
Why top investors typically avoid CyberSecurity
I spent some time with some investors I really respect last week.
They have all helped build great name-brand companies as engineers and product leads, and then followed up with an amazing portfolio of investments. Also, if you back-channel them, the reputation is that they are indeed curious, brilliant, direct and empathetic. Tough but fair.
Nothing structured in our conversations. We are not fundraising right now. But I did want to get some free consulting from them about the space, our general approach, our amazing initial team and so on.
Long story short — for this crowd — they are dismissive of much of what passes for start-up innovation in cyber security as either BS or as building features for companies with distribution.

BS — one investor mentioned that roughly 2/3rds of products built and sold in security are basically CYA for FUD. They accumulate as shelfware over time and are a major reason for product sprawl in cyber.
Building features for companies with distribution — this is the other side of the same coin. Because CISOs are often not technical and often run highly secretive organizations that are unable to measure their own performance, they can be sold into buying CYA for the FUD of the day. And, similarly, these CISOs are more prone to trust the major vendors because “no one ever got fired for buying X.”
As a result, you see most top-tier investors waiting on the sidelines. They see cyber funds with influence networks (not kickbacks exactly but…) that are sized and positioned to play the current game in cyber. It is a profitable approach if you can create pipelines of companies that fill a fear, that will be bought by a network of closely aligned CISOs, and that can be tucked in by the big vendors to be sold as a product extension.
The problem is the attackers won’t play along. Even if a lot of venture investment in cyber does not result in fundamentally better products or approaches — the attackers are innovating. As a result, a few investors, such as those I hung out with last week, are interested in whether there might be an opportunity to reinvent cyber to be massively more outcome-focused. Ironically, the innovation of the attackers may help to force a step function shift in the way software is built and delivered in cyber security.
Let’s hope that top-tier investors do jump into cyber. If and when they do so (and some already have, of course), it will be a sign that long-overdue new approaches may be starting to emerge. And that in turn will be a bad day for the adversaries, when approaches emerge that take the initiative and innovative spirit back from the attackers.
*** This is a Security Bloggers Network syndicated blog from Stories by Evan Powell on Medium authored by Evan Powell. Read the original post at: https://medium.com/@epowell101/why-top-investors-typically-avoid-cybersecurity-3a10a3b505a0?source=rss-36584a5b84a------2