The future of cybersecurity VC investing with Lightspeed’s Arif Janmohamed

There are two types of enterprise startups: those that create value and those that protect value. Cybersecurity is most definitely part of the latter group, and as a vertical, it has sprawled the past few years as the scale of attacks on companies, organizations, and governments has continuously expanded.

That may be a constant threat for the executives of major companies, but for cybersecurity VCs who pick the right startup targets for investment, it’s a potential gold mine. Here at Extra Crunch, we compiled a list of top VCs who have invested in cybersecurity and enterprise more broadly and asked them what’s interesting in the space these days. We compiled ten of their responses as part of our investor survey and you should definitely take a look for their interesting takes on the space.

But we wanted to go a bit deeper on the topic to learn more about what’s happening right now in cybersecurity. So today, we talk with Arif Janmohamed of Lightspeed Venture Partners, one of the leading investors at one of the top enterprise VC firms in the world. He’s invested in companies ranging from cloud-access security broker Netskope and search analytics platform ThoughtSpot to Qubole (big data analytics), Nutanix (hyper-converged infrastructure), and Arceo.ai (cyber risk management).

Arif Janmohamed. Image via Lightspeed Venture Partners

TechCrunch’s security guru Zack Whittaker, managing editor Danny Crichton and operations editor Arman Tabatabai sat down with him to discuss what he’s seeing at the earliest stages in cybersecurity, which trends are being ignored by the industry and what he sees as the future of security in an always-changing present.

Introduction and Background

The following interview has been condensed and edited for clarity.

Danny Crichton: Let’s start with a bit of your background.

Arif Janmohamed: Sure. I’m on the early-stage side, so I have the most fun when I’m working with founders at the very earliest stages of company formation, where I can focus on company design, product and go-to-market and then find the right balance of teams to fill that out.

I’m on the board of Netskope, which is a cloud-security company. That one I did the Series B back in 2013. I’m on the board of TripActions, which is a corporate travel company, I did that one and then led the Series A and the Series B. I’m on the board of Moveworks, which is an AI engine for IT that was seeded by me and then I’ve supported them through their subsequent financing. I’m also on the board of a number of other companies.

Am I purely security-focused? The answer is no, I’m very much enterprise-focused. Security in my mind really fits within that rubric of the enterprise stack that’s getting rebuilt for a cloud-first world.

What’s snake oil and what has real value?

Zack Whittaker: So I’ve got a question that I just want to jump right in with. I’m always curious about this, especially when it comes to the very early stage, how do you go about distinguishing between potential snake oil and the things that seem really viable in the security world?

Janmohamed: Yeah, we’ve been lucky in terms of doing this. What we over-index on is finding people who have an unfair advantage, and that unfair advantage tends to be either an architectural insight or a technical insight, which lends itself to a new platform. And so when we look for companies in enterprise, we don’t look for companies that can be features, but for companies that can be a platform, and it takes a special type of individual to go build a platform.

So if you look at Netskope’s team [Lightspeed’s portfolio company], for example, the CEO, Sanjay, had spent a number of years at Juniper Networks and was the fastest-rising star inside that company. By the age of I think 35, he was managing almost 3,500 people inside that organization and had been promoted multiple times in a very, very short amount of time. So again, we over-index on people because we believe that people are a future indicator of what could be achieved.

Whittaker: Makes sense. And how do you think about the security space today?

Janmohamed: In security, we look at it from a framework perspective:

  • Endpoints were traditionally laptops, but that’s extending to mobile and servers in the data center. The last generation of platform companies were companies like Symantec, McAfee, and then the new generation were companies like Cylance and SentinelOne and Carbon Black, which was just acquired.
  • Identity is another really big platform, and the new kid on the block is Okta, and we were in SailPoint as one of the last generation, but Auth0 is in identity also.
  • Network security, we believe, is a major pillar. This is where Palo Alto Networks plays, but we believe that Netskope has an opportunity to redefine network security, and that’s a $20 billion market growing quite rapidly.
  • There’s analytics, this is the world that Splunk and ArcSight are in but again, we believe that this is a platform play, because this is a system of record for logs, log analytics and for finding problems.
  • Then there’s vulnerability and penetration testing, and that’s the world of Qualys and Tenable.
  • Finally, there’s email.

So when we look at companies, we try to figure out do these founders have clarity of thought about how they can take their initial wedge and turn it into a longer-term platform opportunity. 

What’s new for early-stage startups

Crichton: What are you seeing at the earliest stages? What are entrepreneurs really focused on these days that’s exciting to you?

Janmohamed: There are two trends I’m watching.

The first one is this extension of the cloud. Cloud is a story that’s been playing out for 10 years, but I would argue we’re still very much in the early innings, especially on the enterprise side.

For security specifically, I think of the cloud as really redefining the perimeter that needs to be protected. Historically, the perimeter has been a data center or a series of data centers that have been managed by IT and that you needed to put walls around. Check Point and then Palo Alto Networks took advantage of that concept of, ‘Hey, there’s got to be a wall around my prized assets.’

As a result of those walls being a little leaky, there popped up a whole new industry of peripheral products that we call analytics that would look at things that got through the wall. That’s where ArcSight and Splunk more recently have been building their businesses.

In today’s world, that perimeter has been extended, and now spans multiple clouds, not just one cloud. It’s AWS, it’s Google, it’s Azure. It’s multiple applications, and those applications have become systems of record. You’ve got data that’s sitting in SaaS applications and via APIs. So you’ve actually got sensitive data that’s sitting in the cloud based on the workloads that you’ve put into infrastructure.

The way I look at it is — remember, I gave you that framework of endpoints, analytics, network security, potentially email, penetration testing, etc. — how does that rubric change in a world where the perimeter has dramatically expanded outside the traditional view of an enterprise perimeter?

Crichton: That’s great, and you mentioned there was another trend?

Janmohamed: Analytics, I think is changing in a different way. Historically, analytics has been pretty much a system of record. It’s been a place where you throw your logs into and then the modus operandi has been to talk about having very, very well-trained security analysts that can go through and sift through those logs and figure out what’s going on.

We saw the first step of automation happen with companies like Demisto and Phantom Cyber. Demisto was acquired by PAN [Palo Alto Networks], Phantom Cyber was acquired by Splunk, and Exabeam has its own orchestration product also. But this was the first step in the automation of analytics.

Where things get really interesting is a world where machine learning is now getting democratized. So you now have very rich datasets plus specialized individuals that can train models, which can now lead to better fidelity around finding the things that people should spend time on.

So I think the biggest plague that security has is there are tens of thousands of vulnerabilities, there are tens of thousands of issues that people can spend time on, but it’s limited by human capital. And I believe that over the next few years, we’re going to see human capital continue to be extremely expensive and a lot of that gets shifted away from not just workflow orchestration, but truly AI-driven automation.

We’re still in the early innings, and there’s a lot of companies that lay claim to that from a marketing perspective. But I think we’re just in the early stages of seeing people really start to productize this.

Cloud, cloud, cloud

Crichton: Are you seeing new ways of creating solutions in security?

Janmohamed: I am. Just the same way as you get a marketing cloud and a sales cloud and a service cloud and a human resources cloud with companies like Workday and ServiceNow, you now have the advent of the security cloud and that really hasn’t existed until recently. 

People wanted to lay claim to it, but until now, the security cloud has been a federation of various clouds. First you had your SaaS application cloud, then you had your web security cloud, and then you had your malware cloud and then you had your endpoint cloud and your VPN cloud.

I think what you’re going to see over time is just this federation of clouds collapse into one cloud, one platform. Just the same way that in the old world, you had a federation of boxes, I believe over time, you’ll see the services collapsed into a series of platforms that are cloud native, and that recognize that the perimeter has extended in a cloud-first world the way that I’ve talked about.

Founding teams, skeptical trends, and more

Crichton: And from your perspective, what kind of founding teams are generally best for creating these sorts of products?

Janmohamed: That’s a really great question. I think we’re going to see more and more cross-functional teams come together, where there is security domain-specific expertise paired up with data/machine learning-specific expertise.

Arman Tabatabai: Are there certain trends in security that you are more skeptical of?

Janmohamed: Well this sort of ties into what we just talked about where I think every security company that’s coming in for funding is talking about being AI-driven and being AI-first. But the reality is the majority are not. It’s a little like in the early days of cloud, every company was a cloud company, and then it just became part of the narrative.

I think right now every security company and even more broadly speaking, every single enterprise company is talking a big AI game, and it’s our job to really figure out who’s got something that’s truly differentiated and who’s really latching on to the buzzword du jour. 

Tabatabai: If there was a startup that you could invest in today, but you haven’t seen yet, what is that startup? 

Janmohamed: This problem of data being much more federated is going to become an acute challenge. I’m less focused on data leakage, and more focused on data federation, data compliance and control over your data in terms of who gets access to it, where it lives, how it’s getting used, because in an API-first economy, you have much less control over the data as your data is federated across multiple clouds, multiple SaaS applications, and multiple third-party applications that tend to use your data. So I’m very interested in the fingerprinting of data and the control of data over the next few years.

Whittaker: Is there anything in cybersecurity we haven’t covered yet?

Janmohamed: I guess what I’d say as a macro statement is cybersecurity is one of those gifts that keeps on giving, in the sense that the solutions come up, the solutions get deprecated by new technologies. It’s a cat-and-mouse game with very, very smart people that have incredible tools at their fingertips and who are trying to do bad things and so that just creates an ongoing set of opportunities to try to outsmart and out-innovate the bad guys.

The last thing that I’ll talk about, which I’m super-excited about, is that I believe that we will see a decreased focus on just selling products, and more of a focus on selling risk management. I think we’ll see some blending of business models over the next five to 10 years, in terms of how CISOs really start to evolve their thinking in terms of managing risk. How do you combine the best of products to deliver risk management and protection against hackers? How do you couple that with cyber insurance, which really takes care of the monetary side? That’s going to be a very interesting development in the coming years.

Whittaker: Thanks so much for joining us, Arif.