Frankly Speaking, 2/18/20 -- Finding Disruptive Security Companies
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, blockchain, and cloud.
Hope everyone had a great long weekend! I've been hearing that a lot of my VC friends haven't been getting enough breaks. I can definitely relate. RSA is next week, and I've been working overtime on deals and portfolio support. So, I'm personally surprised that I had time to write a Frankly Speaking newsletter this week. However, thanks to jury duty and a diverted flight, I found myself having a lot of free time on my hands. Happy to share my exciting travel and jury duty stories during RSA if you come find me.
LET'S BE FRANK
Last week, I talked about . I also enjoyed Martin Casado's article on AI businesses. Interestingly, he is one of the few enterprise infrastructure VCs with a PhD. I always enjoy other PhDs' perspectives on startups and markets. It gives me nostalgia.
I was inspired to write up my thoughts on how I think about potentially big startups. Before I continue, I'm going to do what is known as "defensive writing" in academia to provide the proper context. I'm talking about a very specific opportunity -- companies that I believe can fundamentally disrupt a market, i.e., become a $1B+ company. There are a lot of great businesses that can do well without fundamentally disrupting the market. Similarly, the large risk here is that the disruption never materializes, so the company bricks. VCs don't have to invest only in the most disruptive businesses, as they need to deal with portfolio theory. The kinds of companies I'm talking about are Zscaler, Palo Alto Networks, Crowdstrike, Okta, etc.
So, where am I going with this? At the beginning of my PhD, I asked someone the purpose of a PhD and why it's necessary for research. The response is that PhDs allow students to communicate and recognize disruptive ideas. So, what do I think can be disruptive in security?
Let's take a step back. When I look at a security company, my first question is whether the market can be big or, if it's not big, what can make it big. Next, I consider if the team can uniquely solve this problem. That's very similar to a research problem. First, are we solving a problem that people fundamentally care about (sufficient market), and can we, the PhD student, solve this problem (right team)? If you really think about it, startups are like research projects where there's a lot of experimentation. I have to say that as a PhD student, some problems were too hard for me, but the problems I thought were easy, others thought were hard. One key thing to note is that the ability to communicate is key. That's why messaging is so important for startups and companies in general.
How does this apply to security? Well, we can't keep doing what we're doing in security. The cybersecurity problems aren't improving despite more products and spending. There have to be some fundamental shifts in the way we do security.
First, I think security has to stop focusing so much on sales and marketing. The problem is that it imposes high costs on a company and imposes solutions onto customers, not always solving their problem. That's why I think a developer-driven security product could disrupt the market. The developers are on the ground, deep in the weeds, where they have the best visibility into the problems and how they should be solved. For a company, the sales and marketing costs are lower because it no longer has to do traditional, top-down enterprise sales, and for the customer, the product actually solves the problem their developers are seeing in their infrastructure. I classify this as GTM disruption.
Second, security products need to be differentiated. Many times, a security product is just an incremental improvement. We need to change our approach to certain problems in security. For example, Crowdstrike has a very well-built agent that does analytics in the cloud, disrupting the previous signature-based models of anti-virus. Okta did single sign-on for SaaS, eliminating the need for passwords. Our portfolio company Remediant* uses just-in-time PAM to eliminate the need for password vaults.
There are a lot of problems in security that need solving. Incremental solutions are really a band-aid. They are necessary short-term solutions and could be good businesses, but I don't think they will generate the next big security company.
TWEET OF THE WEEK
Great advice! Similar to the advice that I got for VC: Always invest in companies that are doing well.