CyberWire Daily - Tech Investment Strategies and Overview [CISOP]
Episode Date: December 23, 2025In this CISOP episode of CSO Perspectives, Host Kim Jones sits down with John Funge, venture capitalist at DataTribe, to explore how investors view the cybersecurity landscape. Kim reflects on the ten...sion between innovation, profit motives, and the real needs of security practitioners—raising questions about whether the industry prioritizes mitigation over true solutions. John offers a candid look inside the VC decision-making process, breaking down how teams, market fit, and long-term defensibility shape investment choices. Together, they examine how founders, investors, and CISOs can better align to drive meaningful, effective security innovation. Want more CISO Perspectives? Check out a companion blog post by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter, building full-stack zero-trust networks from the ground up.
Trusted by security and network leaders everywhere, meter delivers fast, secure by digital.
design and scalable connectivity without the frustration, friction, complexity, and cost of managing an endless proliferation of vendors and tools.
Meter gives your enterprise a complete networking stack, secure wired, wireless, and cellular in one integrated solution built for performance, resilience, and scale.
Go to meter.com slash CISOP today to learn more and book your demo.
That's M-E-T-E-R.com
slash C-I-S-O-P.
After certain particularly long weeks during my years as a C-S-O,
I would need to sit and contemplate a question.
Is the cyber technology industry working across purposes
to that of the cybersecurity profession?
profession as a whole.
Specifically, has the cyber industry decided that they would rather sell mitigation as opposed to
solve the problem?
We've seen this at times in other industries, such as health care, where it's so profitable
to sell palliatives that some providers appear to have decided that it's less important to
cure diseases than it is to sell mitigations.
While I do not assume altruism and nobility are the primary drivers for all cyber professionals,
sometimes it seems as if the cyber technology industry allows its focus on maximizing profit
to stand in the way of advocating for innovative yet incredibly useful tools and solutions.
This is to the detriment of the consumer, our clients.
Case in 2015, I had the privilege of working with a small tech,
tech company based in Australia.
The technology in question looked at the problem of establishing identity differently than
anything else I had seen and could do so at low cost in a way that would virtually
eliminate certain types of fraud.
I sat in on a pitch meeting with a venture capital firm that was run by a former CEO of a
security technologies company.
The technology partner of the VC firm, a former security technology CTO, had spent days
understanding and testing the product
and found that the Australian company's
claims were, if anything,
understated. The technology
did what it said it would do
and more, which
is why the VC firm refused
to offer funding or support.
As the firm's founding
partners stated,
your tech would destroy at least one third
of our portfolio.
The technology partners shook the hand
of the Australian company's founder and
closed the meeting with the following words.
No offense, but I hope you get hit by a bus on the way home.
Cut two, almost ten years later.
Technology companies and their investors are now clamoring to solve the very same problem
that this small Australian company solved a decade ago.
Sadly, though, that solution is no longer available.
After hearing essentially the same answer from all potential investors,
the Australian company was forced to fold its tent.
This was a grave disservice to the millions of users impacted by credit card fraud every single year over the past 10 years.
Folks, I don't work for free and I have no objection to making money.
That said, I hope it can never be said that I have let little green pieces of paper overshadow what I believe should be the primary mission of everyone in cyber.
Our job, simply put, is to keep people safe.
If you prefer a less altruistic and more business-like answer,
our job is to minimize the probability of material incidents within the organizations that we serve.
It's time for CSOs and other cyber professionals to start demanding more of our industry brethren's.
Let's stop accepting tent control updates to technologies as innovation and start pushing for true solutions.
My two cents.
Welcome back to C-So Perspectives.
I'm Kim Jones, and I'm thrilled that you're here for this season's journey.
Throughout this season, we've been exploring some of the most pressing problems facing our industry today,
and discussing with experts how we can better address them.
Today, we're diving into how venture capitalists see the cyber landscape.
On today's episode, I'm excited to sit down with someone who brings a very different perspective
from that of old security guys like myself.
John Fungge is a venture partner with Data Tribe and has been on the investing side of security for many years now.
Throughout today's conversation, we break down how venture capitalists see the cyber landscape, how they go about determining what businesses to invest in, and what some of the common challenges are that they face.
So we have mutual friends, but we actually haven't talked before this.
So would you take some time to introduce yourself to my audience and tell me a little bit about John Fung, please?
Sure, sure.
So I am a venture capitalist, and I work with Data Tribe.
And if I go sort of all the way back to the beginning of my career, I started as many do as a software engineer for a few years.
And pretty early in my career, I got the sort of startup bug.
And through the startup process a few times where I've started, built and sold three companies.
And then I met the founders of Data Tribe, and one thing led to another.
They invited me to join the firm in 2018, and that sort of brought me to the other side
of the startup table.
And so I've had the pleasure of being able to do that.
And then since that point, I've been swimming in the waters of early-stage cybersecurity startups.
And, you know, Data Tribe is an investor in N2K, and, you know, I've certainly been a huge fan of all the different Cyberwire podcasts, and I usually am on, I like to think of myself as being on the other side of the mic, but this side of the mic is fun as well.
Fantastic. Fantastic. So I want to take this conversation.
a little bit atypically from a founder's perspective or a venture capitalist perspective.
I want to take it from the perspective of an operator, which I have been for many years in the past,
and try and get an understanding as to how decisions are made in terms of what type of innovation to invest in.
And let me caveat that a little bit, John.
I know there's obviously a business component
and a financials component
and a viability component associated with that.
That's a little bit beyond the scope of where I want to go.
What I want to get at is I have seen in my limited experience,
that's sarcasm.
I've been doing this for quite some time.
I've seen in my limited experience good technologies
that would solve problems that I have
not be able to get to the table.
And I've seen in many cases
other technologies that I describe as tint control
all of the old Bloom County.
Thank you for getting that reference.
As tint control upgrades
immediately get piled into funding.
And in one case,
it's one of the examples I use
within one of the lead-in essays for this episode is, you know, we're now looping back
attempting to solve a problem that a technology that was roundly rejected by various VC firms
10 or 15 years ago, we're now attempting to solve the problem with lesser technologies
today.
So what I'm really trying to get into is outside of the business components, which are obviously
important, I get that.
how do you all make decisions on what problem that you wish to solve or help me solve out in the environment?
Can you talk to me about that, please?
Well, you know, it's interesting.
If you were to look at it as a pie chart, I'd actually say, and this varies depending upon the sector that you're working in.
But at least in cybersecurity, while the technology is important, it's probably a minority.
of the calculus that goes into,
particularly at the very early stage
of a decision to make an investment.
And when you are investing in an early stage startup,
you really are going into business with that team.
And so part of the due diligence of that
is to really sort of think holistically
about a number of factors
that are kind of outside of both
even the sort of the business side
as well as the technology side.
So thinking about
a lot of it has to do with
is the collaboration
with this particular group of founders
really good between the investors
and the founders?
Is the group of founders,
do they represent
unique capabilities?
So a lot of times there's really good ideas.
And then the next natural question,
after you look at a really good idea is to say, well, why this team? So there's sort of a concept
of kind of a founder market fit along with the market opportunity, the market opportunity itself.
Sometimes there's really excellent technology solutions, but they don't necessarily lend themselves
to a excellent business opportunity. Either the market might not be big enough. And generally speaking,
and this kind of gets into just the business of venture capital.
And, you know, when you're making an investment as a VC,
and by all, you know, by all means VC is not the only way to create a great company.
I mean, there's a lot of excellent entrepreneurs and excellent startups that get created, you know,
without venture financing.
It's one way.
And it happens to be maybe, you know, in tech media, you know,
know, it can be a lionized a bit in a way where it makes it seem to founders.
Like, that's, you know, maybe like the best path is the only path.
But you're looking oftentimes for a home run.
I mean, it's very much a power law business.
And so every time you're making an investment, you're really looking for a huge opportunity
or something that, like, at least at the very beginning, when you're considering the investment,
you have conviction.
And this is a word that gets thrown around a lot, but you really do feel it.
Like when you are going through the process of meeting with founders investigating the market,
investigating the competition, investigating how they're going to go to market, you really start
to develop a belief, a conviction in the opportunity.
But yeah, you have to have a conviction that's a really, really big opportunity and that this
team is world class in that and that they have something where they can create truly
differentiated and defensible position in the medium long term. I mean, so there's a lot of
kind of factors in there. And there's subtle things. Like one of the things that's really subtle
that, you know, we and by all means, we are not perfect at this and we will, you know, kind of
routinely look at opportunities and say, you know, was there something about this that we missed?
But one of the things is how the company gets integrated.
or the technology gets integrated into the environment.
So, for example, you might have a startup where it's largely maybe a threat intelligence
or a data offering where, in essence, the delivery involves maybe a login or a very
simple API integration.
That's very, very different than if you're kind of going to market with a product that
demands every employee in the company reinroll in the way that their identity is managed
or you have to do some sort of deep integration into the security tech stack that might take
months of time and much bigger lift. Those two paths alone can influence a decision to make an
investment or not because we look really, again, we're looking really hard at what is the path
for this startup to take whatever it is they have today,
continue to improve upon it,
and then achieve the maturity milestones
that they need to achieve with the amount of capital
that we are going to give them
and or other investors are going to give them to get there.
And usually for most startups,
that's, you know, give or take 18 to 24 months
of quote unquote runway.
And in that amount of time,
they have to kind of with wherever the starting point is.
So there will be some kind of starting point with their product, and they have to take that
and kind of either complete the product or if the product is more complete and kind of ready
with a minimum viable product or something that's ready to go to market.
They have to find those initial customers and get those initial customers to kind of pay
and use the product at a level where you can really demonstrate enough of the product
market fit in order to really justify a next round of funding. And it's hard. I mean,
it's really hard to do as a founder. It's really hard to do as investors. And cyber,
in particular, while on one hand, cyber is not unique in that there are other verticals that
are kind of equally as crazy in terms of the number. So like, I don't know if you've ever
looked at the Martec space, but Martech is a little bit like cyber where there's just a
a billion companies and the typical large enterprise has like 50 to 80 tools they use,
et cetera.
So, you know, cyber is not unique in that sense.
But it is, I think, unique in the sense that cyber, the pace of innovation and change
is spurred by adversarial activity.
And that makes it in a lot of ways just really unique and interesting.
Let me duck in here.
Because that particular line leads me to another question that I want to be probative on.
So first, so far, this has been a great primer, and I appreciate this more than you know.
One of the challenges that I see within the environment, you know, understanding that this is not a charity and understanding that we need to make sure that we're making sound business decisions as we make investments and that I would.
would expect any investor to do that with the capital of investing the same way I do with my
personal portfolio within the environment. That's not an unreasonable issue or an unreasonable stance to
take. The challenge that I have in some cases is for many years, decades, in some cases,
the industry of cybersecurity has placed itself or wanted to place it,
itself as another partner to the profession, both terms used in big air quotes, of cyber security
and versus that adversarial relationship that can occasionally exist between toolset and
solution providers, et cetera.
When that relationship became almost untenable, and particularly now, as we're seeing
the pace of change increase, there has been a push or movement to say we need to lean into
innovative startup type solutions out there to look for those to solve the problems that we're
trying to solve that any of the institutional players are struggling with, aren't doing as
quickly, in some cases can't solve. The challenge that I have, though, as I look at both of those
areas, is I understand all of the pieces you're saying, John, that go into this, but I've been in
the room in a couple of cases within VC meetings where they have walked away from solutions
that I need, that solve problems that I have, and the main reason behind it in one case was
quoted by one person who said, you'll destroy the rest of my portfolio if you implement this
solution. And now I'm still struggling with the problem. So it's kind of difficult for me to
look at entities like yours as a partner when you're walking away from solutions that I need
within the environment.
So how do we reconcile a reasonable need?
And I want to emphasize that term to you and my audience,
an absolutely reasonable need for you to make sure
that you're investing soundly within the environment
and that you have the ability to not only destroy
and not destroy other investments,
but to build and grow your portfolio
with a need that I'm looking to folks like you
to help me solve problems that I can't solve.
You're walking away it feels like.
You're walking away.
from solutions that I need.
How do we inject ourselves into that equation
so that we can become more partnered
in trying to whoop up on the adversary,
which is what we're all trying to do.
Talk to me, if you would, please.
Am I making any sense, by the way?
I'm not trying to poke at VCs.
It's not worth here for.
You're making a lot of sense.
And I think, so, you know, one of the things
I think that you're touching on, Kim,
is that there's a slight, you know,
slight bit of daylight to some extent
between the incentives of investors and the incentives of the vendor
and the incentives of the customer and practitioners using the technologies.
And the more they're aligned, the better.
I mean, in theory, it's the success, you know, in kind of wording off adversarial activity
and reducing cyber risk, you know, to the extent that that's a success for the customer,
that's a success for the vendor.
And then in theory, the company that's doing that should succeed.
And then that would hopefully propagate into investment returns for their investors.
So for sure what happens, and it's interesting because you have a compelling sort of case there where, you know, sort of what sounds like a very promising technology didn't end up getting backed.
And you say, well, why is that?
And well, one thing is, is this is just something that investors in general, and I don't
know the particulars of that situation, but investors in general don't invest in startups that
somehow compete with their current portfolio.
So that's, and there's a lot of good reasons for that.
But basically, you just don't want to have a conflict of interest where, you know, you're sort
of really trying to your best as an investor to help your portfolio company.
succeed. Again, looking at individual decision versus just sort of how the whole system
in theory is supposed to work. Like what it's, you know, it's interesting when you sort of think
about like what's happening if you bubble it up in aggregate. So like what happens in aggregate
is that when a company, when a startup is going to market to raise venture capital, what they're
doing is they're making a little market. And that little market, and it might be 10, 20, 30,
funds is assessing whether that opportunity looks like the best use of their capital.
And based on their background expertise, they're putting money on the line.
They're saying, okay, I mean, there's nothing really more pure in terms of conviction
about a trend than people putting actual investment dollars on the line.
So definitely see or understand conceptually what you're, you know, what,
you're talking about makes sense to me and yeah you would want to do that particularly as you know
you're investing significant amounts of cash with you know within the area i guess what i'm trying to
get to is where is the in it where in this process is the injection of okay i've been doing this for 40
years there where do you consult with people who've been doing this for a while to say not only is
there are market, but are we looking at the addressable problem sets out there, that these are
the problems right now that old gray hairs like me are facing right now? And then adding to that,
how is this look five, ten years down the road? And is there an addressable market space?
I'm trying to understand where in that calculus is the injection of...
Practitioner input. Yes, thank you. That's what I'm trying to spit out.
So,
I'm going to
Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch?
What if you could build the hardware, firmware, and software with a vision of frictionless integration, resilience, and scalability?
What if you could turn complexity into simplicity?
Forget about constant patching, streamline the number of vendors you use, and, and you use.
reduce those ever-expanding costs
and instead spend your time focusing
on helping your business and customers thrive.
Meet Meter,
the company building full-stack
zero-trust networks from the ground up
with security at the core,
at the edge, and everywhere in between.
Meter designs, deploys,
and manages everything in enterprise needs
for fast, reliable, and secure connectivity.
They eliminate the hidden costs
and maintenance burdens, patching risks,
and reduce the inefficiencies of traditional infrastructure.
From wired, wireless, and cellular to routing, switching, firewalls, DNS security, and VPN,
every layer is integrated, segmented, and continuously protected to a single unified platform.
And because Meter provides networking as a service,
enterprises avoid heavy capital expenses and unpredictable upgrade cycles.
Meteor even buys back your old infrastructure to make switching that much easier.
Go to meter.com slash CISOP today to learn more about the future of secure networking and book your demo.
That's M-E-T-E-R.com slash C-I-S-O-P.
Here's the thing.
that due diligence, right? So, and it's, again, if you're a startup, you're going to go talk with
a handful, you know, or more. And so there's a bunch of people that are kind of all looking at it
hard. And in some ways, like, again, in theory, this is really testing the validity of the
idea. But the way we do it, and different firms do it in different ways. But we, you know,
we have a CISO network of about 30 CISOs. And when we are making an investment every single
time, we will engage with, you know, five to ten of our, you know, members of our CISO network,
as well as we'll engage with prospective customers. Like so, for instance, one of the things that
is very, you know, if you're a startup and your, and your prospective investors do this, it's usually a
pretty good sign. And it's also a pretty graceful thing where they will introduce you to people
they know that could be prospective customers. And so we will actually,
go ahead and arrange meetings.
And for the startup, even if we don't back the startup, that adds value to them because
it's like, wow, that was a valuable introduction.
I just got introduced.
For a lot of a better term, it's free consulting.
Exactly.
And those introductions, you know, you know how busy Sissos are.
I mean, they can be very hard to get those meetings.
And so 30 or 60 minutes with somebody, you know, at a Fortune 500 company who is a SISO
to provide you feedback.
And what we do is we'll facilitate that meeting.
and then we go in there and just shut up and listen.
And so we're doing that exact thing that you're saying
is that we're attempting to get that practitioner input on the problem domain.
Now, there are times.
Like we have had situations where, you know,
because our headlights,
because we are oftentimes investing at a, you know,
maybe the company doesn't have even a product yet
or they don't even have revenue,
they're very, very baby, baby companies,
we may be looking at a trend or something that is like further in the future than the immediate agenda that a usually a sissos working more in like a 12 to 36 month horizon whereas we might be able to thinking more along the five to 10 year horizon right so it's sort of there's a little bit of a judgment call that that you need to make in terms of saying okay like is what this startup doing aligning enough with what we're hearing articulated as as a as a demand in the market but
At the end of the day, we can't do, we just don't have the resources nor do any of VCs to do, you know, interviews with hundreds of people.
So we're ending, so and startup founders do it and investors do it.
We end up making really important decisions on a small number of high fidelity data points.
And then we grok that against our other due diligence and understanding of the market.
But your point is, Kim, is super, is super valid and super important.
Like if that company, when they have, you know, whatever that product is, when it's done and ready to go, like, if they don't have willing customers that are open to buying it because they recognize there's a valuable problem.
And a valuable problem, we have to be clear, it's not just like a, and this is, you know, the kind of cliche, is it a, is it a kind of a medicine or a vitamin?
Like, it has to be something where the prospective customer will literally.
stop what they're doing and make time.
Like, this is so interesting, and the value proposition to me is so compelling that I'm
going to, like, block out a meeting for it.
So it has to be a super compelling type of thing.
That makes sense to me.
So let me take another tack on that.
You mentioned something in terms of time horizon within the environment.
You're right.
I'm going to say something that I said before that will probably be controversial among
some of my listeners, but it needs sense.
saying. Most strategic CSOs aren't really strategic. They're really operational within the
environment. And in many cases, what they're calling strategic planning is changing the word
operations plan and putting the word strategy on it. Finding strategic CSOs out in the wild
is hard because we tend to play whack-a-mole. And even when we do find strategic CSOs out in the
wild, finding ones who can look beyond that time horizon that you mentioned earlier,
John, is what, maybe one in 10,000.
So my question to you is, how do we get better at that so that we can provide better input
to folks like you so that we can create more of that alignment and close that gap
between where you're going and what we need?
How do I do that?
Yeah, I mean, I think, so there's definitely opportunities, you know, and I've certainly
I would invite, you know, invite Sissos that would be interested to, you know, to engage with
data tribe. But, you know, usually there's this incredibly sort of complementary and valuable
exchange of points of view in these types of conversations where we can help SISOs to really
see what's kind of coming down the path in that longer term horizon. Because that's what we're all
I mean, that's what we do, think about all day long.
And what Sissos can help us with is to tell us where, you know,
where we're seeing mirages and help us stay grounded in the ground truth of, like,
the reality of the enterprise.
And because, you know, venture investors, we spend a lot of time thinking about
kind of getting these technologies into production and there's nothing more valuable
than the folks that are actually.
in the seat telling us for sure, hey, you know, so whether it's with Data Tribe or another
venture firm, I would definitely encourage SISOs and, you know, you'll find investors are
pretty receptive to, you know, and whether it's through a formal kind of SISO network or it could
just be through informal coffees or it could be other types of kind of conference or meeting
settings. Some venture firms will organize periodic dinner events to get together. You'll pick a,
you know, you'll pick a topic and kind of trade thoughts and notes. But, you know, there's a lot of
different formats and ways to do it. But it's kind of, it's easy, I think it's easy to sort of say
at the high level. I think the hard part is finding the time because it's so, everybody is
so busy. CISOs tend to complain regarding the disconnect. But it,
If we don't make the time to bridge that cap, how are we going to make it better?
Yeah.
So, you know, the – and I say this to my audience.
For every one, in fact, I've got three sitting in my email, and I haven't been in the chair in a while, but I'm an old security guy.
So every now and again, people ping me.
I've got three invitations for a telephone meeting, a Zoom meeting, and a dinner.
I'm at least going to go to the dinner.
Free steak.
I'm a big guy.
Yeah.
Yeah, if we don't make the time to do that, it's not going to get any better.
So as these opportunities come up, because you're right, we see them all the time, and the issue is time, there's a value proposition to close that gap for us to say, figure out how you're going to provide that feedback loop, but don't just fart it off, which is what a lot of us do.
Yeah, yeah.
No, and that's the thing.
It's finding that time and kind of doing it in a way that fits with your routine.
but, you know, it kind of delivers value.
And so that would be something I, you know,
think is a pretty low-hanging fruit opportunity.
Awesome, awesome.
I got two more questions for you than I'm going to be respectful of your time.
I really, seriously, this has been hugely helpful.
You have no idea.
I really appreciate you.
The first question is probably a little more provocative.
I just finished Ezra Klein's book, Abundance,
within the environment.
there's a section in there.
I can't remember the chapter,
so I'm closely paraphrasing,
don't quote me on this,
where he talks about the
tamponing down of innovation,
particularly within the academic field.
He uses the example of MRNA,
which became the foundational piece
for the COVID vaccine,
and how the woman who had actually initially
done the research on that spent 20 years
not being able to get
grants, not being able to get recognition to the point where she had shelved it when we have
that opportunity to potentially get ahead in some of these solutioning for some of these things
because it was too far off from what the standard mainstream was looking at. Thus, my analogy
to Bloom County's Tint Control, that academia and academic research in many ways we were making
tint control changes in expected and accepted avenues of research before rather taking a 15 degree
avenue off from that in looking at something that's truly new and truly innovative, etc.
I'm curious, are you seeing, sensing, feeling, experiencing as a founder a similar tamponing down
of innovation
or is really the sky of the limit out there
and it's just a matter of the business models behind it
within the space you're in now. Talk to me.
Yeah, it's interesting.
I think, you know, it's funny
because we operate in a small,
you know, sort of small, relatively small corner of the economy
and so you can have broader, you know,
broader macro trends with regard to, you know,
you know, kind of deep tech R&D, you know, cyber is a, cyber is a very active market.
It's, it has been growing faster than the economy by a fair amount.
It's not growing as fast as AI.
I mean, AI is the, you know, and at some point we'll have to sort of lose the AI moniker
and just kind of everything has AI and it's go back to a different taxonomy.
But, you know, like in the last quarter, just under 50% of the venture capital, you know,
in the U.S. full stop, went into some kind of AI-related opportunity.
But, you know, cyber, there continues to be a very rich kind of bubbling caldron of innovation.
And, you know, in a lot of regards, the way, you know, I look at it and others is that cyber innovation really is a function of other digitalization, right?
So, like, as the rest of, you know, as robots come online, as autonomous vehicles come online, as, you know, as you have, you know, AI assisted processes, AI development, there's these new attack surfaces that continuously getting created.
So, so I'm going to push you a little bit on that one.
I can see what you're saying, but isn't that fundamental attitude, which is not unnecessarily unreasonable, stifling,
our innovation within the environment.
Is that the reason we haven't solved fishing?
Is that the reason we haven't solved identity?
Because we're looking, you know,
there are fundamental challenges
within the realm of cybersecurity
that we have been working on
for my 40 years military and civilian
within the profession that we haven't solved.
And is it because we're waiting to anchor
some of these solutions around new attack surfaces
versus just, look, let's just solve the damn problem.
I'm curious.
Yeah, no, I sort of think, if I were to,
I look at it, you know, there's, there's so many, so many sort of pieces to this.
So let me see if I can boil it down to a couple, a couple succinct thoughts.
One of them is, is that there is a true, you know, sort of weight to making these big changes you're talking about.
So we've looked at opportunities where, you know, the startup will be proposing, we're going to, we're going to completely blow up the SIM.
Like, you're, you know, we're going to go in and it's going to be a,
a totally different tech stack.
We're going to take 20 or 30 tools out of the,
you know, out of the enterprise and replace it.
Now, that might be the kind of profound change
that's actually necessary to really impact the problem
in the way that you're thinking about, Kim.
The challenge with that is that it's really, really hard.
Yeah, it'll never sell.
And it's really hard to build a business around that.
And so there's this inertia.
It's a little bit like, I mean, on a micro level,
inertia that gets built up around like an email address. Nobody intended email addresses to be used
the way they are. But like, you know, you've got 200 accounts tied to an email address and it makes it.
So now like enterprises, they've got all these tools, 80, 60, 80, 100 tools. The inertia of making
any kind of massive change to that is, um, is incredible. So that's what I guess one point I think is
is kind of auguring against the type of profound change you're talking about. And that's a fair point.
Yeah.
We do, you know, at, at, at, at, at, at, at day of tribe, we spend a fair amount of time.
So we, we, you know, are partners with, with, uh, the Carnegie Mellon Sci Lab.
And, um, they are an incredible organization.
I don't know if you know much about them, but they, they, they, um, really do some incredible.
One, and one of the things I've, I'm always impressed with the research that they do there is that it's very, um, it's very relevant.
very over the horizon, but not so far over the horizon that it's like science fiction.
And that's the balance that's really tricky.
But there is, even in our collaborations, you know, we've looked at a couple of opportunities
out of Carnegie Mell very closely, came very, very close to investing in one.
And they, there is a true funding gap.
So if you look at Data Tribe as an investor, right?
So we are a foundry, and as a foundry, in addition to capital, we provide a whole ecosystem of support, you know, kind of people that are expert entrepreneurs to help with the founders.
You know, we have other resources, literally a facility that the companies can work out of.
And we nurture our number, including our CISO network, we nurture an ecosystem of networks that we plug the startups in, all of this design to help them just succeed, go fast.
and to kind of lower their chances of failing,
half of the companies that we invest in
probably don't have product even when we're making,
you know, making the investment.
And we're high conviction.
We'll make a, you know, we'll invest, you know,
$2 million, $2.5 million into a company
that doesn't have a product.
And that's very unusual.
Yeah.
We're about as early as you get in terms of VC.
It's a long way of saying that.
And even as early and as optimized as we,
for working with deep, deep tech founders,
there's still a bit of a gap
between the readiness of an innovation
coming out of an institution like a CMU
and be really being ready to get into that mode
of like, okay, we're going to go from zero
to a million dollars of annual recurring revenue
and 10 referensible accounts in 18 to 24 months.
And so that's a real problem.
I'm, you know, certainly not, you know, there's many, many people that have thought a lot more about that kind of innovation funding gap problem.
You know, I think it's out there.
I mean, I do think that increasingly, like, organizations and VCs are getting better at kind of helping those founders in the university environments and other labs as well.
I mean, we also look at the intelligence community as another place where there's really interesting, like super over the horizon innovation happening.
And oftentimes there, the innovations are kind of being put into like a production application.
So it's even more close to sort of ready for kind of putting into a product.
But it's, yeah, so those two things.
I think there's a huge inertia that is, that's out there.
And then there's there is this kind of, you know, bit of a gap where,
You know, there's a professor needs to, you know, usually needs to figure out a business,
you know, some kind of business partner or someone that helps them with the business side.
And sometimes there's a hard decision they need to make whether they want to continue to teach
and try and do the startup on the side or whether they want to jump in both feet.
Most investors will want to see them jump in with both feet.
And that's a big, that's a big, you know, decision.
And so there's a lot of, there's a lot of delicate things that need to kind of come together,
at least in that, in that academic environment.
But I don't know, those, I guess that's a really interesting question you pose.
And I wouldn't discount the possibility that, you know, we sort of every day there's
there's startups that come along where it's entirely possible.
There's just an entirely new way of thinking about a, you know, a whole part of the problem.
And, you know, and we stay very optimistic to that.
I mean, it's, you know, I would love, you know, the sort of mission-oriented side of me would love to see cyber not growing faster than the economy.
I mean, you can read reports that, you know, cyber right now is 200 billion-ish, depending upon the source market.
And there's, you know, there's plenty of smart market forecasters out there that forecast it going to 1 to 2 trillion over the next 10 years, you know, at a pace that's faster than the economy, you know,
12 to 14% compounded annually, as opposed to 2% of the...
And so, like, what does that say?
It says that, well, digitalization has continuing to happen,
so we're going to have more cyber with all that digitalization.
It's also saying that, you know,
we haven't figured out a core solution, like you're saying,
to bend the curve.
And at some point, it would be nice to bend the curve.
I completely agree with you.
Yeah.
Let's just the one thing you would want my audience of CSO's current and future
to know or do.
that we either don't know about VC or that we're not doing in terms of engagement?
One might be, you know, an interesting trend right now to be aware of
is that there are a family of, you know, a number of startups working on platforms
to help large organizations rationalize and understand
their cyber stack and to manage it. So basically suck in all of the contracts and also help to
manage renewals and to basically figure out what is my, where are my gaps, where are my overlaps,
what's my best marginal risk buy down, all the rest of that. And I think that approach,
as it gets more and more AI enabled, I think there's a real opportunity for AI to really help
not just at sort of the security analyst and sock level,
but also help with some of these vendor management, vendor decisions.
So that's a trend I would encourage your listeners to kind of keep an eye on.
And so that could just be a really different,
because that procurement and management of all those relationships is a huge burden.
And it's not necessarily helping you defend the organization,
but it's something you have to do.
So to the extent you can do that better.
And then the other thing, and we mentioned it before,
I mean, I think the other thing would just be, you know, VCs, you know,
want to engage with Sissos.
And I would, you know, I would invite your listeners, you know,
whether it's with a data tribe or another VC they may know,
to, you know, to really kind of embrace taking some slice of their time
and allocating it to trading notes with people on, you know,
what's coming in the five to ten here horizon.
John, this has been a very educational session here.
I really appreciate you giving us the time.
Thank you so much for sharing with us.
Kim, thank you.
I enjoyed it.
And that's a wrap for today's episode.
Thanks so much for tuning in and for your support as N2K Pro subscribers.
Your continued support enables us to keep making shows like this one,
and we couldn't do it without you.
If you enjoyed today's conversation and are interested in learning more,
please visit the CISO Perspectives page to read
our accompanying blog post, which provides you with additional resources and analysis on today's
topic. There's a link in the show notes. This episode was edited by Ethan Cook, with content
strategy provided by MyOn Plout, produced by Liz Stokes, executive produced by Jennifer Ibin,
and mixing sound design and original music by Elliot Peltzman. I'm Kim Jones. See you next episode.
Securing and managing enterprise networks shouldn't mean juggling vendors,
patching hardware, or managing endless complexity.
Meter builds full-stack, zero-trust networks from the ground up, secure by
design and automatically kept up to date.
Every layer from wired and wireless to firewalls, D-N-S security, and VPN is integrated,
segmented, and continuously protected through one unified platform.
With meter security is built in, not bolted on.
Learn more and book your demo at meter.com slash CISOP.
That's M-E-T-E-R.com slash C-I-S-O-P.
And we thank Meeter for their support in unlocking this N2K Pro episode for all Cyberwire listeners.