CyberWire Daily - Securing a Deal - Cyber Security Venture Capitalists on what they look for. A CyberWire Special Edition. [Special Edition]
Episode Date: November 29, 2016In this CyberWire Podcast Special Edition, we examine the current state of investment in cyber security, speak to experts in the field, and learn from top cyber security-focused venture capitalists wh...at they expect before they invest. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+. You know, the great thing about venture capitalists and entrepreneurs is they're pretty good eventually at spotting opportunities requiring deep technology-based innovation.
Cybersecurity has become a month app rather than an ice to have.
VCs are really expecting a roadmap to revenue, a plan to revenue.
There's no question that cybersecurity remains a hot industry.
That attracts investment. to revenue. There's no question that cybersecurity remains a hot industry and that attracts
investment. What are venture capitalists looking for and how do they decide which deals to make?
How did we get here and what's the outlook looking ahead? We round up some experts as well as some of
the top cybersecurity venture capitalists in the industry to find out how they choose and what they
expect once the deal's been made.
When you come to me, I want to understand the big vision.
I want to understand, you know, who's on the team.
I want to understand why your value proposition, your solution is particularly compelling. That's Robert Ackerman. He's founder and managing director of Allegis Capital.
They provide seed and early stage funding for what they describe as disruptive and innovative
cybersecurity solutions. I want to understand how big of a business you think you can build.
And I also understand what you think the capital requirements are likely to be.
And I also understand what you think the capital requirements are likely to be.
Now, look, this is an art.
It's not a science.
All of the numbers, the strategy, the tactics are all going to be subject to revision as you engage with the marketplace. But it's the way to begin to frame an initial conversation.
And so I'm basically asking you to give me a graph on a timeline that shows, you know,
here's what we need to do in engineering.
Here's what we need to do in sales and marketing.
Here's what we need to do in financing.
You begin to, at a very high level, paint a picture of how this business is likely to
come together.
It doesn't need to be perfect.
It just needs to be, what do you think today and why?
perfect. It just needs to be, what do you think today and why? And again, it's the starting point for a conversation with a potential venture capital partner. But you have to be willing
to demonstrate both a go-to-market strategy and a technology roadmap that is at least two years
in the future. Tom Kellerman is CEO and co-founder of Strategic Cyber Ventures,
a cybersecurity-focused venture capital fund in
Washington, D.C. And many organizations seem to think that their technology is sound and it's
perfectly developed and there's no need for any sort of adaptation or modernization of the
capability. And from my perspective, as having been a cybersecurity operator for 19 and a half years, I would
suggest that the adversary will always reverse engineer your technology and they will always
figure out a way to bypass it, just like you see with the advent of sandboxes being ineffective
due to sandbox evasion techniques in today's world.
And so when you consider that reality, please don't tell me that you don't have a technology roadmap because you feel like it's perfect.
Please acknowledge to me that you may or may not have been granted your patents.
And please try to shine a light on what you will do with that investment.
If I invest in you, how will you go to market from an engineering investment perspective all the way through sales and marketing. But when you speak to sales and marketing, highlight what industry verticals
you're going to target first and how. They think what they have is the best thing out there and
they can't see that there's other competitors. Tammy Howey is CEO of the Chesapeake Regional
Tech Council, a non-profit economic development organization in the mid-Atlantic region.
She's also a lawyer and has helped with the successful exits of over 150 companies.
They can't see that there's other people that are coming into their space because they think they're so great.
And they really need advisors, and I'm really big on having the right advisory board
that helps people that have invented something or that has a great company with a tech product.
They can help them in
all the verticals they need. They need to make sure they're legally sound, that they actually
own what they think they own. They need to make sure they're financially accounting for it. They
need to make sure that they are marketing it properly. And they need to make sure that the
rest of the world understands and, you know, that what they're selling is what they're selling.
Anyone who started their own company has heard this bit of advice,
network, network, network. Dr. Christopher Pearson is general counsel and chief security officer for
ViewPost, an electronic payment and invoicing company. Making sure that you are networked
into the right people that are in the VC world is critical. You want to do so before you need funding.
You want to try to meet,
sink in and get mentored by CEOs,
by VCs, by others that are in this industry.
You want to make sure you do that at least a year before you think
you're going to knock on anyone's door.
One of the things that entrepreneurs
really need to spend their time with
is planning their fundraising effort.
Who do they want to talk to
as prospective investors and why? And it's not just the firm, it's the individual within the firm.
You're looking for people that are focused in your sector, that have experience that you may
be able to connect with or allow them to connect with you. That will give them a frame of reference
through which to view whatever the startup proposal you have is, to the extent
that you're not targeting them, you're wasting your most precious commodity, which is time.
You definitely need mentors and sponsors to be able to support you in terms of making introductions,
getting in front of the VCs, and actually gaining and starting that relationship.
Don't cold call. Find a way to be introduced to that partner within that firm.
Frankly, all of us are overwhelmed with potential investment opportunities.
We probably look at 1,000 a year.
We make a half a dozen investments.
And I hate to admit it, but frankly, the companies that are on the top of the stack of things for us to look at are things that came in via referral from trusted sources.
You know, one of our CEOs or people we've backed in the past, other venture firms.
So once you work the process of getting down to that target list, you then need to figure out,
how do I get a warm introduction to the venture capitalists I want to talk to?
So I'm on the top of the stack, and I at least have an opportunity to tell my story.
Remember, the objective of that first meeting is to get to a second meeting.
It's not to close the deal. It's not going to happen.
But it's to get to a second meeting.
get to a second meeting. Of course, no deal happens in a vacuum. The investment environment can have a huge impact on how quickly the money flows, how VCs value a company, what they expect
to get out of it, and how quickly. For a look at today's environment and how we got here,
Christopher Pearson and Alberto Yepez give us a rundown.
In 2015, you had, you know, it was kind of a peak year for VC investment in cybersecurity. It almost,
you know, nearly $3.7 billion invested in that year globally. This year, about half the year
was only $1.6 billion. So folks are really thinking that there's some overcrowding here.
There's going to be some synergy and some collaborations and some mergers that need to happen because it is getting very, very crowded.
If you take a look at things made from 2012 until the present, there are some definitely
marked differences, especially when you take a look at 2012 versus so far what has happened in
2016. So back in 2012, you had something of 83 exits and five IPOs in that timeframe.
In 2016, you have 39 M&A opportunities in terms of exits and only one IPO.
So the IPO market has definitely become much harder to egress into, which for some VCs, that's an issue.
that's an issue. They may be looking at time horizons that are at the five-year in terms of an exit and thinking about how you actually push the company out there so you can get back
the funds at a 8x, 10x, what was put in, becomes an issue in terms of the IPO market
not being as accessible. In terms of M&A opportunities, you still see good amounts
of activity. Like I said,
I think 2015 was a peak year for cybersecurity investment. But when you take a look at things
to date in 2016, you see a little bit of a slowdown, a little bit of a drop off there.
So we're still raising significant funds in 2016, but the flow has been stifled a little bit.
And overall, if you take a look at 2012, perhaps, as being different from 2016, you not only see differences in terms of funding and deal flow and M&A and exits, you also see differences in terms of where those investments were made.
So in 2012 and for a year or two beyond, you saw still a lot of investments in the network and endpoint security area, kind of tried and true.
In that 2014 area, everything, you know, I can remember back to our RSA conference that year in 2014,
everything had a little sticker, so to speak, on it that was threat intelligence included,
threat intelligence baked in, we're a threat intelligence company.
It was kind of the good buzzword, the good keyword that folks were using as information sharing was popping up more and more, even though it had always been there. So you saw the market move from network
and endpoint into this threat intelligence world. Now what you see in 2016, a little bit at the end
of 2015, is this morph into behavioral detection or AI. The artificial intelligence, we're not necessarily there to AI.
We're more on automated cybersecurity or cybersecurity automation. But in 2015,
at the end of 2015, and definitely in 2016, you see a lot more deals, a lot more interest in this
AI, automated security, behavioral net flow types of area. And of course, cloud has been one that's, as there's been a push more to Azure and to
Google and to AWS, you see those options popping.
But you do see a shift from the traditional tried and true, prevent the infiltration to
a market that is more dominated by VCs looking at who's doing something sexy and cool with exfiltration
or behavioral or net flow analysis. So you do see a lot of shifts there from that, like I said,
from that 2012 to 2016 area. The groupings of acquirers has almost triple, if not quadruple.
That's Alberto Yepez, co-founder and managing director of Trident
Capital Cybersecurity, one of the largest funds that exclusively invests in cybersecurity companies.
Before, the only companies acquiring cybersecurity companies used to be cybersecurity companies,
like Symantec, McAfee, Checkpoint, the big ones. Then after that, the system companies like IBM,
Then after that, the system companies like IBM, Oracle enter the market to become acquirers.
Now what we've seen is companies that are in the industrial base,
companies like GE, Siemens, Bosch, enter the market and they're looking for acquisitions.
So almost a whole new category of players coming in and buying companies.
Then the cloud companies are also coming in
and looking for security.
Before people were just, it was AWS.
But if you look at the landscape of how Microsoft
is pushing, trying to get Azure to be comparable to AWS,
IBM is trying to figure out what their play is going to be.
Oracle has a cloud.
Google has entered the market.
So it gets very, very exciting.
So 2017, as I look ahead,
I think that we're going to see a few interesting selections
being made in network and endpoint security.
And those are going to be the folks that are using more of this automated cybersecurity,
more like the Taniums and Silo, Red Canary, those types of companies that are doing behavioral analytics, net flow analytics, automation and security there.
I think that threat intelligence, you're going to see a little bit more of a convergence there.
You know, companies are using one solution or the ISACs are using one solution.
And I think we're going to see a little bit of convergence there.
I think behavioral detection is, and that's where you get the behavioral detection slash AI,
that's going to continue to blossom.
I have a few worries there that we have too many companies that are at such a small size
that is actually creating quite a crowded market in
that space, quite a crowded market. And so I think what you're going to see is some strategic buys
in that area. So you have folks like Darktrace and LightCyber and others doing interesting things in
behavioral detection. But I think we're going to see even some convergence there. And I think that with the increased likelihood of, you know, kind of the big three sector to pop a little bit more than it has.
There are some good companies that are out there that are developing solutions in this space.
You know, definitely tracking folks like, you know, Argus and Bastille and ThetaRay.
But there doesn't seem to be anyone with any hold on the market.
I think given the attacks that we just saw now, what is it, three weeks ago, with the Dyn attacks
in terms of distributed denial of service attacks that were via
IoT devices, I think that we're going to see a lot more focus there as attacks
naturally morph into the home environment
or home impact. But definitely, AI,
automated security, behavioral analysis
and net flow, that area is going to be super interesting. Exfiltration, companies that move
right into that area entirely, kind of like in silo, I think is going to be very interesting.
And the IoT area as well.
So 60% of our decision is based on the team.
And it's not necessarily whether it's someone I want to work with,
although your gut and your blink is always giving you advice.
But it's really a question of the team dynamics,
the cultural fit of that team itself,
the honesty in that team themselves, the acknowledgement of the team and the leaders of that team, usually who are the CEO and CTO, that other team members
may be able to step up their game or may need to be replaced. You want to make sure above and
beyond anything else that there's a right cultural fit. If this is not someone that you want to be
on the phone with on a Sunday or a late night, early morning, or call in a crisis situation and ask for help,
you should not do the deal with them. A lot of times people pay attention to the deal terms and
let those override common sense, culture, and personality items. You want that person sitting
in the seat next to you when things get really hot, when things don't go the right way. You want the person sitting in the seat next to you when things get really hot, when things
don't go the right way. You want that person to be someone that you can talk to, that you can
relate to, that you can have a business and a personal relationship with. And don't look for
somebody that just looks exactly like you. Look at someone that has more experience, that is going
to challenge you, but you could work with. The process of building a company is anything but a straight line.
That's Bob Ackerman.
In order for a venture capitalist to be effective in working with a team
and hopefully bringing their experience to bear
and helping that team get through the minefield,
which is inherent to every startup,
there needs to be chemistry.
There needs to be a connection.
You need to be able to talk to each other. There needs to be trust. If you don't,
you're inevitably going to end up with an antagonistic situation where you're working at cross-purposes, and that only increases the risk of building your company.
The willingness of that team to acknowledge their own deficiencies and to complement their competitors is paramount.
So many times I've gone into organizations who poo-poo and disregard their largest competitors
without doing a feature-based comparison and acknowledging some advancement by a competitor
that they themselves should attempt to achieve?
From a venture capitalist perspective, first, second, and third, we invest in people.
We like big markets. We love differentiated technology. We value compelling,
differentiated solutions. But at the beginning and the end of the day, it's all about investing
in people. And so it's the background of the people, it's their temperament, it's their personality,
but it's also, can you establish that trusted relationship?
Speaking of people, sometimes there's one person in particular who can slow down a deal or even kill it.
A reluctant founder holding on too tight.
If you plan to bring in a venture
capitalist, you better get over control and you better understand that you're going to be sharing.
The best venture capital investor partnerships are ones where there truly is a partnership.
Owners always get in their own way. Tammy Howey. Nine times out of 10, you know, you are passionate.
That is your baby. That is your child, that's not just for cyber companies.
Every CEO thinks they can do everything. But the true smart CEOs and the serial entrepreneurs that
have been out there hire people that are so much smarter than them in certain verticals so that
they can get out there. Everybody's capital spends the same. What you're looking for is over and
above the capital, what resources, what experience, what network
can a venture capitalist bring to the business that helps mitigate risk and improve the probability
of success.
That comes at a price, and that price is, you know, equity.
And so, you know, you will receive investment capital, but you're going to suffer dilution.
So again, you're back to, you know, an equation where you're trying to optimize're trying to optimize what you're getting and what you're giving in return. I think one of the real mistakes
that entrepreneurs make, and I can say this as a two-time entrepreneur myself early in my career,
is insisting on control. Control is an illusion. You have influence,
and what you want is the people sitting around the table with you
who can bring complementary skills and experience and networks
to the problem-solving that is inevitable in building a company from a concept.
Control is a false sense of security
because you may be controlling a small island,
but if you really want to go after the global opportunity, you have to open up and trust the people, the same
way you trust people that come in and help you build the product and your executive team
is the same way you're going to add members of your board and investors.
So my biggest advice is control is elusive and it's very hard to relinquish.
But at the end of the day, you have to trust people that have alignment with you.
If you are the CTO and founder and you're wearing the CEO hat, you should be willing to
take that load off of your shoulders. You should be willing to unburden yourself and someday hire a professional CEO, someone who has run
corporations and organizations before to come in and serve as your partner so that you can focus
on what you are best at. That is their Achilles heel. You're holding on so tight to their baby,
they don't want it to go away to college. They need to appreciate the fact that their technology
needs to grow. Their organization needs to grow.
They're having the conversation with us and others because they want just that.
They should appreciate that the value of their creation and historical impact of their creation will be far greater once they allow it room to grow.
to grow. And they can only achieve that by acknowledging that they need to give up some semblance of organizational control internally so that they can create a far more global team.
That's one of my biggest challenges over the years with my clients is I have to tell people,
this is not your child. It is a business decision. So as soon as they can let go of this product,
this company being their child, and they view it as a business person, the deal always goes so much smoother.
If you want to be good in our business long term, you develop a BS detector really, really quick.
That's Bob Ackerman. He says there are some common mistakes people make when they're looking to engage with a venture capitalist. I think that one of the real challenges for a lot of entrepreneurs is it's proclivity to come in with perhaps a little more hubris than is constructive.
There are things that we all hear all too often.
We have no competition.
Everyone has competition.
It may be a direct competitor. It may be a direct
competitor. It may be competition for budgets, but everybody has competition. Identify those up front.
Take control of that challenge and own it, if you will. The next mistake I see people making is,
of course, our financial projections are conservative. I have never had anyone come in and say,
our projections are just wild-ass guesses.
Inevitably, people come in and tell me,
you know, these are all conservative.
You don't need to go there.
Just talk about how you see the business coming together,
what the thought process is, you know,
behind the financial projections you have,
what the variables are,
and where you came down on those variables. Again, what you're trying to reflect is that you are a master of the subject matter, that you've thought about the business, the variables in building the
business, that you know what the knowns are, but you also can identify what the unknowns are,
and engage the prospective investor in a conversation.
If you engage them in a conversation, you begin to build a rapport.
You begin to develop a plan or a shared vision around the business opportunity.
And that goes a lot further than walking in with,
we've got all the answers, nobody can teach us anything,
we have absolutely no competition,
and by the way, there's 13 other guys
that I'm going to be meeting with over the next two days.
The financing will be done by the end of the week.
When you start making those kinds of statements,
you just undermine your own credibility.
Do your homework.
Not all venture capitalists are equal.
I made the same mistake when I was an entrepreneur.
I would just try to talk to every single venture capitalist that wanted to talk to me.
It's good for practice, but it may not derive a lot of return.
There are groups that are specialists,
and I would go to people that understand the industry to try to get funded.
It's a short list, but you're better off because even though they decide not to invest,
they'll give you some very good feedback. Make sure that you're going to choose a venture fund
or an angel investor who can add value to you beyond just writing a check.
That's Tom Kellerman from Strategic Cyber Ventures.
Really understand what they've done in the past.
Look at their current members of their portfolios.
There are a lot of venture capitalists out there, as well as strategics,
that may have already invested in your competitors who are not telling you this
and are only sitting there with you to
conduct a brain drain exercise, or they just want to invest in you at a small amount to ensure that
they've cornered the market on that security control. Be wary. Look at who they've invested in.
I'm going to go to market strategy. Pick two industry verticals that you think you can make it rain in, if given the right team, if given the right resources, and explain fully how you would deploy those and over what period of time from a staffing strategy perspective.
Acknowledge your own weaknesses and speak to how you could see yourself improving both your leadership and your strategy, and finally, your team. If you have to give up the
reins as founder to become the CTO and founder, you should be willing to do that if you have the
right chemistry with the CEO or COO that you bring in. Well, my first advice is you should plan from
day one for your exit because there's certain things that happen at your exit
that if you haven't planned for at the beginning,
then you will not be able to sell your company
at the price you want to
and you will not be able to go public.
So when you first start your company,
you should figure out,
am I gonna be an exiting company
or am I gonna be a lifestyle company?
And then as you go along each year in your planning,
you should say, okay, are we going to be an exiting company or a planning company, you know,
or, you know, a lifestyle company. And if at any point in those conversations, you decide that you
are going to have an exit, then you need to make sure that you get real accountants in the door
and have your accounting up to par because you're going to have to, if you get sold to a public
company, you're going to have to roll your financials into that public scope and you need to make sure that you are tight on
your numbers. And you also need to make sure that you have a board structure and an advisory
structure that is attractive because you can have the greatest product in the world. And if people
don't believe what you have is great, then they're never going to be
interested in buying you or taking you public. So I guess the two most important things I would say
is make sure you have a great board or advisory board and also make sure that you have your legal
house and your accounting house in order. Building a startup is a lot like crawling
through a minefield in the middle of the night. You know, there's two ways to get through it.
There's the Braille method, which has a relatively high level of attrition.
You're likely to get something blown off.
Or you can go find a map.
In a domain like cybersecurity, which moves so quickly, you need to find a map.
You need to have somebody who can help you run through that minefield.
Because if you have to stop, if you
have to get on your hands and knees, if you have to crawl, you know, game, set, match, you inevitably
lose. So this is an area where, you know, advice to the entrepreneur is, you know, you're looking
for an experienced cybersecurity investor that has been working in this space for years,
that has the experience, that has the network,
that has the customer relationships,
that can help you build out a team,
that can keep you off of those mines as you run through the minefield.
We do all of that because we want to see them grow.
And we're not just trying to flip companies or crack a whip on them
and force them to grow quickly.
We're in this for the long haul.
And we just want to become members of their team. or crack a whip on them and force them to grow quickly. We're in this for the long haul.
And we just want to become members of their team.
Not coaches, but members of their team.
So just see us as an added franchise player or two on a football team that's going somewhere.
And that's our CyberWire special edition.
My thanks to Bob Ackerman, Tammy Howey, Alberto Yepez, Tom Kellerman, and Christopher Pearson for being a part of our show.
Be sure to check out our daily cybersecurity news brief and podcast at thecyberwire.com.
The Cyber Wire podcast is produced by Pratt Street Media.
Our editor is John Petrick.
Our social media editor is Jennifer Iben.
And our technical editor is Chris Russell.
Our executive editor is Peter Kilby. And I'm Dave Bittner. Thanks for listening. Thank you. and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.