Cloud, Data and Zero-trust: Here’s Where VCs are Putting Their Cybersecurity Investments

The last year was a busy one for cybersecurity investors, with a record $7.8 billion flowing into the space in 2020, according to Crunchbase. With remote work, increasingly sophisticated hackers, and more mission-critical data getting stored in the cloud, plenty of deals will continue to be made in the years ahead.

Where those dollars will go was a central topic of discussion during a panel, I hosted at the BMO Cybersecurity summit, which took place on May 25. The panel discussion, which focused on venture capital-related opportunities in the cyber landscape, featured some of the leading experts in this sector, including:

• Greg Dracon, General Partner, 406 Ventures

• Deepak Jeevankumar, Managing Director, Dell Capital

• Will Lin, Managing Director and Co-Founder, ForgePoint Capital

• Prasad Parthasarathi, Director and Global Head of Cybersecurity, Cisco Investments

Betting on the Cloud

While each panelist approaches cybersecurity investing differently, many see similar opportunities across the market, including cloud security. Lin says that while millions of dollars have already been invested in cloud security operations, it’s still a fragmented space without a clear leader. “There isn’t clarity yet on what the winning solution is,” he explains. “As a result, I’m spending a lot of time thinking through how I can apply cloud security in different contexts and verticals.”

Lin is also seeing opportunities in the data security space, where many of the leading companies are now multiple decades old. “That means the sector is ripe for innovation,” he says, adding that he’s sees more early-stage data security companies. “It’s one of those spaces, like cloud, that is maturing, evolving, and crystallizing, but there’s still plenty of uncertainty. There is no best practice in terms of how you do data security in the cloud-native world.”

For Dracon, there is a big opportunity in cloud-based app security. Given that most cloud services are managed by third-party companies, such as Microsoft and Amazon, businesses will become increasingly more focused on securing the programs they’re creating. “As cloud services are adopted, there’s less and less to secure, so it forces your hand up to the application layer,” he explains. “So we’ll see more focus on app security and within the cloud.”

Making Life Easier for Developers

Developer tools are another area of growth for investors, says Jeevankumar. Given that every business is essentially a tech operation these days, companies across all sectors are hiring developers to create new tools and programs. Yet, many of these developers aren’t creating with security in mind. “How do you empower the new age of developers with easy-to-use security?” he asks. “We’re just at the beginning of the developer-influenced security phase.”

The move to help developers easily integrate security into work is part of a broader move to simplify IT, adds Dracon. It used to be that the buyers of security tools were “tech geeks like we are,” he says. Now that people across organizations are interested in security, marketing and sales, its influencing what people buy rather than just tech. For Dracon, that means investing in easier-to-use tools. “We’re seeing non-security people buying and using tools,” he says. “So these have to be super easy to use and deploy.”

At the same time, many companies are finding it increasingly difficult to hire good cybersecurity talent, which means more areas will need to be automated, says Jeevankumar. “We need to figure out where the acute talent problems in the cybersecurity industry are and what parts of it can be automated or enhanced using automated principles,” he notes.

Zero-trust Future

All four panelists are also focused on zero-trust, which looks at trust as a vulnerability in the security process. Typically, once a security tool trusts that a user is legitimate, that person can do what they want within a system. However, given that it’s now easier for hackers to gain that trust, more companies want to move to a verification model, where someone must verify who they are every time trust needs to be established.

This idea of zero-trust is a significant shift for the industry, says Parthasarathi. “Zero-trust is contrarian to all the principles that the IT landscape has operated on over the last two decades, which has been focused on integrations enabled through least privileges,” he explains. “Zero-trust flips the model on its head and requires us to view these integrations as fundamentally contaminated. Instead of least privileges, Zero-trust demands adaptive, contextual and granularly vetted access.”

For Lin, who invests in early-stage security companies, new categories bring new investment opportunities. “The whole point of venture capital is to create new categories, to create innovation,” he says. “And so what that means is time is a critical factor to these categories we’ve created. For example, if someone tried to create a zero-trust company (a few years ago), it would have had a really tough time as people just weren’t ready for it. So we spend a lot of time thinking about the timing of markets and what we can do to be helpful in terms of solidifying those markets as they (grow).”

Big Ideas

When it comes to finding investment opportunities, every panelist agreed that working with businesses that can truly solve security industry problems is key. “We’re (investing) in people, and we’re looking for people who not only know the problems in this space but are trying to figure out where problems will go down the road,” says Dracon. “We also look for very big disruptive companies that can become platforms.”

Before Jeevankumar invests, he must be convinced that a chief information security officer (CISO) will put that technology at the top of their stack. Ideally, companies would use a handful of technology tools in their business, but as time goes on, they’re using more and more, he says. That’s why he needs to be sure that CISOs will put the company he’s investing in at the top of their priority list. “Vendor consolidation is always a priority, but it never happens,” he says. “CISOs are willing to experiment with your companies, but how do you convince them that the product that you have is time-critical, not just mission-critical, to the whole security portion of an organization? So we look for people who can convince the CISOs that that’s the case.

Two critical investment decisions that Parthasarathi considers are ease of deployment and how long it takes to prove the company’s value. Given how quickly decision-makers change in a company, vendors can’t afford to have long sales cycles. “We like elastic deployments and easy-to-demonstrate proof of value,” he says, highlighting his recent acquisition of Duo, a zero-trust security solution. “That’s one security solution that any of us can sell within a week, without a sales background.”

In the future, Jeevankumar expects to see more private equity buyouts of lower multiple cybersecurity companies. Lin thinks there will be more activity in the security operations center space, as many of those companies are now large and generating a lot of cash. “I can see a future where some of those companies get acquired because they can be cash-flow positive pretty easily,” he says. “They also give companies a lot of scale.”

For Parthasarathi, extended detection and response (XDR) will see a lot more M&A activity in the future. “The focus being on security analytics, security forensics, remediation,” he says. “Other sectors broadly require super-hardened, deep security capabilities that platforms have cultivated over multiple decades. However, startups have an advantage in analytics and forensics with high velocity innovations across AI, ML and NLP. This space is ripe for sustained inorganic activity.”