When I first met Dug Song in Ann Arbor in 2012, I was blown away. He was just at the beginning of building what was to become the most beloved company in security, Duo. Like many of my fellow Midwesterners, Dug is very humble, has a balanced work ethic, and is quite pragmatic. What left me excited after our first meeting was how his personality traits manifested in his product vision: a clearly documented, authentic product that delivered value quickly, brought people together, and was at the heart of the entire company.
The environment for creating security startups is more vibrant than ever. For criminals, the economics of cybercrime have never been better. Criminals share techniques to create attacks faster, rent cheap infrastructure to launch attacks at a lower cost, target larger swamps of data to find larger bounties, and monetize their prey more effectively on the dark web. Ransomware, account takeovers and the rest generate an estimated $1.5 trillion for criminals every year, according to research presented at RSA last year, and these attacks could be costing businesses $5.2 trillion in lost revenue over the next five years, according to Accenture.
That represents a significant threat to every business, and a challenge for each of them to manage their security, trust, and safety effectively. Unfortunately, even the world’s largest companies, the Fortune 10, struggle to recruit, train and retain security experts, and for small to medium-sized enterprises the challenge is even greater.
We’ve invested in companies that protect new threat surface areas (like mobile devices, SaaS applications, the cloud), help create coordination between security, operations, and development teams, and enable their clients to measure and manage security programs. All these companies are oriented towards pragmatic and easy-to-use products that deliver value to an individual in under a minute, to a team in under one hour, and to an entire organization in under one day.
When I’m evaluating a new product, I value pragmatism over novelty. I’ve heard countless pitches where entrepreneurs push a next-gen firewall, or an ML-based antivirus, or AI-driven remediation. The truth is that it’s really hard to separate noise from reality. For practitioners who are under-resourced and understaffed, and can’t possibly buy all the technology they are pitched, much less operationalize it, buzzwords are a quick way to lose credibility. When we spoke to customers and prospects about Castle, an account security and management startup, we found that practitioners weren’t really swayed by a company’s unique approach to supervised machine learning; they just wanted a product that would actually work, be easy to use, and scale across their environments.
When we compare notes with security practitioners, we speak holistically, rethinking ‘security’ in the context of the four pillars of ‘risk management’: people, process, product and risk transfer. In thinking differently about security, we’ve been able to build trust and relationships with tastemakers that have become crucial in our decision-making process. I made a rapid decision, in about 72 hours, to invest a large amount of money in Adallom. I’ll never forget introducing the founder to Craig Rosen, the CISO of AppDynamics. Craig literally pulled out a stopwatch, asked the company to deliver on the promise of getting started in less than 10 minutes, and had a big smile when the product was live in less than 5 minutes. When considering investing in AttackIQ, it was invaluable to have Jerry Perullo, CISO of ICE, the parent company of the NYSE, help us think through the importance of quantifying risk management frameworks like MITRE to communicate effectively in board meetings.
Inevitably, a great product within a great theme can still fall short without strong leadership. We look for founders who have a deep understanding of what will be most valuable to their end users. That understanding can drive a product that feels simple to use without compromising the complexity of the problem, especially for larger organizations. One company I worked with struggled to focus: they found small companies, large companies, and government customers were all willing to pay for their product. However, each customer had different demands and desires, and ultimately the lack of focus compromised the simplicity of the product. Having that kind of respect for and focus on a core customer’s needs drives their resourcefulness, gravity and clarity of thinking - all the raw ingredients needed to attract and build a strong management team.
Once we invest in a business, I aim to meet often, listen a lot, and ask questions. I typically get together with the leaders of each of my companies every week, including the five or so most senior executives. In doing so, I’ve been able to help understand teams more deeply and recruit the right folks at the right time, for the right company, like Andrew Becherer, whom I met in a cabana in Las Vegas at BlackHat and who joined as CISO at Datadog. I look for mentors for up-and-coming startups, and, where appropriate, help founders think about how to really make ‘advisor’ relationships work for both sides. I learned early in my career that most advisory relationships don’t amount to much; while they begin with good intent on both sides, there’s a pretty fast decay rate because busy people are, well, busy. Instead, I encourage most founders to organize the initial part of an advisory relationship around a deliverable; this allows both sides to buy in and find value on a specific outcome. One executive who ran the product organization from the get-go to what is now a $9B market cap company, for example, is helping one of my companies clarify their product roadmap and think about their product org design.
Businesses need to embrace their responsibility in delivering safe, trustworthy and secure services. To do so, there will be two mega trends we hope to surf in the future. The first is related to risk transfer. Just as homeowners buy insurance to transfer risk related to externalities like earthquakes, and businesses buy insurance to protect against liabilities related to workers’ compensation, businesses will inevitably transfer risk by either (i) buying cyberinsurance or (ii) outsourcing security operations. Second, infrastructure will become privacy-aware. The future abounds with opportunity, and we’re beginning to see cameras being replaced with depth sensors to count people without identifying them; we’re seeing more startups wrap their products around differential privacy; and we look forward to more entrepreneurs building safety into our world.