Cloud, Data and Zero-trust: Here’s Where VCs are Putting Their Cybersecurity Investments
The last year was a busy one for cybersecurity investors, with a record $7.8 billion flowing into the space in 2020, according to Crunchbase. With remote work, increasingly sophisticated hackers, and more mission-critical data getting stored in the cloud, plenty of deals will continue to be made in the years ahead.
Where those dollars will go was a central topic of discussion during a panel I hosted at the BMO Cybersecurity Summit, which took place on May 25. The panel discussion, which focused on venture capital-related opportunities in the cyber landscape, featured some of the leading experts in this sector, including:
- Greg Dracon, General Partner, 406 Ventures
- Deepak Jeevankumar, Managing Director, Dell Capital
- Will Lin, Managing Director and Co-Founder, ForgePoint Capital
- Prasad Parthasarathi, Director and Global Head of Cybersecurity, Cisco Investments
Betting on the Cloud
While each panelist approaches cybersecurity investing differently, many see similar opportunities across the market, including cloud security. Lin says that while millions of dollars have already been invested in cloud security operations, it’s still a fragmented space without a clear leader. “There isn’t clarity yet on what the winning solution is,” he explains. “As a result, I’m spending a lot of time thinking through how I can apply cloud security in different contexts and verticals.”
Lin is also seeing opportunities in the data security space, where many of the leading companies are now multiple decades old. “That means the sector is ripe for innovation,” he says, adding that he sees more early-stage data security companies. “It’s one of those spaces, like cloud, that is maturing, evolving, and crystallizing, but there’s still plenty of uncertainty. There is no best practice in terms of how you do data security in the cloud-native world.”
For Dracon, there is a big opportunity in cloud-based app security. Given that most cloud services are managed by third-party companies, such as Microsoft and Amazon, businesses will become increasingly focused on securing the programs they’re creating. “As cloud services are adopted, there’s less and less to secure, so it forces your hand up to the application layer,” he explains. “So we’ll see more focus on app security and within the cloud.”
Making Life Easier for Developers
Developer tools are another area of growth for investors, says Jeevankumar. Given that every business is essentially a tech operation these days, companies across all sectors are hiring developers to create new tools and programs. Yet, many of these developers aren’t creating with security in mind. “How do you empower the new age of developers with easy-to-use security?” he asks. “We’re just at the beginning of the developer-influenced security phase.”
The move to help developers easily integrate security into their work is part of a broader move to simplify IT, adds Dracon. It used to be that the buyers of security tools were “tech geeks like we are,” he says. Now that people across organizations are interested in security, marketing and sales, it’s influencing what people buy rather than just tech. For Dracon, that means investing in easier-to-use tools. “We’re seeing non-security people buying and using tools,” he says. “So these have to be super easy to use and deploy.”
At the same time, many companies are finding it increasingly difficult to hire good cybersecurity talent, which means more areas will need to be automated, says Jeevankumar. “We need to figure out where the acute talent problems in the cybersecurity industry are and what parts of it can be automated or enhanced using automated principles,” he notes.
Zero-trust Future
All four panelists are also focused on zero-trust, which looks at trust as a vulnerability in the security process. Typically, once a security tool trusts that a user is legitimate, that person can do what they want within a system. However, given that it’s now easier for hackers to gain that trust, more companies want to move to a verification model, where someone must verify who they are every time trust needs to be established.
This idea of zero-trust is a significant shift for the industry, says Parthasarathi. “Zero-trust is contrarian to all the principles that the IT landscape has operated on over the last two decades, which has been focused on integrations enabled through least privileges,” he explains. “Zero-trust flips the model on its head and requires us to view these integrations as fundamentally contaminated. Instead of least privileges, Zero-trust demands adaptive, contextual and granularly vetted access.”
For Lin, who invests in early-stage security companies, new categories bring new investment opportunities. “The whole point of venture capital is to create new categories, to create innovation,” he says. “And so what that means is time is a critical factor to these categories we’ve created. For example, if someone tried to create a zero-trust company (a few years ago), it would have had a really tough time as people just weren’t ready for it. So we spend a lot of time thinking about the timing of markets and what we can do to be helpful in terms of solidifying those markets as they (grow).”
Big Ideas
When it comes to finding investment opportunities, every panelist agreed that working with businesses that can truly solve security industry problems is key. “We’re (investing) in people, and we’re looking for people who not only know the problems in this space but are trying to figure out where problems will go down the road,” says Dracon. “We also look for very big disruptive companies that can become platforms.”
Before Jeevankumar invests, he must be convinced that a chief information security officer (CISO) will put that technology at the top of their stack. Ideally, companies would use a handful of technology tools in their business, but as time goes on, they’re using more and more, he says. That’s why he needs to be sure that CISOs will put the company he’s investing in at the top of their priority list. “Vendor consolidation is always a priority, but it never happens,” he says. “CISOs are willing to experiment with your companies, but how do you convince them that the product that you have is time-critical, not just mission-critical, to the whole security portion of an organization? So we look for people who can convince the CISOs that that’s the case.”
Two critical investment decisions that Parthasarathi considers are ease of deployment and how long it takes to prove the company’s value. Given how quickly decision-makers change in a company, vendors can’t afford to have long sales cycles. “We like elastic deployments and easy-to-demonstrate proof of value,” he says, highlighting his recent acquisition of Duo, a zero-trust security solution. “That’s one security solution that any of us can sell within a week, without a sales background.”
In the future, Jeevankumar expects to see more private equity buyouts of lower-multiple cybersecurity companies. Lin thinks there will be more activity in the security operations center space, as many of those companies are now large and generating a lot of cash. “I can see a future where some of those companies get acquired because they can be cash-flow positive pretty easily,” he says. “They also give companies a lot of scale.”
For Parthasarathi, extended detection and response (XDR) will see a lot more M&A activity in the future. “The focus being on security analytics, security forensics, remediation,” he says. “Other sectors broadly require super-hardened, deep security capabilities that platforms have cultivated over multiple decades. However, startups have an advantage in analytics and forensics with high velocity innovations across AI, ML and NLP. This space is ripe for sustained inorganic activity.”