Do you need a blockchain?

Blockchain technology is set to have a profound impact on a wide variety of industries, ranging from capital markets to the music business. While some use cases may seem obvious, the technology is still surrounded by its fair share of hype and uncertainty. As a manager, how should you approach the subject, and when should you put your money where your mouth is and actively aim to implement blockchain technology?

According to Juniper Research, six of 10 large corporations are either actively considering or in the process of deploying blockchain technology. Amongst companies that have reached the Proof of Concept stage, two-thirds (66 percent) expected blockchain to be integrated into their systems by the end of 2018. The research claimed that the companies that would benefit most from blockchain include those with (1) a need for transparency in transactions, (2) a current dependence on legacy storage systems and (3) a high volume of transmitted information.

Looking at the reasons for implementing blockchain, there is an inherent risk that managers eager to explore new technologies jump to conclusions without exploring alternative options. According to the research, systemic rather than technological change may provide both better and cheaper solutions to the issue at hand.

For many corporations, the go-to approach to investigate potential use cases for blockchain is to look for inefficiencies in current processes. This approach is guaranteed to provide some results, but often the solution is to truly re-design legacy processes to fit a digital world rather than exploring new and unknown technologies.

One reason why blockchain often emerges as an answer to many problems is that it is easy to imagine high-level use cases of blockchain technology. However, as we venture under the surface of such use cases, applying blockchain technology to a known problem is all too often a theoretical solution.

In its simplest form, blockchain is an alternative to the traditional database. Blockchain differs from a database in many ways, but the most significant difference is the decentralized nature of blockchain. While a database requires a central authority to maintain and manage data, blockchain offers a decentralized approach to storage and verification of data. However, this feature comes at a cost. Blockchains in their current state (at least public ones) have some scaling issues, making them slower than traditional databases. In addition, users must pay a fee for each “transaction” on the database, and that fee is fluctuating and unpredictable.

To make things a bit more confusing, the term blockchain has become a bit diluted as the hype has continued to bloom. Terms like permissioned versus permissionless and private versus public blockchains are circulating; the term has become so widespread that it may lose some of its meaning. Permissioned blockchains are operated by known entities such as stakeholders of a given industry, whereas private blockchains are operated by one entity. These approaches have become particularly popular in the financial industry, as they focus on immutability and efficiency rather than anonymity and transparency. However, if we look closely at the inherent properties of a private or permissioned blockchain, they resemble a shared database, and critics argue that the term private blockchain is just a confusing name for a shared database.

Estonia’s digital identity solution is an example of the use of the blockchain as a marketing tactic, as the company providing the underlying technology rebranded its offering from “hash-linked time-stamping” to “blockchain technology” just in time to ride the blockchain hype. With last year’s crypto-craze, there is no shortage of companies claiming to be a “blockchain-company” in order to boost valuations.

With this in mind, there are a couple of simple control questions to help guide one through the decision process as to whether one should explore blockchain technology or just stick with a good-old database.

First of all, if it works, don’t fix it. If you’re satisfied with your database setup today, there should be no rush to replace this. A potential switch involves rethinking everything, recoding most things and betting on a new technology that will need many years of work to become as mature as whichever database you’re currently using.

Are you depending on a third party to carry out transactions or to create trust between multiple stakeholders? If the use of a trusted third party to establish and maintain trust across stakeholders is in play, it may be the time to investigate the use of blockchain technology.

On the other hand, if performance and transaction speed are the most important factors, you should stick with a database… for now.

Do you need to handle highly dynamic data with a clear audit trail? Blockchains offer a flexible capacity by enabling many parties to write new entries into a system of record that is also held by many custodians.

To make things somewhat easier, there are numerous flowcharts circulating on the internet for when to use a blockchain (many of these can be found here).

While there are many reasons to steer clear of blockchain technology, there are equally many potentially valuable use cases — such as royalty distribution in the music industry, cross-border payments, management of shared ownership such as timeshares, health records and many more. For instance, a decentralized Facebook might have mitigated the current array of scandals related to deliberately spreading misinformation to influence public opinion and the misuse of personal data.

For managers looking to explore blockchain, it is easy to both be dazzled by the promises of new technology as well as dismiss the unknown. In this case, it is important to stay curious and have a practical approach, while still being able to have a vision that spans beyond the daily operations.

Enterprise AI will make the leap — who will reap the benefits?

This year, artificial intelligence will further elevate the enterprise by transforming the way we work, securing digital assets, increasing collaboration and ushering in a new era of AI-powered innovation. Enterprise AI is rapidly moving beyond hype and into reality, and is primed to become one of the most consequential technological segments. Although startups have already realized AI’s power in redefining industries, enterprise executives are still in the process of understanding how it will transform their business and reshape their teams across all departments.

Throughout the past year, early adopting businesses of all sizes and industries began to reap benefits. Applications with AI-powered capabilities introduced opportunities to change the way the enterprise engaged customers, segmented markets, assessed sales leads and engaged influencers. Enterprises are on the edge of taking this a step further because of the amount of knowledge and tools now available to leverage the potential of AI within their entire organization.

“New breakthroughs in AI, enabled by new hardware architectures, will create new intelligent business models for enterprises,” says Nigel Toon, co-founder and CEO at U.K.-based Graphcore. “Companies that can build an initial knowledge model and launch an initial intelligent service or product, then use this first product to capture new data and improve the knowledge model on a continuing basis, will quickly create clear class-leading products and services that competitors will struggle to keep up with.”

The category is evolving, and large companies are finding distinct ways to innovate. They can uniquely tap into decades of industry experience to develop horizontal AI, built for specific industries like healthcare, financial services, automotive, retail and more. These implementations, though, require deep industry expertise and industry-specific design, training, monitoring, security and implementation to meet the high-stakes IT requirements of global organizations.

“In 2018, AI is entering the enterprise. I believe we will see many enterprises adopt AI technology, but the (few) leaders will be those that can align AI with their strategic business goals,” says Ronny Fehling, associate director of Gamma Artificial Intelligence at BCG.

2018: AI will start separating the winners from the losers

Early industry successes (and failures) proved AI’s inevitability, but also the reality that wide-scale adoption would come through incremental progress only. This year, we’ll see AI move from influencing product or business functions to an organization-wide AI strategy. Expect the winners to move fast and remain nimble to keep implementing off-the-shelf and proprietary AI.

Hans-Christian Boos, CEO and founder of Germany-based Arago, adds: “2018 will be a make or break year for enterprise and the established economy in general. I believe AI is the only viable path for innovation, new business models and digital disruption in companies from the industrial era. General AI can enable these enterprises to finally make use of the only advantage they have in the battle against new business models and giants from the Silicon Valley, or rather giants from the new age of knowledge based business models.”

The AI talent challenge

A boom in enterprise AI will also mean a further shortage of talent. Industries like telecommunications, financial services and manufacturing will feel the talent squeeze the most. The companies that win the AI talent war will gain exponential advantages, given the category’s rapid growth.

Hence, enterprises will try to attract talent by offering a powerful vision, a track record of product success, a bench of early client implementations and the potential to impact the masses. It’s about developing high-functioning and reliable solutions that become a new foundation for clients.

Developers and data scientists, however, are only the beginning. Winning enterprises must adapt their organizational structures to attract a new generation of product managers, sales, marketing, communications and other delivery teams that understand AI. This requires an informed, passionate and forward-thinking group of professionals that will help customers understand the future of work and customer engagement powered by AI.

AI adoption and employee training

Digital transformation, powered in large part by new AI capabilities, requires enterprises to understand how to extract data and utilize data-driven intelligence. Data is one of the greatest assets and essentials in maximizing the value in an AI application, yet data is often underutilized and misunderstood. Executives must establish teams and hold individuals across departments accountable for the successful and ongoing implementation of digital tools that extract full value from available internal and external data.

This transformation into an AI-native organization requires it to hire, train and re-skill all levels of employees, and provide the resources for individuals to adopt AI-powered disciplines that enhance their performance. Most of the workforce, from top to bottom, should be encouraged to rethink and evolve their role by incorporating new digital tools, often enabled by AI itself.

Expect AI and other digital technologies to become more prevalent in all business disciplines, not only at the application layer, as Vishal Chatrath, co-founder and CEO of U.K.-based Prowler.io emphasises. “Decision-making in enterprise is dominated by expert-systems that are born obsolete. The AI tools available till now that rely on deep-neural nets which are great for classification problems (identifying cats, dogs, words etc.) are not really fit for purpose for decision-making in large, complex and dynamic environments, because they are very data inefficient (needs millions of data points) and effectively act like black-boxes. 2018 will see Enterprise AI move beyond classification to decision-making.”

What’s next

However, the spotlight will shine on data governance as businesses adjust entire departments and workflows around data. In turn, data management and integrity will be an essential component of success as consumers and enterprises gain greater awareness about how companies use customers’ data. This opens a large field of opportunities, but also will require transparency in how companies are using, sharing and building applications on top of customer data to ensure trust.

“Every single industry will be enhanced with AI in the coming years. In the last years there was a lot of foundation work on gathering standardized data and now we can start to use some of the advanced AI techniques to bring huge efficiency and quality gains to enterprise companies,” says Rasmus Rothe, co-founder and CTO of Germany-based research lab and venture builder Merantix. “Enterprises should therefore thoroughly analyze their business units to understand how AI can help them to improve. Partnering with external AI experts instead of trying to build everything yourself is often more capital efficient and also leads to better results.”

The shift toward AI-native enterprises is in a defining phase. The pie of the AI-enabled market will continue to grow and everyone has an opportunity to take a slice. Enterprises need to quickly leverage their assets and extract the value of their data as AI algorithms themselves will become the most valuable part when data has become a commodity. The question is, who will move first, and who will have the biggest appetite.

US early-stage investment share shrinks as China surges

The global early-stage investment pie is getting bigger… a lot bigger. Just four years ago, investors were putting less than $10 billion per quarter into early-stage deals (Series A and B). The past two quarters, however, have all come in over twice that level. Q1 2018, meanwhile, looks to be a record-setting one, with Crunchbase projecting $25 billion in global early-stage investment.

But while overall investment is on the rise, the U.S.’ share is dwindling. A few years ago, North American startups reliably received at least two-thirds of global early-stage investment. No more. For the past three quarters, North America’s share has dwindled to less than half, as the chart below illustrates:

The rise of China’s startup scene, combined with local investors’ penchant for jumbo-sized Series A rounds, goes a long way to explaining the shift. Venture ecosystems in Southeast Asia, Brazil and elsewhere have also been in growth mode, and are thus accounting for a more significant share of global early-stage investment.

Huge Series A rounds are huge in China

Before we venture further, it should be noted that although we associate Series A with early-stage companies, this is not always the case. Some of the largest Series A rounds globally have gone to companies that were relatively mature but previously bootstrapped or spun out of large corporations.

Recent data shows both the U.S. and China have their share of spin-outs and older companies gobbling up so-called early-stage rounds. OneConnect and Ping An Healthcare, subsidiaries of Chinese insurance giant Ping An, which raised $650 million and $1.2 billion, respectively, are examples of such activity.

Venture investors in China also put far more into Series A and B deals than U.S. counterparts. A Crunchbase News analysis found that the average Series A round for a China-based startup in 2017 was $32.8 million, just over triple the size of the average Series A for a U.S. company.

The momentum is holding up in 2018. So far this year, at least 12 Chinese companies have raised early-stage rounds of $100 million or more, altogether bringing in more than $4 billion (see list). Recipients of some of the largest rounds include:

  • Ziroom, an apartment rental service provider based in Beijing, raised $621 million in its Series A round.
  • Black Fish, a consumer finance platform, raised a $145 million Series A round.
  • Pony.ai, an autonomous vehicle startup with significant operations in both Silicon Valley and China, raised a $112 million Series A.

U.S. is no slouch in big A and B rounds, either

The U.S. has also had a dozen startups (plus Pony.ai) bring in $100 million or more in early-stage rounds this year. However, the aggregate total these startups have raised — about $1.8 billion — is less than half that of Chinese counterparts.

As mentioned previously, many of the largest early-stage round recipients are mature companies or spin-outs of mature companies. The list includes two companies founded in 2009 that closed Series B rounds of around $100 million this year: Joby Aviation, a developer of electric planes, and Vacasa, a vacation property management company.

Healthcare spin-outs are also attracting big dollars, including Celularity, a developer of placental stem cell-based therapies, and Viela Bio, a developer of therapies for autoimmune diseases.

But while big rounds are still getting done, the number of U.S. early-stage rounds of all sizes has declined a bit over the past four years. Over the last two quarters, Crunchbase projects fewer than 900 early-stage rounds are closing quarterly. Globally, however, the number of early-stage rounds has been trending up:

Part of the pattern is that the dynamics of early-stage funding have changed over the years. In the past, Series A and B rounds were for startups to develop working prototypes, hone market segments to target and attract the earliest customers. Scaling on a national or international level was generally for later stages, after a company had proven demand and a working product.

These days, markets move faster, and it’s not uncommon to see startups move in just a few quarters from concept to scaling en masse. Just look at Bird, the scooter sharing company that raised $115 million after mere months of operation with a business model intended to ~~terrorize pedestrians and motorists~~ provide a last-mile transit solution.

The entire bike, scooter and moped sharing sector has blossomed over a couple of short years, with big early-stage rounds all around. And it’s an area where China was the early leader for scaling. But fintech, biotech, agtech and other fields are also providing fertile ground for substantial early-stage funding rounds.

Should we worry?

So is the declining share of North American early-stage funding a source of worry for founders and investors in the region? Or is it a predictable evolution following economic growth in China and elsewhere?

We won’t attempt to answer that here, but others have tried. Sequoia Capital’s Michael Moritz drew wide criticism earlier this year for an essay sounding the warning bell on what he perceived as superior work ethic among Chinese entrepreneurs compared to their U.S. counterparts.

Purely following the money, the takeaway is this: Investors globally have decided the early-stage opportunity is a lot bigger than they thought a couple of years ago. And while investors are putting a bit more into mature ecosystems like the U.S. and Silicon Valley, they are putting a lot more into China and other regions with underdeveloped venture markets relative to their size and technology prowess.

We’re listening to: Acquisitions Inc. and The Adventure Zone

This week's IRL is about podcasts. Or games. Or both? Kris Naudus loves role-playing games — the ones with dice rather than pixels — and she also loves podcasts. Combining the two should be a dream, but Kris has struggled to get into some of the mo…

Diversity and inclusion, data privacy and security ops will be on everyone’s mind at RSA

This week, 50,000 security professionals will descend upon San Francisco for the 27th Annual RSA Security Conference, arguably the largest global security event of the year. And for the security community to win against “the bad guys,” we’re going to need at least 50,000 more people.

Yes, the well-established “security skills gap” will be a hot point of discussion at this year’s RSA Conference. But in a year fueled by industry controversy (including backlash against RSA Conference itself), the conversations on stage and in the Expo Hall are expected to be the most lively since 2014, when the debate around Edward Snowden came to the forefront on security’s biggest stage. Unlike RSA’s conference rivals, Black Hat and DefCon, RSA is an industry event attended by a balance of security analysts and business executives. This group has historically bred an interesting mix of opinions on topics related to privacy, inclusion and disclosure.

From Facebook’s public data privacy crisis with Cambridge Analytica and a long overdue movement calling for the security industry to finally break the glass ceiling, here are the three things that will be on everyone’s mind at RSA this year:

Diversity and Inclusion

Throughout my 20+ years in the security community, the unfortunate reality remains that a gender bias exists. Finally, we’re approaching it head-on, but there’s lots of work to be done. When RSA initially announced their keynote roster this year, the list was dominated by men – in fact, the only woman announced as an initial keynote was Monica Lewinsky. In response, a one-day alternative conference was announced – OURSA – which promised to deliver content from a more diverse group of experts. Bravo. The event sold out quickly – my company Splunk was lucky enough to get a handful of tickets.

A lack of diversity in the security community is not just wrong from a social-psychological sense – it is a business issue. There is a huge talent gap in security jobs. Many organizations are ignoring a significant portion of the population by not recognizing contributions, and not creating opportunities for positive role modeling. OURSA, which seeks to help correct that, will be talked about for some time. In fact, their impact is already being felt – RSA has added a number of female and POC keynote speakers in response to the controversy. Good on them.

Data Privacy

A perfect storm of data privacy is brewing. First, you have General Data Protection Regulation (or GDPR) – the acronym on every vendor’s lips this year. Designed to strengthen data protection for individuals, GDPR will change the way every business that operates in the EU handles the personal data of its users and customers. This will have a massive, global impact on the ways companies operate and disclose data breaches. Solutions specifically designed to address GDPR will surely be unveiled at RSA this year as the global security community tries to make sense of what new compliance standards they have to meet. Then – you have what might be the biggest topic at RSA this year – Cambridge Analytica. With CEO Mark Zuckerberg under fire from the media and Facebook users, you can bet that an elevated discussion on the ethics of data will be had at RSA. There are quite a few talks on security and privacy on this year’s RSA agenda, and given event attendees are typically bent towards business and organizational leadership, data privacy will be top of mind.

Security Operations

Many in the industry are wising up to the fact that buzzword bingo created by vendors is hurting, not helping the security community. Every year at RSA, attendees listen to topics ranging from security leadership, to cryptography, to keynotes on threats. And every year security professionals must ask themselves, how can this knowledge be operationalized – how can all the practices, technologies and ideas be put to effect in any given organization? A lot of this boils down to what we can bucket as “Security Operations,” a simple and understandable term that encompasses everything that happens within a Security Operations Center (SOC) to keep companies aware, secure and analytics-driven. Last year, the key trends driving growth in Security Operations were machine learning and artificial intelligence. But is the hype over? Or is automation the new thing?

The Bottom Line

As I’ve written in TechCrunch before, cybersecurity is a moving target. People want to talk a lot about “the good guys” winning or “the bad guys” winning, but the truth remains that our best way to make inroads to combat emerging threats and hit that target is by working together. And that doesn’t just go for security analysts – it applies to security vendors too. More than anything, RSA presents a great networking opportunity for security professionals to come together and learn from each other on what trends are helping them find threats faster. I predict that as always, the community will help each other understand what substantive state changes people need to make when they get back to their offices.

The United States needs a Department of Cybersecurity

This week over 40,000 security professionals will attend RSA in San Francisco to see the latest cyber technologies on display and discuss key issues. No topic will be higher on the agenda than the Russian-sponsored hack of the American 2016 election, with debate about why the country has done so little to respond and what measures should be taken to deter future attempts at subverting our democracy.

For good reason. There is now clear evidence of Russian interference in the election with Special Counsel Mueller’s 37-page indictment of 13 Russians, yet the attack on US sovereignty and stability has gone largely unanswered. The $120 million set aside by Congress to address the Russian attacks remains unspent. We expelled Russian diplomats but only under international pressure after the poisoning of a former Russian spy and his daughter.

Recent sanctions are unlikely to change the behavior of the Putin administration. To put it bluntly, we have done nothing of substance to address our vulnerability to foreign cyberattacks. Meanwhile, our enemies gain in technological capability, sophistication and impact.

Along with the Russians, the Chinese, North Koreans, Iranians and newly derived nation states use cyber techniques on a daily basis to further their efforts to gain advantage on the geopolitical stage. It is a conscious decision by these governments that a proactive cyber program advances their goals while limiting the United States.

We were once dominant in this realm both technically and with our knowledge and skillsets. That playing field has been leveled and we sit idly by without the will or focus to try and regain the advantage. This is unacceptable, untenable and will ultimately lead to potentially dire consequences.

In March of this year, the US CyberCommand released a vision paper called “Achieve and Maintain Cyberspace Superiority.” It is a call to action to unleash the country’s cyber warriors to fight for our national security in concert with all other diplomatic and economic powers available to the United States.

It’s a start, but a vision statement is not enough. Without a proper organizational structure, the United States will never achieve operational excellence in its cyber endeavors. Today we are organized to fail. Our capabilities are distributed across so many different parts of the government that they are overwhelmed with bureaucracy, inefficiency and dilution of talent.

The Department of Homeland Security is responsible for national protection including prevention, mitigation and recovery from cyber attacks. The FBI, under the umbrella of the Department of Justice, has lead responsibility for investigation and enforcement. The Department of Defense, including US CyberCommand, is in charge of national defense. In addition, each of the various military branches has its own cyber units. No one who wanted to win would organize a critical capability in such a distributed and dispersed manner.

How could our lawmakers know what policy to pass? How do we recruit and train the best of the best in an organization, when it might just be a rotation through a military branch? How can we instantly share knowledge that benefits all when these groups don’t even talk to one another? Our current approach does not and cannot work.

What is needed is a sixteenth branch of the Executive — a Department of Cybersecurity — that would assemble the country’s best talent and resources to operate under a single umbrella and a single coherent policy. By uniting our cyber efforts we would make the best use of limited resources and ensure seamless communications across all elements dealing in cyberspace. The department would act on behalf of the government and the private sector to protect against cyberthreats and, when needed, go on offense.

As with physical defense, sometimes that means diplomacy or sanctions, and sometimes it means executing missions to cripple an enemy’s cyber-operations. We have the technological capabilities, we have the talent, we know what to do, but unless all of this firepower is unified and aimed at the enemy we might as well have nothing.

When a Department of Cybersecurity is discussed in Washington, it is usually rejected because of the number of agencies and departments affected. This is code for loss of budget and personnel. We must rise above turf battles if we are to have a shot at waging an effective cyber war. There are some who have raised concerns about coordination on offensive actions but they can be addressed by a clear chain of command with the Defense Department to avoid the potential of a larger conflict.

We must also not be thrown by comparisons to the Department of Homeland Security and conclude a Cybersecurity department would face the same challenges. DHS was 22 different agencies thrust into one. A Department of Cybersecurity would be built around a common set of skills, people and know-how all working on a common issue and goal. Very different.

Strengthening our cyberdefense is as vital as having a powerful standing army to defend ourselves and our allies. Russia, China and others have invested in their cyberwar capabilities to exploit our systems almost at will.

Counterpunching those efforts requires our own national mandate executed with Cabinet-level authority. If we don’t bestow this level of importance on the fight and set ourselves up to win, interference in US elections will not only be repeated … such acts will seem trivial in comparison to what could and is likely to happen.

Lessons from cybersecurity exits

To: ceo@cybersecuritystartup.com

Subject: Lessons from cybersecurity exits

Dear F0und3r:

What a month this has been for cybersecurity! One unicorn IPO and two nice acquisitions – Zscaler’s great debut on Wall Street, a $300 million acquisition of Evident.io by Palo Alto Networks and a $350 million acquisition of Phantom Cyber by Splunk – have gotten all of us excited.

Word on the street is that in each of those exits, the founders took home ~30% to 40% of the proceeds. Which is not bad for ~4/5 years of work. They can finally afford to buy two-bedroom homes in Silicon Valley.

Evident.IO Investment Rounds and Return estimates

| Date | Select Investors | Round Size | Pre | Post | Dilution | Estimated Returns / Multiple of Invested Capital |
|---|---|---|---|---|---|---|
| Sep 2013 | True Ventures | $1.5m | $5.25m | $6.75m | 22% | 44X |
| Nov 2014 | Bain Capital | $9.8m | $18.1m | $28.0m | 35% | 10.7X |
| Apr 2016 | Venrock | $15.7m | $35.0m | $50.7m | 30% | 6X |
| Feb 2017 | GV | $22.0m | $73.6m | $95.5m | 23% | 3.1X |

My math is not that good but looks like even some VCs made a decent return. Back of the envelope scribbles indicate that True Ventures scored an estimated ~44X multiple on its seed investment. Others like Bain snagged a ~10X on the A round investment and Venrock which led the Series B round took home ~6X.

We see a similar pattern with Phantom Cyber, which got acquired by Splunk for $350 million. A little bird told me that they had bookings in the range of $10 million. But before we all get too self-congratulatory, let’s ask – why did these companies sell at $300 million to $350 million when everyone in the Valley wants to ride a unicorn? Clearly, funds like GV, Bain and Kleiner could have fueled more rounds to make unicorns out of Evident.io and Phantom Cyber.

Phantom Cyber Investment Rounds and Return estimates

| Date | Select Investors | Round Size | Pre | Post | Dilution | Estimated Returns / Multiple of Invested Capital |
|---|---|---|---|---|---|---|
| April 2015 | Foundation Capital | $2.7m | $8.3m | $11.04m | 14.50% | 31.7 |
| Sep 2015 | Blackstone | $6.5m | $26.7m | $33.2m | 15.90% | 10.5 |
| Jan 2017 | KPCB | $13.5m | $83.0m | $96.5m | 13.90% | 3.6 |

(Data Source: Pitchbook)

Some of the board members might have peeked at the exit data gathered by the hardworking analysts at Momentum Cyber, a cybersecurity advisory firm. Look at security exit trends from 2010-2017. You might notice that ~68% of security exits were below $100 million. And as much as 85% of exits occur below $300 million.

Agreed that there are very few exceptional security CEOs like Jay Chaudhry, who grew up in a Himalayan village and led Zscaler to an IPO. This was Jay’s fifth startup and he kept over 25.5% of the proceeds, with another 28.3% owned by his trust. TPG Growth owned less than 10%. After all, he himself funded a substantial part of the company (which raised a total of $110 million). But not everyone is as driven or successful, and it’s OK to sell if the exit numbers are meaningful. Remember what that Bard of Avon once said:

For I must tell you friendly in your ear,

Sell when you can; you are not for all markets.

(Shakespeare, As You Like It, Act 3, Scene V)

(68% of security exits occur below $100 million. M & A Data from 2010-2017. Source: Momentum Cyber)

My friend Dino Boukouris, a director at Momentum Cyber, offers some sage advice to all founders who are smitten by unicorns. “Before a founder raises their next round, I would reflect on the market’s ability to purchase companies. The exit data says it all. As you raise more capital, your exit value goes up, timing gets stretched and the number of buyers who can afford you drops.” Dino has a point, you see. As we inflate valuations, your work, my dear CEO, becomes much harder.

If you don’t believe Dino, let’s look at another recent exit, PhishMe, which was acquired by a private equity consortium for $400 million. That’s a nice number, correct? At first look, you’ll notice that the dilution and financial return patterns are similar to those of Phantom. Except that PhishMe took 7 years and consumed $58 million of capital, while Phantom took 3 years and consumed $22.7 million. Timing and capital efficiency matter as much as exit value. It’s not just the exit value ~ but how long and how much. Back to my man Dino, who will gently remind you that for the 175 M&A transactions in 2017, the median value was $68 million. Read that last sentence again — very slowly. $68 million. Ouch!

PhishMe Investment Rounds

| Date | Round size | Select Investors | Pre-money Valuation | Post | Dilution | Returns / Multiple of Invested Capital |
|---|---|---|---|---|---|---|
| July 2012 | $2.5m | Paladin | $10m | $12.5m | 12.20% | 32.0 |
| March 2015 | $13m | Paladin | $61m | $74m | 13% | 5.4 |
| July 2016 | $42.5m | Bessemer | $155m | $197m | 21% | 2.0 |

(Data Source: Pitchbook)

Two years ago, in “Cockroaches versus Unicorns – The Golden Age of Cybersecurity Startups,” cybersecurity founders were urged to avoid the unicorn hubris. A lot of bystanders, your ego included, will cheer you as you get higher valuations. But aren’t we all rational human beings, always making data-based decisions?

Marc Andreessen will remind you that his best friend, Jim Barksdale, once said, “If we have data, let’s look at data. If all we have are opinions, let’s go with mine.” Since 2012, my VC friends have funded 1242 cybersecurity companies, investing a whopping $17.8bn. But chief information security officers say that they don’t need 1242 security products. One exhausted CISO told me they get fifteen to seventeen cold calls a day. They hide away from LinkedIn, being bombarded relentlessly.

Enrique Salem (former CEO of Symantec) and Noah Carr, both with Bain Capital, are celebrating the successful sale of Evident.io. They pointed out that the founders — Tim Prendergast and Justin Lundy — had lived the public cloud security problem in their previous lives at Adobe. “Such deep domain expertise allowed them to gain credibility in the market. It’s not easy to earn the trust of their customers. But given their strong engineering team, they were able to build an ‘easy to deploy’ solution that could scale to customers with 1000s of AWS / Azure accounts. Customers were more willing to be reference-able, given this aligned relationship.”

(Source: Momentum Cyber)

You, my dear CEO, should take a page from that playbook. Because Jake Flomenberg, Partner at Accel Partners, says, “CISOs are suffering from indigestion. They are looking to rationalize toolsets and add very selectively. New layer X for new threat vector Y is an increasingly tough sell.” According to Cack Wilhelm, Partner at Accomplice, “Security analysts have alert fatigue, and CISOs have vendor fatigue.” You are one of those possibly, wouldn’t you agree?

Besides indigestion and fatigue, the CISO roles have become demanding. William Lin, Principal at Trident Capital Cyber, a $300m fund, pointed out that “the role of CISO has bifurcated into managing risk akin to an auditor and at the same time, managing complex engineering and technology environments.” So naturally, they are managing their time more cautiously and not looking forward to meeting one more startup.

Erik Bloch, Director of Security Products at Salesforce, says that while he keeps an open mind and is willing to look at innovative startups, it takes him weeks to arrange calls with the right people, and months to scope a POC. And let’s not forget the mountain of paperwork and legal agreements. “It’s great to say you have a Fortune 100 as an early customer, but just be warned that it’ll be a long, hard road to get there, so plan appropriately,” he pointed out.

So, my dear founder, as the road gets harder, funding slows down. Look at 2017 — despite all those big hacks, Series A funding dropped by 25% in 2017. Clearly, many of our seed-funded companies are not delivering those Fortune 100 POC milestones. And are unable to raise a Series A. Weep, if we must, but let us remind ourselves that our point solutions are not that impressive to the CISOs.

All the founders I know are trying to raise a formulaic $8m Series A on $40m pre. But not every startup that wants 8 on 40 deserves it. Revenues and growth rate, those quaint metrics, matter more than ever. And some investors look for the quality of your customers. Aaron Jacobson of NEA, a multi-billion dollar venture fund, says, “A key value driver is a thought-leader CISO as a customer. This is often a good indicator of value creation.”

| Stage | Expected Revenue Run Rate | Estd. Round Size |
|---|---|---|
| Angel | None | Up to $2m |
| Series A | $1.5m to $3m | $5m to $8m |
| Early VC | $5m to $8m | $15m to $25m |
| Late Stage VC | $6m to $10m | $30m to $50m |

When markets get crowded and all startups sound the same, investors seek quality, or move to later stages. They like to see well-proven companies that have solved a lot of basic problems. And eliminated riskier stumbling blocks. Like product-market fit, pricing and go-to-market issues. Naturally, the later stage valuations are rising faster. Money is chasing quality, growth and returns.

Median Post-Money Valuation by stage for cybersecurity companies (Source: Pitchbook)

The security IPOs offer a sobering view. This is a long journey, not for the faint of heart. Okta moved fast, consumed ~4X more capital than SailPoint and delivered great returns.

| Company | Year Founded | Years to IPO | Total Capital raised prior to IPO | Revenues (2017) | Post Money of last round prior to IPO | Market Cap at IPO |
|---|---|---|---|---|---|---|
| Zscaler | 2008 | 10 | $180m | $176m | $1.05 bn | $3.6 bn |
| Okta | 2009 | 8 | $231m | $160m | $1.18 bn | $2.1 bn |
| Forescout | 2000 | 17 | $159m | $220m | $1.0 bn | $806 mn |
| SailPoint | 2004 | 13 | $54.7m | $186m | N/A | $1.1 bn |

Security IPOs (Source: Momentum Cyber, Pitchbook)

Innovating with go-to-market strategies

In the near term, the big challenge for you, dear security founder, is selling in an overcrowded market. If I were you, I’d remember that innovation should not be restricted to merely technology, but can extend into sales and marketing. We lack creativity when it comes to marketing – ask Kelly Shortridge of SecurityScorecard. She should get some kind of Black Hat award for developing this godforsaken Infosec Startup Bingo. If you find any startup vendor that uses all these words, and wins this bingo, please DM me ~ I will promptly shave my head in shame. We got here because we do not possess simple marketing muscles. We copy each other while our customers roll their eyes when we pitch them.

Sid Trivedi of Omidyar Technology Ventures wants to work with developer-focused startups. He says, “Look at companies like Auth0. The sales efficiency on developer-focused platforms is tremendous. You can go to a CISO, CIO or CTO and point out that X number of developers are paying to use my technology. Here are their names, why don’t you talk to them? And then, let’s discuss an enterprise license for the full company? That approach works like magic. The overwhelming majority of the software IPOs like Twilio, Mulesoft, SendGrid are developer platforms.”

If you go top-down in a hurry, you can crash and burn. I am aware of an impatient security vendor who used executive-level pressure at a Fortune 50 company. They kicked their way into the POC. And got kicked out by the infosec team. The furious infosec team destroyed the vendor in a technical assessment. I was told that the product was functional but the vendor’s impatience and political gymnastics killed the deal. Let us not forget a simple truth: many times CISOs turn to their subordinates for advice and decision-making, so don’t just sell to the top. Nor ignore the rest of the people in the room.

With more noise, the buyers freeze. Margins shrink. Revenues and growth slow down. Which means it’s harder to get to your milestones before your next round. Running out of cash is not fun. Nor is a down round, layoffs and such. So while this is easier said than done, please raise less and do more. And maybe, just maybe, you can keep 40% of a $350 million exit.

If you have questions or existential dilemmas, you can always find me, chatting with a friendly VC in South Park. Or I’m always around in the trusted, secure world of Signal.

Stay safe at that annual security stampede called RSA.

Kindly,

Mahendra

PS: Let’s not forget to express our gratitude to those analysts at Momentum Cyber and Pitchbook for painstakingly tracking every investment, analyzing and presenting meaningful data. They help us look at the forest, and make our journey easier. Send them a thank-you tweet, some wine, chocolates, flowers or home-baked cookies.

Is America’s national security Facebook and Google’s problem?

Outrage that Facebook made the private data of over 87 million of its U.S. users available to the Trump campaign has stoked fears that big US-based technology companies are tracking our every move and misusing our personal data to manipulate us without adequate transparency, oversight, or regulation.

These legitimate concerns about the privacy threat these companies potentially pose must be balanced by an appreciation of the important role data-optimizing companies like these play in promoting our national security.

In his testimony to the combined US Senate Commerce and Judiciary Committees, Facebook CEO Mark Zuckerberg was not wrong to present his company as a last line of defense in an “ongoing arms race” with Russia and others seeking to spread disinformation and manipulate political and economic systems in the US and around the world.

The vast majority of the two billion Facebook users live outside the United States, Zuckerberg argued, and the US should be thinking of Facebook and other American companies competing with foreign rivals in “strategic and competitive” terms. Although the American public and US political leaders are rightly grappling with critical issues of privacy, we will harm ourselves if we don’t recognize the validity of Zuckerberg’s national security argument.

Facebook CEO and founder Mark Zuckerberg testifies during a US House Committee on Energy and Commerce hearing about Facebook on Capitol Hill in Washington, DC, April 11, 2018. (Photo: SAUL LOEB/AFP/Getty Images)

Examples are everywhere of big tech companies increasingly being seen as a threat. US President Trump has been on a rampage against Amazon, and multiple media outlets have called for the company to be broken up as a monopoly. A recent New York Times article, “The Case Against Google,” argued that Google is stifling competition and innovation and suggested it might be broken up as a monopoly. “It’s time to break up Facebook,” Politico argued, calling Facebook “a deeply untransparent, out-of-control company that encroaches on its users’ privacy, resists regulatory oversight and fails to police known bad actors when they abuse its platform.” US Senator Bill Nelson made a similar point when he asserted during the Senate hearings that “if Facebook and other online companies will not or cannot fix the privacy invasions, then we are going to have to. We, the Congress.”

While many concerns like these are valid, seeing big US technology companies solely in the context of fears about privacy misses the point that these companies play a far broader strategic role in America’s growing geopolitical rivalry with foreign adversaries. And while Russia is rising as a threat in cyberspace, China represents a more powerful and strategic rival in the 21st century tech convergence arms race.

Data is to the 21st century what oil was to the 20th, a key asset for driving wealth, power, and competitiveness. Only companies with access to the best algorithms and the biggest and highest quality data sets will be able to glean the insights and develop the models driving innovation forward. As Facebook’s failure to protect its users’ private information shows, these data pools are both extremely powerful and open to abuse. But because countries with the leading AI and pooled data platforms will have the most thriving economies, big technology platforms are playing a more important national security role than ever in our increasingly big data-driven world.

BEIJING, CHINA – 2017/07/08: Robots dance for the audience on the expo. On Jul. 8th, Beijing International Consumer electronics Expo was held in Beijing China National Convention Center. (Photo by Zhang Peng/LightRocket via Getty Images)

China, which has set a goal of becoming “the world’s primary AI innovation center” by 2025, occupying “the commanding heights of AI technology” by 2030, and the “global leader” in “comprehensive national strength and international influence” by 2050, understands this. To build a world-beating AI industry, Beijing has kept American tech giants out of the Chinese market for years and stolen their intellectual property while putting massive resources into developing its own strategic technology sectors in close collaboration with national champion companies like Baidu, Alibaba, and Tencent.

Examples of China’s progress are everywhere.

Close to a billion Chinese people use Tencent’s instant communication and cashless platforms. In October 2017, Alibaba announced a three-year investment of $15 billion for developing and integrating AI and cloud-computing technologies that will power the smart cities and smart hospitals of the future. Beijing is investing $9.2 billion in the golden combination of AI and genomics to lead personalized health research to new heights. More ominously, Alibaba is prototyping a new form of ubiquitous surveillance that deploys millions of cameras equipped with facial recognition within testbed cities and another Chinese company, Cloud Walk, is using facial recognition to track individuals’ behaviors and assess their predisposition to commit a crime.

In all of these areas, China is ensuring that individual privacy protections do not get in the way of bringing together the massive data sets Chinese companies will need to lead the world. As Beijing well understands, training technologists, amassing massive high-quality data sets, and accumulating patents are key to competitive and security advantage in the 21st century.

“In the age of AI, a U.S.-China duopoly is not just inevitable, it has already arrived,” said Kai-Fu Lee, founder and CEO of Beijing-based technology investment firm Sinovation Ventures and a former top executive at Microsoft and Google. The United States should absolutely not follow China’s lead and disregard the privacy protections of our citizens. Instead, we must follow Europe’s lead and do significantly more to enhance them. But we also cannot blind ourselves to the critical importance of amassing big data sets for driving innovation, competitiveness, and national power in the future.

UNITED STATES – SEPTEMBER 24: Aerial view of the Pentagon building photographed on Sept. 24, 2017. (Photo By Bill Clark/CQ Roll Call)

In its 2017 unclassified budget, the Pentagon spent about $7.4 billion on AI, big data and cloud-computing, a tiny fraction of America’s overall expenditure on AI. Clearly, winning the future will not be a government activity alone, but there is a big role government can and must play. Even though Google remains the most important AI company in the world, the U.S. still crucially lacks a coordinated national strategy on AI and emerging digital technologies. While the Trump administration has gutted the White House Office of Science and Technology Policy, proposed massive cuts to US science funding, and engaged in a sniping contest with American tech giants, the Chinese government has outlined a “military-civilian integration development strategy” to harness AI to enhance Chinese national power.

FBI Director Christopher Wray correctly pointed out that America has now entered a “whole of society” rivalry with China. If the United States thinks of our technology champions solely within our domestic national framework, we might spur some types of innovation at home while stifling other innovations that big American companies with large teams and big data sets may be better able to realize.

America will be more innovative the more we nurture a healthy ecosystem of big, AI-driven companies while also empowering smaller startups and others using blockchain and other technologies to access large and disparate data pools. Because breaking up US technology giants without a sufficient analysis of both the national and international implications of this step could deal a body blow to American prosperity and global power in the 21st century, extreme caution is in order.

America’s largest technology companies cannot and should not be dragooned to participate in America’s growing geopolitical rivalry with China. Based on recent protests by Google employees against the company’s collaboration with the US defense department analyzing military drone footage, perhaps they will not.

But it would be self-defeating for American policymakers to not at least partly consider America’s tech giants in the context of the important role they play in America’s national security. America definitely needs significantly stronger regulation to foster innovation and protect privacy and civil liberties but breaking up America’s tech giants without appreciating the broader role they are serving to strengthen our national competitiveness and security would be a tragic mistake.