Where top VCs are investing in cybersecurity

Security is one of the toughest things to get right; a hacker only needs to win once, but businesses have to get it right every single time.

Not every company faces the same field of threats. That’s what makes security particularly difficult — there are no panaceas, and the cybersecurity startup field is crowded. So much so, some entrepreneurs complain that the vast number of solutions on the market are weighing down chief security officers with a deluge of data but not the clear visibility they need.

Or, as one of the cybersecurity-focused VCs we surveyed called it: “startup fatigue.”

Many of the rising cybersecurity startups focus on the same or overlapping problems could lead to a “cybersecurity consolidation,” one that’s dictated by customers and not necessarily the businesses themselves.

But there’s usually one element that feeds into everything — data.

As hacks and breaches become more common, companies and customers alike are reevaluating their relationships with data. Customers want more ownership of their data and the ability to give it out granularly, while an increasing number of businesses are shifting away from central banks of data and leaning towards a “zero data” approach.

By minimizing the amount of information companies store or collect, it’s validation that even some larger startups don’t even trust themselves to secure data properly.

Not only that, there’s as much mistrust inside their own networks. That’s where “zero trust” comes into play — where you don’t trust, but you certainly verify. The idea is that you get no extra special access inside a company’s four walls. Many big companies, like Google, treat all employees the as if they present the same level of security risk whether they’re in the office, at home, or in a coffee shop down the street.

“You should be able to run your whole business out of a Starbucks,” said Google security chief Heather Adkins at Disrupt SF.

Why the mistrust? Because security isn’t just a technology problem, it’s a people problem. And it’s not only people creating the solutions, it’s people with the solutions to create these startups to begin with.

We asked ten leading cybersecurity VCs who work at firms that span early to growth stages to share where they see opportunity in this sector:

In addition, we did a deep-dive interview with Arif Janmohamed at Lightspeed about how he and his firm are targeting the sector and what he sees as the next-generation of cybersecurity startups. Be sure to check it out.

Now, let’s get to the data.

Answers have been edited for clarity.

Amit Karp, Partner at Bessemer Venture Partners

In cybersecurity, what are you most interested in right now from an investment perspective?

Unfortunately, the cybersecurity landscape is overcrowded with many vendors that offer point solutions. I believe CISOs are tired of deploying additional security products which for the most part have overlapping functionality. So I am very cautious with additional tools that are deployed inside the enterprise perimeter (network, endpoint, etc.).  I am looking for companies that can be deployed quickly and demonstrate immediate value to CISOs, and do not overwhelm the CISO with many new alerts.

What are the most interesting trends in the space, particularly ones you think are under-appreciated by other investors?

I think there are still many opportunities to improve application security. The combination of every company becoming a software company on the one hand and development environments becoming more chaotic on the other hand, results in many new risks and opportunities in securing your software. This includes securing third-party APIs or open-source components which are outside your control and giving developers and devops engineers more security tools while not hindering the pace of development.

Another interesting trend is micro-segmentation and authorization — with the adoption of zero-trust frameworks and authentication becoming a solved problem — deciding who gets access to what has become increasingly important.

Are there any startups in cybersecurity you wish existed, but haven’t seen yet?

I would love to see someone create a way for people to take full control of their online data and decide what services they want to share it with and for how long. You can revoke the personal data access at any time if you don’t get the desired value from the service.

 

Rama Sekhar, Partner at Norwest Venture Partners

What I’m excited about in cybersecurity:

  1. Cyber crime is a never-ending challenge. Attacks are increasing in frequency and sophistication. SaaS and cloud adoption have dramatically broadened the attack surface that hackers can target, so I’m very interested in startups that are cloud-first in their approach.
  2. Ransomware is also on the rise. These tricky attacks are being used to extort both small and large enterprises and a startup should exist to combat it.
  3. But the cybersecurity startup landscape is extremely crowded. With so many security products proliferating the market, the bad guys are falling back on tried and true methods such as email phishing attacks which, according to the FBI, led to $12 billion in losses in 2018. I like companies using new techniques, such as machine learning, to solve these problems. As a case in point, Agari used this approach to unmask the infamous Nigerian prince scam last year.

Ping Li, Partner at Accel

While cybersecurity has attracted significant venture money (Accel alone has 20+ active cyber-related portfolio companies), we believe innovation in this market will continue to grow exponentially. It has to. On one hand, you have more sophisticated attackers (nation-state, etc), but more importantly, attack surfaces are constantly expanding along multiple vectors.

Among the areas he is interested in:

  • Cloud and mobile platforms have made the perimeter obsolete (i.e. Crowdstrike, Lookout, Code42, Netskope).  Microservices-based and cloud-native applications require more real-time and dynamic detection and prevention (i.e. Sysdig, Styra).
  • No longer can security be a “bolt on” – true application security needs to have security “built in” at time of development (i.e. Snyk, Semmle). Rise of API driven services have redefined first- and third-party security boundaries (i.e Risk Recon).
  • Data leakage and privacy have become core for enterprise security architectures – rise of the Chief Data Officer (i.e. Privitar, Transcend.io).
  • OT/IoT is a growing source of vulnerabilities for enterprises and consumers as everything is now “connected” (i.e. Tenable).
  • Authentication and identity requires more sophistication while maintaining user simplicity (i.e. Callsign, Forgerock).
  • Security operations in enterprises will be driven by real-time data driven workflows (i.e. Sumologic).

Other thoughts:

Outlined above are only a select few trends that we are excited about! While I provided a few companies above, there are multiple layers of innovation for each trend and boundless start-up opportunities to build a category defining company. As soon as one attack vector is “solved,” there will bound to be another one that arises. The cybersecurity market will drive significant innovation for years to come.

Saam Motamedi, Partner at Greylock

At Greylock, we are incredibly excited about the strong secular opportunity in cybersecurity. I currently have two cybersecurity companies in stealth, and the firm has investments in companies like Sqreen, Awake, Obsidian and others. Among many fertile areas, there are three that I’m most excited about:

  • Next-generation email security. In 2019, as email moves to the cloud and attackers become more sophisticated and targeted in their approaches, legacy secure email gateway architectures which rely on signature-based approaches are less effective. As a result, business email fraud is growing as the largest driver of cyber crime in the U.S. We believe new email solutions can utilize machine learning to deliver next-generation protection against these advanced attacks in cloud email environments.
  • Vulnerability management. Security engineering teams struggle to prioritize resources against resolving an increasing number of vulnerabilities in their infrastructure. Once identified, vulnerability remediation is manual and expensive. There are several exciting young companies addressing this area by infusing vulnerability prioritization with asset and infrastructure context, and orchestrating remediation.
  • Cloud data security and governance. As enterprise data moves to the cloud and SaaS applications, new security and compliance issues get created from the lack of visibility and controls. We believe there’s a new opportunity to deliver API-based tools to discover sensitive data across an enterprise’s cloud environment and monitor and enforce appropriate data use across the entire lifecycle.

Deepak Jeevankumar, Managing Director at Dell Technologies Capital

Our key themes for cybersecurity investing in 2020 are zero trust (tech theme), bridging human capital gap (HR theme) and hybrid cloud (industry trend theme).

The big cybersecurity categories that will be changed by these themes – vulnerability management, privileged access management, application security, networking security, fraud, email security and endpoint security.

We also look for founders who are empathetic to CISO needs – there are too many startups and CISOs have a startup fatigue. Founders need to know how to message well to the CISOs and make sure their product works with the existing security ecosystem. Usually we prefer to have a former CISO or security practitioner as a part of the founding team as they bring automatic empathy to security product design.

We also like to see a non-cyber related industry trend that can provide the necessary tailwind to enable faster adoption. Examples of these non-cyber trends that have created tailwinds in the past include: SaaS, IaaS, containers/microservices, outsourcing and CI/CD.

Lenard Marcus, General Partner at Edison Partners

Fundamentally, more and more data online means exponentially increased opportunity for cyber threats. And with devices and connectivity, governance has become a key catalyst as countries have implemented laws such as GDPR, to ensure that companies are protecting the data of users.

Our investments in cybersecurity are based on the following key areas of opportunity:

1) MDR (Managed Detection and Response): this may be one of the more clear opportunities. The companies in this category really hit at the heart of the problem in cyber which is, the hackers are ahead and have had success compromising even the best technologies. Therefore, it’s best to have human eyes and hands behind the technology to kill an attack.  Edison had a great deal of success with eSentire (www.esentire.com), which was one of the first MDR companies.

2) Endpoint Security: There is a tremendous need to manage and monitor a company’s network by ensuring the safe connectivity of the devices to which it connects. While there are many offerings, the key theme will be an ability to manage and protect data. Endpoint security has to take data at rest into account, networks, devices, VOIP connections … everything connected to the internet.

3 ) Phishing: While it may appear a bit mundane, anti-phishing email security is a great investment opportunity. Email is one of the top threat vectors and there have been numerous incidents in which financial leaders in businesses large and small have been infiltrated via email. According to research by Verizon, email continues to be the most common threat vector (96%) used by cyber-criminals to carry out attacks against organizations across various industries.

4) Countercyclical trends around e-commerce: Ecommerce is growing so rapidly because bricks-and-mortar is dying. It’s a very costly way to do business. Amid a potential economic downturn, we expect the transition to ecommerce to increase in speed.  This thesis led to our focus on technologies that fortify ecommerce websites and payments.

And a fifth opportunity unique to a specific vertical…

5) The move to connect almost everything in hospitals is creating yet another more vertically-focused opportunity to provide software and services to hospitals. IP-based medical devices also require protection. Companies like Medcrypt must now sell into entities that have never purchased cyber products yet will soon be forced to wrap their product offerings with cyber security software to ensure product safety.

And overall:

In making investments in this space, you’re trying to find entrepreneurs who are forward-thinking yet have strong market awareness. You’ve got to be sure the product is open architecture that interoperates with other products as we move from data silos to cyber vendors aligning to fight against cyber threats.

We will always focus on the product/market fit. eSentire, for instance, didn’t lose one customer in the first three years after we invested. The company initially started with a focus on hedge funds and later expanded more broadly into financial services. The team then focused on adding energy and legal verticals and did not miss a beat.  The company theme was industries with extremely valuable assets on their networks, yet cyber protection was not their core competency.

The technology too, of course, has to be superior. There have also been no computer hacks at eSentire in this time either. A good cyber security company provides managed network security because hackers are doing so well at infiltrating. You need a second set of eyes behind the product. The prowess of hackers to infiltrate a single device, makes managed detection response a very attractive segment within security and should continue to fuel its growth.

Arun Mathew, Partner at Accel

We’re seeing a lot of vendor fatigue in the market. Increasingly, CIO’s & CISO’s are consolidating the number of security vendors they’re working with. It’s important to have a platform strategy, including a compelling insertion point and a product roadmap that can support multiple use cases over time.

In terms of specific categories within security, we’re very excited about the migration to the cloud & an emerging sector around SaaS operations management or SaaS Ops, which our company, BetterCloud, is pioneering. SaaS is redefining how software is used & managed within the enterprise, and we believe it represents a new and unmanaged security vector that will be interesting and important to pay attention to over time.

Matt Carbonara, Managing Director at Citi Ventures

What are you excited about in cybersecurity?

  • Products that pull signal from the noise from the overwhelming set of data and alerts that security teams are drowning in.
  • Products that integrate with existing systems and elements in order to avoid deploying new agents while accelerating time to value.
  • Hybrid and multi-cloud security – whether multiple public clouds or public and hybrid cloud, the new enterprise reality is a multi-cloud environment. With that, the need for security and governance across these environments is critical and a high priority. Included in this is container security as containers and Kubernetes are the leading solutions for cloud portability.

Any important trends you are following in the industry?

  • Building security into products and then into the software development process itself.
  • The expanding role of identity in security. There is a view that “identity is the new perimeter,” which is more granular, robust and allows real-time identities to grant privileges and access to enterprise systems and resources.

Matt Robinson, Vice President at TCV

We’re always on the lookout for broader technology innovations with disruptive potential for better solving old known and new unknown problems across industries.

Recent breakthroughs in AI/ML capabilities unlock deep value in cybersecurity through improved identification, correlation, and automation of vulnerabilities, data, and responses. We see evidence of this in examples like Crowdstrike in endpoint protection and our recent investment in Vectra in network protection. We believe a number of other security sectors are next to benefit from AI/ML disruption such as SIEM, application security, data protection, and SOAR.

As this disruption occurs, we believe the fragmented security landscape will begin to consolidate. Larger, modern security companies will recognize security data density as an asset to which they can apply AI/ML models to create a unified solution to protect enterprises’ multi-faceted threat vectors, deepening their competitive moats and delivering greater customer value.

Enrique Salem, Partner at Bain Capital Ventures

Privacy is a significant concern for enterprises and consumers alike, and the increasing complexity of what constitutes a violation makes traditional data privacy measures less effective. In the B2B space, which is where we primarily invest, we’re seeing the emergence of AI-powered products that help contain data sprawl – a major liability for security, IT and compliance teams who are working to comply with regulations like HIPAA and GDPR. On the consumer side, we’re starting to see more and more products that help consumers control their data footprint across the web.

With the proliferation of IoT and “bring-your-own-device” (and -peripheral, e.g. headphones, Bluetooth devices) allowances, enterprises face increased security risks because security agents can’t always be installed. As a result, there’s a huge need for products that can effectively inventory and monitor devices connected to a network, regardless of whether those devices have an agent installed.

Last, with enterprises’ ongoing migration to the cloud, we’re seeing a meaningful opportunity for low-friction cloud security – in other words, security products that can integrate via cloud service APIs as add-ons to existing services. We think there are a few important features that make these kinds of products particularly compelling and ripe for adoption. API integration enables a seamless installation and the ability to show value quickly. API integrations also allow such products to leverage machine learning in a stateless manner, respecting data privacy while delivering smart, accurate security automation to reduce both breaches and SOC fatigue. Finally, this class of products can aggregate data across multiple platforms to enrich context for better security decisions.