CYBERSECURITYVENTURECAPITAL

Q&A whitepaper

We interviewed five of the leading investors in the greater Washington area, all focused on expanding their cybersecurity and related technology portfolios. Below is a brief introduction to our panel of investors and their respective organizations:

MIKE JANKECo-FounderDATATRIBE

RON GULAPresident & Co-FounderGULA TECH ADVENTURES

JIM HUNTManaging PartnerLAVROCK VENTURES

MOURAD YESAYANPrincipalPALADIN CAPITAL GROUP

HANK THOMASCo-Founder & PartnerSTRATEGIC CYBER VENTURES

DESCRIBE YOUR RESPECTIVE INVESTMENT PHILOSOPHY. WHAT ARE SOME

RED FLAGS YOU LOOK FOR IN INVESTMENT OPPORTUNITIES AND WHAT

INTERESTS YOU?

RON GULA: We [Gula Tech Adventures] are helping cyber

security companies get started here in the mid-Atlantic area. This

area does not have as strong of an eco-system as we've seen in other

markets, such as Silicon Valley, and we are hoping to help catalyze

even more companies to start.

JIM HUNT: The red flags are too difficult to enumerate. We

[Lavrock Ventures] review prospects against the follow priorities in

descending order: the team; the approach they will take to get to

market; the idea itself; the market and their positioning in that market;

the valuation.

There are a hundred things that can knock an investment opportunity

out the queue but would say the most prevalent are team related,

including arrogance.

MOURAD YESAYAN: We [Paladin Capital Group] look at

cyber security as a critical ingredient to a larger category that we refer

to as digital risk management and digital resilience, which broadens

our investment spectrum. So, cyber security is critical for that, but it’s

not sufficient. One of the key reasons why new digital technologies

(e.g., anything from the cloud to autonomous platforms) may not get

mass adoption is because organizations must solve for security or

safety concerns. For example, you have to solve for governance and

risk management concerns if financial organizations want to adopt the

blockchain for certain kind of transactions.

HANK THOMAS: We are a team of career cybersecurity

professionals first. The fundamental premise that underlies the

investments we [Strategic Cyber Ventures] make is an assumption that

a determined adversary, be it a criminal, hacktivist, or nation state,

is going to get into your networks if they want to. Perimeter security

controls when deployed alone have proven to be insufficient. At SCV,

we are focused on intrusion suppression. Technology that hunts,

deceives, diverts, or traps the bad guys on your network. We believe

that if we can limit the adversaries dwell on networks, and your most

important data and business functions, we can significantly reduce

the impact of cyber events to the end users of our products. We are

raising the cost of doing business for the bad guys while protecting the

networks, data, and brands our customers.

Cybersecurity is an industry that’s remarkably dynamic because

hackers are constantly looking for ways to defeat the security controls

of today. Tomorrow’s threats won’t look like today’s. Entrepreneurs,

their teams, and their technology are having to constantly evolve with

the threat. It is very important to us that the people who are behind

our portfolio companies are dynamic enough to keep up with the

cybersecurity ecosystem.

MIKE JANKE: We [Datatribe] invest and co-build what we

call “over the horizon technologies” that come out of the U.S, UK

and Canadian intelligence agencies and research laboratories. We

draw teams out, that have built game-changing technologies that

solve Nation State security issues. And we co-build enterprise cyber

security firms. We're 100% focused on commercial markets; however,

government organizations do become customers, but we treat them

just like we do for G.E. or Disney. Due to the unique nature of our

company, we have the access to what we call, over the horizon

technologies, because in certain areas the intelligence agencies are

two to four generations ahead of commercial software products.

We bring an ecosystem of Silicon Valley startup experts to address

competencies that do not exist in the MD/DC/VA area and combine

that expertise with the cutting-edge intelligence community talent and

software.

ARE THERE ENOUGH COMPANIES IN THE WASHINGTON,

D.C. AREA TO FILL YOUR PORTFOLIO BASED ON THE

STATED CRITERIA?

RG: There are plenty of early stage, high quality, cyber companies

in this area. We've had to turn away some very good ideas and

companies already who we could not work directly with, but have tried

to remain helpful with introductions and advice as they've grown.

JH: Yes, I personally see 1.4 deals a day and, if you add in what my

partners also see, we are probably at 10 a week. Most are not at all

within the strike zone but we are not exclusively looking in this region.

If the company is out-of-region but has a product that could be an

interesting fit in USG markets – particularly national security – it can

be very interesting to us.

MY: Yes, there is a ton of talent here from both entrepreneurial

perspective as well as just the basic tech and executive talent to build

these companies.

HT: No. There are plenty of companies selling services back the

federal government, but not enough building security products.

East coast entrepreneurs, especially ones in the DC area, are

generally closer to the cybersecurity problem. By that I mean they’ve

been in the trenches fighting cyber threat actors for years, mostly

as a federal government employee. They have the advantage of

watching the adversary evolve and adapt and they understand their

tactics, techniques, and procedures. They are highly specialized and

have built security controls that have solved very real problems for

the Department of Defense and Intelligence Community. But the

ecosystem isn’t mature enough here yet for many of them to feel

confident about going out on their own. Especially into the riskier

security software product space that is more commercially focused and

venture backed.

MJ: This area is incredibly blessed with talent and technology that

is developed for Nation State needs. However, there is big difference

between a good idea and what is needed to build a commercially

viable company. So much of the infrastructure here iis focused towards

services and selling back to the government, which is a completely

different business. So, we import the Silicon Valley talent to add to

these teams and work side by side with the startup 8-10 hours a day

providing them the experience and resources they need to build a

real commercial software company. The Silicon Valley approach of

simply writing a check and sending them out the door, will not work

here. There is no ecosystem of product management, experienced

enterprise sales, multi-time CEO and other key talents required in a

commercially-focused startup. In this area, you need to surround the

startup with the experienced DNA needed to bridge that gap.

“According to The Bureau of Labor and Statistics in 2016, MD/DC/VA has 3.5 times more “cyber engineers” than the rest of the country combined, living in these zip codes. However, 90% of these engineers are focused on Government services and not on building commercial software companies. We are changing that.

AT WHAT STAGE DO YOU SEE THE CURRENT

D.C. CYBERSECURITY MARKET? IS IT

YOUNG, ESTABLISHED, OVERPOPULATED?

RG: The D.C. market has many high tech cyber services

companies, which is great and supports the mission of the intel

community, civilian government and DOD [Department of

Defense]. We are trying to encourage and invest in product or

software cyber companies. As this market matures, we will see

more “pure” software companies emerge.

JH: From the standpoint of the investor population it is under

populated. From the perspective of companies looking or

funding, then it is different. There are plenty of companies in the

region that are very interesting. I’ve been doing this for 35 years

and have invested in some area winners, including Aquicore, Blue

Cart, ID.ME, Avizia, Social Tables, videoNext, Microcoaching,

Zoom Data, Immuta, APEX Expert Solutions, Oceans Edge,

Adlumin and the list goes on. They are here but you need to

patiently look.

HT: It is currently 90% focused on providing services and

reselling cleared and trained government employees back to the

federal government as contractors and consultants. The services

space is crowded. The cybersecurity product company space is

young but growing.

At SCV we are looking at nationwide opportunities and have a

team in place that can match west coast business experience and

dollars with east coast expertise. We want to change this dynamic

and organically grow more commercially viable cybersecurity

product companies from inside the beltway.

ARE THERE ENOUGH COMPANIES IN THE WASHINGTON,

D.C. AREA TO FILL YOUR PORTFOLIO BASED ON THE

STATED CRITERIA?

RG: It’s very likely that this administration will sign legislation requiring more cyber security preparation disclosures for public

companies and increase the spending of cyber defenses for government agencies. Both will cause more investment and potential

opportunities for mid-Atlantic cyber security companies to help private and public sector markets.

JH: New administration or not, there will be much more public sector spending in cyber. True in private sector but I’m not as on

top of that.

MY: I think it will be a priority issue. It’s already been stated

as being a priority issue from the cabinet level including from the

Secretary of Treasury.

MJ: I’m not sure that government by itself is going to have that

big of an impact. I do believe that this has now become a priority

concern for everyone, private and public organizations alike. I do see

this translating to greater spending on cyber in both sectors.

HT: I expect the defense industry to grow and outsource more in

the next 3.5 years than we saw in the last 8. Especially around cyber

where the war on talent is real. The government does not have the

incentives in place to keep a large and technically capable workforce

long-term. They will rely heavily on the big local defense contactors

and systems integrators more heavily, and prices will continue to go

up. This administration will also reach to earlier stage cybersecurity

product companies to fill holes in their technical security strategy and

architecture. We are already seeing it happen with our companies.

SOME RECENT BUZZWORDS IN CYBER INCLUDE BLOCKCHAIN,

CONTAINERS, ARTIFICIAL INTELLIGENCE, AND ICS ( INDUSTRIAL CONTROL

SYSTEMS). WHAT DO YOU BELIEVE WILL BE THE NEXT TREND?

RG: There have always been exciting trends in cyber throughout the

history of information security. Blockchain could replace many forms

of manual transactions, such as in banking, offering more security and

transparency for everyone. Containers will hopefully allow complex

and hackable web applications be re-written in a more secure and

easy to maintain manner. Legacy industrial control systems may be

used in a cyber-attack effective power and other critical infrastructure

unless mitigating defenses can be deployed around them. My favorite

trend is the move to the cloud. Most cloud vendors “do it better” than

what typical organizations can do on their own and at a lower cost.

This isn’t an option for some markets, such as the intel community or

finance, but we’ve seen examples of compromises here, such as the

CIA setting up their own copy of Amazon and Capital One making

huge investments in cloud computing.

JH: Hot areas are defensive and offensive constructs, and much

better protection of the data inside the moat. That can include digital

rights management and encryption. Things that frankly provide security

inside the firewall and, by default look at insider threat issues.

MY: Another thing that we’re focused on, which goes back to policy

issues is, what are going to be the rules around active defense. I think

you’re going to see a lot of growth and success in companies that

are in one sense cyber security companies, but they are also solving

for productivity problems. So, I think orchestration and automation

is still going to be a big thing. One of the ways to solve for the talent

shortage partially is figuring out how to force-multiply existing talent

and how we can do things with the human only partially in the loop.

MJ: The technology industry is always ripe with buzzwords. Some

are fads and some are truly game changing areas. Technologies

such as Homomorphic Encryption, Quantum computing, Blockchain

and AI are amazing advancements that will help with security, but the

adversary is innovating just as quickly. Newer Markets such as Industry

Control security, Firmware for IOT, Blockchain and Homomorphic

Encryption are replacing past markets of VPN’s, anti-virus and archaic

ways of defending.

HT: We are watching frustrated security chiefs both in government

and the corporate world migrate towards threat hunting technology.

They have spent billions of dollars on security controls that for a

variety of reasons have not prevented breaches. They want to identify

and react to a breach as soon as possible, and are moving towards

technology that hunts, deceives, diverts, and contains the adversary.

They are moving away from technology that claims to build higher

walls or deeper moats around their network. We are particularly

interested in adaptive authentication technology that constantly

proves you are you, analytic technology that allows you to hunt for

the adversary without them knowing they are being hunted, deceptive

technology to divert and contain the adversary, and emerging

technology like memory augmentation that provides the equivalent of

superpowers to the humans that man cyber threat hunting teams.

JOHN E. REDEKER

Senior AssociateCBRE | Brokerage Services1861 International Drive, Suite 300McLean, VA 22102T +1 703 905 0305 | C +1 216 310 2485john.redeker@cbre.com | www.cbre.com/john.redeker

JONATHAN HALLSenior Associate

CBRE | Brokerage Services100 East Pratt Street, Suite 1700

Baltimore, MD 21202T +1 410 244 3174 | C +1 410 598 7372

jonathan.hall@cbre.com | www.cbre.com/jonathan.hall