cybersecurity venture capital - cbre/media/cbre/countryunitedstates/corporate...technologies,...
TRANSCRIPT
We interviewed five of the leading investors in the greater Washington area, all focused on expanding their cybersecurity and related technology portfolios. Below is a brief introduction to our panel of investors and their respective organizations:
MIKE JANKECo-FounderDATATRIBE
RON GULAPresident & Co-FounderGULA TECH ADVENTURES
JIM HUNTManaging PartnerLAVROCK VENTURES
MOURAD YESAYANPrincipalPALADIN CAPITAL GROUP
HANK THOMASCo-Founder & PartnerSTRATEGIC CYBER VENTURES
DESCRIBE YOUR RESPECTIVE INVESTMENT PHILOSOPHY. WHAT ARE SOME
RED FLAGS YOU LOOK FOR IN INVESTMENT OPPORTUNITIES AND WHAT
INTERESTS YOU?
RON GULA: We [Gula Tech Adventures] are helping cyber
security companies get started here in the mid-Atlantic area. This
area does not have as strong of an eco-system as we've seen in other
markets, such as Silicon Valley, and we are hoping to help catalyze
even more companies to start.
JIM HUNT: The red flags are too difficult to enumerate. We
[Lavrock Ventures] review prospects against the follow priorities in
descending order: the team; the approach they will take to get to
market; the idea itself; the market and their positioning in that market;
the valuation.
There are a hundred things that can knock an investment opportunity
out the queue but would say the most prevalent are team related,
including arrogance.
MOURAD YESAYAN: We [Paladin Capital Group] look at
cyber security as a critical ingredient to a larger category that we refer
to as digital risk management and digital resilience, which broadens
our investment spectrum. So, cyber security is critical for that, but it’s
not sufficient. One of the key reasons why new digital technologies
(e.g., anything from the cloud to autonomous platforms) may not get
mass adoption is because organizations must solve for security or
safety concerns. For example, you have to solve for governance and
risk management concerns if financial organizations want to adopt the
blockchain for certain kind of transactions.
HANK THOMAS: We are a team of career cybersecurity
professionals first. The fundamental premise that underlies the
investments we [Strategic Cyber Ventures] make is an assumption that
a determined adversary, be it a criminal, hacktivist, or nation state,
is going to get into your networks if they want to. Perimeter security
controls when deployed alone have proven to be insufficient. At SCV,
we are focused on intrusion suppression. Technology that hunts,
deceives, diverts, or traps the bad guys on your network. We believe
that if we can limit the adversaries dwell on networks, and your most
important data and business functions, we can significantly reduce
the impact of cyber events to the end users of our products. We are
raising the cost of doing business for the bad guys while protecting the
networks, data, and brands our customers.
Cybersecurity is an industry that’s remarkably dynamic because
hackers are constantly looking for ways to defeat the security controls
of today. Tomorrow’s threats won’t look like today’s. Entrepreneurs,
their teams, and their technology are having to constantly evolve with
the threat. It is very important to us that the people who are behind
our portfolio companies are dynamic enough to keep up with the
cybersecurity ecosystem.
MIKE JANKE: We [Datatribe] invest and co-build what we
call “over the horizon technologies” that come out of the U.S, UK
and Canadian intelligence agencies and research laboratories. We
draw teams out, that have built game-changing technologies that
solve Nation State security issues. And we co-build enterprise cyber
security firms. We're 100% focused on commercial markets; however,
government organizations do become customers, but we treat them
just like we do for G.E. or Disney. Due to the unique nature of our
company, we have the access to what we call, over the horizon
technologies, because in certain areas the intelligence agencies are
two to four generations ahead of commercial software products.
We bring an ecosystem of Silicon Valley startup experts to address
competencies that do not exist in the MD/DC/VA area and combine
that expertise with the cutting-edge intelligence community talent and
software.
ARE THERE ENOUGH COMPANIES IN THE WASHINGTON,
D.C. AREA TO FILL YOUR PORTFOLIO BASED ON THE
STATED CRITERIA?
RG: There are plenty of early stage, high quality, cyber companies
in this area. We've had to turn away some very good ideas and
companies already who we could not work directly with, but have tried
to remain helpful with introductions and advice as they've grown.
JH: Yes, I personally see 1.4 deals a day and, if you add in what my
partners also see, we are probably at 10 a week. Most are not at all
within the strike zone but we are not exclusively looking in this region.
If the company is out-of-region but has a product that could be an
interesting fit in USG markets – particularly national security – it can
be very interesting to us.
MY: Yes, there is a ton of talent here from both entrepreneurial
perspective as well as just the basic tech and executive talent to build
these companies.
HT: No. There are plenty of companies selling services back the
federal government, but not enough building security products.
East coast entrepreneurs, especially ones in the DC area, are
generally closer to the cybersecurity problem. By that I mean they’ve
been in the trenches fighting cyber threat actors for years, mostly
as a federal government employee. They have the advantage of
watching the adversary evolve and adapt and they understand their
tactics, techniques, and procedures. They are highly specialized and
have built security controls that have solved very real problems for
the Department of Defense and Intelligence Community. But the
ecosystem isn’t mature enough here yet for many of them to feel
confident about going out on their own. Especially into the riskier
security software product space that is more commercially focused and
venture backed.
MJ: This area is incredibly blessed with talent and technology that
is developed for Nation State needs. However, there is big difference
between a good idea and what is needed to build a commercially
viable company. So much of the infrastructure here iis focused towards
services and selling back to the government, which is a completely
different business. So, we import the Silicon Valley talent to add to
these teams and work side by side with the startup 8-10 hours a day
providing them the experience and resources they need to build a
real commercial software company. The Silicon Valley approach of
simply writing a check and sending them out the door, will not work
here. There is no ecosystem of product management, experienced
enterprise sales, multi-time CEO and other key talents required in a
commercially-focused startup. In this area, you need to surround the
startup with the experienced DNA needed to bridge that gap.
“According to The Bureau of Labor and Statistics in 2016, MD/DC/VA has 3.5 times more “cyber engineers” than the rest of the country combined, living in these zip codes. However, 90% of these engineers are focused on Government services and not on building commercial software companies. We are changing that.
AT WHAT STAGE DO YOU SEE THE CURRENT
D.C. CYBERSECURITY MARKET? IS IT
YOUNG, ESTABLISHED, OVERPOPULATED?
RG: The D.C. market has many high tech cyber services
companies, which is great and supports the mission of the intel
community, civilian government and DOD [Department of
Defense]. We are trying to encourage and invest in product or
software cyber companies. As this market matures, we will see
more “pure” software companies emerge.
JH: From the standpoint of the investor population it is under
populated. From the perspective of companies looking or
funding, then it is different. There are plenty of companies in the
region that are very interesting. I’ve been doing this for 35 years
and have invested in some area winners, including Aquicore, Blue
Cart, ID.ME, Avizia, Social Tables, videoNext, Microcoaching,
Zoom Data, Immuta, APEX Expert Solutions, Oceans Edge,
Adlumin and the list goes on. They are here but you need to
patiently look.
HT: It is currently 90% focused on providing services and
reselling cleared and trained government employees back to the
federal government as contractors and consultants. The services
space is crowded. The cybersecurity product company space is
young but growing.
At SCV we are looking at nationwide opportunities and have a
team in place that can match west coast business experience and
dollars with east coast expertise. We want to change this dynamic
and organically grow more commercially viable cybersecurity
product companies from inside the beltway.
ARE THERE ENOUGH COMPANIES IN THE WASHINGTON,
D.C. AREA TO FILL YOUR PORTFOLIO BASED ON THE
STATED CRITERIA?
RG: It’s very likely that this administration will sign legislation requiring more cyber security preparation disclosures for public
companies and increase the spending of cyber defenses for government agencies. Both will cause more investment and potential
opportunities for mid-Atlantic cyber security companies to help private and public sector markets.
JH: New administration or not, there will be much more public sector spending in cyber. True in private sector but I’m not as on
top of that.
MY: I think it will be a priority issue. It’s already been stated
as being a priority issue from the cabinet level including from the
Secretary of Treasury.
MJ: I’m not sure that government by itself is going to have that
big of an impact. I do believe that this has now become a priority
concern for everyone, private and public organizations alike. I do see
this translating to greater spending on cyber in both sectors.
HT: I expect the defense industry to grow and outsource more in
the next 3.5 years than we saw in the last 8. Especially around cyber
where the war on talent is real. The government does not have the
incentives in place to keep a large and technically capable workforce
long-term. They will rely heavily on the big local defense contactors
and systems integrators more heavily, and prices will continue to go
up. This administration will also reach to earlier stage cybersecurity
product companies to fill holes in their technical security strategy and
architecture. We are already seeing it happen with our companies.
SOME RECENT BUZZWORDS IN CYBER INCLUDE BLOCKCHAIN,
CONTAINERS, ARTIFICIAL INTELLIGENCE, AND ICS ( INDUSTRIAL CONTROL
SYSTEMS). WHAT DO YOU BELIEVE WILL BE THE NEXT TREND?
RG: There have always been exciting trends in cyber throughout the
history of information security. Blockchain could replace many forms
of manual transactions, such as in banking, offering more security and
transparency for everyone. Containers will hopefully allow complex
and hackable web applications be re-written in a more secure and
easy to maintain manner. Legacy industrial control systems may be
used in a cyber-attack effective power and other critical infrastructure
unless mitigating defenses can be deployed around them. My favorite
trend is the move to the cloud. Most cloud vendors “do it better” than
what typical organizations can do on their own and at a lower cost.
This isn’t an option for some markets, such as the intel community or
finance, but we’ve seen examples of compromises here, such as the
CIA setting up their own copy of Amazon and Capital One making
huge investments in cloud computing.
JH: Hot areas are defensive and offensive constructs, and much
better protection of the data inside the moat. That can include digital
rights management and encryption. Things that frankly provide security
inside the firewall and, by default look at insider threat issues.
MY: Another thing that we’re focused on, which goes back to policy
issues is, what are going to be the rules around active defense. I think
you’re going to see a lot of growth and success in companies that
are in one sense cyber security companies, but they are also solving
for productivity problems. So, I think orchestration and automation
is still going to be a big thing. One of the ways to solve for the talent
shortage partially is figuring out how to force-multiply existing talent
and how we can do things with the human only partially in the loop.
MJ: The technology industry is always ripe with buzzwords. Some
are fads and some are truly game changing areas. Technologies
such as Homomorphic Encryption, Quantum computing, Blockchain
and AI are amazing advancements that will help with security, but the
adversary is innovating just as quickly. Newer Markets such as Industry
Control security, Firmware for IOT, Blockchain and Homomorphic
Encryption are replacing past markets of VPN’s, anti-virus and archaic
ways of defending.
HT: We are watching frustrated security chiefs both in government
and the corporate world migrate towards threat hunting technology.
They have spent billions of dollars on security controls that for a
variety of reasons have not prevented breaches. They want to identify
and react to a breach as soon as possible, and are moving towards
technology that hunts, deceives, diverts, and contains the adversary.
They are moving away from technology that claims to build higher
walls or deeper moats around their network. We are particularly
interested in adaptive authentication technology that constantly
proves you are you, analytic technology that allows you to hunt for
the adversary without them knowing they are being hunted, deceptive
technology to divert and contain the adversary, and emerging
technology like memory augmentation that provides the equivalent of
superpowers to the humans that man cyber threat hunting teams.
JOHN E. REDEKER
Senior AssociateCBRE | Brokerage Services1861 International Drive, Suite 300McLean, VA 22102T +1 703 905 0305 | C +1 216 310 [email protected] | www.cbre.com/john.redeker
JONATHAN HALLSenior Associate
CBRE | Brokerage Services100 East Pratt Street, Suite 1700
Baltimore, MD 21202T +1 410 244 3174 | C +1 410 598 7372
[email protected] | www.cbre.com/jonathan.hall