative on this front that others might consider copying?
One of the best things a startup can do is recognize how short-term success can carry you through to long-term success. For example, when it comes to closing customers, it’s quite natural to aim for the biggest logos out there to drive your brand and footing in the market. But while you wait to get your foot in Coca-Cola’s door, don’t forget to continue focusing some of your efforts on those smaller customers that will keep you going until you get there.
Conversely, any pitfalls startups should look to avoid?
It’s absolutely critical to articulate your differentiation. I’ve seen many startups pitch problems rather than solutions and spend so much time focused on fear, uncertainty and doubt that the customer walks away without a clear understanding of their value proposition.