Top cybersecurity VCs share how COVID-19 has changed investing

The coronavirus pandemic is, without doubt, the greatest challenge the world has faced in a generation. But the wheels of the world keep turning, albeit slower than during normal times.

But where the world has faced challenges, the cybersecurity industry remains largely unscathed. In fact, some cybersecurity businesses are doing better than ever because cybersecurity has emerged as one of the few constants we all need — even during a pandemic.

The vast majority of the global workforce is (or has been) working from home since the start of the lockdown, and the world had to quickly adjust. Tech companies pushed their technology and services to the cloud. Businesses had to shift from not just securing their office network but also preventing threats against their highly distributed employees working from their own homes. And, hackers are retooling their attacks to be coronavirus themed, making them far more likely to succeed.

All of these things — and more — need security. Or, as one investor told us: “Many of these trends were already underway, but COVID-19 is an accelerant.” That’s helped cybersecurity firms weather the storm of this pandemic.

We spoke to a dozen cybersecurity VCs to hear their thoughts on how COVID-19 has changed the investment landscape:

Here’s what they told us. (Answers have been edited for clarity.)

Ariel Tseitlin, Scale Venture Partners

Security budgets haven’t been affected nearly as much as broader IT spend. We continue to see existing portfolio companies raise follow-on financings, and we continue to meet with companies for new potential investments. The big change in my criteria for new investments is that a company must be able to continue growing in the current environment. We don’t know how long this downturn will last, so I don’t buy into the promise of “as soon as the economy recovers, growth will resume.”

Shardul Shah, Index Ventures

On Microsoft’s last earnings call, chief executive Satya Nadella said: “As COVID-19 impacts every aspect of our work and life, we have seen two years worth of digital transformation in two months.” This acceleration has actually created momentum for a number of cybersecurity businesses, which is why the best companies continue to draw significant interest from investors. I serve on the board of security firm Expel, which raised $50 million in the middle of this crisis.

Theresia Gouw and Mark Kraynak, Acrew Capital

COVID has impacted all investment sectors to varying degrees. Cybersecurity has been relatively less impacted than other areas.

Niloofar Razi Howe, Energy Impact Partners

COVID, and the ensuing lockdown, has impacted the entire investing landscape. When making a decision to invest in a company, there is both qualitative and quantitative analysis. The qualitative has to do with the team, such as their background and experience, the chemistry of the team and chemistry with you as an investor. It is almost impossible to do qualitative analysis without actually spending time in person getting to know the team. The quantitative has to do with the market and financial performance. While the market for cyber continues to be extremely strong, especially as it relates to enabling tech transformation and working from home, evaluating a company’s pipeline and prospects is tougher and no one has a crystal ball in terms of how spending will be impacted over the next 18-24 months, making valuation analysis difficult.

On a positive note, many public cybersecurity companies have done well through the lockdown and should make investors more comfortable that multiples will stay strong and once the economy is back on track, exit valuations will remain high. Finally, many funds — not all, and not Energy Impact Partners — have either slowed or stopped investing in new deals in order to focus on existing investments and make sure that their portfolio companies remain strong and capital efficient over the next 18 months, which means there has been limited bandwidth to look at new deals.

Attacks have spiked during the work-from-home phase of COVID-19. Both nation-state and financially oriented attacks are up, leveraging novel vectors of attack while attempting to take advantage of enterprises that lack tooling for a work-from-home workforce. Also, massive numbers of fraudulent sites are posing as CARES Act sites or COVID testing sites and attempting to scrape credentials and personally identifiable information. As a result, demand for these types of tooling have spiked. Specific approaches to selling and deploying have seen benefits as well — for example, inside sales as the primary mode of selling and cloud native solutions that do not require physical access to customer premises.

Sarah Guo, Greylock Partners

Firstly, most knowledge workers are working from home, which means a flood of digital interactions, the sudden requirement to work with business critical applications remotely, and an increased focus on identity as the perimeter. Secondly, digital transformation is happening at 10 times the speed — and DevSecOps and application security need to keep pace — as cloud usage is accelerating and as businesses realize the value of globally remotely accessible services.

Deepak Jeevankumar, Dell Technologies Capital

We definitely see longer diligence cycles, which is good for the startup world as it keeps the bar high. First-time entrepreneurs are having a harder time raising capital for seed and Series A rounds. There has been a slight decrease in valuations — especially in the mid-stages of growth, such as Series B and Series C.

Umesh Padval, Thomvest Ventures

The COVID-19 health crisis has pushed everyone to work from home. This has pushed some major trends.

First is the push for companies to use more cloud vs. on-premise solutions. Second is the push to more bandwidth due to an increase in the use of applications like video conferencing, streaming video and gaming.

With the move to cloud, the need for security continues to be even more urgent. Bad actors view any crisis as an opportunity to hack corporations as well as consumers. Enterprises are seeing many more attacks whether it is ransomware, phishing attacks or zero-day attacks. This has caused the security budgets of enterprises to increase significantly, which provides increased demand for many of the security companies around the world.

The impact on VCs in this climate is also profound. They need to make sure that they first take care of their existing portfolio companies, which in most cases will need more money as demand for most companies — with few exceptions — has dropped precipitously. After a couple of months, VCs will start looking at newer companies to invest in but will be far more selective. Also, doing due diligence over Zoom without meeting the founders or CEOs and then deciding to invest will be a major decision for VCs. VC investments in startups will definitely decrease during these times.

Saam Motamedi, Greylock Partners

COVID-19 has led to significant change and accelerated a number of important trends across industries — several with a large impact on cybersecurity and the opportunity landscape. One of the important impacts is the shift to distributed workforces that heavily use digital communication and collaboration tools. As work goes remote, the integrity and security of these tools becomes of paramount importance.

A second key impact is the acceleration of digital transformation and the increased investment in software by companies across industries. As part of this transformation, application security, DevSecOps and trends like remote access will significantly accelerate, creating an opportunity for entrepreneurs to build new products and companies. Across all these areas, there’s an increased focus on products that clearly drive return on investment, have fast time to value and can be deployed remotely.

Alex Doll, Ten Eleven Ventures

In mid-March and early April, we focused our attention on helping our existing portfolio companies adjust to the lockdown environment. It became clear that COVID-19 had a dramatic impact on the 2020 calendar year operating plans, and we needed to be there for our portfolio companies to help them adjust to that. We also continued diligence on investment opportunities that we had identified before the crisis.

A month on, we were back to having a lot of conversations and diligence activities around new investment opportunities. Cybersecurity VC continues to have substantial opportunities because of the acceleration of digital transformation, cloud infrastructure, data engineering and other database applications that all need security and privacy protections to surround them. Many of these trends were already underway, but COVID-19 is an accelerant. For example, COVID-19 did not start the work-from-home use case, but it was perhaps at the 20%-30% user level rather than 100%.

As we look at the landscape today, we consider both the demand and supply side. On the demand side of the equation, we see estimates that growth in security spend will slow. In April, Gartner released adjusted growth projections that moved security spending from 9% growth in 2020 ($148 billion) to 4% growth in 2020 ($141 billion). But the bigger picture is that security spending as a percentage of total IT spending has moved from 5% to 10% in recent years, showing how important the sector has become. In my opinion, this will ultimately grow toward the 20% range, as security becomes more part of other technology initiatives.

On the supply side, we will likely see a healthy reduction in the total number of new company formations. There are some very niche players who have been attracted to cybersecurity as a “hot space” recently. These companies will probably not make it and go away for good. A reduction in the total number of companies in the ecosystem is probably healthy right now.

Dharmesh Thakker, Battery Ventures

With so many people working at home — and using more and different devices outside corporate firewalls — cybersecurity is likely becoming a bigger priority for many companies. A user’s actual identity, as opposed to the specific device they’re using, has become more important. Cybersecurity startups and other vendors are adapting to this new reality: CrowdStrike, for example, launched a flexible licensing plan that allows customers to surge the number of endpoints covered by the software for up to 60 days with no impact to existing license terms; the company also launched a freemium lightweight version of their product. A company in our portfolio announced month-to-month pricing for the first year of usage with hassle-free cancellations for any new customers.

Ultimately, the best companies will continue to innovate regardless of market cycles; focus on customer success; and emerge from this stronger than before. We believe the best companies have a combination of cloud-native and cloud-first products; frictionless go-to-market engines with a product-led and bottom-up approach, and an ability to leverage emerging channels such as AWS Marketplace to enhance distribution.