Afternoon Cyber Tea with Ann Johnson 12.13.22
Ep 65 | 12.13.22

Shaping the Future of Cyber


Ann Johnson: Welcome to "Afternoon Cyber Tea," where we speak with some of the biggest security influencers about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision makers. I'm Ann Johnson. On today's episode of "Afternoon Cyber Tea," I am planning to chat with Dr. Chenxi Wang about venture capital and diversity and inclusion in cyber. Dr. Wang is founder and general partner of Rain Capital, a seed-stage venture fund focused on cyber. She is a well-known cybersecurity operator, technologist and thought leader. As an outspoken advocate for women in tech, Dr. Wang was named Woman Investor of 2021 and 2019 by the CyberRisk Alliance and Women Tech Founders. She is a trusted adviser to security organizations worldwide, regularly contributes to Forbes and Dark Reading and holds a Ph.D. in computer science. Welcome to "Afternoon Cyber Tea," Dr. Wang. I am thrilled to have you on today.

Chenxi Wang: Thank you, Ann. Thank you for having me. 

Ann Johnson: So to get started, I would love if you could tell us more about your journey. Tell us when you first got interested in cyber and what actually led you to founding Rain Capital. And why do you find cyber so exciting today? 

Chenxi Wang: How much time do you have? (Laughter). Well, I came into cyber purely by accident. In grad school, you know, we all had to pick a field. And I was always interested in math. And I looked around in different computer science disciplines, and I decided applied crypto was an interesting one because it allowed me to flex my math muscles, if you will. So I started doing research projects in applied crypto. And then I got to know the other fields of computer security, and I got more and more into it. And then I wrote my Ph.D. thesis, essentially, on code obfuscation in AppSec, application security. And that's my foray into the field of cyber in general. Now, I went from, you know, Ph.D. research to Carnegie Mellon University as a faculty in computer security. And at that time, we were doing a lot of not only research but also academic curriculum in terms of sort of fostering the next generation of cybersecurity talent. I spent six years there. Then I came to industry doing industry research. And then eventually, I moved into operator and executive roles. 

Chenxi Wang: The technologies that we developed in academia - a lot of them did come to industry. But also, industry has such interesting set of requirements that academia may or may not be exposed to, which - that's why I was happy that I actually made the switch into looking at real problems and real challenges within enterprise environments and the greater internet. So founding Rain Capital was one of the interesting tenets of my career where I looked at, you know, what I have done. I've done research. I've done operator roles. I've done practitioner roles. And the investor role was one that I did not do at that time. And I said, well, one thing I really enjoy was working with founders and early-stage entrepreneurs, helping them scaling up their business. So obviously, one role that could allow me doing this with multiple founders is investor. So I looked into raising a fund, and here we are. So it's a shortened version of a 20-year career, I guess. 

Ann Johnson: It's always hard to abbreviate. And when I start the podcast and ask that question, I get the typical response, like, well, how long do we want to talk about that? As long as you want, but you've done a lot, and you're incredibly accomplished. And you have this really deep technical background, and you've managed to marry that with this finance background in starting - right? - your own venture capital firm, which is just amazing. So congratulations on that. 

Chenxi Wang: Thank you. 

Ann Johnson: So I don't think we could go much further without talking about the current conditions. You know, as we're recording this in December of 2022, there's been a lot of change with the state of cyber venture capital just in the past 6 to 9 months. So can you talk about the last few years and how there's been this huge wave of capital invested in cyber? Why has cyber been so attractive? And then what are you seeing right now? 

Chenxi Wang: So cyber has always been an interesting industry, where it may not be as sexy as consumer tech 10 years ago, but it's always been the undercurrent of technology that everybody needed. And as you and I both see in the industry in the last five, six years, we've seen more and more regulations and compliance requirements that companies are now - do spending more money and require more talent to run their cybersecurity operations. And also, the threats have changed tremendously. And we've seen more innovations in cyber in the last 10 years than maybe all the years combined beforehand. And those factors led to what we call a hot, rising market in the last two years or so, 2020 and 2021. And I would say the pandemic accelerated the growth because moving from a campus-centric company culture to remote working, one of the first factors you have to put in is networking. And it's secure networking, right? Secure remote communication, secure remote access and all of that came back to security. So we saw tremendous growth in the requirement, in the investment in security technology through 2020 and 2021, which led to a huge infusion of capital. And I would say that's probably a little overheated the market, and we saw those unrealistic valuations in 2020 and 2021, which - I think we are going through a period of correction right now. And I personally think the correction is needed. We just can't possibly grow the market at the same rate that it was in 2021. And so I think this period of cooling off is welcome. But the interesting thing for us as - for this conversation I'm putting on my investor hat - is what we are going to do looking at existing investments. And some of them have grown tremendously but is under the financial model of the last two years. How are we going to help these companies survive through the reality of today, the macroeconomics as it is. And how do they build a sustainable, survivable business throughout this whole thing and go into 2024, 2025? - is everyday conversation that I'm having. 

Ann Johnson: Yeah. So is there money that's still flowing right now? I know it's cooling off, but is there capital that's still flowing into cyber? And do you think there will be a lot of deals in the next six to nine to 12 months? And if there are, what type of deals are those? Is it M&A? Is it PE buyouts? What do you think is going to happen? 

Chenxi Wang: So deals are still getting done - right? - at a lesser rate. And I would say the questionable teams or the questionable companies, meaning that, you know, the metrics are not as strong, either are not getting the deals done or are taking longer to close financing rounds. But the good ones, the ones that you look at and say, that's a clear winner or will be a clear winner, we still see multiple term sheets, and valuations are still pretty healthy from their standpoint, even though it's not as crazy. So those financing deals are still getting done. But I think, looking at cyber startup scene as a whole, we'll see a lot of M&A deals, lot of consolidation. Some of the companies raising money are not able to raise further rounds, will be going through a period of a consolidation, either getting gobbled up by large companies or merged with others. And some of them will probably go - you know, the long-tail ones probably will go through the asset sales route. So we'll see a lot of consolidation, M&A, and PE rollup is also - I would think we'd see more. And probably a little bit less on the front end of the funnel, meaning that we saw, like, gosh, so many companies in 2021, and I think we'll see less in terms of front of the funnel. The quality that come in is better, and the ones that getting through the funnel all the way to funding is - the criteria are tighter, and the filters are tighter. So you end up getting higher-quality deals done, I think. 

Ann Johnson: I do think - and I've heard consistently that people are believing that the quality of the deals will improve, even though there isn't as much deal flow, there's still capital available. 

Chenxi Wang: Correct. Yeah. 

Ann Johnson: So yeah - which takes me to the question, you know, about advice you would have for founders. If you're the founder or CEO of an early-stage company today, how would you approach raising money? And also, what would you be doing right now to make sure your company thrives and even survives over the next 12 to 18 months? 

Chenxi Wang: Let's take this question apart from - one is if you're raising your first set of capital as founders, what you should do. And the other one is for maybe existing founders who already raised capital but is taking the company - wanting to take the company to the next phase of growth and obviously may need additional capital, as well, as, how do they sort of structure the business model? For the first part of this question is if you are founders that are raising your first set of capital, I would say the criteria of getting over the hump, acquiring your first set of capital has significantly become more stricter, meaning that you really have to bring your A-game. I was just telling this to a founder that I met at re:Invent just a few days ago, that it's no longer, like, two person with an idea with a slide deck and somewhat interesting can raise capital. What you need to do is really do your homework and talking to potential buyers and customers of your solution. Really understand what the market is asking for this type of capability, what the customer journey will be like. What are your relative positions against related products and functions out there? And ideally, not only come with ideas and possibly a prototype product but come with four or five potential design partners or folks who have good things to say about your approach and may even put their names behind the approach and say, hey, if they build this, I will be a customer, you know, if it meets these criteria. And those become essential for you to raise capital. 

Chenxi Wang: So it's not just the uniqueness of the idea, the strength of the team, but also showing signs and momentums and market acceptance of your idea is critical. And VCs are no longer willing to give you money to experiment so that you can attain that product market fit. They want you to get to that product market fit much quickly before a raise of capital. So that's for the first part of that question. Second part, if you already have a company and you're looking at scaling up and building survivable, sustainable business through this economic downturn, obviously we don't know how long this macroeconomics conditions will last, but being conservative is probably the right approach. What that means is really looking very closely at your burn and your runway. 

Chenxi Wang: So in the past, potentially 18-month runway is healthy enough. Now you want to get to 24 if you cannot have more, right? Twenty-four-month runway will give you - hopefully give you enough time to execute into the next milestone, but also on top of that, may have a settled venture debt secured in case you need it. And a lot of other companies actually raising maybe insider round, a bridge round to get them even more cushion. And one thing I would say is managing the burns are really important. This is not to say you should lay off, you know, half your team as we know some of the companies are doing, but as a founder, getting very close to the productivity numbers of different functions and different roles. You must understand how much your marketing is enabling the business, how much your sales enabling the business, how much engineering is enabling the business, and being able to actually put that on a piece of paper to say, hey, we are investing in these functions in the right way, in the productive way, so that the return on investment is indeed there. If it's not there, then you really have to look at how to manage the cost. 

Chenxi Wang: And so managing the burns, managing the productivity to get you the right length of runway and potentially adding additional cushions by insider rounds or venture debt to get you that 24-month plus runway is critical. Now, this is in addition to everything else you have to do, which is building a killer product and being really good at working with customers and building a brand and all that normal startup stuff. 

Ann Johnson: So thinking about that for just a minute - right? - you need to do all of that stuff, and you need to do it all really well. And that's fabulous advice. And the 24-month runway I think is really important. But how do you effectively communicate that to your investors and to your board? A lot of startup CEOs I know struggle with the communication to their board and making sure their board understands that the investments they're making are the right ones. What advice would you give on actually communicating to the board or to your investors? 

Chenxi Wang: Yes. So I think that's a fabulous question. And that is a question that many founders struggle and especially the first time ones. So I would say communicating more rather than less in the time of change is critical, right? You don't want to wait for your investors to come back and ask you questions. Oh, what are you doing here? What are you doing there? If they start asking all the questions, that means you're not communicating enough. What you want to do is anticipate what questions they will have and feed them information proactively so that they feel that you are on top of the game, right? 

Chenxi Wang: And I have - in my portfolio, I certainly have founders of the whole spectrum of being really good at communicating - others a little bit less so. So I'm trying to coach those that are - may not be used to this proactive and more than regular communications really is bring them to the forefront of the decisions you're making and making sure they understand, you're being proactive, you're being responsive to the market conditions, you're managing cost, you're managing the growth in a responsible way. So that means don't wait until the next board meeting to put together attack and send them the night before. That is not the right way to do it. The right way to do it is send them regular communications, if not weekly, monthly - smaller, more consumable communications about we're doing this, we're doing that. We found this method being effective. We are working on these kind of initiatives with customers. These will return - will generate this type of returns. Just bring them into the fold a little bit more. That will pay dividends much - they'll pay a lot of dividends, to be honest. 

Ann Johnson: I think the overcommunicating time has changed and bringing the board along with your changes is really, really fantastic advice. One last thing before we talk about diversity, which is you have been on this cutting edge of cyber innovation your entire career. What today do you have passion about? What trends, technologies or categories do you think are worth watching in cyber? 

Chenxi Wang: That's such a timely question, especially since I just went to re:Invent. So having been on the show floor, looking at all these companies that are doing innovations in the cloud, for cloud computing, with cloud computing, one thing that really jumped out at me is there's so many things that are looking at accelerating the tasks that developers have to do, right? So you and I both know that several years ago, Andreessen wrote this blog about software is eating the world. And really, the trickling down effect from that is, yes, software is eating the world. So now we are all building tools and utilities for the teams that are producing software so that they can eat the world in a faster and more productive pace. So that's the overall impression that I walked away from re:Invent. And what does that mean for cybersecurity? It means that you can no longer build a security product in silo with development because there are so many things that are intimately entangled between dev and security. 

Chenxi Wang: So you always have to think about security as part of the dev life cycle, the dev environment. How do I - making devs life easier so that they will produce more secure code? How do I make security findings easier so that it can go into the regular flaw remediation life cycle that the developers have, right? And in fact, there is a ton of perspectives on the floor that are really thinking about the ilities (ph) of the system, the ilities meaning reliability, security, dependability or other - or quality - making the ilities of the system so they're very much hand in hand with the development part of the core function. Now, that doesn't mean all the developers have to handle security and reliability, everything. But making those tasks so seamless, so easy to handle either by developers or web developers, is a visible trend of the industry. And I think anybody who is not having this trend in mind or not believing this trend is going to be left behind, security included. 

Chenxi Wang: So you and I, being security professionals, we all have to look at this trend and say, hey, the newer products are all going to be like this, all going to be part of this current. If they're not, if they're outliers, that is not going to be productive for the product itself, not going to be productive for the user of the product and eventually is going to fade away. So that's my big takeaway of, you know, what's going to happen. 

Ann Johnson: I think that's fascinating. I also think it's a paradigm change, particularly for the security industry, where we're so focused on building point solutions that solve point problems. And the industry has to mature beyond that. 

Chenxi Wang: Yeah, it has to. I think you kind of have to say - you know, a lot of security products or innovations in the past have been about threats, right? So how do we handle this one threat really well, which are needed. But think about folks who are building the system, folks who are managing operations. They are there to ensure code is deployed, system keeps function. They don't really care about this one threat du jour. What they care is whatever you need to do, security, you cannot interrupt my operations, and you cannot make so that my code doesn't run, doesn't deploy. So you have to take these assumptions I've given - cannot interrupt operations, code has to be deployed, customer has to be served. Under these assumptions, how do I operate to deal with threats? And that's the mindset shift that we need to have. 

Ann Johnson: Yeah, and I think that's fair. Well, let's pivot a bit, because you've been this huge champion advocate of improving diversity and inclusion in cyber. Why do you think this is such an important industry imperative, and what advice would you give cyber leaders? What should they be doing right now, today? 

Chenxi Wang: We've seen numbers in the cyber industry, right? I think a few years ago was 11% women and now we are at 20%, which is a huge improvement. We're a long ways away from parity. And we're not even talking about parity. I'm talking about places where I can go and have a conversation and don't even think about it's weird to be a room of all guys, all white guys, that I don't see any diversity. And that's - we're far from that. 

Chenxi Wang: Why is it important? I think a lot of the security products are securing users' data, securing applications used by average users, you and I as consumers. Consumers don't look like - they're not all engineers who are male or white or homogeneous. They're very different. The way they interact with your product's different. The way they use your application's different. Wouldn't it be interesting for the producers of security technology to really understand the mindset of these customers, consumers, so that our technology can answer or can cater to their needs more closely, more intimately? I think that's an extremely important thing to keep in mind. 

Chenxi Wang: And another thing is we keep getting new researchers or threat researchers into the industry, which is great. But if you look at bug bounty researchers and some of them are - I call them the funnel of security talents coming into the industry - a very, very low percentage are women. And what I like to do is really demystify the whole sort of security technology, that I don't like this image of a guy sitting in the basement and wearing a hoodie and hacking a remote server. What I like to have is the impact of our technology. We are helping a retiree in her 70s being able to secure her nest egg so she can go on vacations with her grandchildren. We're helping the poor countries, third-world countries having clean water projects because the investments into those are secured by fraud detections, by threat detection products. And those impact of the technology, we don't talk about as much. We talk a lot about who's building what and how they build it. 

Chenxi Wang: But if we take a step back, I personally are inspired by the missions that we secure, by the applications and everyday lives that we enable. And I think if we focus on that, we see more diversity and more sort of different lines or passions coming into the industry. And I think that will be for the better of everyone. 

Ann Johnson: I agree. As you know, I've been a big advocate of bringing more diverse talent to the industry. And one of the reasons is we have, you know, this talent shortage that we're not going to solve if all of our talent keeps getting sourced from the same places with the same backgrounds. 

Chenxi Wang: Absolutely. 

Ann Johnson: So you founded the Forte Group as a way to build community and help support women in cyber. I just recently joined. I'm excited to get more involved. But can you tell the audience a little about the mission and goals of Forte Group, and how they can get involved? 

Chenxi Wang: Yes. The Forte Group is a community of senior women leaders in cyber and high tech. The mission of the group is enabling a network of senior leaders in our own world, in our own roles, being able to do our jobs better, as well as being able to initiate diversity and inclusion projects with the support of this network and community. So what we're doing is bringing in external experts to help us work through certain initiatives. We'll have special interest groups looking at cyber insurance, looking at emerging threats, emerging tech. And we also have - this is also a personal support network. So any of us can tap into the network if we have a challenge we need to solve or a question we need to answer. So I'm very excited that you're part of the group, Ann, and I know you brought a lot of experience of not only technology and leadership, but also, you know, DNI. So we're very excited to collaborate with you more on those ongoing initiatives. 

Ann Johnson: Thank you so much. Look, you always have so much going on, right? You have a lot of irons in the fire all the time. Can you share a few of the things that you're working on right now that are super interesting for the audience? 

Chenxi Wang: Sure. Obviously, I'm still doing a lot of investments, but I'm spending time on Forte. I'm also a board member. I'm sitting on the board of Fortune 500 public energy company. So we're doing a lot of renewable energy research, and I'm very much inspired and - inspired by that and then learning quite a bit about, what are the interesting renewable - forms of renewable energy for the next foreseeable future for our younger generation, as well as learning about EV battery technology and nuclear fusion. That's all very different from cyber but yet impacts everyday life just as cyber. So I'm very excited about that. And I'm also - I also want to write more. I think I'm getting into more of the tech impact writings. I want to write about AI technology, its impact and how we can leverage those in a positive way to really accelerate our tasks as a society but eliminate some of the questionable - so the consequences of the new tech. 

Ann Johnson: That's fascinating. And I was reading an article today, actually, that published on LinkedIn, talking about why Silicon Valley is suddenly so hot on nuclear. So there's definitely alternatives that we all need to be looking at as we shape the future... 

Chenxi Wang: Yes. 

Ann Johnson: ...And future-proofing against - right? - assets that aren't going to be available to us long-term. 

Chenxi Wang: Yes, absolutely. Do you know that 75% of EV batteries are produced outside of the U.S.? And actually, that number may even be higher. So what's the future for U.S. in this - right? - if we're all going to move to EV? Is that a disadvantage for us? And how are we as tech leaders really looking at this trend and say, hey, where should we be investing - and not just in these IT technologies, but in the energy, in climate? All those are fascinating questions. 

Ann Johnson: Yeah. I think those are fascinating questions. And just like the recent trends to move chip manufacturing back onshore to the U.S., I think we're going to see - start to see trends, too - because from a supply chain standpoint, as you know - and we're going off topic a little, but that's OK - the supply chain has been so vulnerable - right? - over... 

Chenxi Wang: Yeah. Absolutely. 

Ann Johnson: ...The past 2 1/2, three years, we realized how vulnerable it was during the COVID period. And I think that those types of things, to protect both the supply chain, domestic security and national security are going to be increasingly important to think about what we need to manufacture in the U.S., so it's here and present for us. 

Chenxi Wang: Absolutely. 

Ann Johnson: Well, thank you so much for sharing your insights. We also like to send our listeners off with one or two key takeaways and inspiration for the future. So what do you think is most important for our audience to know about the industry today, and what should we all be optimistic about in the future of cyber? 

Chenxi Wang: So let me take the optimistic view first. I think we are just scratching the surface of automation, of data insight, women in cyber. And I've seen so many innovations also in the data and the AI community we're not even yet leveraging. So what does that mean? That means we have so much room for improvement. And I would encourage anyone who's in emerging tech to really, actually take an adjacent functional community to really learn more about what they are doing. Data is one. AI is another one. Maybe infrastructure is another one - is take that learning back to cyber. I think it will broaden up your horizon and really, you know, making you a better cyber engineer, cyber talent but also can foster new innovation. So a big takeaway, I would say, is the cyber that we know today, the cyber market we know today is not going to be the cyber market 20 years from now. The infrastructure piece will eat part of the cyber. The data piece will eat part of cyber. But eating isn't taking things away, but it's actually - one plus one is greater, too, in that fashion. So it begs the question, what are we going to do as cyber talent, cyber leaders? What we need to do is looking at not just a cyber-specific innovation but really cyber within the context of business applications, within the context of enabling automation and innovation all across what the role of cyber is. And I challenge myself in thinking about this almost every day because we're looking at, you know, new companies. And I always say, does this company fit into this trend? Or is this company just making delta improvement on the old model, right? So if we can look at everything we do, new initiatives we're starting with that mindset, I think we'll be a lot more productive, and we'll move faster as the industry. 

Ann Johnson: Well, fantastic. Well, thank you so much for taking the time to join me today. I really appreciate it. I know how busy you are. 

Chenxi Wang: Thank you, Ann. Thank you for having me. I really enjoyed the conversation. 

Ann Johnson: And many thanks to our audience for listening. We will be taking a really short break for the remainder of December. But join us in early January for more "Afternoon Cyber Tea." 

Ann Johnson: I invited Dr. Chenxi Wang to join me at "Afternoon Cyber Tea" because she is such a deep subject matter expert in all things cyber. She also is the founder of her own venture capital company, and she's diversifying that portfolio even outside of cyber. She really has a pulse on the industry as a whole from a - both a technical standpoint - she has a Ph.D. and is just brilliant. But also, she's managed to straddle that into a really great point of view from a financial standpoint and inside and outside of cyber and, of course, to talk about diversity and inclusion. It's a fabulous episode, and I know you will enjoy it.