Security Confessions of a Venture Capitalist

In this must-listen episode of the Security on Cloud Podcast, we sat down with veteran cybersecurity venture capitalist, Sean Cunningham, Managing Director at ForgePoint Capital. With over 25+ years of cybersecurity venture capital (VC) investment experience — as well as 25 startups and 18 successful exits — Sean shares how he started his VC career as well as his thoughts on what’s “hot” in the cloud security and enterprise security spaces today. Follow along as we discuss:  

• How the Covid-19 pandemic has impacted trends in the cloud security market. 
• What’s hot in the enterprise security space or a cloud security space. [08:07] 
• The company attributes that VCs might be looking at if they’re interested in investing. [17:55]
• Ways that ForgePoint Capital is more than just the venture arm for startups — and how they actually help build them. [23:17] 
• Sean’s personal confessions of the “do’s and don’ts” for companies seeking VC funding. [26:17]

 

More Ways to Listen: Apple Podcasts | Spotify | Pandora | Google Podcasts | Deezer

 

---

Episode Transcript 

 

John Vecchi: Welcome everybody. You’re listening to the Security on Cloud podcast, live on Anitian radio. I’m your host, John Vecchi. 

Scott Emo: And I’m Scott Emo. The security and cloud markets are jam-packed with companies, from large mega brands to small security startups. On a previous episode we had with guest Richard Stiennon, we’re topping over 3,000 known security companies. And as far as we know, that doesn’t even include those still in stealth mode. 

John Vecchi: That’s right. This enterprise security space is really unlike anything else relative to the sheer numbers of companies all competing for market share and mind share in this space. With over 3,000 companies in many different dynamic security sectors, it’s incredibly fascinating to look at what trends are shaping the landscape, especially after a year like 2020. With that, we thought it would be fun to explore and discuss what’s making this space and sector so interesting for venture capitalists, especially those who focus on high-tech cybersecurity startups. There’s no better way to do that than by welcoming our guest for today’s episode. 

He joins us today as the Managing Director of ForgePoint Capital, the premier venture capital investor for early and growth-stage cybersecurity companies. He’s renowned as a top-tier cybersecurity investor for over 25 years. He’s invested in 25 cybersecurity startups during his career, leading 18 of them to exit. He is well-respected by entrepreneurs, co-investors, board members, and go-to-market partners and was cited as one of the top cybersecurity investors by market analyst firm, CB Insights. Where, by the way, he’s listed as their board of directors of who’s who in cybersecurity. Prior to ForgePoint, he was focused on cybersecurity investments with Intel Capital. He holds an MBA from Gonzaga University and is, of course, a huge Zag basketball fan. It’s my pleasure to welcome my good friend, Sean Cunningham to the Security on Cloud Podcast. Welcome, Sean! 

Sean Cunningham: Thanks, John and Scott. I appreciate the opportunity. I’m just wondering if you’ve got some spare time, could you use that intro to my family? 

John Vecchi: I can certainly do that. I’ll just record this separately and send you a copy. Just so that they remember what you do every day of your life, right? 

Sean Cunningham: Yeah, we all have that. The parents are the dorks. 

Scott Emo: So, Sean, how did you actually become a venture capitalist, focused on security?  

Sean Cunningham: I actually took a little different route than the classic VC. First and foremost, most venture capitalists are from a technical background with minimum education. My background is more sales and marketing. Worked for 15 odd years in corporations doing sales and marketing. I joined Intel and as part of doing a couple of startups at Intel. We had a group called The Green who funded a couple of startups, sold those companies off and then the venture capital group, Intel Capital, which is the largest venture capital group in the world, said, “Hey, why don’t you come on over,” and I said, “No, I wanted to do another startup.” So, I did another startup then I joined them in 2000. At that time, there was no “cybersecurity.” It was enterprise security and no one really wanted to look at that segment. 

I was very fortunate and one of the first deals that I was able to source was with the company that John knows well, Zoned Labs. And they were three dogs and two cats in the back of Howard Street in the alley in San Francisco at the time, and they had some pretty interesting business models. They had the freemium model and then they were going after the enterprise. I learned a lot just from that very first investment. And then we sold that to Checkpoint and the rest is history from 2000. But that’s how I ended up kind of an enterprise.  

I did that for quite a number of years and then actually did healthcare for a couple of years and realized that that’s all about business models again. So, I went back and did enterprise security and then joined a spin-out from, Trident Capital, which is ForgePoint Capital, in 2015. We’ve since raised two funds, about $750 million under management, have invested in 25 companies, and all cybersecurity investments. And we invest primarily in Series A, Series B companies, and some growth companies. 

John Vecchi: That’s incredible. What a career path to get to where you are today. You mentioned something there that I want to touch on really quickly. When you were first with Intel, others weren’t particularly looking at this enterprise security or that space. Like you said, you were kind of fortunate enough to kind of move in that direction. When you look back from there to where we are today, can you summarize just how dramatically different it is today from the number of venture capital firms that are all focusing on enterprise security? It’s dramatically different, right?  

Sean Cunningham: Where it really hit home was when we were out doing the fundraising for our first fund and it was pretty clear that the shiny object back in 2015 was cybersecurity. All the VC firms wanted to have some type of investment in cybersecurity, and the limited partners who invested in the funds were worried about saturation. We made it pretty clear to them through our analysis that there wasn’t going to be an issue with saturation.  

The big difference now is, as you’ve mentioned in a previous episode with Richard Stiennon, are the 3,000 startups; that’s about 2,700 too many startups in cybersecurity. But there’s a lot of consolidation, and the key is that there is no silver bullet. There are so many different angles to the hackers and their motivation to continue to either monetize these hacks or be able to, for example, the state-sponsored hacks from a political perspective or just as our former president said, the 400-pound person sitting on the bed for the sport of it. 

There’s no shortage of motivation to continue to create havoc in corporations and in the private sector. The breaches are not going to be reduced. That’s probably the biggest thing that’s changed; the motivations have escalated into quite an enterprise for some of these countries, the unemployed technical talent that is not prosecuted for their bad behavior. 

Scott Emo: Let’s actually fast forward to 2020. In your opinion, what spaces are particularly hot in the enterprise security space or a cloud security space? What’s getting your attention now?

Sean Cunningham: It’s pretty interesting if you look at the overall number of investments and where people are putting their dollars. When we put together our mapping for investments, we have non-goals and then goals, and some of the non-goals are a lot of the technologies you’ve seen out there. And I don’t want to say endpoint, but I’ll say endpoint and a lot of legacy, network-type activities. We are very heavily focused on if you bump it up, not just segment, but we’re also interested in areas that really changed the dynamics of a business. We focus on a lot of technologies that — if you look at the old term “shadow IT” — are now decentralizing the security aspect and putting it out into the business units. These business units now need to build their own, not necessarily just IT infrastructure, but they need to solve their security solutions for their applications. We’re seeing a big increase in cloud security as well as the automation of their technologies.  

We look at security as a business enabler and we want security as design One of the big trends right now is this DevSecOps. The reason why it’s so important is developers are being forced by security organizations to build security into their products. That’s not what they do, and they don’t do it well, nor should they do it well as it’s a distraction from what they need to do. You’re seeing vendors out there that are doing a couple of things. One, helping them with the tools to provide them with that capability. And, if you can start at the beginning, tools to help these developers write secure code. We invested in a company called Secure Code Warrior which actually does training gamification for these developers. 

And then the other thing is you, you end up making it so that developers don’t have to put all these security puzzle pieces together. The biggest advantage to all of that is that if they can just take a stack of security, automated software, put it into their application, and then let the company who’s put those pieces together actually run that security aspect from what we call an MDR perspective — Manage Detection and Response, which is kind of like a mini MSSP — that business unit never has to worry about the security on that application. And that’s the beauty of being able to put all these pieces together in the cloud space. 

John Vecchi: Yeah, it’s cool. And, and of course, full disclosure, right? Sean, you liked what you saw with Anitian and you’re an investor in Anitian probably because of what you just outlined. And the fact that the cloud is exploding. After a year like 2020 with the Covid-19 pandemic, you have a lot of companies embracing digital transformation mostly because they absolutely had to. It was imperative to the business with everyone working offline and remotely. I imagine that the idea of automating security in a cloud and native way, for something like DevSecOps and those DevOps teams, was something that was pretty interesting to you with a company like Anitian and others who are driving the cloud security space forward. Is that accurate? 

Sean Cunningham: Absolutely. And the other piece of that is, who’s buying and where are the budget dollars? As we saw, there were very large winners and quite a few losers during this pandemic. Anyone who could actually make that transformation quickly, particularly to the cloud, ended up seeing their valuation, either private or public expand substantially. And so, as we look at companies, we look at who’s actually going to benefit from these trends. One of the things that’s unique is that we’ve typically shied away from companies that are focused on the federal market, but interestingly, the federal market, and particularly with this administration appears to be going to spend a lot of money on cybersecurity kind of indirectly. One of the things that we like isn’t companies that are directly competing with other security tools or innovative solutions in the federal space, but companies that are enabling the ISV who want to get those bids. 

One of the things that’s interesting is if you can enable a SaaS-based company with this solution. And this all goes back to the fact that business units need to sell their products, but they can’t sell in the federal space without actually having FedRAMP compliance, something that Anitian helps with, as well as other aspects of compliance. And we also invest in companies who are looking at the identity management space, which also plays into this same idea that you’ve got to have the solutions to be able to enable the business units. One of the things about security is that in most cases, there’s never an ROI, it’s just overhead and a hassle. But if you can actually show there’s an ROI to security and a time-to-market improvement, that’s a huge win. You’ll have security folks and the DevOps people on board, so the appeal gets purchased. 

John Vecchi: It’s true. Companies are pivoting, especially after a year like 2020. They need to move fast and, in many cases, they need solutions that empower them to move fast through things like cloud security application automation and DevSecOps. There are more and more statistics coming out on the size of, specifically, the DevSecOps market. One forecast shows that market growing to a $5.9 billion market by 2023 which is pretty big, and I think a lot of that is based on what makes Sean excited about that space; enabling these teams who need to move fast. They’re developing in the cloud and it’s all about cloud applications and moving quickly. And on the security landscape, security technologies that can enable that and move as fast as they do are certainly hot right now. 

Sean Cunningham: It’s interesting. If you look at it from a public markets perspective, you look at the cloud providers and what their evaluations have done — as well as on the public or private side — just skyrocketing. If you do the comparison, even look back 10 years ago. Intel, for instance, was all about moving data centers to the cloud and they had to do a hybrid because the biggest impediment to moving to the cloud has always been security. This is a bit of a red herring, but that was actually what CSO’s use, they want to put their crown jewels out in the cloud. But the statistics now even show that you’re still less than 50% adoption of enterprise applications out into the cloud. There’s an incredible amount of headroom.  

That’s the reason why we believe that companies that need to move their applications to the cloud, in any element, should be able to enable that — whether it’s through the DevSecOps aspect or through an authorization aspect — and eliminate or minimize the chances for breach. This is really where we’re trying to invest and be proactive. And a lot of that comes down to the technology; if you’re not using cloud-native technologies and the new go-to-market aspects of really selling through strategic alliances as opposed to the old enterprise model of having reps at every NFL city. It all kind of plays together and the cloud is actually able to help make that transformation from a sales perspective as well as an implementation perspective. 

Scott Emo: You mentioned that when you’re investing in a security company, you’re looking at a couple of attributes that a company might have. You mentioned ROI and time-to-market as just two attributes you might be looking for. I just heard you say cloud-native technologies are another big one. Or, just cloud in general. Are there any other attributes of a company that you might be looking at if you’re interested in investing in them?

Sean Cunningham: There are a lot of different opinions. I think it’s really a tough question because every investor looks at an opportunity a little bit differently. Some are saying, “Hey, you know what? I want the next absolute disruptor in the industry that’s going to turn everything sideways.” Well, those home runs don’t happen very often. Innovation is important, but at the end of the day, I take a little different approach, being a non-technical guy. I look at everything from an investment, from a business perspective, as opposed to the technology. Technology has to be there underlying, but at the end of the day, the peels are not getting cut. Differentiation is important, but the best technology is addressing, “What’s the best solution that integrates into your product and how fast can you get to market?” 

And a lot of VCs fall in love with companies because the technology is really cool. But to try to get that implemented and sold, the messaging gets very muddled and it can be difficult to get the value proposition across. So, I’m a big fan of staying away from legacy environments and moving to the next generation of technology. But at the same time, it doesn’t have to have all the bells and whistles. It has to have that roadmap. And so, as we look at deals, we’ll talk about whether it’s a seed deal or series A, B or C, so it makes a big difference from an attribute perspective. 

Scott Emo: That’s a great answer. Drilling down to that next level, what are you looking at for A versus B versus C? Are there different things that you look at in that process? 

Sean Cunningham: It’s one of those things where everyone likes to talk about the team, the traction, and the next billion-dollar deal, right? I don’t want to say, “team is number one,” but you have to have the fundamentals of a team. I think one of the things that’s unique to me is if that team actually has a characteristic called self-awareness and understands where the gaps are in their team. As founders, it’s difficult to step aside and say, “Hey, I really am better at a certain thing. And maybe I’m not in that position today, so let’s find the right person.” That’s one of the things I’m looking for — a team that really understands what success would look like for the company as opposed to, “Hey, here are the numbers. We can hit it. Let’s just go.” — being able to want to augment that team with the right bodies. 

Since we don’t do seed deals, we really need to have the technology “complete”, as in they need to show traction. We don’t need to see that they’ve made $1 million dollars or $5 million dollars or whatever the ARR needs to be. It’s really more about have they validated this technology? Does it actually work in an environment? Does the customer actually care? Does it really help improve their business processes or sales even better? So that’s kind of how I look at deals a little bit different than a lot of other venture capital firms. Most of us are operators as investors, so we do roll up our sleeves and help companies understand these attributes and truly partner with them. 

And I don’t want to say “Hey we’ll come in and work with you.” Sometimes we have to replace or put people and entrepreneurs in different roles. But we don’t come in like a private equity firm and do wholesale changes. On the other hand, it’s pattern recognition, right? That’s one of the things that VCs do well; they see these things and after 25 deals, I’ve seen most of these plays and it’s a matter of helping these companies recognize what is success and how to get there. 

John Vecchi: I’m sure it’s interesting for our listeners because a lot of us don’t really get a chance to hear from your perspective, Sean. And I don’t want to overlook one of the roles that you and others play and that’s that you help the company build. It sounds like you would prefer to get into the company earlier and help the company build, all the way from the team, to their approach, to the strategy. Can you talk a little bit about how that plays in? Because sometimes people just think in terms of “you’re just financing it” and maybe you’re sitting on the board. But as you said, you roll up your sleeves, you’re helping the team build, you’re helping the team structure. You’re potentially even rebuilding a team in some cases. Can you dive a little bit deeper into that for our listeners?

Sean Cunningham: One of the things that I encourage entrepreneurs when I have discussions with them is that VCs are doing a lot of diligence during the process. But before I would write a term sheet, I give them an open book to every deal I’ve done and contacts, if they want them, and let them go and do a reference check on me. We’re going to be “living together” for the next two to five years or longer and if you can’t feel comfortable working with this entrepreneur or this VC, it’s not going to work. When you sit down and talk about your organization and there’s an arm wrestle about, “Is this the right person for the sales leadership? How do we augment that? What kind of legs do they have for the future? If we bring somebody in, what type of individual do we need now, or what do we need in the future?”  

So be it marketing, messaging… There’s a company in our portfolio that I’ve been spending a lot of time with recently and we brought in some outside consultants to help them work on messaging. We’ve been meeting once a week and while I don’t have the answers, at least I can help guide them as a very interested third party. But we don’t come in and say, “We have the answers,” we’re just trying to put out a playbook for them to walk through with them. And it doesn’t typically end up around the technology side which is a bit of a misnomer that most people think that VCs are going to come in and change this technology. At the end of the day, it’s really about product-market fit, go-to-market, and having the right bodies in place to pull that off.  

Scott Emo: I had a question when you were talking about all the companies that you were looking at. If there’s a company — whether it be a security, cybersecurity, or cloud computing company — that’s actually interested in getting funding from a VC, do you have any tips that they should know about before they approach you? 

Sean Cunningham: One of the things that feels a little difficult for people to actually get their arms around — it’s a bit annoying — is that most VCs don’t take cold calls. If you’re not networked or you’re not introduced through a trusted person in that VC’s network, it’s going to be difficult to get their attention because we see a lot of business plans, as you could imagine. That’s one of the biggest things is making sure you use your network and come in properly referenced. And it’s like anything else, right? To me, everything’s about sales 101 at the end of the day, and during that first meeting or that first discussion, make sure you focus on what’s important.  

It’s not about spending the hour that you have deep-diving into the nuts and bolts of the technology, it’s about doing a broad overview of where the business is and the problem you’re solving. That’s the biggest key. I find that entrepreneurs come in and they can talk about the segment, they can talk about the technology, but what’s the problem they’re solving for the end customer? Why are they going to pull out the checkbook? Who cares? What’s the “so what?”

“I find that entrepreneurs come in and they can talk about the segment, they can talk about the technology, but what’s the problem they’re solving for the end customer? Why are they going to pull out the checkbook? Who cares? What’s the ‘so what?’”

 

I’m a pretty simple guy and at the end of the day, that’s what I really care about. How are they going to be successful? What’s the differentiation? You can talk about the competition and so on, but it’s really about how are you going to make the buyer successful in their job? How are they going to improve their businesses by buying your product? 

John Vecchi: That’s really good advice. And listeners, for those of you building a startup, you heard it here. Leverage your network! VCs don’t really take cold calls, so leverage that and find a way to use that as a reference and get introduced. I think that’s a key piece of advice. 

Sean Cunningham: It’s a cold, hard fact that on the surface, it’s pretty obnoxious, but in reality, that’s just the way it works. 

John Vecchi: It’s the way it works. And we talked about how many companies there are, there are so many. How can you keep track of that? So, good advice. How about this: what should they not do, Sean? We heard about what they should do — which was really good advice — but what should they not do? Tell us an example. You’ve been pitched probably so many times, you forget to count, but there must be one that stands out as “please don’t do this.” So, if they do get that precious hour of your time, what should they not do? 

Sean Cunningham: Without going to school on any company, obviously, I think some of the things that are really important that you have alluded to is that when companies have made the decision to go down the path and take money from the vulture capitalists — I mean the venture capitalists — a lot of them ended up saying, “Hey, I’m going to do a day trip down to Silicon Valley and I’m going to go hit the proverbial Santo road trip and I’ve set up five appointments in one day.” Well, you know what? That is a disastrous model because you can imagine the things that happened. Some of the things that happen are as simple as the pitch deck having the wrong VC name on the cover. I’ve seen that movie.  

Or they’re late for the meeting because, logistically, you can’t get up and down to the different places. People coming into the valley hear about the traffic, but until you get to experience it, well, it’s a problem. And some of the other ones…

You’re starting the meeting, they open their notebook to hand out their business cards and, lo and behold, cards from the three previous firms fall on the table. “Oh really? You were at X talking to these guys?” That’s probably not endearing. And the issue with that is that we then have a feel for who they’re looking at, and it’s not even competition. One of the misnomers is that we don’t actually talk to other people doing deals in this space, but we do collaborate. Sometimes we even syndicate deals. Sometimes you want to get a feel without mentioning names. It’s okay, we know that they’re not just exclusively talking to us.  

But the most important thing is that the passion for their product — for their company — is lost. It turns into a canned pitch when they’ve given it three times already that day. My key advice here is don’t try to cram too many into one day. Unless, of course, you really don’t care about it and kind of do a fly-by with some of these folks because maybe they want to meet them, but you’re not going to be able to put your best foot forward. 

John Vecchi: Yeah, it’s really about quality, right? And I agree. We knew this would be an interesting discussion. I know we could talk for a lot longer but we’ll have to have back again, Sean, as we get even further into 2021. It’s such a dynamic space and things are changing all the time. Thanks so much for joining us today. And again, if any of our listeners want to learn more about you or hear about you, where’s the best place for them to go, Sean? 

Sean Cunningham: John and Scott, I’ll just say thanks for the opportunity and happy to come back at any time and speak more about specific portfolio companies and/or technology. Reaching me at forgepointcap.com is probably the best way. You can get my email there. 

Scott Emo: This was so great, Sean. Thank you for joining us. And folks, remember the Security on Cloud Podcast is brought to you by Anitian — the leading cloud application security and compliance automation provider, delivering the fastest path to security and compliance in the cloud. 

 

---

About Our Guest 

Sean Cunningham – Managing Director, ForgePoint Capital
Sean is renowned as a top-tier cybersecurity investor for over 25 years and has invested in 18 cybersecurity startups during his career, leading 13 to exit. He is well respected by entrepreneurs, co-investors, board members, and go-to-market partners and was cited as one of the top cybersecurity investors by market analyst firm CB Insights. He is listed in their “Board of Directors: Who’s Who in Cybersecurity.” Prior to ForgePoint, Sean was focused on cybersecurity investments with Intel Capital. Sean holds an MBA from Gonzaga University and is a huge Zag basketball fan.