Trends and advice for cybersecurity start-ups.
By The CyberWire Staff
May 18, 2018

Trends and advice for cybersecurity start-ups.

Panels throughout the day addressed various aspects of the start-up market. If one theme ran throughout the conference, it was the centrality of a start-up's team to its evaluation by prospective investors.

The importance of teams (and of physical proximity).

A panel on funding for startups included Bob Ackerman (AllegisCyber), Ron Gula (Gula Tech Adventures), Bruce Tarragin (Blumberg Capital) and Dov Yoran (Cisco Security) with In-Q-Tel's Katie Gray moderating. Gray noted the difficulty of rising above the noise in a crowded space, and the challenge of quickly convincing CISOs to add another security product to their equally crowded enterprise. She asked the investors to explain how investment varied by stage, and to describe what they were looking for when a team pitched them. What, in short, makes a company rise above the others in the space?

Location, physical location, is important, in Ackerman's view. "Virtualization is total B.S.," because proximity matters terribly to a young company. And, while niches may have their value, venture capital looks for the broadly horizontal.

Also, be doing something broadly horizontal. Niches have their value, but the VCs look for the broadly horizontal.

Gula substantially agreed with Ackerman. He likes to see both team and technology. "It's all about expectations," he said, and said that they always looked to bring other investors to the table.

Not everyone agreed about the importance of physical proximity. Taragin valued his own fund's geographical flexibility. Yoran also took exception to the emphasis on geographical proximity, but he did think it important to have people located in centers of mass.

Ackerman argued that you need to look to where talent is concentrated: Israel, Maryland, recently Atlanta and Texas, a bit in Pittsburgh, and of course Silicon Valley. Expertise is geographically concentrated.

It was noteworthy that the VCs who operated in California and Maryland emphasized the importance of location. Those whose operations were based in either New York or Israel downplayed it. Taragin did concede one geographical preference, but it involved finance and not technology. "What good companies have in common is that they're all passing through New York and Silicon Valley. It seems clear that New York is the East Coast hub for VCs, and Silicon Valley for the West Coast."

Finding innovative technology.

Ackerman said that AllegisCyber looked at the team's pedigree of the team and their domain expertise. A connection to government work, and especially to government labs, is in his view a plus, since government laboratories tend to be ahead of industry. Silicon Valley is into incremental innovation. If you get closer to the labs, you find the bigger innovations (like homomorphic encryption). These emerge from big government or industry labs. "We understand that we may need to provide the company-building experience. You can't learn fast enough to be successful in this space, and therefore pedigree is everything." 

Taragin's fund has built out a network of C-level execs in a council whom they consult regularly. Part of their due diligence is putting prospects in front of their CEO/CISO network. Yoran warned that too much government focus or an excessive academic inclination were problematic. Start-ups infected with these "can lack fire to get things done in the short term."Gula: Companies in Maryland have great expertise, but don't understand go-to-market, or how to pitch.

Acquisition as exit.

A panel on the merger-and-acquisition landscape led discussion of acquisition as a form of exit for start-ups. It was moderated by Bloomberg's Annie Massa, with Alex Doll (Ten Eleven Ventures), Eric McAlpine (Momentum Cyber), Ken Schneider (Symantec Ventures), and Muddu Sudhakar (entrepreneur and executive).

To Massa's opening question about what makes a company a desirable takeover target, Schneider said that in earlier stage acquisitions Symantec Ventures looked for the possibility of plugging the acquisition into their platforms in ways that would rapidly drive revenue. "Our investment thesis at Symantec is to drive innovation around the ecosystem."

Doll thought that people often miss the incremental business plan. They overlook the ability to reposition the combined entity. Security is a struggle to deliver, and it can be difficult post-acquisition to innovate.

Sudhakar stressed the importance of being a market leader, the number one player in the space. McAlpine, who thought that M&A was fundamentally all about people (an echo of the earlier VC panel), advised looking to acquire in ways that could extend one's business into proven and provable opportunities.

Deal-breakers for an acquisition.

Massa asked her panel about red flags. Sudhakar said that in this age of software and the cloud, hardware and appliance companies won't be acquired. And, if you're a security firm, don't let yourself get hacked.

McAlpine was wary of founders who wanted to control everything, to "keep people out of the tent." He wonders, when he sees that, what the founder is hiding. Doll compared acquisition to the hiring process. The acquirer will own a combined profit-and-loss, and acquired companies often fail to appreciate this. Scheider thought that structural problems within a company can be a show-stopper.

Trends in mergers and acquisitions.

McAlpine offered a shout-out to going public: "We need more equity in the space, so root for the companies doing the IPOs, like Carbon Black and Avast."

Doll observed that, while the balance historically has been in favor of the big acquirers, private equity has become very important, and IPOs have grown more possible. Leverage has to a degree shifted back to the sellers.

What companies are desirable takeover targets? McAlpine thought that securing the public cloud was an attractive challenge. Schneider stressed the importance of pre-existing relationships. "We almost always do a deal with companies we've got some relationship with."

"The timing of when you sell is important," Doll said. "When you have an innovation edge, that can be the time to sell." Taking a company public, however, is much more attractive than seeking to be acquired. Companies that are growing may take the IPO route.

McAlpine observed that 60% of cyber acquisitions are below $100M. Cyber is a nuanced, growing market. You need access to buyers, and out-of-sector buyers are important to the cyber M&A market. Schneider said that big deals are now in the tens of millions of dollars.

Doll emphasized that research and development weren't delivering for the big companies. "If it were, we wouldn't see three-thousand small companies. They're filling a void in the market."

And observations on technology, performance, and risk.

A panel on equity performance analysis led by Modern Wall Street's Olivia Voznenko, with panelists Howard Smith (FirstAnalysis), Ken Talanian (Evercore ISI), and Gur Talpaz (Stifel) took up a range of topics of interest to investors and entrepreneurs. To a question about whether security buys tended to follow major incidents, the panel thought that, on the contrary, the market had become less reactive.

They've seen a shift away from prevention to risk management. The insurance market in the space remains immature, with immature actuarial models. And one of the biggest risks of all, according to Smith, is reputational risk, which is essentially uninsurable.

A large number of vendors are chasing a finite amount of money. The market is growing, but so is the competition. The sector now looks as if it's ready for consolidation. Investors are more interested in a company's ability to develop a sustainable path to the customer than they are, for example, in research and development.

Attractive technologies.

People want a centrally managed presence in the cloud, which would be functionally holistic. Traditional on-premise vendors are doing well, the panel thinks, in the public cloud environment, with Palo Alto Networks cited by several speakers as offering a good example of how to move into public cloud security. The push to the cloud has also driven a need for greater capacity firewalls. Any solution that removes the humans from the loop, that automates security, is drawing a great deal of attention.

Several panelists expressed an interest in seeing evolution of more offensive tools, and of more deception. The Internet-of-things clearly needs new approaches, and several of the speakers expect to see more machine-vs.-machine operations, and defensive tools need to get better at this.