Where top VCs are investing in cybersecurity

Security is one of the toughest things to get right; a hacker only needs to win once, but businesses have to get it right every single time.

Not every company faces the same field of threats. That’s what makes security particularly difficult — there are no panaceas, and the cybersecurity startup field is crowded. So much so, some entrepreneurs complain that the vast number of solutions on the market are weighing down chief security officers with a deluge of data but not the clear visibility they need.

Or, as one of the cybersecurity-focused VCs we surveyed called it: “startup fatigue.”

Many of the rising cybersecurity startups focus on the same or overlapping problems could lead to a “cybersecurity consolidation,” one that’s dictated by customers and not necessarily the businesses themselves.

But there’s usually one element that feeds into everything — data.

As hacks and breaches become more common, companies and customers alike are reevaluating their relationships with data. Customers want more ownership of their data and the ability to give it out granularly, while an increasing number of businesses are shifting away from central banks of data and leaning towards a “zero data” approach.

By minimizing the amount of information companies store or collect, it’s validation that even some larger startups don’t even trust themselves to secure data properly.

Not only that, there’s as much mistrust inside their own networks. That’s where “zero trust” comes into play — where you don’t trust, but you certainly verify. The idea is that you get no extra special access inside a company’s four walls. Many big companies, like Google, treat all employees the as if they present the same level of security risk whether they’re in the office, at home, or in a coffee shop down the street.

“You should be able to run your whole business out of a Starbucks,” said Google security chief Heather Adkins at Disrupt SF.

Why the mistrust? Because security isn’t just a technology problem, it’s a people problem. And it’s not only people creating the solutions, it’s people with the solutions to create these startups to begin with.

We asked ten leading cybersecurity VCs who work at firms that span early to growth stages to share where they see opportunity in this sector:

In addition, we did a deep-dive interview with Arif Janmohamed at Lightspeed about how he and his firm are targeting the sector and what he sees as the next-generation of cybersecurity startups. Be sure to check it out.

Now, let’s get to the data.

Answers have been edited for clarity.

Amit Karp, Partner at Bessemer Venture Partners

In cybersecurity, what are you most interested in right now from an investment perspective?

Unfortunately, the cybersecurity landscape is overcrowded with many vendors that offer point solutions. I believe CISOs are tired of deploying additional security products which for the most part have overlapping functionality. So I am very cautious with additional tools that are deployed inside the enterprise perimeter (network, endpoint, etc.).  I am looking for companies that can be deployed quickly and demonstrate immediate value to CISOs, and do not overwhelm the CISO with many new alerts.

What are the most interesting trends in the space, particularly ones you think are under-appreciated by other investors?

I think there are still many opportunities to improve application security. The combination of every company becoming a software company on the one hand and development environments becoming more chaotic on the other hand, results in many new risks and opportunities in securing your software. This includes securing third-party APIs or open-source components which are outside your control and giving developers and devops engineers more security tools while not hindering the pace of development.

Another interesting trend is micro-segmentation and authorization — with the adoption of zero-trust frameworks and authentication becoming a solved problem — deciding who gets access to what has become increasingly important.

Are there any startups in cybersecurity you wish existed, but haven’t seen yet?