What’s Influencing Cyber Capital Investment
Ann Johnson: Welcome to "Afternoon Cyber Tea" with Ann Johnson, where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite and other security decision-makers. I'm Ann Johnson, and on today's episode, I'm really excited that we're going to unpack the always-interesting world of cyber venture capital and investment. It's an interesting time to do that, as we're here in the summer in the U.S. and the dynamics have certainly changed just in the past 30, 60 and 90 days. So today, to talk about the world of cyber venture capital, I'm joined by two folks who really don't need an introduction, but I'm going to introduce them anyway - Dave DeWalt and Jay Leek.
Ann Johnson: Dave is the founder and managing director of NightDragon, an investment advisory firm focused on growth at late-stage companies within the cybersecurity, safety, security and privacy industries. Dave is a veteran CEO, adviser and investor who has led companies from startups to the Fortune 500 on a transformational journey of success. Focused on technology and cybersecurity, Dave has helped create more than $20 billion of shareholder value during his 15-plus years as president and CEO of Documentum, McAfee and FireEye. He also serves as the managing director of AllegisCyber, executive chairman of M&A advisory firm Momentum Cyber, as well as investor and board member in the world's most innovative companies, such as Delta Air Lines, Five9, Iboss, Claroty, Team8, DataTribe and Optiv. Welcome to "Afternoon Cyber Tea," Dave.
Dave Dewalt: Thanks for having me, Ann. Great to be here. By the way, this is my first time having tea for a podcast. Usually, it's, like, wine or whiskey. So tea is a little bit healthier for us. So, thanks for having me.
Ann Johnson: No problem. It's probably more appropriate for the time of day, too. No judgment there. Joining us also is Jay Leek, who's the managing director and co-founder of both SYN Ventures and ClearSky Security. Throughout the past 22 years, Jay has worked as a product manager for information security vendors and a consultant to numerous telecom companies, government agencies and financial institutions, assisting them with business development, strategic planning and architectural design. Welcome to "Afternoon Cyber Tea," Jay. Great to have you on, also.
Jay Leek: Thank you very much, Ann. It is after 5, though, on the East Coast, so it is appropriate for wine or whiskey.
Dave Dewalt: And, Jay, I forgot to wear black. Is that cyber black that we were supposed to put into the memo there?
Jay Leek: I thought you got it. You know, I was expecting you to, like, wear the outfit. Come on, Dave.
Ann Johnson: I wear a bright pink, Dave, so I'm trying to, you know, be a cyber rebel. It's also 90 degrees in Seattle, so I'm just trying to deal with the weather.
Ann Johnson: You know, it's an interesting time, we talked about that. In the last few years, we've seen venture capital investment in cyber really balloon. And now experts are reporting economic slowdown, and we're starting to see some signs of slowdown throughout the world. And then it is - it's impacting the venture capital world. So, if you could talk to us about the last few years and, you know, actually what you're seeing now and how quickly things are changing. Dave, let's start with you.
Dave Dewalt: Yeah, Ann, I mean, it's a great question, right? I mean, it's kind of the question of the day. You know, I start out and talk a little bit about what I call cyber super cycles - kind of a mouthful. But in the 20 years or so that I've been, you know, sort of monitoring this market segment, you can almost track the cyber industry by the threat cycle. So I call them cyber super cycles because whenever you see a highly elevated threat environment, you - typically, right behind the highly elevated threat environment, you see a highly elevated spending environment. Customers spend more, many more threats, and ultimately, behind a spending cycle, comes the investment cycle.
Dave Dewalt: And over the last 20 years, we've seen a couple of major super cycles that occur. The last 2 1/2 years has been one of those threat super cycles. By almost every major metric, the threat environment is at its highest level for a variety of reasons. Obviously, the pandemic and all the resulting crises - economic, cultural, government, you know, democracy, now, Russian-Ukrainian conflicts. You know, we've seen a massively elevated threat environment - lots of zero-days. We can talk about lots of ransomware issues all over the world. And that has elevated the customer spending environment, which has elevated the investor environment. If you look at Momentum Cyber's report they just put out, you know, in the last day or two, I mean, we have record-level investments going into cyber. Despite the economic scenarios that we're all watching, we're seeing a plethora of investments happening from all over the world because you have a very vibrant customer-spending environment.
Dave Dewalt: And, yeah, we've seen contraction in public. Yeah, that's moving into the private sector. But as an investor, I almost see this as a perfect opportunity because, in the bull market of going up where the valuations were really high and the threat environment - spend environment was really high, there was very high revenue multiples you had to pay. Now you're seeing some contraction while still seeing the threat environment - spend environment up, creating an even better opportunity for investors.
Ann Johnson: Yeah, I think that cyber tends to be a little bit recession-proof because people still need to secure their infrastructure. Even if they're not launching a lot of new products, they're still tending to secure technical debt. So I think it's still a pretty good place for technology companies to be investing. And then, of course, they need money to invest. But, Jay, I'd love to get your thoughts about, you know, what's happening right now.
Jay Leek: Yeah. So, I mean, one of the big categories, though - the five or six thousand vendors that are out there are actually feature companies. They're companies that really, you know - they're solving a problem, but they're not an independent company. And over the past, you know, several years, you know, we would meet these companies, and they're great teams. They have real customers, but they're never going to get up to the right velocity. They really shouldn't be raising $30 million, much less even value to $30 million. And then we watch them get funded with $30 million of capital. And you're like, how is that even possible? And so the biggest trend I think we've seen so far this year - even greater than like, you know, valuation corrections and stuff, which has happened probably more in late stage and early 'cause - but definitely even some in the earlier stage - is you're finding companies that really never should have got funded, at least at the levels they were getting funded at, just not get funded.
Jay Leek: And I think that's actually, like, the biggest flip side that's actually happened in the past, call it 90 to 120 days even, which isn't necessarily a bad thing for the industry too because it just eliminates a lot of noise. And when those companies get funded, they also drive up valuations for companies that actually should get funded because if they can get funded with that kind of valuation, then the real companies should even be higher. And it's just a slippery slope of, like, you know, heading in the wrong direction that, you know, creates a house of cards. And so that's kind of unraveling as we speak.
Jay Leek: It's interesting. I was - I spent a month of - I spent, like, kind of April and May kind of surveying investors that had been doing this for a minimum of - or for over 25 years 'cause I wanted them to go through - it is pure venture investors for at least 25 years. And I wanted someone - talk to people who had seen dot-com, financial crisis and was witnessing today, firsthand. And I talked to, you know, probably 12 or 15 of them. And one of the gentlemen early in my conversations said, in the past 30 years, I've never seen the VC industry change to the downward as much as I have in the past four months. In the last 30 days, I've never seen it - in the past four months, I had never seen it change as much as I have in the past 30 days. And I bet you if I were to go back and ask him again that same question, he'd say, in the past 60 days, I've never seen it change as much they have in the past 30 days, right? And basically, implying that we went through generational changes, you know, at least two times, at that point, in the kind of May timeframe - and actually, probably, I would submit, probably, three since in this year that we had witnessed in dot-com or financial crisis.
Jay Leek: And my supposition as to why that's the case is because our private sector multiples had caught up, or in some cases even surpassed public sector multiples, when historically, in every other cycle, they trailed. And so, when the public market is corrected, the private industry quickly, you know, whipsawed faster than normal. And so that's, I think, why we were just seeing things kind of like, you know, go all over the place. That being said, I think that the security industry, to the point you made earlier, is much more resilient than any other area of technology. So, I don't think it's been as crazy or will be as crazy, but it's definitely gotten better from investor perspective, to Dave's point earlier.
Dave Dewalt: And if I could just, maybe, underscore a couple of points Jay just made with some real numbers. I mean, just to give the audience a little sampling, I mean, this is just hot off the press. But we had, in the first half of 2022, 47 capital raises of over a hundred million per company. So 47 companies got over a hundred million of capital in the first half of the year - 12.5 billion in financing in the first half of the year, and that was more than all of 2019 combined.
Ann Johnson: Wow.
Dave Dewalt: So, just to give you a kind of where this puck is going - even more importantly, has been the movement towards M&A. So, you know, one of the things, you know, Jay was alluding to is, like, sometimes the investment cycle term can also swing to an M&A cycle as well - 102.6 billion in M&A volume in the first half of the year - hundred billion in M&A just related to cyber industry and eight of them over a billion-dollar transactions - 14 unicorns on their investment. So these are companies - 50 million of revenue on average, with a billion-dollar unicorn kind of valuation. So interesting times in cyber still as, you know, we've - kind of going into the second half of the year now, I totally agree with Jay. I think the second half of the year is very different than the first half of the year because many of those deals were in flight in 2021, finishing off in 2022. So, you're starting to see a systemic change in all that. But when you look at the report card from a number point of view, pretty darn vibrant cyber.
Ann Johnson: Yeah, it'll be interesting to see that report card in January, when we look back at the back half of the year. Before we look ahead for a second, can we go all the way back a couple of years? Tell me as investors, you know, what your thesis was. What made a company attractive to you? Why did you choose to invest in some companies versus others? What type of criteria were you looking at?
Dave Dewalt: Yeah, I can start, Ann. You know, I've been investing, you know, pretty heavily since 2012 in NightDragon. This is our 10th anniversary here of investing - I think 41 companies now total, you know, probably not near the breadth that Jay has. But, you know, we'd - looking at - largely, I'd look for, at least in the cyber markets, you know, a major threat problem that has yet to be solved. That's one of the reasons I became CEO of FireEye. I mean, at the time - 2012 window - you know, FireEye was a 10 million revenue company, and, you know, nobody really heard of an APT. Well, they had, but not by much at that point. But advanced persistent threats became a new vector of attack, especially in which ways that the attacks were coming in. And I was looking for technology that could solve a major threat problem. My largest thesis with NightDragon has been all around that. Where are the biggest threats and risks in the world, and what commercial defense can meet that threat in a way that we could hyper-scale it with growth capital to kind of meet the valuation opportunity that's out there?
Dave Dewalt: Now, in NightDragon, we've expanded a little beyond cyber. We're doing things like satellite infrastructure, air infrastructure, supply chain infrastructure and other market segments, but having said that, the theme's the same. Where is the threat? Typically, drives spending, drives investment, to my point of the super cycles, and that's what I look for. And that's the repeated pattern we've done for 10 years here at NightDragon. Jay, what's your thoughts there?
Jay Leek: Yeah, no, I think all of that makes sense. I think there's two ways to answer the question - I'll continue with Dave's theme, and I'll put a little bit of a different twist on - or another way of thinking about the answer to that question. I'd say, over the past - since 2017, we've arguably raised $850 million across three different funds under one fundamental problem, and that's - there's a talent gap in the industry, period, full stop. There's not enough, you know, bodies to go address demand, and the demand is outpricing any kind of entrances into the workforce and the security workforce in the market. And that's not going to get any better. So investing your evolutionary disruptive technology can help address talent gap, and there's lots of different ways to address that, not just through automation. There's other ways of thinking about it. Prevention's a great example versus technical response, 'cause that requires people. But - and we can dive more into that if you want to in the future.
Jay Leek: So very much believe in disruptive technologies that can help, you know, feed the - fulfill - like, address the people problem. It's not going to get any better. Until high school students start thinking about getting into cybersecurity their junior year, it's never going to get better. So that's one area to continue that theme. The other thing - other way to think about it is maybe more purely from the investor perspective and not from the industry point of view. And we think about investing into three T's - team, TAM and technology. Total addressable market is what TAM means, for everyone on the podcast. And so, for us, we know really, really great firms that would say technology is first and foremost, period, full stop. The team is interchangeable. The TAM has to be there no matter what. But they invest in great tech, and they can replace teams if they need to. From our perspective, as we invest in the early stage of the market, team is most important, by far.
Jay Leek: And so, we are backing great teams, and then tech and technology is interchangeable between numbers two and three, as far as we're concerned, because a great team can iterate, fail, iterate, pivot, iterate, fail, succeed. A bad team will hit a wall and burn venture dollars, and that's really bad and really expensive. And so, you know, so that's what we're looking for. And the reality of it is, if you're signing up for three to five years, it could be longer, but at least three to five years and generally, you know, with these companies and you've got to make sure that you want to spend time with those teams too. They're coachable. They're mentors. A lot of the CEOs become great friends, you know, for life. And, you know, that's what's probably most important to us as a firm.
Ann Johnson: Yeah, so both of you hit on this a little bit, but I want to pull the thread more, which is that it's not just about money, right? Capital is just one part of the equation. When you think about investing - and let's talk a little bit about the team, and what are the things that you look for in a team? Because I've - I was talking to a VC firm this week about an investment they did not make. And they said, explicitly, they didn't make the investment because they didn't have confidence in the team, even though they thought the technology proposition might be interesting. So what advice do you have for founders that are starting this journey? What can they show you when they're doing their - you know, their VC pitch, the shuffle around to try to get dollars? And is it that - and how does someone - and I'm going to ask a little pointy question - how does someone that doesn't have that proven track record - right? - they're a first-time founder or a first-time CEO. How do they actually convince, you know, the firms to invest? Jay, why don't we start this one with you?
Jay Leek: Yeah. So, I mean, for me, it's - are they coachable? Are they giving you lip service to any kind of advice that you may have? Doesn't mean they have to take the advice, but the best first-time founders I've ever worked with, they'll go and actively seek advice from Dave. They'll seek it from me, even though they probably shouldn't talk to me 'cause I'll probably give them bad advice. They'll seek it from, you know, 10 other people, you know? And then they'll bring all that in, they'll synthesize it, make it their own, and come up with the right direction to go, right? And to me, that's like a quality that - it's hard to learn that. You know, you can learn it, but it's also - it's in your DNA, you know? But you can break out. Like, I have - we've backed true introvert CEOs that know they're introverts, and so they wake up every day to try to be an extrovert and they work really hard. They're never going to be your go-to market CEO, but they can become damn good leaders and build great companies if they surround themself with the next level that can actually, you know, compensate for that.
Jay Leek: So, you know, it's really just people that want to win - and you can tell that - and that really want advice and help around the table because, I mean, the CEO or founder that comes to me and has everything figured out and doesn't need our help, doesn't need our money either because they got it all figured out, as far as I'm concerned. And unfortunately, like, we'll take it one step further. We have - we've met with companies - many times, actually - where they have great tech, they have, actually, real customers. We know them. We actually like their team. But unfortunately, we're not going to sit in the CEO's board for the next four to five years. Life's too short, so we won't do the deal. And that's unfortunate, you know? But that's just the way life goes. And there's plenty of good deals out there. And I'm sure there's plenty of firms that'd be more than happy to give them money and make money off their back.
Ann Johnson: Understood. Dave, how do you think about that?
Dave Dewalt: I swear Jay and I could be brothers from different mothers, slightly, but we have a lot of the same DNA, but just a little different, right? Jay's a proven operating, you know, chief security officer who understands what it takes to operate and run security operations, and his mindset really draws on that, which is incredibly valuable. You know, I'm a proven CEO, right? Different. And that's why we're at different stages a little bit in where we invest. I can't help somebody design a product. I can't write a line of code, but what I try to look for is those same three T's that Jay mentioned - team, tech and TAM - but what I try to help and do is create only one remaining risk for my investments. I want the tech to be there, and I want the TAM to be there. And what I want to be able to do is help them with the go-to-market risk, because the difference I always say is, like, IP is a game of inches, but go-to-market is a game of miles, one of the sayings I love, because whoever wins the go-to-market game kind of wins the market.
Dave Dewalt: When I took over as FireEye CEO, there was five companies - you probably remember them - Lastline, Damballa, Fidelis - whole bunch of them. And, you know, the difference was minute when it came to the features. But the biggest difference was who could win the go to-market? My point being - we have to bring operational excellence and management to the investments. There's one thing just to put an investment into the company. There's another to really help that company grow and scale. And that's what - at least with NightDragon - I know ClearSky and now SYN's doing the same thing - is you've got to help. And help in our case is how do we bring hundred partnerships to them, people with experience, operating excellence so that the team gets better?
Dave Dewalt: And to the point Jay also made - coachability is everything. I mean, one thing I learned after 20-plus years of being CEO of operational companies, you know, I don't know everything. I got to be coachable. Every situation is different. And I use this little adage - I call it the four H's. What do I look for in a team? Humility, honesty, hard work and hunger. Why? If you've got those four components, you stay humble. You're honest with your shareholders and with your board. You're coachable to that point. You're hungry. You're ambitious. You want to drive. And you're a hard worker. Man, those X factors make great leaders. And I look for that in a team. I look for that in who I invest in, and that makes for great partnerships with us, at least at NightDragon.
Ann Johnson: OK. Dave, let's keep going with you because you talked about this, but I want to pull the thread a bit further. You - neither one of you just gives companies money. I've been on boards with both of you, right? Neither one of you is just - hey, I'm going to throw some money at a company. I'm going to run away, take a board seat, quiz them once a quarter and never be present. You're much more present than that. So can you talk, Dave - and then we'll go to Jay - about what else you bring a company? How do you resource it? What - who on your team is working with the company? How do you mentor them? How do you grow them after the investment?
Dave Dewalt: Yeah, I think it's really important. I tend to look at it in three phases with every company I work with. There's a phase where I do a lot of research on a segment. I'll try to interview almost every competitor, understand the market segment. Like, I just went to a six-month-plus, like, crypto kind of entire research project to really understand the vulnerabilities and problems of the crypto security market. And then there's a due diligence, then there's a term sheet. And so all phases you try to look for leverage that you can create for whatever asset that you're involved with. During due diligence, I do a lot of calls to try to help do due diligence but also set up go-to-market partnerships that could potentially help and aid in the company and also be part of the syndicate that could put capital into a company.
Dave Dewalt: And then after an announcement, you try to do everything you can to market, amplify, drive partnerships, create scale for the company, bring them talent, create playbooks for them. Everything you do as a CEO or when you ran a company, you try to apply to the companies you're investing into. And those are three plans I always say to every CEO. There should be three things you should have every time. One is an annual operating plan. Of course, they all have that. But another is a strategic plan. That's, like, a three-year plan. Big rocks - where do we want to be? If you can see it, you can be it, I like to say. So what's your three-year plan to win? And then each year's annual operating plan matches tasks of that strategic plan.
Dave Dewalt: And the third is an amazing communication plan. How are you going to communicate your vision, your strategy to your constituents that are around the world - employees, partners, shareholders, et cetera? And what cadence are you going to drive to create that? Because at the end of the day, one thing I learned running companies, half of your trading value is on performance of your PnL, and half of it is on the perception that you're winning the market. And if you can do both halves of that, perception and performance, you're going to get an incredible trading multiple to what you're actually doing. So you got to build all three plans, create that plan, execute that plan and drive it. And that's why we built a management company the way we do with NightDragon is to help those companies do those plans and those initiatives.
Ann Johnson: Jay, how do you lean in and help your companies post - you know, you've given them money. Now what?
Jay Leek: I mean, I think as Dave - I think it actually starts pre-, though, even. I mean, we're investing in a earlier stage of the cycle, and we're often creating new categories that don't exist. You know, I've been part of creating the EDR category, the SOAR category, half a dozen others, actually, just to name a couple. And so, you know, there's really no competitors that you know of, and if there are, they are two guys in a garage in Boston, Tel Aviv or Palo Alto that you got to go figure out. So we are looking for the people that are actually competing. But more importantly, we're looking at, you know, is this category - is this a need that you really have today? Because when you go ask a CISO about it, they don't know about the need. You know, so the technology - they know about the problem that they're having. And so we spend a lot of time, you know, researching that area and then trying to make sure that this is actually going to be something that people are going to buy because they haven't historically bought it. That's not always - sometimes they are already selling, but usually it's still a category that's very much in development or changing dramatically.
Jay Leek: And so in that process, while we're doing our diligence, we'll often introduce companies to, you know, quite a few CISOs that their customer intros at the same time - whether we invest or not, we're creating pipelines for them in our due diligence process, which actually feeds into, you know, conversations around valuation and demonstrating that we're actually - you know, we're not going to be the highest valuation; we're going to be a fair valuation. Then kind of going in, like, post-investment, it's all about, like, creating CISO buzz across our CISO network. And for us, like, you know, we tend to represent, in the vast majority of our seed, you know, A or early B investments that we're making, anywhere from 25 to 50% of net new AOR first 12 to 24 months after we invest through our relationships, either directly or indirectly, in a sense that, you know, they were going to lose that deal if we didn't intervene with XYZ CISO that we know and kind of can help get it over the line. So that's one way.
Jay Leek: The other thing, given the stage of companies in which we invest, we're always hiring for the first time or replace or upgrading one or more of the following roles - head of sales, head of marketing, head of finance. And that's just the stage at which we're at. And so we - the head of sales and head of marketing is actually a more obvious one, but the head of finance is equally as important, we've learned. And if you think about it, that's how the money flows, you know, in and out. And it's not that he's doing anything malicious, but, you know, you don't want to be surprised your gross margins are different than what you think they are 'cause you got, you know, an improper finance guy in there. You know, you - it's invaluable how much proper head of finance can help your next fundraising round. Or if, out of the blue, you get M&A inquiries from a sponsor, how they can help those conversations, et cetera, et cetera.
Jay Leek: And so making sure you have that right, even in the early days where you're few million or even less than that of AOR and even, you know, maybe with outsourced a CFO fraction - CFO function when you're just starting to turn on revenue. It's actually invaluable. It sets up the right controls early. It sets up a company culture early and it's - you're always prepared for those unexpected events whenever, all of a sudden, Dave did his research and is like, I want to talk to this company. And I'm not expecting it. I'm always prepared to have that conversation with Dave as opposed to making a mad scramble and not showing well in front of him.
Jay Leek: So, you know, we help companies kind of prepare for that. And then we also - you know, we're going in early, and there's always the next round of financing. And so we're really, really helpful in trying to think about making introductions of who's the most likely funds or firms that want to become a leader in next round of financing. You start building those relationships. So it happens much more naturally. And the same thing goes even on the strategic acquirers. So before we make an investment, we're thinking about, who are the most likely buyers of this company if it performs the way we hope it does over the next three to five years? And to the extent we can put partnerships in place and start having those strategic conversations around go-to-market - not really an acquisition at all - you know? - because the likelihood of that happening is probably very low, but eventually it might happen. And if we can start building those relationships for the future, even if it's years out, we'll start putting a lot of those balls in motion.
Ann Johnson: It's all really good because I think companies need so much help, especially the first-time founders or folks that come from a complete technical background. They're going to build a great, you know, piece of technology, but they have no idea how to bring it to market. They don't even understand product market, fit or pricing, et cetera. So the value that both of you add to the companies is a lot more than just what is in your wallet. And as you think about - Dave, I know you have a passion around crypto - but as you think about the future - here at Microsoft, we're working on a project called Cyber 2030. What is it that has you excited about the future? And, Dave, we could start with you and maybe your passion around crypto or the research at least you've done around crypto. But what is it? I think cyber is a great place to be optimistic, by the way. I'm always optimistic. So what has you optimistic about the future in the world of cyber?
Dave Dewalt: I always kind of - you know, the reason I'm even doing NightDragon, you know, here at this stage in my career is because I love it. I mean, I just love what I do. The combination of mission, money, fun and learning kind of hierarchy of needs kind of drives me. And, you know, I just love working with founders and companies and building value. And at this stage, it's as much fun and learning as it is money and mission. But the combination is what's gotten me positive. And watching the inertia of innovation around the world is incredible. This isn't just a kind of a two-country sort of innovation engine, kind of Israel and United States anymore. We're seeing innovation all over the world. That's exciting.
Dave Dewalt: But really what I'm looking for - and I see the 2030 kind of nomenclature used, and I love it. I call this concept future fusion. And the reason I call it future fusion is because I see the cyber market as we think about cloud and endpoint, mobile and IoT and, you know, things around the core of what you traditionally think of cyber is morphing quite a bit. And the Russian-Ukrainian conflict really brought that home. There's many, many domains that have to coordinate now in the sphere of conflict or in the sphere of where technology is going. I mentioned this at the beginning. NightDragon's focus has been on what we call cyber safety, security and privacy. We call it CSSP. But it really covers a multitude of domains - space, air, land, maritime, cyber, supply chain, crypto, industrial. All those areas are kind of coming together. Cyber and physical are coming together now. So you're starting to see, like, physical threats like active shooters or tornadoes or hurricanes really involve now - an element of cyber response is critical to the success of that response, not just a traditional network intrusion or some sort of endpoint intrusion. Same with space - we've watched that - or air or crypto markets or supply chain.
Dave Dewalt: So I believe the cyber market is just going to, like, literally double and triple again over the next couple years. Because when you look at sort of the size of the bigger market I'm referring to, it's about a 400 billion a year market heading towards a trillion. But that's the revenue side. If you actually look at the cost side, it's a five or six time bigger number - you know, five and $6 trillion a year in losses related to these segments. So what's exciting is to watch the growth of revenue, but over time, you're going to eventually see a balance between the two. And we've got to get there. And hopefully by 2030, it might be an avenue of that. But now the world's domains are colliding. And we're going to see the cyber market just grow and grow and grow. And eventually, cyber will be a ubiquity across every other domain because it has to because of technology. So that's what we're looking for is all those trends. How do we harden security and safety at every domain and bring a digital component of security to that? That's, I think, where the biggest market is going over the next 10 years or so.
Ann Johnson: I think that makes an awful lot of sense to look at it from that macro lens as opposed to - we're always solving the net problem, like Jay talked about, the first EDR - now we're on the 100th EDR, right? What is really the hardening of the entirety of the infrastructure and landscape? Jay, what are your thoughts about the future? What are you optimistic about?
Jay Leek: Look; I mean, I'm a security lifer also like Dave. I mean, so I love my CISO years, and I love not having the accountability and responsibility of protecting the firm but being able to work with lots of great CISOs and sort of give them access to innovation they might not otherwise have access to, connect some dots and, you know, help make the world a safer place, as cheesy as that may sound, that we really think we're influencing more companies today than we were. Patrick and I, my partner, who's a former CISO also, think we're influencing, you know, more companies today than we ever were as a CISO single company.
Jay Leek: You know, I, like Dave, reason I got into this, you know, full time versus, you know, doing my next CISO gig is because what got me out of bed my last couple of years at Blackstone - not that Blackstone was bad by any means - but, you know, being part of, you know, the investments that I was making while I was there, seeing, you know, founders create value, not just in terms of dollars but in all kinds of experiences, and solving new challenging problems and things heading up into the right direction as opposed to, you know, the cranky user complaining about their password or whatever else it may be or just responding to a breach 24 by 7 for five years I was there across different companies we owned - you know, it's just like, that's what got me out of bed. And I really enjoy that.
Jay Leek: So I look forward to being able to give great founders access to capital and advice and helping them grow great companies that I'm sure other people could also do but, you know, putting our own practitioner twist on it. You know, we look at everything very much from the eye of the CISO. Would we buy this capability and deploy it within our security program with your associating CISO today? If we were to do it, how impactful would it be to the organization if it didn't have it? You know, and being able to give that kind of strategic advice, drive strategy road map, go to market, all kinds of stuff, very much from the customer lens and bringing that experience into the boardroom, we think it's just different and look forward to continue doing that.
Jay Leek: As far as where security's going, like, I mean, I think this is happening right now. This isn't 2030. I really have a hard time seeing more than a couple of years out, security, because technology just moves so fast. I would get it wrong if I tried to guess. But, you know, while analysts might be preaching detect and respond, we think prevention is the way. You know, and I realize these things are cyclical, and they go back and forth. But by definition, if you can stop it, you can prevent it. You don't require more people. I think I mentioned this earlier.
Jay Leek: And I just think that's so important because technology is - the reason why we give up on prevention is because technology wasn't delivering on promises they said they can do. So you figure out ways in which technology can deliver. And I think there's a lot of hype cycles that have been overmarketed where capabilities like Microsoft Azure are allowing you to be able to catch up with it. So, you know, out of the 3,000-plus companies we've met over the past five years, security, every single one of them talked about their AIML or analytics. For starters, there's no AI in security. That's just a marketing term. Just talk about MLs, kind of the analytics, if you ask me. But I would argue that over the past five years, some single-digit percentage of the companies, if you were to take away the - whatever they were talking about from AIML or analytics from the company, some single-digit percentage of the companies actually, you know, would be disrupted if you took it away because it wasn't part of the secret sauce. It's more of a marketing thought.
Jay Leek: And I would - I'd say we're starting to see a trend where the marketing is starting to catch up with the - I'm sorry. The technology is starting to catch up with the marketing hype because the ability to burst in the cloud and kick off a bunch of jobs and do things cost effectively and spin it back down, the ability to have curated data sets that you didn't have previously so you can actually train models that you've trained in the past, but you didn't have enough data to really train it properly, et cetera, et cetera, and do different things - you know, what we're hoping for is when we raise SYN Ventures fund three in a couple of years, that we're going to be able to say 20% of the companies we met with actually, you know - their ML, AI and analytics made a difference.
Jay Leek: And so I'd argue we're at the tip of the spear of a lot of the things we've aspired to be able to do because we're just now getting the capabilities to really do it and do it at scale in a production environment. And it's probably going to take till 2030 to do a lot of those things, quite frankly. I just don't know how quickly we're going to move. We're just - the world's moving so fast. We're so much more dependent on technology today than we were five years ago, not to mention 20 years ago. And I got - I don't know if it's Moore's law or whatever, but, you know, that's just kicking it into hyperscale right now. And so it's going to be super interesting to see where we go over the next, you know, eight years, which seems like a long ways away, even though we're going to blink and be there.
Dave Dewalt: Jay, man, there's some days where I just wish I was a CEO again. You know, I won't be. But, I mean, think about the opportunities you just said, right? Right now, you have an opportunity to hyperscale your company in ways that I couldn't do. I mean, I grew McAfee in my time from, like, a billion to 2.6 billion in, you know, a seven-year period, and I thought I was doing really well - right? - you know, growing companies and scaling, you know, FireEye the same way. It was pretty good growth. But boy, with cloud, crowd and AI now, I always say those three things, you know, the cloud infrastructure, the hyperscalers, give us unbelievable scale opportunity, crowd empowerment. The CISO and security community is tighter than ever, working together as a crowd and then AI and machine learning of big data - you put those three things together, whatever sector of the market it is, it creates an amazing opportunity for scale. And - you know, why we love to go to market side of things. But, you know, now an opportunity to go from zero to a billion in revenue is way faster than it ever was before and more doable. So, you know, this is a fun time to be in the market. So, I wish I could reverse the aging clock a little and go back and do it again.
Ann Johnson: Well, you're in the same place I am, right? I mean, I've been in the market over 20 years, and right now is when I think we are absolutely at our best. And it's for all those reasons Jay said - without the cloud, without - yeah, and what you said Dave - without the crowd, without the ability to actually - I was talking to a customer just this week about the difference between a naive Bayesian risk engine of the early 2000s and the things we're working with today, and the power and the promise that that has. I mean, this is a great time. You know, boom - great to start my career right now, right? But we are where we are. Can't run back the clock.
Ann Johnson: We're going to wrap with one last question. So, both of you have been practitioners in your career. You know a lot about cybersecurity. And, of course, you've taken those learnings into what you're doing now, but we always like to leave the audience with a couple pieces of practical advice. If you were - Jay, if you were still a CISO today, what would be the one or two things you would make sure you were hyper focused on?
Jay Leek: You know, this is actually a little bit of a soapbox since I built my career doing this. So, I would just continue - so it's a little, I don't know, self-fulfilling I guess, but it's super important. I would encourage every single sitting CISO today to make sure that they have one to three true design partnerships going on. And a design partnership is, you know, with an early stage startup. And this is - a lot of people, I think, don't understand what a real design partner is. A real design partner is committing time, some level of money maybe even, you know, effort, insights into a company, working with them. And they are accepting whenever a company doesn't quite have it right, and they're not throwing in the towel and giving it up, but they're giving them constructive advice on how to get better, to help them move along faster. And ultimately, the benefit to them is that you get first access to solving a problem that's unique. You generally get best economics, you know, and you also get your roadmap. But I would just kind of prioritize - however, you better not ask for anything that doesn't appeal to the general masses. Otherwise, you're doing the company a disservice.
Jay Leek: But to me, this is like - this is how you stay on the bleeding edge, actually, of solving really difficult problems that haven't been solved yet, and partnering with early stage startups as a design partner, I don't think you - I think you struggle - unless you're, like, at Citibank level, I think most companies struggle to do more than one to three because there's a lot of work and there's also some risks that you're taking by doing it. And it's hard to find the skilled people that actually can do that kind of work within your organization. But I think you can get like expotential (ph) benefits from doing that, and it's a way to kind of help protect your organization and subsequently protecting your job.
Ann Johnson: I love that. Dave, a little different dimension. You've been a CEO a few times. So if you're sitting in the CEO chair, what are you working with with your security organization? What are you advising them to prioritize?
Dave Dewalt: Yeah, I mean, I've talked a lot about leadership and team, why - Jay talked about this, right? Great teams can do great things, even in tough times. And so if you're a CEO, you have to surround yourself with people better than yourself in every area. It's hard to be a CEO and be good at everything, right? So what you typically find in companies that are highly successful - they have great teams. And the leader of that team has hired great people around them. And then the second thing they've done is they've inspired them with passion and motivation. So if you have a great team that's highly motivated and inspired, I mean, you can do great things. So, you look for that intangible - that X factor side. Can the CEO hire? Can they hire better than themselves? Can they motivate, inspire? Because, boy, a handful of good men and women motivated, who are really good at their jobs - I mean, there's no end in sight to what success that they can have together.
Dave Dewalt: So, you know, I always try to start with the team, really make sure you've hired well as a team. What have you done to make them passionate, inspired with energy and motivation to the point where they'd run through a brick wall for you and for the whole team? And when those intangibles occur, I mean, just greatness happens - Ann, Jay, and know this. And, you know, I look for that every time. I mean, going down the specifics and tactics, I mean, it starts with a great team. And that is the hallmark of the greatest companies I've ever seen.
Jay Leek: Everything you said, Dave, applies to CISOs, right? I mean, it's just that's a great leadership. So, you know, CISOs, listen to that same advice because it couldn't have been said better.
Ann Johnson: No, it's fantastic. And I think it's leadership - you know, it's not just your technical leadership. You need to evolve yourself, if you haven't, into being a true leader. And, you know, when I pitched this show - and I do have to do that, by the way - to the production team, and I said I wanted to have both of you on, I was convinced this would be a really rich conversation, a lot of depth, a lot of breadth. And I am pleasantly surprised. It's even better than I thought it would be. So thank you both for joining. I know our audience is going to get a lot out of this. Really appreciate you making a time in your busy schedules.
Jay Leek: Thank you.
Dave Dewalt: Thank you, Ann.
Ann Johnson: So I invited Dave DeWalt and Jay Leek to join me on "Afternoon Cyber Tea" because I knew the conversation would be very rich from a conversation standpoint - the depth and breadth, their experience. But not only just a tactical standpoint, the view on business - how they think about investments, and then they were both operators. You know, Jay was a CISO and Dave was a CEO. And in those chairs, they learned a lot about the industry that's informed their investment and informed how you build great companies. It was an amazing show, and I'm really looking forward to the audience feedback.