Why It’s Hard to Invest in Cybersecurity
At Differential Ventures, our investment thesis is to invest in the technology around the future of data. This mandate includes investing in data science, machine learning, artificial intelligence; platforms and software systems that support data science; data engineering and communication; and cybersecurity. As the CTO at Differential, I have real-world experience deploying systems in all of these areas. That experience, combined with my education (formal and informal), has prepared me well to evaluate investments in all of these areas, with one glaring exception: cybersecurity.
First, let me clarify what I mean by “cybersecurity,” as an investment focus. We invest in companies that protect digital environments in four different ways:
Protecting technology from outside intruders,
Protecting technology from inside intruders,
Protecting data at rest and in transit, and
Providing platforms to create transparency about the threat level of the technological ecosystem of an enterprise.
There are, of course, exceptions to these categories, but these four categories cover the vast majority of the companies we see as investment opportunities.
So, why is investing in cybersecurity any harder than, say, investing in machine learning technology or data engineering technology? I would boil the answer down to three core reasons:
Cybersecurity is adversarial in nature;
The founders are necessarily opaque about their solutions;
The solutions tend to be inefficiently siloed.
Cybersecurity is Adversarial in Nature
Cybersecurity products are dynamic in nature because the problem they are solving is dynamic in nature. Cybersecurity is a war, and the adversary is intelligent, highly motivated, and highly dynamic.
SaaS works as a product sales model because once the software is built, it can be sold on a massive scale. Software teams need to continually enhance the software, adding features and responding to customer needs. But typically with SaaS products, the problem the software is addressing isn’t actively trying to work around the software solution.
Cybersecurity adversaries are doing just that. As a result, the teams that produce cybersecurity software solutions aren’t close to done with their job once they produce their first product. As soon as they produce a successful software tool for combating some cyber threat, the bad actors who have been temporarily thwarted will actively look for a new way of attacking systems to work around the software’s successful solution.
Artificial intelligence that uses machine learning to dynamically adjust to evolving threats is one approach to addressing the dynamic nature of the cybersecurity foes. However, those enemies are also deploying artificial intelligence, and this escalating AI arms race is hard to win. The bad guys are just as smart as the good guys and sometimes smarter.
The adversarial nature of the cybersecurity product deployment environment means that good cybersecurity products are only as good as the teams that continue to enhance them. So, when you are investing in cybersecurity companies, you can’t just evaluate the effectiveness of the product or the present-day market adoption. You have to evaluate the potential for the team to grow, adapt, and continue to succeed in the escalating and evolving war against cyber threats. And that evaluation is made even more challenging, because...
Cybersecurity Companies are Unusually Opaque
Usually, when you are being pitched a company for an investment, you can ask the founders about the detailed experience and background of their key team members. In the cybersecurity field, however, the best players come out of environments that are known for secrecy: military intelligence, corporate espionage, and black-hat hacking. The best developers are people who have faced cyber threats in the real world, which usually means there is a veil of secrecy around their most significant accomplishments. You want those attributes in the founders of your cybersecurity companies, but it makes it especially hard to validate the qualifications of the founding team.
When you are considering investing in a software company, and certainly after you have invested, you will typically get a detailed look at how the software works, what problems it solves, and how it goes about solving them. Again, with cybersecurity software solutions, this isn’t generally the case. The value of the intellectual property in a cybersecurity solution is significantly diminished by detailing its methodology. Certainly, if an investor hasn’t committed to investing in a cybersecurity solution, the founders will be quite cagey about the details of how their solution deals with the most pernicious aspects of the cyber threats. Even after an investment, there will be certain IP secrets that are best kept close to the vest, in the interests of all of the investors. That necessary secrecy makes valuing these companies, at each stage of investment, more difficult than valuing the typical software company.
You want your cybersecurity portfolio companies to be successful at shielding the specifics of how their software works from the outside world, including your fellow investors. At the same time, you need to know enough to explain the value of the company’s product, to your own investment team and to later-stage investors. And, while you want to know details about the specific relevance of the founders’ experience to prove their appropriateness for solving the problem the company is claiming to solve, the more you know about a cybersecurity expert’s experience, the more you can reverse-engineer the details of their solution. So, cybersecurity companies and founders have every reason to be vague and evasive about the details of their approach to solving some aspects of the cybersecurity problem.
At some level, product performance and revenue traction and retention will make a strong argument for the value the company offers. But the opacity of the product and the team thwarts the usual investment valuation process, which adds another challenge to cybersecurity investing.
Cybersecurity Solutions are Typically Siloed
Cybersecurity founders tend to develop effective solutions to thwart cyber threats because of the specific experience they have in real-world environments combating specific types of threats. They may have confronted a set of difficult problems in a military or corporate environment, and based on those experiences, they came up with a product idea that effectively solves that problem for a broad set of customers.
Again, the secrecy of the cybersecurity community means that the practitioners who solve these specific problems are unlikely to share their collective knowledge to create a team to solve the broader cybersecurity problem in a holistic way. More likely, they will individually develop a siloed solution to protecting a customer’s infrastructure from a narrow set of threats, specifically the ones with which they have direct experience.
In the event that a team of cybersecurity practitioners bands together, they can aggregate their knowledge and experience to produce a holistic solution. More likely than not, however, they will create a siloed product that will need to be combined with many other siloed solutions in order to produce a complete cybersecurity solution.
Customers, enterprise and SMBs, typically will prefer a one-stop shopping solution to a problem like cybersecurity. They are unlikely to want to piece together a collection of incompatible best-in-class solutions to individual subproblems. They will likely prefer a monolithic solution that offers adequate cybersecurity in one product.
So, even when you have identified a company that has developed a clearly superior solution to an aspect of cybersecurity, you have to extrapolate how customers will react to having to integrate this new solution into their overall strategy for cybersecurity defense. In many cases, the new solution will be incompatible with their existing cybersecurity solution, and the customer will need significant in-house technological expertise to figure out how to deploy the combination of different software solutions to achieve maximum security. If the customer’s security team botches this effort, the risks they create by mis-designing the deployment might outweigh the benefits of the superior solution to the aspect of cybersecurity addressed by the new product.
Conclusion
For all of the reasons described above, investing in cybersecurity SaaS products is a qualitatively different process from investing in other SaaS solution companies, driven by the nature of the cybersecurity threats as well as the people who are best suited to solve them. For us, the problem is amplified by the difficulty in learning more about the true nature of cybersecurity threats.
I’m the CTO of Differential Ventures, and I’ve done a lot of work in a lot of areas of computer science: artificial intelligence, natural language processing, machine learning, software development, and beyond. And what I don’t know in-depth, I can learn about. But I’ve never done cybersecurity as a professional. I’ve never served in the army and dealt with digital threats to national security. I’ve never worked in intelligence or defended a corporate environment against cybersecurity adversaries. I understand other areas of computer science well enough to read the scientific literature with a trained eye, to understand what aspects of it are theoretical and impractical and what aspects are useful and relevant to products that will work in the real world. Unfortunately, when it comes to cybersecurity, for reasons discussed above, I don’t feel as capable. We rely on our investment partners, entrepreneurs, and CISOs in our network to support our decision-making in cybersecurity investing. But I struggle to analyze cybersecurity with the same facility I look at other technologies.
Sure, there are any number of books, papers, online courses, and published lectures on cybersecurity. But without the practical real-world experience, it is hard to know which material is most credible and practically useful. In fact, I suspect most of that material is rendered less useful by virtue of it being publicly available. In my old world of quantitative trading, we viewed the published financial literature with disdain. If anything was published for public consumption, we assumed it couldn’t be valuable, because anyone who knew something valuable would use it for personal profit, not share it with the world. And even if it once had value, once you published a predictive signal to the world, you made everyone aware of it, which makes it all but impossible for any individual to profit from it. The same is likely to be true for cybersecurity solutions. Any solutions you talk about too openly become instantly subject to counter-programming by the adversaries you are hoping to stop with them. The best cybersecurity solutions are likely kept secret, and the most relevant observations about how to protect against cybersecurity threats are probably closely guarded and kept out of the literature.
I will always keep trying to learn about the science, theory, and practice of any area I invest in, including cybersecurity. But the nature of the field makes that effort challenging, and that challenge will always make it difficult to evaluate the cybersecurity software industry.