Security Experts:

How a VC Chooses Which Cybersecurity Startups to Fund in Challenging Times

While cybersecurity is somewhat insulated from the ravages of the general economy, it is not entirely immune

Despite plummeting valuations of companies in public markets and concerns over the economic climate, venture capital is still available, especially for cybersecurity startups.

It would be fair to say the VC market is nervous. In May 2022, the world’s largest investor, Japan’s SoftBank, posted a loss of about $27 billion to its Vision Fund for the latest fiscal year. Tiger Global is reported to have lost $17 billion. These figures are based on last year’s performance largely from before the additional turmoil of the Russia/ Ukraine war. 

But despite this, investment in cybersecurity firms has continued to grow – up from $6.3 billion in 2020 to $22.5 billion in 2021. This level has shown ebvery sign of continuing through 2022 – but now the world is on the brink of a possible global recession.

To understand why cybersecurity investment is insulated from other effects, and what might happen over the rest of 2022 if the world slips into recession, SecurityWeek spoke with Jake Flomenberg, a partner in Seed and Series A specialist funding firm Wing Venture Capital.

State of the market

The first thing to note is that despite rapidly dwindling amounts of disposable income available to individual investors, the venture market still has mountains of cash available. It is estimated that venture capitalists have around $500 billion of what is described as ‘dry powder’. And it is their job to invest it. The question is not one of whether venture funding will continue, but where it will be directed.

The second point is that the very cause of much current economic uncertainty – the Russia/Ukraine war – is driving continued corporate investment in their own cybersecurity. Increasing threats from partisan cybercriminal groups at a time when many organizations are engaged in the process of digital transformation means increased cyber defenses are required. The alternative – a pause in the process of digitization – will threaten the companies’ competitiveness, while poor cybersecurity could threaten their existence.

The result is that when VC firms decide in which market to invest their $500 billion, cybersecurity appears to be a good option. But while cybersecurity is somewhat insulated from the ravages of the general economy, it is not entirely immune.

Cybersecurity layoffs are not unique to 2022 – serious problems started with the pandemic. OpenText, parent of Carbonite and Webroot, announced it was cutting 5% of its staff in 2021. FireEye announced it was laying off about 6% of its staff in 2020; and in the same year, Herjavec Group cut 8% of its workforce. 

More recently, ADT Cybersecurity announced it will close its Greensboro operation before the end of 2022 and lay off the facility’s workforce as part of what the company describes as a “total closure”. Belden, which bought Tripwire for $710 million in 2015, sold it to HelpSystems in February 2022 for just $350 million – who, in May 2022, began laying off ‘dozens’ of Tripwire staff.

And in May 2022, Lacework announced it was cutting 20% of its staff, just six months after raising a massive $1.3 billion in a Series D funding round. Cybereason and OneTrust have also slashed roughly 10% (100 employees) and 25% (950 employees), respectively, of their workforce.

In short, the VC companies have access to a huge amount of money that they must invest; cybersecurity is one of the safest industries in the current period of economic uncertainty; but even cybersecurity is not immune to the economic fallout. The question, then – and the one we asked Jake Flomenberg, is ‘How does VC choose where to invest in cybersecurity in the current economic climate?’

Choosing the company

Wing Venture Capital specializes in Seed and Series A funding. These are the startup companies. Series B and C funding is for growth – the company exists, is beginning to have a track record, and can potentially grow into a major force. Series D and above are more mature companies preparing for VC exit – either through an IPO or sale to or merger with another company.

The last is the most difficult. IPOs are risky in recessions, but M&A activity remains an option – consolidation of two successful companies may be a safer home for funds than two separate companies. Growth funding is still possible, but the VC companies are being more careful; perhaps investing smaller amounts than they would have done a year ago.

Startups, however, are something different. Flomenberg believes that the current economy is a good time for startups, and startups are a good place for investors. “Assume we’re entering a recessionary period,” he said. “You can probably count on one hand the number of recessionary periods that have gone on for more than 24 months in this country. So, the likelihood is that within two years, and hopefully sooner, the economy will turn again.”

His argument is that companies that should be growing might struggle to grow, while mature companies will not maintain their current performance. Startups, however, are not yet in their growth stage while being cushioned from the effects of the recession by their funding. They might not deliver much, but they aren’t expected nor need to deliver anything.

“When these companies are ready to grow, in a couple of years’ time, the economy will be better and they will be well-positioned to take advantage,” he said.

That leaves two fundamental questions for the startup VC specialist: how does it locate potential investment opportunities, and – from those – how does it choose which companies to support? “Sometimes we find them, and sometimes they find us,” he said. But that is against a backdrop of his own extensive market research.

“We do a lot of our own firsthand homework,” he continued. “For example, we have an event around RSAC, where we’ll gather around 200 CISOs from companies valued at north of $10 billion. We ask them about their top three priorities for the next 12 months, and where are they looking for solutions.” This has two benefits: it indicates where there is a demand, and where there is a paucity of existing solutions. “It’s not to influence them in any way, but to learn from them and inform our own investment decisions.”

The remaining question is how, from all the investment opportunities he finds, does he choose which to fund. “It’s team, technology and traction” he said. “We look at their technology and the market they’ll be serving. But at the end of the day, it’s the people. What superpower does this team have that gives them a unique insight or a unique capability relative to the market to bring something to bear that's going to make a dent in the universe.”

He almost places more emphasis on the quality of the team involved than in the details of what they’re doing. “When you analyze which products break out from the run of the mill, most times it’s down to the management team. Sometimes, entrepreneurs come to me with a research paper they’ve read, and want to tell me how far they have solved the issue. And ‘ll say, ‘Stop. That’s great. I’m super interested, and I would love to geek out with you forever – but I trust you. I believe you will do that. If I didn’t believe you will do that, we wouldn’t be having this conversation.’”

So, Flomenberg's formula is to find the demand, locate the startups working in that field, and then choose the investment opportunities based on the qualities of the people involved. And more than anything, he believes this is the right time to invest in cybersecurity startups.

RelatedTen Eleven Ventures Raises $600M Fund for Cybersecurity Investments

RelatedYL Ventures Closes $400 Million Cybersecurity Investment Fund

RelatedIndustry Veterans Form Cybersecurity Investment Fund

RelatedThe VC View: Hot Trends in Security After the Pandemic

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.