Ballistic Ventures is an early stage fund focused on the cybersecurity space
Venture capital used to be a cottage industry, with very few investing in tomorrow’s products and services. Oh, how times have changed! While there are more startups than ever, there’s also more money chasing them. In this series, we look at the new (or relatively new) VCs in the early stages: seed and Series A.
But just who are these funds and venture capitalists that run them? What kinds of investments do they like making, and how do they see themselves in the VC landscape?
We’re highlighting key members of the community to find out.
Jake Seid and Roger Thornton are Founding Partners at Ballistic Ventures.
Seid has a unique combination of operating and investing experience, which supports founders as they grow their businesses. Previously, as sole founder of Stone Bridge Ventures, 12 of his early-stage investments grew to become unicorn companies. Prior to that, he was president of TenX/Auction.
He started his tenure in venture capital as a member of the team that launched Lightspeed Venture Partners and became a key Managing Director helping drive the firm’s early growth. Early on, he was a Cisco product lead for the team that commercialized broadband technology, helping the group grow from startup to a $1B revenue run rate in 2 years and drove many important cybersecurity-focused innovations into his products.
Seid holds an SB in Electrical Engineering and an M.Eng in Electrical Engineering and Computer Science from MIT. At MIT, he was awarded the Karly Taylor Compton Prize, the highest honor given to a student. He is a long-serving board member of the MIT Club of Northern California. In 2009, he was named a Young Global Leader by the World Economic Forum.
Thornton is a driving force behind hundreds of technology products and services that have formed and grown companies across a range of industries. As a founder and CTO, his visionary product and technology leadership helped create cybersecurity industry leaders Fortify Software and AlienVault. As an investor, mentor and board member he has helped multiple generations of entrepreneurs build more than 15 successful cybersecurity companies.
In his General Partner role at Ballistic, Thornton taps into over 30 years of experience and counsels future generations of cybersecurity founders who are focused on building great products as a foundation for great companies.
VatorNews: Tell me what Ballistic Ventures is, what your philosophy, your methodology is. Where do you fit into the venture ecosystem, and what are you trying to accomplish with your firm?
Jake Seid: Our focus is early stage cybersecurity and cyber related investing. We have a $300 million first fund and this is a group of very experienced investors, entrepreneurs, operators in the cybersecurity space that came together. Collectively, we’ve founded and operated 90 cybersecurity companies and we felt that level of domain expertise could really be valuable in helping the next generation of entrepreneurs trying to solve big problems. Why do these problems matter? Ultimately, in this day and age, and as we move forward, we really think about what we do to help protect freedom. As you know, we live our lives more and more online, cybersecurity protects the freedom to do that but, as we saw in 2020, you can’t go to the hospital without the cybersecurity working, you can’t get gas without the cybersecurity working. So, our offline lives are protected by cybersecurity as well and that’s why this is not just about backing companies that have great returns, but also doing a lot of good in the process.
VN: Obviously, cybersecurity is a pretty broad category; it touches everything. Are there specific verticals that you are interested in? And why those verticals in particular?
Roger Thornton: As a mandate, the firm covers anything within cyber; we’ll even look at things adjacent to cyber, so big data, AI, stuff like that, that are really important building blocks for cyber. The way we zero in on specific areas, picking up on Jake’s point, is every single person in our fund came to cybersecurity in their own way, but all of us feel that it’s just absolutely fundamentally important and it’s not anywhere near where it needs to be. There’s this mission element that drives us, so we’ll look at segments of the market in terms of the impact they can have and then we also feel very comfortable that things that have a big enormous impact are going to be great investments. We shy away from minor refinements on something that’s being done well enough and we’ll look for more of the big areas where there’s a lot of risk exposure
A couple of examples: anything around the area of software security, the way things are built, and that might be built better, is terribly important because if things were built better than we wouldn’t have to be responding so much later. And there’s areas in the air, like the explosion of the supply chain that you have today, because it’s no longer that a company that will build their software, instead they’re pulling web services and open source together and this is creating all sorts of problems. Another interesting area is disinformation and deep fakes, just insanely impactful technology that the bad guys are starting to utilize. I was on a call just a few minutes ago with a company, it’s not a really big company, and they’ve had all sorts of inbound telephone calls from their CEO, his voice being faked, compelling the employees to do all sorts of different things. And so, we’ve hit the point now where this is a really important area.
JS: Some key themes for us have been data security; we made two investments in that space: Concentric.ai, a next gen DLP, and Veza, which is doing an authorization layer for data security, answering a simple but important question, who can do what with my data as that data moves to the cloud? The whole theme around APIs has been very key for us. We funded a company called Pangea, founded by repeat entrepreneur Oliver Friedrichs. You can think of them as Twilio for cybersecurity. Shadow IT is another theme, Roger funded a company called Nudge in that space. We think about the evolution of endpoint security, we funded a company called Talon Security, which is building a next generation secure, enterprise web browser, which is the browser being, effectively, the new operating system, because we access everything through SaaS and web apps these days, and that’s only becoming more pervasive. And so, these are themes where we made some initial bets and plan to make more
VN: Roger, there was something you said that I wanted to touch on: it sounded like you don’t believe that we’re taking cybersecurity seriously enough, that’s the impression that I got. Do you believe that’s true?
RT: A great data point regarding this is that a major bank will spend, if I recall right, roughly about 14% to 20% of their IT budgets on security; the average enterprise is somewhere between 5% to 7%. So, that implies the average enterprise is four times more efficient than a bank, or just woefully not quite taking it seriously enough yet. There’s really good data out there to suggest that. And then you’re like, “why the banks?” and there’s that famous old saying when they arrested the bank robber in the 1920s and asked why he robbed banks and he said, “that’s where the money’s at.” So, the banks were the first that really felt this pain and impact before others. And now with ransomware and all sorts of other blackmail type techniques, I don’t have to hit the bank; frankly, if I hit the banks, I’m going to have the coordination of international law enforcement all over my case but if I go after the big companies, well, they’re not really able to come back. I think it’s human nature to not be prepared for security, we’re a wonderfully positive thinking species. And so, that part’s okay, but our response is where it’s at. There’s the security haves, DOD and banking and telcos, and the security have nots is everybody else; it’s pretty boring for a bank and a telco and DOD if everyone else is blacked out, they won’t have any customers.
VN: Is there anything else that you’d like to touch on about some of the macro trends you’re betting on?
RT: In cybersecurity, we oftentimes look at some of the most basic elements because they need to be redone. When you think about modern work, you’re going to be on your home computer, you might be on a computer at the airport, you might be on a tablet, you might be on your friend’s computer. And so, the idea of an endpoint being secure doesn’t really matter anymore because you’re the endpoint, the person is the endpoint and I’ve got to be able to secure you, and so what we thought was endpoint security gets redefined. You find that in cyber a lot, and it’ll be because the general computing architecture has changed.
Then the other area, and I’ll use it as an example, is artificial intelligence. So, self-driving cars and all sorts of decision making processes are being done by neural networks rather than people; just imagine the opportunity for crime and real world harm. Again, this is an area where the new functionality of all the cool stuff precedes the security game, and it’s just the way people work. Crypto is another area.
It gets to why we think it’s so important that there’s a cybersecurity venture fund, or a dozen of them someday: the space is so big, so dynamic, and so complex, that when I was an entrepreneur, and I was seeking funding, I really did appreciate the very few people that really understood the industry and we could sit down and have a great discussion and they could give me advice and guidance and that’s what we’re trying to do at Ballistic is be that party.
VN: Very different from being a generalist firm.
RT: We think so.
JS: It’s interesting: the other thing that it really allows us to do is build a pretty deep bench beyond the people around this table, the people who funded the 90 companies previously. So, we launched BallisticX, which is our platform of value-add services, advisors, and communities, around helping entrepreneurs with go-to-market, messaging, sales, customer introductions, talent introductions. And what we can do in a very unique way is have everybody, 100% of the advisors, the communities, the customers, be for the cyber entrepreneur. And so, that notion of focus not only is meaningful for the people who are here day to day as the partners of the firm, but also for the platform of services that we’re building as well.
VN: I believe you said you have a $300 million fund, so how many investments do you make a year? And what does that come out to in dollar amount in the initial investment, as well as over the life of the company?
JS: It’s a little bit artificial for us to think about in those terms, because we just want to back great entrepreneurs tackling big problems. And given that we’re probably 12 months into our journey with this fund, we don’t have a statistically sample size but, generally, we’re looking to back about six companies to eight companies a year. Our focus is leading or co-leading rounds, we try to play a very active role and so we’re not looking to make a lot of investments given the time that we put into each company we get involved with.
RT: When we put the fund together, just like a startup company, we talked about our mission and our goals and culture and all that stuff. And one of the things we knew is that our experience and our passion is really in the early stage and so we focus on that being that first money that an entrepreneur would take, or we’re coming behind those angel investors. At that stage, there’s usually not a product yet and probably not customers and so a really good understanding of the market, a really good Rolodex of great customers that you can go to and really get the straight story on, “is this something that’s really important?” is valuable. By virtue of that, our check sizes are generally seed and round sizes, so they’re a bit smaller. That was also attractive with valuations being what they are, but it doesn’t mean if we see something at a later stage that we think is the greatest thing, that’s going to have a great impact on the world, and our investors will appreciate it, that we wouldn’t do that too, but we’ll tend towards earlier stage.
JS: Roger brings up a great point, which is that, as a firm focused on early stage investments, that’s also really our point of entry. We don’t stop supporting the company after its early stages, so we really view ourselves as partners with entrepreneurs through their life’s journey with their company, through later stages, through an IPO. And so, our model is we stay with the company and support the company and add all our resources to the company during the full life but just our starting point with the company is generally the early stages.
VN: It sounds like traction is not something that is important to you, because you just said they may not have a product, they might not have customers, they might not have revenue. So, it doesn’t sound like you have a minimum threshold for any of those metrics.
RT: Yeah, not at all. I mean, we evaluate everything at some point based on its merits but somebody who’s a great entrepreneur that really wants to do something big in the market, if that’s where you’re at, give us a call and we can help you figure out what that is. In fact, because all of us had good careers in cybersecurity, and we do marketing, we get a lot of companies that come our way; when we reach out, we tend to reach out to people that we think are about to start a company. Let’s say your company was acquired and you’re sitting at some large company for a year, I generally want to talk to you about what’s next. So, we like to be there at the very beginning.
VN: How do you identify those people in that scenario that you just mentioned? How would that person exists? Who does that research? Are you usin some algorithm to pull that out or how does that work?
RT: This is another benefit to cybersecurity: there’s 3,500 some odd companies and $5 billion in venture capital that went it, but it’s still one of those industries where it’s very rare to find a connection point that’s two degrees of separation. And so, the acquisitions will happen, and I’ll use one that we can very easily talk about, so Mandiant is now acquired by Google, it’s official, the deal closed the other day and there will be a lot of people there that will make great Google employees, and they’ll love being part of a big company. There’ll be some that it’s just not what they were meant to do and so that would be a peson where we would say, “Okay, who do we know over there? Let’s get together and talk about who might be who,” and in that case Kevin Mandia is a close friend and a strategic partner to the firm and that’s why I use them as an example. Usually it’s one degree of separation, sometimes it’s zero.
VN: Cybersecurity still sounds like a pretty tight knit, small community.
RT: It is and I feel this way: if somebody in the cybersecurity community reached out to me through a friend to talk, I’m going to meet with them no matter what. If you’re in cybersecurity, I know you’re trying to save the world.
VN: What are the qualities of the entrepreneur, when they sit across from you, for you to say, “this will be a good partner for me”?
RT: A great team with a bad idea can be a great team with a great idea after a 45 minute argument; a mediocre team may be able to improve but it’ll take years. So, the team, the problem they’re trying to solve, and then what do you look for? If I were to layer, the most important is probably a tie between that person or team’s access and insight to the market and their grit. Like, are they going to be received by the market and respected and do they know everybody? It’s very, very valuable. How well do they have access to the problem? And then grit: I can tell you, having been directly involved with building two companies, indirectly with a dozen, there is at some point you hate that company. You want to go jump off the bridge. And not doing that is grit. There’s other stuff, but those are the two.
JS: No early stage team is complete. And so, we liked founders who understand what their strengths are, where they want to complement themselves, and having an incredibly high bar for the right talent at the right stage, and also being able to recruit talent. We want founders who can recruit people into their company who have no business being in their company because you’d think, “wow, you’re taking that job with that little startup?” but that’s what the best founders do. They’re able to bring people in who have no business being in that company because they’re just so great at attracting and convincing talent. So, those are the elements of the team but it’s also their insight into a problem and a market opportunity, those “a ha” moments when you’re talking with an entrepreneur who explains why they’re a solution that can be important now. And, in cybersecurity, there’s so many things we should be doing that people will never do, so that really articulating why what they’re doing is something people must do, as opposed to something people shouldn’t do, becomes very, very important in this space. Even more important, I’d say, than other spaces.
VN: Dive into that a little bit. What’s the difference between cybersecurity and those other spaces? What exactly do you mean by that?
JS: A great example that we’ve seen over the decades is encrypting data. I’ve seen startups over 20 years ago being built around, “all data should be encrypted, and if all data is encrypted, hey, you’re not going to get worried if your data is breached.” Well, it turns out, for a lot of reasons, that’s turned into a nice to have and not an absolute must have. But, on the flip side, when we talk about, “I want to find out who can do what with my data as it moves to the cloud. I’ve given people access to data, I need to track who I’ve given access to, what access I’ve given, because that data is exposed to people that I want to empower them but I need to make sure that the right people have the right access.” Well, we’re finding that’s a must have and that’s why we made a bet on Veza. And so, some of these other categories have that fine line distinction, and this is why in cybersecurity it’s so tricky: because there are certain things that we’d all nod our head, be like, “Yeah, we really should be doing this,” but ultimately, when push comes to shove, and there’s limited budgets and limited time, what actually is going to get done? That’s the key thing that we have to decipher.
RT: There’s, “In a perfect world, here’s what I would do to be secure,” and then there’s what’s low enough friction, and reasonable cost, to be secure. And that second one is where realities happen. If you come into cyber and haven’t really been in the market, and you don’t understand that, there’ll be all these straightforward things, like, “If I just do this, it’ll make the world better,” but when you get down to it, really sophisticated security is about good enough security that’s not hindering the business. So, imagine when we swipe our credit card, there’s all sorts of things that could happen: you can get a call, the team can swoop down and do facial recognition, but then our economy will fail. I’m being funny but just even a little bit is friction; the really good security is low friction, reasonable cost, and it’s effective.
Ultimately, there’s three principal adversaries in cyber: intelligence agencies around the world working for companies whose job it is to steal data; military organizations whose job it is to be able to debilitate infrastructure if they were at war; and, more and more commonly, the criminals who just wants to make money. And so, if you’re a business working on some brand new, state of the art algorithms for drug campaigns, you’re probably going to be a target of intelligence agencies and maybe criminals. If you’re processing lots of money, you’ll be dealing with criminals. You’ve got to know who your adversary is and then, based on that adversary, you’ve got to look at what they’re doing and what’s the reasonable response. So, your response is driven by very practical reality, versus, “let me be completely secure.”
VN: We do a lot of work in healthcare and there are so many tools that are supposed to be helpful to a physician and the health systems that it actually becomes a burden. If you have 20 tools to help you, that means 20 things that you have to learn, and that actually slows you down eventually. The reality is, you only have so much in your budget for this, and you only have so much time that you can put into learning all these different things.
RT: Exactly the same in cyber, you’ve nailed it. A lot of times we’ll look at a company where maybe the big innovation is making you throw away 20 tools so you only need one, or “can I maintain the same level of security for a third of the price and consume the rest?” The greatest sales call I ever had in all of the thousands and thousands of cybersecurity sales calls was a bicycle manufacturer; I won’t use their name but I was so psyched because I was a customer there since the beginning. I met them and it was their CIO and Head of Security and their President was there and we’re talking about bikes and then they’re like, “oh, yeah, we have to talk about security. We just want to make bikes! Why do we have to do this?” I just felt like that was the most genuine and honest thing, like every company sees it the way they do it. “How do I just make bikes or make planes or deliver healthcare? Can we really make security lower friction, lowest cost, and out of mind?” And one way to do that is to ignore it, but that’s not the right answer, and the other is with great solutions.
VN: Let’s talk a bit about valuations. As we all saw over the last nine months or so the markets really crashed. Before that, valuations of companies really ballooned. I’m not sure about cybersecurity, but now everything is deflated. What have you seen happen in that time period and what does that say to you going forward? Has that changed the way you invest?
JS: Certainly the market has cooled off. And what does that mean? It means we have more time to do our work and valuations are more reasonable. But, ultimately, our job as venture investors is to be involved with the best entrepreneurs and the best companies and my belief in venture is that it’s a business where you make your money on the sell, not the buy. And so, if you’re focused on looking for deals, you’re going to opt out of the best companies. A great example of the venture model recently in the news is Figma: they raised a round in the peak of the bull market, in the middle of 2021, everything was riding high at $10 billion, and they got acquired last week for $20 billion. That’s a 2x step up in 12 months, over 50x revenue because it’s a special team, it’s a special business model, it’s a special market opportunity. Did the people in 2021 “overpay” by paying the rich valuation? You can argue, yes. Did they just make double their money when the rest of the market in tech went down by 50%? Yes. And so, that’s always the tension for venture capitalists, we have to be mindful of structure and terms, but not to the extent of opting ourselves out of being part of the best teams and companies that we’re hoping to be a part of for our particular stage of investing, which is really stage.
VN: It sounds like what you’re sort of saying is the cream rises to the top, which I’ve heard other VCs say when I asked them that question. What they really say is companies that were getting funded that shouldn’t have been won’t anymore, and the companies that should have been funded will continue to get funded.
JS: I’ll add one more step to that, which is that the great companies will get funded at market price. I’ve been through the ‘01 downturn, the ‘08 downturn, and now this; it was the same in ‘01 and ‘08, that the best companies were not cheap, they were always expensive, relative to the market. But that’s the tension and the art of early stage venture. If you’re going to pay market, you’re going to pick your shots and you want to make sure, first and foremost, to be involved with the best entrepreneurs and best ideas but you’re going to have a multiple to do that.
RT: It’s funny, my background is entrepreneurs and technology, but I spent a little sprint at eTrade where I built the commercial system; part of what I did there is I had everyone on my team take the Series 7 broker exam, and so did I, and so I learned retail stock markets, to a degree. All markets are supply and demand and so if the prices are high, there’s more people that want them than the supply. The conversation you guys just had is this general truism: really great entrepreneurial teams, going after really great opportunities, there’s not a lot of them, there’s always a limited supply, and as more and more money comes into venture capital, prices go up and that’s what’s expected. Part of the reason why we feel more comfortable at the very beginning is you really can’t be that crazily priced at the beginning because what that first money buys you, as the entrepreneur, is the ability to build an MVP, get into the market, iterate with the customers and figure out if it’s a mistake and if you need to pivot. The cost of doing that has gone up and up and up, where these inflated valuations still buy that. So, it’s these later stages where a company that might be booking $20 million to $50 million in revenue, and then it’s all sudden worth billions and brings hundreds of millions of dollars in, but they didn’t really necessarily need that. We’re not in that stage in the market.
One of the things that’s really interesting right now is if look at the at P/E ratios of public cybersecurity companies, they’re still 55 or 100. They’re still terribly expensive stocks, they were just absurdly expensive before. And so, the crash is bringing them into a premium. Does that go back up? I don’t know, but think about all the public company CEOs from the history of time, if you told them, “you’re going to have to live with a 131 price to earnings ratio, they would be doing back flips.” So, putting it all in perspective, there were some inflated prices that were brought down.
JS: There’s still another interesting dynamic here, which is that good companies are raising more money because there’s just more capital available in the private markets. So, part of valuations actually get driven by reverse engineering: certain funds that have lots of capital want to put X amount of capital to work, the entrepreneur only is willing to sell Y percent of their company. Well, you put X and Y together and you get a valuation. And so, there’s that dynamic that, structurally, the venture industry is very different than 20 years ago in terms of how much capital is available in private markets.
VN: Tell me about your differentiation as a firm, starting with your LPs. Are you going after the same LPs as other firms? Are you going after LPs who are more strategic and in the cybersecurity space? And what’s your pitch to them to say, “here’s why I should be the one to deploy your capital for you”?
JS: Our fund is an institutional fund so we have traditional LPs that other top venture funds would have but we’re also very thoughtful in terms of bringing value-added folks into the ecosystem. One of the things we did was, in addition to our own network of great entrepreneurs who build successful cyber companies, we’ve included about another three dozen successful cyber entrepreneurs who were outside of our network to become LPs in our fund to work with because we think this all benefits the ecosystem. We think this helps catalyze the ecosystem for the creation of the next generation of great companies. So, that’s really where we’ve taken a different approach, or an additive approach, to the usual LP base in adding a large group of individuals who are repeat successful cyber entrepreneurs who would be helpful to the next generation of young entrepreneurs that we back.
VN: I also want to know about your differentiation to entrepreneurs and that gets back to what you mentioned earlier, Jake, about BallisticX. So, it would be great if you can do a deep dive into how that works and what you’re offering to entrepreneurs and anything else that you believe differentiates you beyond that.
RT: Myself, Barmak Meftah, and Kevin Mandia, we’re founders of cybersecurity companies. We were all active angel investors but, first and foremost, we were on your side of the table. Jake founded a company out of his experience at Lightspeed and Ted Schlein was the co-founder of Fortify Software. So, every single one of our partners founded a company, two of them are phenomenal institutional investors, so the first differentiator is we’ve been on both sides of the table. I just can’t tell you how, as an entrepreneur, I know the difference that makes in the sense of empathy, and the sense of understanding what I’m doing, and the sense of understanding my market.
The second piece is, and this gets into BallisticX, a lot of firms have phenomenal venture partners, but you get someone who’s great at FinTech, you get someone who’s great at medical or healthcare, you get someone who’s great at enterprise security, so it’s the brand and the firm and the individual. All of our deals are unanimous buy in and all of the partners have worked, to some degree, on all the shields. So, you’ve got a firm that does what you do for a living and several of them sat on your side of the table, a big differentiator. When we put together our value-added services platform, we didn’t have to have a FinTech expert, a semiconductor expert, a crypto expert; all of the experts on BallisticX are cybersecurity experts and we launched with 12 individuals, many of whom their first assignment is to build communities around them. They include Phil Venables, who was the head of security for Goldman Sachs for decades and he’s now currently the head of security at Google; Holly Rolo who was the Chief Marketing Officer for RSA, so she really knows how to sell security as one of the big security companies; Nicole Perlroth, she was a writer at The New York Times covering cybersecurity. and she wrote a book that’s been incredibly well received called “This Is How They Tell Me the World Ends” and she’s an amazing storyteller, so she helps company’s craft their message; John Spiliotis, ran sales at Palo Alto Network through its major growth; and Jamie Blasco, one of the world’s leading security researchers. What we’re trying to do is put a collection of people together that can help the entrepreneur in all of these various different facets of cybersecurity but, ultimately, recruiting talent, getting the message right, and getting in front of customers.
JS: I would highlight the power of focus. As Roger just articulated, our entire services platform is for the benefit of cyber. Most venture firms invest in 15 different areas and their platform needs to serve those 15 different areas, versus ours being undiluted. The power of all the founding partners being focused breakfast, lunch, and dinner, morning, noon, and night, meeting with customers who are irrelevant to any of our companies, meeting with talent who are relevant to any of our companies, you truly get the power of a team, because 100% of what every partner does here is cybersecurity.
We’re a team where entrepreneurs always get a senior partner. We don’t have teams of junior folks where the senior partner makes the investment, but the junior person is the person who spends time with the company; when we make the investment it’s a senior partner, and only a senior partner, working hand in hand with the entrepreneur over their lives. Again, since we’ve all been in the shoes of an entrepreneur, all walked in the shoes of somebody trying to build a business, those were things that mattered to us and something we wanted to bring to entrepreneurs with this new firm.
VN: You had mentioned a few companies earlier in the conversation. If you want to talk about those or maybe a couple others, it’s always great to hear about the companies you’ve invested in that you’re some of the ones you’re most proud of. What was it about them that made you want to invest?
RT: Let me talk about Nudge a little bit, Jake touched on it and I’ll explain why we think it’s so transformational. If you think about the way that we work today, we come to work, maybe at home or maybe at the cafe or maybe maybe in the office. And when we run into problems, we go online, and we find cool little tools and SaaS services that are that are targeted towards us; when we when we see companies come into pitch they’ll say, “we’ve got a freemium version, we get people to try it for two weeks,” and this is what the analysts call the consumerization of IT. This is a wonderful new world: I run into a problem, I search for solutions, I find it, I buy it, I use it, I get my work done, productivity goes through the roof. Well, the IT department doesn’t see the world that way. “We build a network and we buy you the tools, and you use these tools, and you’re productive.” And so, the first thing Nudge does is it comes into companies, and they always ask, “how many solutions do you think your employees are using to get their jobs done?” And the average answer is 35, and they typically find about 200 to 300. So, it’s like, “Okay, those are the 35 that you guys bought, they’re just figuring stuff out and solving problems.” And the historic reaction was, “well, they can’t do that.” And the other word for this is called shadow IT. “We’ll tell them that they can’t.” Well, remember when we talked about friction versus security, employees figuring stuff out, solving problems, getting stuff done is awesome, you have to empower that and make it secure. And so, Nudge, is the name comes from the behavioral psychology nudge theory and the idea is rather than just try to say no to everything, and your employees are going to leave, what if you were able to give them little nudges? “We see you’re using this new product, awesome. Do you mind filling out a little form so we can put it in our supply chain management system? Now we know this vendor is a vendor of ours,” or, “click on here and we’re going to integrate that cool new product you’re using with our single sign on solution.” So, instead of putting up walls and saying, “no,” you bring things back on to the corporate reservation. There’s a whole process to that; frankly, there’s some things you might want to tell the employee, “you really shouldn’t be running this at work because your employers can monitor everything, let me help you get that out of the work environment.” There’s stuff that comes back on the reservation, there’s some stuff that’s experimental stuff and let’s figure it out but none of that’s being managed today. And so, with Nicole’s help they describe what they’re doing as security for the modern workforce.
JS: There’s one, led by our partner Barmac, called Concentric.ai and this was in the state of security theme but it also touches on another theme that we think about, which is, how do you reinvent new categories with new architectures? There’s been a long-standing category called data leakage protection; people buy solutions to protect sensitive data going in and out of their enterprise and people have traditionally used an architecture called regular expression matching, which is false positive, error prone, hard to scale, hard to manage, and takes a lot of human intervention, but there’s a new architecture that’s touching every area of technology, artificial intelligence. And so, the founder of this company identified that this could be a really compelling area to apply an artificial intelligence based architecture to, to address all those common problems with regular expression matching, to be more scalable, less error prone, less human intervention. That’s one we got quite excited about.
The other in data security, that I mentioned, is Veza. Octa built a pretty big company with this notion of authentication and authentication was really at the application layer. The folks at Veza had this insight that, when you look at data, there’s many different layers between the user and that data: there’s your identity management layer, your application layer, your pass layer, your infrastructure layer, your Snowflakes, and, ultimately, the data that resides in Snowflake. Well, you actually have to understand the authorization at each one of those layers to know who can do what with your data. While Octa has done quite well creating a business focused on authentication at the application layer, our view was authorization could be the hook into every layer and solve big problems, like this notion of who can do what with my data as it moves to the cloud. Near term and longer term, it can solve other authorization problems up and down the stack.
VN: It sounds like you both have had long careers in the cybersecurity space and been on both sides of the table. So, since becoming VCs, what are some of the lessons that you’ve learned? If somebody said, “I want to become a venture capitalist,” what advice would you give them?
RT: One of the pieces of advice I would give, being new to it, is make sure you have a partner like Jake and Ted that can teach you. So, I had the luxury that my partners have done it for years. It’s funny, Ted has told me this long before we started, “don’t do it because you think you’re at your golden years, and you’re going to relax and take it easy. If you want that, be an angel investor. It is way more intense than an operating job, to be honest. And so, that is really important, because I do know that some people come to it thinking it’s going to be really easy, and it’s not. So, those would be my tips. If you do it, do it because you want to make an impact and really care and you have empathy for the entrepreneurs. And make sure you’ve got somebody like Jake to teach you how.
JS: I’d emphasize that it’s a mentorship, apprenticeship, type of career path. I started at Lightspeed when I was 24, I spent 11 years there and got mentored and apprenticed under the best of the best, so that’s how I learned this skill. And then the other advice I’d give is, you need a positive selection bias strategy. There’s a lot of money out there, there’s a lot of VC firms out there, if you’re getting into Vc, if you’re starting a fund, you have to have real clarity around how you’re going to add value to a very competitive ecosystem. You heard about our value-add and our differentiation but, for anybody new, just having money is not enough. You have to have the right strategy to add value in a unique and powerful way.
VN: What’s the part of the job that you really love the most about being a VC? When you go to work every day, what motivates you to do this?
RT: The entrepreneurs, 100%, and the customers. The entrepreneurs and the mission they’re engaged in.
JS: For me, it’s the people we get the chance to work with and what we do as a cybersecurity focus fund, there’s truly an opportunity to do well and do good at the same time.
VN: Is there anything else that either one of you would like to get across? Anything we didn’t touch on anything, want people to know about you, or the firm, or the space?
RT: To the entrepreneurs that are reading this, don’t be afraid to reach out to us or anyone. If someone is rude to you from the venture world, who cares? Move on to the next person. Don’t be afraid to reach out to us at email@example.com or firstname.lastname@example.org.