Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I know much of the tech industry has been affected by layoffs this week. If you or anyone you know is looking for jobs, we’re hiring at dbt Labs! If you don’t find an available role on our website, feel free to reach out to me.
LET’S BE FRANK
I’ve been getting feedback on my takes on how I think Crowdstrike and Zscaler might fail, and surprisingly (or unsurprisingly), most of it has been from VCs. I’ve heard a range of feedback, from telling me that I bring up interesting points to telling me that I’ve overestimated the power/influence of the developer and that executives make all the major technical decisions. However, I feel like the reasons for their arguments/objections are not strong. It’s frustrating because many of these VCs haven’t worked in an organization recently or even at all! With that said, I do think there are some thoughtful and talented cybersecurity VCs that have certain traits that help them navigate changing trends.
This week’s newsletter is not to criticize VCs or address the points they brought up to me. However, it’s exploring where the disconnect between me and them is. For context, I have a PhD in the intersection of distributed systems and cybersecurity. During my PhD, I started an incubator for early-stage cybersecurity startups and worked in VC for about 3.5 years investing in cybersecurity companies before going back into engineering. I don’t claim to know everything or all the answers, but I have seen both sides.
I’ve concluded that cybersecurity VCs are confused, but it’s not their fault. Changes are happening quickly in the industry, and it’s impossible to keep up.
What do cybersecurity VCs (or VCs in general) do?
Before diving into possible disconnects, we should talk about what VCs do. VCs’ primary job is to invest in startups that can lead to outsized returns, i.e. returns that are better than investing in the stock market and S&P 500. The top VCs regularly beat that benchmark.
More tactically, VCs are trying to develop theses on what the next market-defining startups are. This involves a large number of learnings, usually through networking.
Although research reports might be helpful to read, they usually talk more about existing markets than potential market disruptions. If the market research groups have identified the trends, then the market is probably too mature for an early-stage VC to invest in. As a result, many VCs build their network and try to gain insights from that. Also, many VCs used to work in the security industry, so they can combine insights from their networks with their own experiences.
This is where I believe most of the disconnect lies: Their insights only reflect a microcosm of the industry, and as a result, they might misunderstand or totally miss broader trends. This problem is not unique to cybersecurity and also happens in industries where innovation and trend changes happen quickly. For example, the power of the data analyst was totally underestimated, and as a result, “conventional” VC wisdom said that no one would want to pay for a tool like dbt Cloud in the data space. But back to cybersecurity. I believe there are a number of reasons why this happens.
Network confirmation bias
A large part of a VC’s job is to network. The idea is that they can understand trends and gain insights from their network. However, the problem with this is that there’s inherent confirmation bias. More specifically, investors tend to attract people who are similar to them and have similar views. For example, former CISOs are more likely to know and network with former CISOs. It’s much harder for them to network with developers. Similarly, people who worked in finance tend to network with others who worked in finance and might now be in corporate development.
It’s hard for VCs to identify trends outside of their network, and sometimes to see broader trends. Even if those trends are emerging, it’s hard for them to internalize them because their network is not validating them. That’s why many investors don’t understand the influence of the developer as well as someone like me does: it’s likely their network has a limited number of software developers or engineering leaders.
Outdated (or lack of) operational experience
One way to solve the network confirmation bias is to use their operational experience as a way to have insight into trends. However, it takes some time to ramp up in VC, and the cybersecurity industry has shifted so quickly with companies moving aggressively to the cloud and changing the way they manage their infrastructure. Consequently, these shifts have resulted in organizational changes, such as changes in influence and reporting structures. For example, we are increasingly seeing more traditional infrastructure and security functions move into engineering. Therefore, a VC’s operational knowledge and experience have become less relevant as they were operating in different organizational setups.
Many VCs also have never worked at the types of organizations they invest in. For example, many VCs come from finance backgrounds, but they are investing in tech companies. Some VCs don’t have any operating experience at all! They might have a broader network, but it’s harder to understand the implications of these changes without working in that setting.
A shift in the broader community
I believe that cybersecurity has been one of the fastest-growing sectors of technology in the last decade. With increased focus from the board as well as technological shifts, such as the cloud, there’s been substantial and fast innovation, which has resulted in the cybersecurity community growing both in size and diversity. When I started working in cybersecurity, there were fewer and smaller conferences. Knowing how to code was a rarity, but now there is an emerging group of software engineers that have become an important part of the community. It’s clear that plenty has changed.
What this means is that for most VCs who have been in the industry, their “sample” of network and operational experience might not be representative of broader trends in the cybersecurity community. It was easier to have a representative sample when the community was smaller. Now it has grown in a variety of ways that have made it extremely difficult to keep up. As a result, it’s easy for a VC to have the illusion of understanding when in fact they are caught in a bubble.
So what now?
I’ve spent most of this post talking about why most cybersecurity VCs are confused. Therefore, we shouldn’t take VC allocation of funding into various sectors as a signal of emerging trends. In fact, many heavily VC-funded cybersecurity sectors are slowing down, such as asset management, privacy engineering, and data security. It’s great that there is more VC funding in cybersecurity, but we shouldn’t trust VCs to know what’s actually happening. As cybersecurity professionals, we should continue buying and advocating for tools we believe solve problems and share them with our peers.
For VCs, not all is lost. I do believe that there are a number of smart VCs. They know what they know, and they acknowledge their gaps. In order to be successful in keeping up with cybersecurity trends, VCs should spend more time identifying their knowledge gaps and networking to fill them rather than spending time identifying trends with their current network. This is against conventional operator wisdom of playing to your strengths. Some ways of doing this are talking to skip levels or networking with people traditionally outside of your network, e.g. developers if you come from a finance background. Without a doubt, there is luck involved in VC, but with this strategy, one can increase the opportunities to be lucky! Filling these knowledge gaps might be crucial to finding the next major deal.
This is an exciting time in cybersecurity. There’s a lot of innovation happening and seismic shifts for the better.