General Partner, Core Ventures Group
While security startups represent a large and growing opportunity for investors and corporate customers, the field is also littered with security companies that are unable to demonstrate efficacy, differentiation or ability to scale.
At Core Ventures Group, when evaluating opportunities and assisting portfolio security companies, we categorize our investigations into three key areas: 1) founders, 2) technology and 3) security business factors.
1) More than most other sectors, security requires the right founding team, consisting of both an exceptional business founder and an exceptional technical founder. The role of the technical founder is critically important. In security, even if the ultimate purchasing decision maker is a C-level executive, the sales process almost always goes through a team of highly experienced technical staff. We find that the best technical security founders are usually those who have actually addressed the specific security problem themselves in previous positions. Even an exceptional technical founder is not enough to anchor a successful security startup; an experienced business co-founder is also critically important. For security startups, the business founder needs demonstrated leadership experience in corporate market positioning and financing.
2) The security industry is populated by a broad mosaic of assets that need to be protected, coupled with avenues for connection to these assets, and security products that have to comprehend these assets and connections. In each sub-segment of the market, the technologies and key success factors are quite specialized. At a high level, Core Ventures Group focuses on some fundamental technology factors when evaluating security startups:
a) Is the vulnerability merely hypothetical, or are the vulnerabilities already widespread and being exploited by attackers? In other words, is the vulnerability simply technically possible but not being exploited yet?
b) What is the security detection technology? Are exploits detected by triggering rules, by matching them to signatures of known exploits, or in real time by analyzing the actions that a potential attacker is executing?
c) What is the deployment model? Is the product deployed as enterprise software, a hardware appliance, or as a service in the cloud?
3) In addition to the importance of founder experience and market positioning, there are a couple of industry-specific business issues that good security startups must be able to navigate.
First, by definition, if a security startup is early in identifying a new technology and usage model that needs to be secured, it is highly likely that even a prospective customer who knows they have this need will not have a line item in the current year’s budget to pay for the new security product. Often the technical champion at the company will give glowing references for the new product and promise to buy the product, but only in the next fiscal year. The best security startups overcome this challenge by careful market segmentation. The most successful security startups usually find a small sub-segment of the market for which web application security is a critical need, not just a best practice, and whose customers are willing to forgo some other budget item to fund it.
The other peculiarity of the security industry is that the valuation multiples can swing quite drastically, sometimes as high as 10X revenues or as low as 2-3X revenues. Financing is usually hard to control for private companies, but experienced security startup founders employ strategies to carefully optimize their financings. First, they keep costs tightly contained to maximize runway. Second, experienced security founders will often raise significant capital when the markets are hot. They don’t inflate valuations falsely, but they will raise capital to “protect against a rainy day.”
We believe that the security industry represents a significant investment field and continues to yield compelling new opportunities. Rather than evaluate each new security startup from first principles, however, we advocate a framework like ours for evaluating and advising the most promising security startups with both technical and business perspectives.