There was a consensus at the Summit that cybersecurity is fundamentally an exercise in risk management. The sector remains relatively young, and the sorts of actuarial data, well-established best practices, and regulatory systems that have shaped risk management in other areas are still emerging.
Early stage investors help start-ups, the venture capitalists at the Summit believed, with close engagement and advice, particularly in matters affecting management and communication. If a start-up wonders what value these investors bring, they should think of expertise and guidance as much as they think of capital.
An interesting trend noted by DataTribe's Mike Janke: the big investment firms have consolidated their investments, which has pushed them out of the A round. That's left the early stages to the angels and the incubators.
"Market Outlook: Growth, Trends, & Investment Strategies.
A panel of cyber investment experts, chaired by Annie Massa (Bloomberg News) and comprised of Shaul Eyal (Oppenheimer), James O'SHea (RBC), and Eric McAlpine (Momentum Partners), described the trends they're seeing in the industry. (Video of the panel may be viewed here.)
In general, the cybersecurity sector is seeing more market capitalization, more high-level awareness, and the formation of sector-specific exchange traded funds. Eyal, who sees a trend of governments becoming involved with cyber in ways likely to. accelerate growth, noted that there are between fifty and sixty publicly traded companies in the sector. Three or four are large-cap stocks; there are many mid- and small-cap companies. McAlpine sees investors becoming much more discerning about cybersecurity companies.
For his part, O'Shea sees a growing and realistic perception of risk. Enterprises are now concerned with the risk to their business processes. "Now, not only are all IT jobs cyber jobs; all jobs are cyber jobs."
To Massa's question about the impact of high-profile incidents on the market, one panelist said (with grim satisfaction) "It was for us a Christmas present." They saw increases in value from three to ten percent in the aftermath of the WannaCry ransomware incident. Eyal noted the significance of 2013's Target hack, after which the board removed the CEO. "Boards are now involved," and this has contributed to a clear acceleration of spending on cybersecurity.
Much of that spending, however, still lacks the sort of guidance well-established best practices could provide. "Bearers of risk have no clear rules of thumb on how much they ought to spend on cybersecurity," O'Shea said. "It's difficult to price risk where there's little experience. A fear factor drives spending."
O'Shea also believes the market should look, and is increasingly looking, toward regulatory regimes to find best practices. Eyal concurred on the importance of regulatory compliance.
Regulatory compliance, however, is an imperfect surrogate for sound risk management. The panel noted that we have yet to think of digital assets as we think of physical capital assets. "It's the job of business to determine criticality," O'Shea noted, "and to plan how to reconstitute business" after a major attack.
"Opportunities & Obstacles for Financial Institutions"
Jeff John Roberts (Fortune) led a discussion of influential customers. What are those who buy from security vendors actually looking for? The panelists included Rich Baich (Wells Fargo), Jeffrey Brown (BNY Mellon), and Tim McKnight (Thomson Reuters). (Video of their discussion may be found here.)
What they're not looking for is having to deal with a multitude of new products, still less with an endless stream of pitches.
Baich advised understanding the customer, knowing their problems, and being able to discuss ways you can help them address those problems. Understand, too, that the customer might not need your solution, or be ready for it.
According to Brown, "We're rationalizing the technology stack we already have. We look for a solution to a business problem. We want to look at the business case, and we want to know what new problems a new tool will bring."
McKnight stressed the importance of communicating what you actually do. "Don't say, we do this; we'll do so much more."
The panel generally agreed that there was still a great deal of room for automating security processes, including doing so for large banks. They thought training was attractive.
"Show me the Money: Funding for Startups."
Chaired by Pure Funds' Andrew Chanin, a panel of venture capitalists heavily engaged with the cyber sector described how they look at investments. The panelists included Tom Kellerman (Strategic Cyber Ventures), Bob Ackerman (Allegis), and Alberto Yepez (Trident Capital). (Watch the panel here.)
Chanin began with an open-ended question about what drivers in the threat landscape are shaping investment. Kellerman, noting the familiar concept of a cyber kill-chain, observed that the biggest challenge is already inside your environment in your supply chain.
"Global companies rest on a digital substrate," Ackerman said. Because threats evolve, problems are addressed as opposed to being definitively solved. With an adaptive, dynamic threat, he sees the cyber market as inevitably driven by innovation.
Given that there are many venture capitalists, Chanin asked the panel what distinguished each of their approaches. For Kellerman, it was their avoidance of single solutions in the same solution space. "We never invest in the same solution space twice," he said. "Companies fail because they rely on a silver bullet."
For Ackerman's part, he said his firm sought engagement with the companies in whom they invest. They seek to bring tangible value to early stage start-ups.
Yepez thought an operational background was vital to cyber venture capital. He values bringing in former CEOs, CISIOs, and CSOs who can contribute operational experience and expertise. He's sought to build a broad advisory board to work with innovative companies.
Start-ups in this sector tend to be focused on their technology. Their considerable attention to detail and relative indifference to communication (Ackerman cracked, "In our business, Aspergers is a very good thing") suggest where they need the most help. VCs can help subject matter experts who are building companies with communication and management.
A great number of start-ups have emerged from the US Intelligence Community, and these tend to have difficulty moving into commercial markets. "The US IC has to deal with amazing challenges," Yepez said. "Their knowledge is second to none." But commercializing is tough—there's great innovation, but commercialization is almost always problematic for them.
Chanin took the discussion into international innovation ecosystems: "Everyone knows about the US and Israel. What surprising countries are innovating?" Spain, for one, Yepez said. He's had success with Spanish companies. Ackerman doesn't invest outside the US, but he sees a lot of quality coming out of Europe. In his opinion, however, the ecosystem to support a wide range of innovative start-ups isn't yet in place there.
But there can be opportunities overseas, and domestically in the US outside of California. Ackerman said that Silicon Valley is overcapitalized, and "so we're all looking for pockets of innovation." Overcapitalization increases risk. He's looking for deep reservoirs of engineering talent (and he held up Maryland as a prime example). "There's lots of product management in Silicon Valley," he said, "but deep sneaky engineering is often found elsewhere."
Kellerman observed that the best offensive talent is Russian. "That's the talent we need to disrupt. I may not want to do business with someone who doesn't get that best offensive talent is in Eastern bloc."
When you're considering investing in a start-up, what, Chanin wanted to know, do you look for during due diligence. Ackerman replied that he looks for "self-awareness and candor" in the CEO, and he wants to know about the security companies' own security protocols.
"When you become an investor," Yepez said, "you become an owner of its liabilities. So we assess their open source." They also run background checks on a company's founding team. They expose their companies to the kind of due diligence they'll receive during M&A.
So what's a nightmare story for a VC, Chanin asked. For Yepez, it was being sued by a competitor. "Build your IP portfolio with this in mind." Ackerman thought intellectual property important, but that it alone won't make a startup successful. "You don't have to be guilty to be sued. And the suit can always happen at the worst time." He advised establishing sound protocols around confidentiality, hiring, licensing, and so on. "The ability to pick up someone else's IP an run with it is in Ackerman's view an overstated risk.
The panel's final advice to start-ups was to be innovative, and don't offer a "me-too" service. As Kellerman put it, blocking and tackling are unlikely to be interesting. Get reference accounts, too: both Yepez and Ackerman stressed the importance of receiving validation of a company's potential and performance from people they trust.
The M&A Landscape.
Joanna Fields (Aplomb Strategies) chaired a panel on mergers and acquisitions, which she announced as a unicorn hunt. The panelists included Alex Doll (Ten Eleven Ventures), Peter Kuper (ClearSky Security), Chad Sweet (Chertoff Group). (The panel's discussion may be viewed here.)
Fields opened by asking what's hottest, from an M&A perspective? To Doll, although cyber can sound like a niche, in fact it's a big market. Security is a derivative theme of every major trend in tech. "It has a best supporting actor role," Doll said. So currently security analytics and AI are hot. Ability to capture many data enables us to see more than ever before. He also predicted that security for the energy grid and for industrial control systems would see considerable M&A activity in the near future.
This prompted Fields to ask what the panel saw as innovative about artificial intelligence (AI) and big data. Sweet, with the caveat that "all that glitters isn't gold," said that AI was exciting, especially as it's now being applied to products in practice. "AI will bifurcate the tech sector into haves and have-nots. We're seeing exciting use of IA in training."
Looking at the current year, Kuper thought that 2017 felt a great deal like the early 2000s. "The market may be top-heavy overall, but cyber has a strong floor of support." Consolidation will be healthy, in Sweet's view, and he sees dominant designs taking shape. "But the best mousetrap may not win." Sweet sees a great deal of spend motivation coming from regulation, compliance, and litigation.
Doll wondered if public companies weren't effectively biased against innovation. He thinks it possible that the sector as a whole could be evolving toward a pharma model. The challenge is balancing a strong channel with innovation. M&A activity happens when products reach a sufficient level of customer satisfaction.
Fields closed by asking what would be next unicorn. Sweet advised watching companies whose products are maturing and ready for implementation with real AI. AI, he said, will create high-end value.
"You've been funded...now what?"
Aplomb Strategies' Joanna Fields also chaired an afternoon panel on what companies should do once they receive their initial funding rounds. Panelists included David Blumberg (Blumberg Capital), Howard Morgan (First Round Capital), and Richard Seewald (Evolution Equity Partners). (Video of their discussion is available here.)
The sector is seeing both traditional venture capital and other, newer forms of funding entering the market. Corporate funding has become an important source of investment, according to Blumberg, and that funding is often non-dilutive. Seewald sees angel investors guiding companies toward maturity, and the consensus among the panel was that early stage investors contribute great value in the form of advice to the companies they back.