Open Navigation

12 top cybersecurity VCs discuss investing, valuations and no-go zones

Zack Whittaker @zackwhittaker / 4 years

Cybersecurity is by far the most important area in any industry. Without it, we would be in hacker open season.

But cybersecurity is difficult to get right. One wrong move and you can leave the door open for data breaches, ransomware and nation state-backed espionage. That’s why there’s such an intense focus on cybersecurity from an investor’s point of view. How does an investor know what’s a worthwhile security solution and not snake oil? And in an already saturated security startup space, who can you trust to keep your company’s data safe?

These are just some of the questions we want answers to.

Every few months we check in with some of the leading investors in cybersecurity to gauge the heat (or chill) of the market, see what trends are making waves and understand some of the challenges in a busy startup world.

This time around, we spoke to a dozen cybersecurity VCs to hear their thoughts on what they’re most excited about, cybersecurity valuations (in the age of pandemic, no less), which companies are sparking investors’ interests and the kinds of startups that aren’t. (We also have a separate look at how cybersecurity VCs are investing during the COVID-19 pandemic, and how investors are weathering the global emergency. Be sure to check it out.)

For this survey, TechCrunch spoke to:

Here’s what they said. (Answers have been edited for clarity.)

Shardul Shah, Index Ventures

What cybersecurity trends are you most excited about from an investing point of view?

I had the privilege of hosting Adrian Ludwig, Atlassian’s chief information security officer, on an Index OnAir webinar a few weeks ago. He shared a nugget of wisdom that should leave you feeling a little more optimistic: risk engines are actually better now than they were pre-crisis. Think about it, if you are staying at home, it’s much easier to detect if your Amazon account is logging in from a different location. So specifically, I think account security companies like Castle that have “machine learning-where-you-need-it” capabilities built into their risk engines will continue to go from strength to strength.

How are cyber valuations looking right now? Is the market underheated, overheated or about right?

I drank the Kool-Aid from the University of Chicago cooler of thought on economics, and have a few principles I keep in mind. First, the invisible hand of the market determines price based on supply and demand. When interest rates are low (read: negative) you see inflows of capital into high-risk asset classes. Increased supply of capital drives higher prices. From this point of view, valuations will continue to increase.

Second, I think price can be summarized in a simple equation. Price = intrinsic value + expectations. In our asset class, the dominant driver in that equation is expectations. So, high valuations correlate to high expectations. When expectations are rooted in a deep conviction that’s well reasoned, “high” prices are completely acceptable. When high prices are supported by herd mentality or flimsy logic, high prices are like playing with fire – it can be exhilarating but you might get burnt.

Third, I’m not as talented as Sybill Trelawney, so I’ve found my divinations on the “right” valuation for great companies is often wrong and always a combination of art & science.

Which cybersecurity focus areas are more likely to succeed or fail? In other words, where’s the security snake oil?

You know, snake oil may actually be saddled with an unfair reputation! That said, I do feel a deep discomfort with medical claims that are false, probably because my wife, my sister, my sister-in-law, my brother-in-law, my dad, my father-in-law and four of my childhood best friends are all healthcare professionals. Besides feeling confident that I can get a second opinion on any medical condition I might encounter, I feel most comfortable amidst evidence-backed claims. When I hear about cybersecurity companies claiming “zero false positives,” “auto-remediation,” “AI for X,” or ambulance chasing the latest greatest threat, my alarm bells definitely start ringing.

In your view, what qualities in a person make a good founder?

At Index, the core of our craft is working with great founders. One of the common traits that Olivier Pomel and Alexis Lê-Quôc at Datadog; Dug Song and Jon Oberheide at Duo; or Yanek Korff, Dave Merkel and Justin Bajko at Expel share is that they are comfortable being uncomfortable. In their product and their cultures, in their staff and board meetings, they are always looking for paths to uncover what is not going well. They are problem solvers; and if their customers and teams do not tell them about what problems exist they cannot aim to solve them. Having honest conversations about what’s not going well allows you to reason about how to improve, and the best have this amazing tendency to get better.

What is one cybersecurity company you wish you invested in and why?

There are a few. Recently? Coalition. Co-founder Josh Motta has an intimidating level of intellect, a great sense of taste and humor and just so happens to be building a business that has the potential to become the first $100 billion security company.

What cybersecurity trends are you most bullish and skeptical about?

Bullish: pragmatic products. I fall in love with people who build products that are easy to operate and actually work the way they promise. Low bar, right?

So many cybersecurity firms do largely the same things. How do you differentiate from the crowd?

Great products tend to address deep sources of pain that are broadly felt. They represent big opportunities and so naturally lots of entrepreneurs gravitate toward them. It’s true that some of the best SaaS companies, whether in video conferencing (Zoom) or in monitoring (Datadog) rose above the noise of a competitive marketplace. At the risk of being a reductionist, I think it comes down to philosophies about how tightly connected products are to their go-to-market.

Are there any companies that you would not invest in due to ethical concerns?

I met a founder once who wanted to weaponize the ability to take over camera feeds. While it was literally like a scene out of “Ocean’s 11” where the same 15-second snippet can loop over and over while Brad Pitt does his thing, I wouldn’t feel comfortable investing in espionage.

What types of cybersecurity startups/companies do you find the most attractive today?

Practical products with clear product marketing and land and expand sales motions.

What demographic or vertical is still most underserved by cybersecurity companies?

Small and medium-sized businesses (SMBs).

Theresia Gouw and Mark Kraynak, Acrew Capital

What cybersecurity trends are you most excited about from an investing point of view?

We at Acrew are very interested in security for communications — from email to messaging and video conferencing. This has been an area of interest for some time going back to our investment in Cato Networks, which enables cloud-based secure internet access including for work-from-home and continues to be a focus during these times.

We are also very keen on security solutions that are using AI and machine learning (ML) to help automate security actions, whether that is in security analytics, such as Exabeam or in identity and access management, which is where Silverfort is focused.

How are cyber valuations looking right now? Is the market underheated, overheated or about right?

Valuations have been increasing over the last several years as cybersecurity became one of the largest areas of venture capital investment. Public market valuations have pulled back across all sectors this year, but historically that takes some time to make it back to private valuations.

Which cybersecurity focus areas are more likely to succeed or fail? In other words, where’s the security snake oil?

For a while, there’s been a belief that detection and response and therefore not prevention are the only realistic goals in security. The reality of the market has been that response took a back seat to detection. And what users are finding is that detection of attacks or discovery of vulnerabilities and misconfiguration isn’t useful without an ability to do something about it (response). Some companies, such as Exabeam in security analytics and Silverfort in identity and access management have been starting to change that through the use of AI/ML to allow for more automated response. We also feel that there may now be an opportunity in vulnerability and configuration management to be more proactive and automated in managing the output of scanners. In a sense, this is swinging the pendulum back to prevention through automation.

In your view, what qualities in a person make a good founder?

A strong founding team, and perhaps no surprise given our firm’s name is Acrew, is a team that has deep domain expertise and a clear and unique technical approach to securing and growing part of the IT infrastructure. Often a change in the underlying infrastructure stack, for example the move from on-premises data centers to hybrid or cloud data centers or the increase in Internet of Things devices creates big opportunities for new security startups. In security specifically, repeat entrepreneurs often are the most compelling founding teams given their networks that provide unique access to customers, key recruits for their teams and for strategic partnerships.

What is one cybersecurity company you wish you invested in and why?

Palo Alto Networks. I tried really hard to invest early in the company, but another firm put forward a preemptive term sheet right before my meeting with the founders … and my meeting got canceled.

What cybersecurity trends are you most bullish and skeptical about?

Most bullish — see my previous answer. I’m most skeptical on automated red-team offerings. The sad truth is that any decently skilled attacker can find a way to penetrate 99% of organizations in some way. So most of these solutions are able to show compelling events. The problem is that being a good attacker does not make you a good defender and the problem of defense is asymmetrical, meaning it’s much easier to be an attacker than a defender in most situations. If there were a startup that really had a way to turn red-team output into scalable defense, that would be interesting.

So many cybersecurity firms do largely the same things. How do you differentiate from the crowd?

We don’t think it is actually true that cybersecurity companies do largely the same thing. There’s a huge variety of tech out there in security land. The problem is that the results they all market to are largely the same (reductively, not getting breached). The way that we differentiate is by looking at the specific functional part of security they are solving and how effective they are on that problem.

Are there any companies that you would not invest in due to ethical concerns?

We believe all startups we choose to partner with should have high ethical standards and a positive culture. That is not to say that there is any one “right” culture, but there are values that have shown to improve company performance, such as having a truthful and inclusive culture that values a diversity of multiple viewpoints.

What types of cybersecurity startups/companies do you find the most attractive today?

We think about a few categories that are interesting:

  • Security companies that can help solve the existing and hugely growing problem of communications security (i.e., what will replace the legacy email security platforms).
  • Security companies that helps corral the security problems introduced by the exploding remote work domain.
  • Security companies helping developer-first organizations; this can range from better operationalizing cloud security to securing APIs.

This is more forward looking, but the time is now to start thinking about securing AI/ML systems, not just using AIML for security, but actually securing underlying AI/ML systems.

What demographic or vertical is still most underserved by cybersecurity companies?

It’s getting better, but cloud-first or cloud-native shops are still underserved. Small companies also struggle to make use of sophisticated security products.

Niloofar Razi Howe, Energy Impact Partners

What cybersecurity trends are you most excited about from an investing point of view?

There are a lot of interesting companies in the cybersecurity space and some fast-growing market subsegments. Some of the solutions I am excited about include those focused on protecting data (homomorphic encryption, data security and management platforms), CloudSASE security solutions, Internet of Things supply chain security — just to name a few.

How are cyber valuations looking right now? Is the market underheated, overheated or about right?

The market is overheated in some ways, just right in other ways, and hasn’t been underheated for about a decade. Valuations for the highest performing companies are justified given long-term outlook for the industry. The issue is that there is a very long tail of small ideas riding the coattails of the visionaries.

Which cybersecurity focus areas are more likely to succeed or fail? In other words, where’s the security snake oil?

While there is always snake oil, I think about it differently. There are features masquerading as products, a few products masquerading as companies, and very few durable companies with real solutions for their customers. There is value to all of these — the features will get acquired, grow into products or fade, the products will get acquired to grow into companies or fade and the companies that stay agile and ahead of their customers’ needs will continue to push multiples in the markets.

In your view, what qualities in a person make a good founder?

Andreessen Horowitz co-founder Ben Horowitz has written a whole book on this, “The Hard Thing About Hard Things,” and it is well worth a read. Great founders and great CEOs have one thing in common: they are indomitable; they don’t know how to quit. By definition your job is to do something no one has done before, there are no easy answers, the road is littered with naysayers telling you it can’t be done and there’s no one you can get advice from. All you have is a belief and your emotions. As Horowitz says in his book, “Embrace the struggle.” Very few people are capable of that.

What is one cybersecurity company you wish you invested in and why?

I don’t believe in regrets. Are there great deals I’ve fought to get into and not gotten into? Sure. Next play.

So many cybersecurity firms do largely the same things. How do you differentiate from the crowd?

A lot of cybersecurity companies use the same words, but it doesn’t mean they do the same thing. You have to have the ability to check under the covers, test the technology, really understand what it does and how it does it. I don’t believe in incrementalism and look for companies doing something new, attacking a new threat vector, and even solving problems that no one has been able to solve for decades, even if it’s not new.

Are there any companies that you would not invest in due to ethical concerns?

Absolutely. I have a black and white rule on business ethics. If you know that people have crossed the line once — lie, cheat, steal — then they have probably done it more than once and will likely do it again. Our industry is mission driven and so unforgiving with respect to unethical behavior. Some of the situations I have pulled out of are tough, like when a founder lies about their background or experience when it would have had no impact on the investment decision-making. Building a business is hard enough when there is mutual trust — it is impossible and tortured when trust is not there. Reputation is the only thing that truly belongs to you, trust takes a lifetime to build and a moment to destroy, and so ethics has to be nonnegotiable in business. When I say this, I don’t mean to imply that I don’t believe in redemption — I do. I just won’t gamble investors’ money on it.

What types of cybersecurity startups/companies do you find the most attractive today?

There isn’t really one answer, but one trend I’ve noticed is that in our industry there are some amazing veterans continuing to solve hard problems with new startups. Some have had three or more successful exits and they still can’t stop innovating and getting back into the startup game. I get very excited about working with these founders because they understand the market, the customer, the technology and they have proven leadership skills, company scaling skills and an incredible network to bring to bear. And I am so impressed that they could do anything they want, including retire, but choose to keep solving hard problems with good people.

What demographic or vertical is still most underserved by cybersecurity companies?

With the rise of managed detection and response (MDR) and next-gen managed security service provider (MSSP), I don’t think there is a vertical underserved by cyber because now everyone can afford to get basic cybersecurity. If they are not served, it’s their choice and no longer cost or complexity.

What cybersecurity trends are you most excited about from an investing point of view?

I see meaningful opportunity in several elements of the identity market. Zero-trust is becoming real years before most predicted. The resulting changes to architecture require meaningful innovation in the areas of identity, risk-based access and risk-based orchestration. Automation will continue to be a strong theme as the labor crunch is exacerbated.

How are cyber valuations looking right now? Is the market underheated, overheated or about right?

So far we have not seen a meaningful change to venture-backed valuations, but the sample is small and the pandemic’s impact is still in its early stages.

Which cybersecurity focus areas are more likely to succeed or fail? In other words, where’s the security snake oil?

I’m not a big fan of behavioral biometrics, as I think it creates more privacy issues than it solves. In addition, I think we need to get beyond secure enclave approaches to data security and focus more on secure multiparty computing to protect data in motion.

In your view, what qualities in a person make a good founder?

Highly competitive, passionate about problem-solving and someone who can empathize with the customer’s pain.

What is one cybersecurity company you wish you invested in and why?

I’m a fan of Expel. Dave Merkel and team took a strong approach to product design and it is paying off (so I’m told).

What cybersecurity trends are you most bullish and skeptical about?

Bullish: Zero-trust and BeyondCorp approaches to automating risk analysis in real time.

Skeptical: SGX-based approaches.

So many cybersecurity firms do largely the same things. How do you differentiate from the crowd?

Results. The days of security firms marketing fear, uncertainty and doubt are over. Successful security companies are able to show a genuine accretive impact on the enterprises they serve.

Are there any companies that you would not invest in due to ethical concerns?

As seed and Series A stage investors, we are very focused on the founding team. We seek to partner with high-quality founders who focus on doing the right things in the right way.

What demographic or vertical is still most underserved by cybersecurity companies?

SMBs. SMB is a tough market to crack in a scalable fashion. As a result, it gets served primarily by boutique firms.

Sarah Guo, Greylock Partners

How are cyber valuations looking right now? Is the market underheated, overheated or about right?

To state a truism — valuations are always underheated for the best companies, overpriced for everyone else. I think the current environment has investors less interested in backing the third or four player in a market without product differentiation, which is a good thing.

In your view, what qualities in a person make a good founder?

First, I look for people who clearly see a better future — who are frustrated by the way we have to operate today for lack of better tools. In terms of traits, I look for ambition, customer centricity, a commitment to high quality of product, learning animals and a high velocity of execution. In security in particular, we’ve backed a number of people who have at some point worked at the highest levels on the “offensive” side, in national intelligence, or as defensive operators, because there are unique insights one has from those roles. I also personally tend to back founders who identify as engineers first and security people second.

What is one cybersecurity company you wish you invested in and why?

I really admire what George Kurtz and his team have built at CrowdStrike. It’s modern endpoint technology but also addressing a security talent shortage at the same time.

What cybersecurity trends are you most bullish and skeptical about?

I certainly believe strongly in the applicability of machine learning to security data, but I’m skeptical of companies that overly focus on their use of a particular machine-learning technique versus the delivered value for the customer. It’s just AI-washing.

So many cybersecurity firms do largely the same things. How do you differentiate from the crowd?

Many of our security investments actually have a fundamental architectural difference versus the competition or are ecosystem plays (e.g., Demisto, Okta).

What types of cybersecurity startups/companies do you find the most attractive today?

I’m excited about a growing number of entrepreneurs who are willing to upend established distribution models and who are living up to consumer expectations on user experience. For example, Sqreen, Obsidian, and Demisto — a former portfolio company — all have free trials or community editions you can access online. That’s a far cry from old-school companies that hide products behind a salesperson.

Deepak Jeevankumar, Dell Technologies Capital

What cybersecurity trends are you most excited about from an investing point of view?

I think remote workforce optionality is here to stay for a long time. Increasing security for remote employees while maintaining their productivity is therefore a top priority for CISOs. There are many buckets here — zero-trust access, securing collaboration applications, securing remote endpoints, securing traffic flow from remote endpoints to company data center and cloud apps. In our portfolio, startups such as NetSkope have been big beneficiaries of this trend.

API security and anti-bot security: APIs run a significant part of our digital economy today. This is a relatively insecure attack surface. We invested in Cequence Security which uses sophisticated AI models to protect APIs, mobile entertainment and gaming apps, and e-commerce and financial websites against automated bot attacks. Most enterprises do not know what APIs they are exposing to the public internet. Sophisticated hackers have moved on from code level attacks like SQL injection to business logic attacks like content scraping, account takeover, fake account creation, etc. using exposed APIs. The team is top-notch — it ran Symantec’s anti-malware platform — and has been able to win the confidence of the top e-commerce websites and financial institutions.

Developer security integrated into the CICD cycle: One of our startups, Soluble, enables security for Kubernetes users highly integrated into the SecDevOps workflow. They were one of the finalists for RSA Launchpad 2020. We invested because the two founders bring different perspectives to the problem. Rich Seiersen was CISO at Twilio and LendingClub, while his co-founder Rob Schoening was head of DevOps for LendingClub.

How are cyber valuations looking right now? Is the market underheated, overheated or about right?

The cybersecurity valuation market has been overheated for the past few years. In my opinion, startup valuation multiples follow public market valuations. These multiples have bounced back to early-2020 levels. Private market valuations for the top decile companies continue to be rich. Investor appetite is strong as CISOs feel that cyber budgets are the least affected in COVID-19-induced replanting of IT budgets.

In your view, what qualities in a person make a good founder?

  • Intellectual curiosity.
  • Ability to inspire CISOs and potential employees. There are 10 to 20 times more cyber startups compared to 10 years ago. Inspirational abilities are needed to rise above the noise.
  • CISO as a member of founding team. About 25% of our cybersecurity founders are former CISOs (RedLock, acquired by PANW; RiskRecon, acquired by Mastercard; Remediant; and Soluble). They have automatic empathy to customer needs and are able to win lighthouse reference customers faster.
  • Ability to work with the ecosystem, as security solutions do not exist in isolation any longer.

What is one cybersecurity company you wish you invested in and why?

Snyk.

What cybersecurity trends are you most bullish and skeptical about?

Bullish:

  • API security, e.g., Cequence Security in our portfolio.
  • DevSecOps, e.g., Soluble in our portfolio.
  • Cyber risk quantification: This is a long-term need that has to be solved in the industry, e.g., RiskLens in our portfolio.

Skeptical:

  • Deception. While the technology is very useful and important, only the most sophisticated customers will be able to use this easily in their workflows.

So many cybersecurity firms do largely the same things. How do you differentiate from the crowd?

I can’t speak on behalf of large cybersecurity firms. Startups can rise above the noise by having an easy to use self-serve product (for bottom-up sales motion) and having voice of the customer in the team (for a top-down enterprise sales motion). For the latter, it is Important to have respected CISOs as part of the founding or early team to bring credibility to the startup. Having the CISOs as advisors is not sufficient. They need to live and breathe the startup DNA to bridge the gap to the CISO community.

We also advise our startups to contribute strongly to the cyber threat research world. This helps them to build authentic thought leadership.

What types of cybersecurity startups/companies do you find the most attractive today?

Startups that can decrease the costs of network security or security operations center (SOC) by an order of magnitude, e.g., 100 times more logs are created today than 10 years ago. Old technologies to store and analyze these logs are insufficient for the future. We invested in a European startup called Humio that is making significant progress in this domain and has won lighthouse reference customers.

What demographic or vertical is still most underserved by cybersecurity companies?

Innovative cybersecurity solutions for SMBs and midmarket are hard to come by. Investors invest relatively less in this market segment as go-to-market motion is very expensive and slow. We need go-to-market innovations (not technology innovations) to serve SMBs.

Ariel Tseitlin, Scale Venture Partners

How are cyber valuations looking right now? Is the market underheated, overheated or about right?

It went from very overheated to just slightly overheated. Valuations have come down somewhat for three reasons: multiples have come down, growth rates have slowed, and revenue levels are now likely lower. The first and second are the big drivers.

Umesh Padval, Thomvest Ventures

What cybersecurity trends are you most excited about from an investing point of view?

There are several trends we are excited about.

Cloud security: The adoption of security platforms for multicloud and hybrid cloud environments are going to be huge. We see enterprises around the world adopting cloud in a massive way, though it is still relatively very early in the adoption cycle. The rise of cloud platforms poses a lot of security issues for the enterprise.

Brand protection: The world is moving from brick and mortar stores to e-commerce, and the online buying trend is accelerating. With this, fraud has spiked significantly and will continue to do so with fake websites selling high-value brands. This represents a massive loss of revenue and immense damage to retail brands such as Nike, Prada, Louis Vuitton, Amazon, Expedia and Uber. Even pharmaceutical companies are experiencing this trend with fraudulent sales of fake drugs being sold online. This type of fraud has also caused a spike in loss of personal data such as credit card information.

Next-generation network security: As we move from on-premise data centers to the cloud, the standard perimeters used to protect go away, as data moves between on-premise and the cloud. Once attackers get in, they can move anywhere within this environment and wreak havoc. The need for cloud-native network security solutions, which protect both north-south as well as east-west traffic across different layers of infrastructure stacks, will be salient.

Hypergrowth of applications in the cloud becomes a major security issue for enterprises: The software code being written by developers is growing exponentially and the application development environment is becoming more complex. Releases are more frequent, which in turn results in new risk and opportunities for security flaws. The adoption of all application workload protection platforms is a great area of investment

How are cyber valuations looking right now? Is the market underheated, overheated or about right?

The investment pace from VCs has slowed down during this pandemic and, due to that, the valuations for companies absolutely needing to raise money have fallen and are becoming very reasonable. However, companies that are doing really well and are well-capitalized are garnering a lot of VC appetite, with some folks wanting to invest even at higher valuations in this environment.

Which cybersecurity focus areas are more likely to succeed or fail? Where’s the security snake oil?

We feel the areas of fraud detection and protection, anti-phishing, cloud native security, and digital identity will likely see increased traction, while on-premise-only security protection companies will have less traction in a world where enterprises are moving to multicloud and hybrid cloud environments.

In your view, what qualities in a person make a good founder?

A previously successful founder or a very scrappy and innovative founder capable of developing a disruptive platform are often positive signals. Someone who is agile and flexible and willing to change course based on feedback from customers are additional traits we like in founders.

What is one cybersecurity company you wish you invested in and why?

There are a wide variety of great opportunities in the security space. Companies like CrowdStrike and Okta are examples of companies that would have been great companies to have invested in. Having said that, we are excited about our current portfolio of amazing security companies as well as companies like Skyhigh Networks (acquired by McAfee) and Cylance (acquired by BlackBerry for $1.4 billion), where both exhibited great exits in recent times.

What cybersecurity trends are you most bullish and skeptical about?

Brand protection, cloud security, application security and digital identity are areas that will do well.

So many cybersecurity firms do largely the same things. How do you differentiate from the crowd?

Entrepreneurs really value my broad 20-plus years of operational experience, having been a public company CEO — i.e., they can relate to me being in their shoes and my experience on more than 30 public and private company boards. We also help companies with introductions to an extensive network of CISOs, help identify and hire key management positions, help with strategic decisions at critical times like now, help with financings and act as an on-demand resource that they can talk to 24/7 when they need guidance or brainstorming sessions. We also are focused on only a few verticals like cybersecurity, cloud infrastructure and fintech, and hence have deeper knowledge compared to a broad-based VC firm.

Are there any companies that you would not invest in due to ethical concerns?

We would not invest in companies that provide solutions in the dark web (i.e., deep web).

What types of cybersecurity startups/companies do you find the most attractive today?

We love companies in fraud detection, cloud security and digital identity, which solve major pain-points for their customers in large markets using differentiated platforms and technology.

What demographic or vertical is still most underserved by cybersecurity companies?

We feel the automated fraud detection and orchestration market, as well as the identity and access management market, are primed to benefit with newer, disruptive platforms.

Saam Motamedi, Greylock Partners

In your view, what qualities in a person make a good founder?

At Greylock, we have the privilege of working with an incredible group of entrepreneurs with diverse backgrounds. When we look for new entrepreneurs to partner with, we’re looking for people who have:

  • Customer centricity: obsessiveness about solving a customer problem and delivering superior end-user value.
  • Voracious learners: we invest in slope, not y-intercept.
  • Recruiting magnets: can attract world class talent to join them in their mission.
  • Grit: every company journey goes through ups and downs; the best entrepreneurs keep getting up after they get knocked down.

What types of cybersecurity startups/companies do you find the most attractive today?

We’re looking for entrepreneurs that have strong interest in new cybersecurity opportunities around hybrid multicloud security; applying new ML techniques to datasets to deliver products with superior effectiveness and customer value; and orchestration, automation and response as key product paradigms. We have a deep history of partnering with cybersecurity entrepreneurs at the earliest stages and working with them closely through the initial stages of customer discovery and product scoping, all the way through IPO and beyond.

Alex Doll, Ten Eleven Ventures

What cybersecurity trends are you most excited about from an investing point of view?

Of course, it’s a good time for technologies that enable employees to work safely and securely from home. For us, that includes our investment in Axis Security and their Axis App Access Cloud, a new approach for users to connect with private applications from wherever they are. It also includes KnowBe4, a security-awareness training platform focused on educating employees on how to avoid phishing and social engineering attacks.

There is also a lot of focus now on digital transformation and “moving to the cloud.” Much has been made about the rise of hybrid clouds (emphasis on the “s”) and the decline of the traditional firewall. There has been less thinking about the fact that the reference architecture for the next five years is a perpetual state of transition to hybrid clouds. It is not a one-time move. For many companies, there are regulation, compliance and privacy policies in place that cannot be easily extended to new uses of the cloud.

We think a great place to invest is in cloud security technologies that serve not only as data compliance for your clouds, but also that extend existing compliance frameworks. We backed a great team from QRadar, a security information and event management (SIEM) pioneer, and later IBM Security, who are building a company called Sonrai Security. Sonrai is an enterprise identity and data governance platform that de-risks your cloud by finding security holes and helps cloud architects still move rapidly to correct issues. Sonrai speaks all major cloud languages to understand and translate what is an account, what is a service and what basic permissions are in each different platform. That underlying capability allows the company to protect data across the hybrid enterprises.

Another trend we are interested in is the evolution of the firewall. What does the firewall look like for an enterprise without traditional boundaries? Many of the interesting and more advanced threats have been taking place through the core web protocols of HTTP/HTTPS. We see an increasing amount of innovation in purpose-built firewalls for specific application areas or protocols, where the traditional configuration rules and policies that applied to general traffic are not granular enough. The case study for this kind of investment is Twistlock, now part of Palo Alto Networks, a company we invested in in 2015 that provided container and cloud native computing (Kubernetes) security, as this technology emerged as a new preference for developers. A future example might be in big data and the rise of the data scientists modernizing the data warehouses and lakes.

Currently, data scientists are using new platforms to gather and analyze big data pulled in from all over the enterprise. But these platforms need better data governance and privacy layers. This concept also applies to enterprise blockchain. Companies need a security layer on this new kind of database.

How are cyber valuations looking right now? Is the market underheated, overheated or about right?

As COVID-19 developed and lockdowns began, valuations were down across the board. Investors turned inward, focused on their existing portfolio companies. New deals slowed. We did continue work on in-process deals. Ultimately, Ten Eleven completed investment deals that were in flight pre-COVID-19, on the same term sheets.

We see strong opportunity at the early stages, as valuations are really about ownership (and less about current quarterly financials). The seed and early stage sector also has the benefit of not needing to typically sell in the near term, as they focus on product innovation and development of MVPs. Early stage valuations remain about the same here and we think that they are currently priced “about right.”

We also see opportunities developing in later stages, but with much lower valuation expectations, generally speaking. Quality companies are getting financing done, but perhaps not at levels as company-friendly as they have been in the last couple years. We think this is constructive, as late stage growth valuations have been very high in recent years by historic measures. So, growth valuations are experiencing a healthy cooling to “about right” levels.

The companies in the middle, say $10 million revenues and 100 employees and approaching a Series C or Series D raise, are in the most trouble. It is just going to be challenging to fundraise in the current environment, especially because of the lack of visibility into customer adoption and revenues. This part of the market, probably overheated before the crisis, might suffer the worst in 2020 and 2021. It will likely turn heavily to insider-led financing transactions for a period of time.

Which cybersecurity focus areas are more likely to succeed or fail? Where’s the security snake oil?

We touched on the “most likely to succeed” areas in the question above. I don’t know if there is truly any clear snake-oil in terms of specific products that simply do not work. However, the cybersecurity industry is often guilty of overmarketing and aggressively selling.

As the industry has matured, we’ve lost some of its uniqueness, perhaps, with “geeky” marketing and more technical selling. Some terms have become very “buzzy.” For example, we’ve received business plans with some AI and security use cases from hundreds of companies. In 2018, about one-third of all business plans that arrived had the words AI and ML somewhere in their pitch. Many of these were inaccurate or overhyped. But it’s important to find the real innovation amongst the noise.

The truth is that AI can be transformational to security use cases. We have made 5+ investments where this is the case, including Cylance (2012: endpoint + AI); Darktrace (2014: network + AI); Jask and Sumo Logic (SOC + AI); Ordr (2018: IoT + AI); and Buguroo (2019: biometrics + AI).

Some areas aren’t “snake oil,” but still may be too early for us to invest in right now. One area that is “too early,” other than for government and very high-end enterprise use cases, is probably quantum security. Quantum computing is coming and making great progress, as evidenced by some of the news on progress at Google and IBM. But using quantum to crack core encryption in a business-use case is probably not near-term enough for us to consider as an investment.

The quantum ecosystem needs to develop further, with respect to operating in normal temperatures, reasonable costs, true quantum switching and networking and even the physical layers supporting infrastructure. So, other than in some very specific use cases largely in government, quantum hardening and quantum resistant encryption feels a little bit too early for us to be investing in currently.

In your view, what qualities in a person make a good founder?

We think that the best founders are smart, ambitious, understand the buyer, understand their competition, have a unique take on a specific problem, and can attract and motivate talented people to work on that problem. A founder has to find people who complement one’s weaknesses. That takes some awareness about what you’re truly good at, and what you’re not. You and your solution have to be compelling enough to get the people who can fill the holes you can’t fill yourself.

What is one cybersecurity company you wish you invested in and why?

One interesting company we admire, which is turning more and more into a security company, is Cloudflare. The founding team has done some great things in building that business. The way that the company uses its mission statement to drive product, customers and employee behavior is a great model that we would point our portfolio companies toward as an example of how to build culture.

What cybersecurity trends are you most bullish and skeptical about?

As we touched on above, we’re bullish about specific places where machine and deep learning can better power existing subsectors, like endpoints. That was the thesis of our Cylance investment (since acquired by BlackBerry.) While there are some companies out there using the terms meaninglessly, there are other companies that have been able to apply the technology in exciting new ways that are improving how we can read and understand signals.

We really like the intersection of widely distributed biometrics on mobile devices as an enabling data feed to new anti-fraud AI algorithms. This is the basis of our investment in Madrid, Spain-focused Buguroo who today has over 50 million user accounts benefitting from new biometric signals that can feed AI models in ways that produce new and better signals than we did without biometrics.

We’re also bullish about the need for better data governance and privacy tools, and the current COVID-19 environment has only underscored that.
We’re skeptical about companies that overpromise and who rely on general marketing speak. We need to understand the hard tech or the unique insider insight, and we diligence quite hard on that and employ our network of experts to help us get a complete grasp on each problem. We’ve been in the industry for a long time, so we have a decent radar on what is a superficial or incomplete approach to a given problem.

So many cybersecurity firms do largely the same things. How do you differentiate from the crowd?

We care a lot about the product tech underneath the stated promise, so we spend a lot of time in diligence probing the tech and making sure we are comfortable with the differentiation there. We spend all our time looking at just cyber, so we have seen many companies trying to solve the same problem in different ways. We often reach out to our advisory board and our industry contacts to get additional input. Also, because the cybersecurity space is so crowded, we need to understand how a company is thinking about their go-to-market strategy and marketing positioning.

During our investment period, we focus a lot on strategy and the company’s thinking on how to position its technology while simultaneously de-positioning incumbent technologies. Almost all new product areas start with an innovation edge and will ultimately take away spend from a nearby category or innovation budget. We are looking for entrepreneurs with great underlying technology who also understand the customer and market well enough to see the “category” opportunity and understand where the spend will come from.

Are there any companies that you would not invest in due to ethical concerns?

Yes. It’s a slight twist on the question, but we are concerned about both the nature of certain security products and also the potential for use in countries with nondemocratically elected governments.

What types of cybersecurity startups/companies do you find the most attractive today?

As we touched on above, we think there is opportunity at the very early stages and in the later growth stage, we think of it as “opportunity in the barbells.” The very early stage companies have not yet absolutely determined product-market fit or developed their go-to-market engines. In this strange time, they can find time and space to build their product and talk to and test their early product with security leaders. At the growth stage, valuations have come down, which gives us more flexibility to invest in companies at that stage.

What demographic or vertical is still most underserved by cybersecurity companies?

The CISO has traditionally been the owner of all security decisions and architecture in the enterprise. In this way, the CISO has truly been the “Best Actor” in the organization. Correspondingly, a lot of attention has been focused on that person from a sales and marketing perspective. One interesting trend we are observing is the rise of the “CISO as Best Supporting Actor,” as other areas of IT like cloud architects, fraud analysts, data scientists and developers adopt new digital transformation solutions that also need to be secured.

We think that new companies should think about everyone in the organization who may need a security or privacy solution, potentially with the CISO’s approval but maybe not as the CISO’s direct purchase. Looking at security needs from these new perspectives may unearth new opportunities.

Dharmesh Thakker, Battery Ventures

What cybersecurity trends are you most excited about from an investing point of view?

We have had a longstanding thesis that security is becoming more developer-centric — meaning developers have to take more responsibility for automatically building security into products from the beginning. It’s simply too expensive and cumbersome to centralize all security work today through centralized SOCs. And there are many startups working in this area. We also believe MDR technologies — which essentially outsource security — are interesting.

How are cyber valuations looking right now? Is the market underheated, overheated or about right?

Every company is different, but speaking very generally, prepandemic, I think the argument could be made that many tech startups in many sectors were overvalued because the market was so frothy. There is a lot of uncertainty in the market today, but Q1 earnings have largely been positive across the cybersecurity universe and stock performance has recovered from pre-COVID levels. So, this should help prop up valuations. It’s hard to predict what will happen in the markets over the next three quarters, but most cybersecurity companies have historically seen between 80% and 85% of in-period bookings coming from existing customers. And that’s a good thing in this environment, since it’s generally easier to keep an existing customer than try to get a new one.

Which cybersecurity focus areas are more likely to succeed or fail? In other words, where’s the security snake oil?

We like to think that successful cybersecurity solutions are ones that firstly address security for production systems — like applications, endpoints and production infrastructure; and secondly are able to enforce remediation in their solution. For example, we think vulnerability scanning will become a commodity and the value will be providing remediation playbooks or recipes for these vulnerabilities.

For production systems, this is really about a winner-takes-all market. This risk of replacing an existing solution is so high that a new solution has to be 10 times better.

In your view, what qualities in a person make a good founder?

Unique insights on a category or sector, relevant background that informs said insight, and an unwavering drive and tenacity to succeed.

What is one cybersecurity company you wish you invested in and why?

CrowdStrike. Beyond being a mission-critical, cloud-native, endpoint-protection solution, they have become a platform that other companies are building on top of. The number of companies leveraging the company’s endpoint agent is growing and is a strong indicator that CrowdStrike’s platform is growing and evolving. The ability to evolve from point solution to platform changes the trajectory of companies. Zoom is starting to do this on the application-software side. On the security front, we have seen this from CrowdStrike and Okta, and both have been very successful.

So many cybersecurity firms do largely the same things. How do you differentiate from the crowd?

As investors, we differentiate between startups by actually talking to customers and product experts to understand their pain points, their budgets and how they’re actually using products now.

What demographic or vertical is still most underserved by cybersecurity companies?

Internet of Things security is still nascent in our view but will continue to be a growing concern as more and more devices get connected. System-to-system communication is happening today more than ever and this is largely unsupervised, presenting big security risks. We will need to find new cybersecurity solutions to address this risk.