February 2002, a sparsely populated RSA Security show, security investing at rock bottom, and my first month as a venture capitalist at Sierra Ventures. I met Marty Roesch, founder of an open source project called Snort. Two million downloads, adopted by large enterprises and major government agencies, but no one was willing to fund this opportunity. Questions abounded, “Isn’t open source the enemy of security? How are you going to make money on open source?”
Well, we took that bet on Marty’s company Sourcefire and an IPO followed by a $2.7B acquisition made it look like a smart move. But was it really a no-brainer opportunity? What did we learn and what are we looking for?
Platform shifts create security opportunities
Whether it was Sourcefire, acquired by Cisco systems, applying open source to intrusion detection; Frontbridge, acquired by Microsoft, protecting against the rapid rise of email spam or RedLock, recently acquired by Palo Alto Networks, defending public cloud environments, every platform shift has created opportunities for security software companies. The increase in mobile threats led to Sierra’s investment in Zimperium and the proliferation of bots made Shape Security a good fit for us.
"It’s nice to “catch a tiger by the tail,” but more often it takes patience as markets evolve"
We must be able to both look around the corner in markets as well as have the conviction to place that bet. Believe me, it was not easy to convince my partners with little evidence (no revenue traction) that Sourcefire could successfully apply open source to security. But disruptive companies are built on strong convictions!
Well, we can’t share all our trade secrets (so I kept it to just the ABCDs) but here are some of the spaces, being created by platform shifts, that excite us.
• API proliferation is creating tremendous opportunities for security entrepreneurs. Twilio and Apigee nailed the management part of the shift to APIs, and the time has come for the security plays in this area to step into the spotlight.
• Blockchain will “eventually” have an impact, but we are seeing some clever uses in authentication and identity. Identity governance and administration(IGA), identity as a service (IDaaS) and Privileged access management (PAM) are well suited for the early adoption of blockchain.
• Cloud has opened Pandora’s box for security including cloud security posture management (CSPM) for multicloud, cloud workload protection programs (CWPP) and vulnerability management (VM).
• Data is being used in smart ways to power the next generation of security information and event management (SIEM) along with security orchestration automation and response (SOAR) tools that can orchestrate and automate response.
When opportunity knocks, break down the door
Markets often develop at a different pace. We have seen spaces like endpoint protection and cloud threat defense grow rapidly while others like mobile security and data leak prevention take time to develop into mainstream markets. It’s nice to “catch a tiger by the tail,” but more often it takes patience as markets evolve.
We have to recognize the patterns and when there’s “real” product-market fit (sometimes different from entrepreneur optimism), it’s time to step on the gas! At Sourcefire, I still remember helping hire a CRO, VP Sales for East and West and a VP of Business Development in the first quarter after our investment. It allowed the company to grow from a standing start to $10M in revenue within 18 months and to well over $100M in the next 5 years.
1. Is there a consistency of RFPs?
One strong indicator of product-market fit is the consistency of the RFPs (request for proposals). It’s pretty simple, if customers are asking for the same thing, there must be a real need.
2. Is there a market-model fit?
“Different horses for different courses.” We believe that there are a variety of go-to-market approaches that work. Founding teams have to think about the customers’ needs and the best way to get to them whether it’s open source, freemium model, or the four-legged enterprise sale.
Helping in The Early Days
Entrepreneurs often ask us “how do you help your companies?” or “what’s different about your firm?” The truth is that most early-stage VCs should contribute in two main areas; helping build the extended team and customer validation (both feedback and actual sales).
1. Building the team
My partners often joke that I would have been a recruiter if I had not found my VC calling. But for founders, there is nothing more important (after fundraising!) than finding that early team. We spend a disproportionate amount of time helping entrepreneurs recruit the right folks, period! The network matters and pattern recognition matters even more.
2. Helping with early customers
Most entrepreneurs ask about customer introductions and all VCs promise great relationships. We have painstakingly built the Sierra Ventures’ CXO Advisory Board over the past15 years with over 75 of the leading CIOs and CTOs from Fortune 2000 companies like PG&E, Morgan Stanley, Merck, Dow Dupont, USAA, and more.
So, in summary, we are looking for platform shifts, product-market fit, and entrepreneurs who embrace market-model fit. And we will bring talent and customers.