This following is the (lightly edited) transcript of a fireside chat from the SecurityWeek CISO Forum 2022.
In this conversation, SecurityWeek Editor-at-Large Ryan Naraine is joined by venture capital investors Sidra Ahmed Lefort (Principal, Munich Re Ventures) and William Lin (Managing Director, Forgepoint Capital) for a frank discussion of existing market conditions, cybersecurity ‘unicorns’ and potential exit strategies, emerging trends in security innovation, hot (and cold) product categories, and some market predictions as we head into 2023.
Ryan Naraine (SecurityWeek): Let’s start with some introductions…
Sidra Ahmed Lefort: I’m Sidra, I’m with Munich Re Ventures. I head up their cybersecurity investments, and also invest in other areas like digital health and InsurTech. Munich Re Ventures is the venture capital arm of Munich Reinsurance, we’re based in San Francisco and invest globally in areas of risk. We’re early stage investors, which means we come in at that Seed to Series B stage and we lead funding rounds.
William Lin: I’m Will Lin, managing director at Forgepoint Capital. We have about 40 active companies in the world of cybersecurity. You’ll know some of our investments, companies like Bishop Fox, IronNet, 1Kosmos, and Symmetry Systems are growing really well. We focus on early-stage Series A and Series B rounds, some Seed rounds. I really enjoy making lots of investments in a couple of key pieces over time. So recently I’ve been doing a lot in data security. I think my last three investments were all in the data security category.
Ryan Naraine: At a very high level, how would you describe the venture capital investment climate, specifically for cybersecurity investments? Would you say this has been a tough year for you guys?
Will Lin: It’s been a tough year, sure, but I’d say it’s more about a year of change, reacting to new realities, figuring out what a new normal looks like. In the end, start-up valuations are based on what the public market is doing. Even acquisitions, M&A activities, are going to follow what’s happening on the public markets.
We’ve seen public market valuations grow so quickly and then drop so quickly, and we’re still figuring out what the new normal will be. There’s still a lot of uncertainty. I don’t think any of us really knows what the rest of the year will look like or what the new normal will be. It’s all part of the ebb and flow of the economy.
Venture tends to follow the stock market when it’s going up really quickly. If things are going up, we’re going up really quickly. When things start to go down on the public markets, we (venture capital) actually take a little while to recalibrate to what the public stock markets are doing. So in some ways, we have some stability when the markets are correcting, but then we also have excitement when the markets are going up.
Ryan Naraine: Last year we saw more than $20 billion in venture capital investments in the security sector, with early stage startups scoring massive valuations. The list of cybersecurity unicorns is really long. Do you think this ‘recalibration’ will start to affect early-stage startup deals? Are we less likely to hear about more unicorns popping up everywhere?
Sidra Ahmed Lefort: So it’s interesting because the number of unicorns — and I wonder whether we should still call them that, there’s so many of them — has definitely decreased. The last I saw, there are like 74 unicorns in the cybersecurity world that now need to find a path to exit.
So, the interesting thing then becomes, how quickly can they get [to a successful exit] and how much time and money have they already spent becoming these unicorns? And so that’s the calibration that Will talked about. We need to understand venture capital itself is an asset class where the venture industry needs to get its own investors, we need to understand exactly how long it’s going take to return those funds back to our own investors.
And so understanding that calibration of how long it takes to get to an exit, how much it’s gonna take to get an exit and where the markets are moving is very, very important.
Yes, we’ve had a muted public market cycle for cybersecurity, but the private market transactions are expected to increase and are likely to continue to happen. We just saw quite a few of them in the last quarter as well so I would say it’s a mixed bag. There’s not a lot of data that’s available when it’s those private market transactions, so we tend to place a lot of emphasis on public market numbers.
But we do expect to see a lot of exits coming down the pike. And I think it really is gonna depend on where these unicorns stack up in terms of how much they’ve currently valued themselves…
Will Lin: It’s always fun when people share different perspectives, especially when people make guesses on timing. It’s really, really hard to get that right so it’s sort of putting yourself out there when you do that.
One example I saw was from Sequoia. They publish these presentations that they share with the portfolio companies and one of the timing things that they shared in their presentation was that these companies will take five years to get to the valuation that they’re currently at. I’m like, holy moly!
Ryan Naraine: Why is that a ‘holy moly’ data point for you? You expect that timing to be shorter?
Will Lin: It should be. Because, usually when companies raise financing, they raise for about a year to three years of runway. And so inherently every unicorn shouldn’t, probably doesn’t, have the funds to keep growing for five years.
And so they’re gonna have to do something. There’s going to be a point where something has to happen and some of them will actually grow into the valuation. Some of them may actually exceed the valuation. But I think it’s safe to say that there’s a decent chunk of these unicorns that won’t grow into their current valuations.
Ryan Naraine: You both mentioned ‘recalibration’, which is a fancy word for ‘hold onto your cash and cool down your burn rate’. How should we interpret what we are seeing with layoffs and other belt-tightening among security startups?
Sidra Ahmed Lefort: I think companies are optimizing for cash-flow right now. We are in an environment that’s focused on profitable growth and not growth at all costs. And so there is that recalibration that’s needed. And it means that there might be some downsizing, there might be some changes in hiring strategies.
I think the interesting thing is that there’s still a lot of capital available from an investment standpoint. And some of these companies, as you mentioned, are unicorn status and have large amounts of money in their bank accounts as well.
I think it’s just really coming down to how do you get that path of profitable growth and steady growth. In a market of uncertainty, how do you extend that cash runway so you have the ability to maneuver depending on how the market reacts. And right now, it’s a little unclear how that’s gonna go for the next 18 to 24 months. It’s never great to see but right now, given the uncertainty there, there is an emphasis on optimizing for that cash flow.
Ryan Naraine: The idea of “profitable growth” from VC-backed companies isn’t something we’ve become used to. We’ve become used to ‘growth-mode’ companies operating without a leash. Is this market uncertainty changing htat mindset?
Will Lin: It definitely has changed. I think that the bar is different as well. Let’s say two years ago, if you’re a public company growing above 30%, you were looked at differently than if you’re a company growing below 30%.
If you’re growing above 30%, you’re usually valued based on revenue, you’re usually in a different multiple group as well. And the public markets will look at all the other factors, like what’s the quality of that growth? What’s the profitability? You’re just in a really great group and there are a lot of things you could do, a lot of flexibility. If you’re growing less than 30%, you are viewed as a profitable growth business. And so they’re looking at the revenue growth but they’re also looking very closely at the burn as well.
No matter what, your multiple would just be lower than the other companies. In prior markets. I think that’s still similar. Two years ago, the bar was super low, every single company was prioritizing growth and not profitability. And as long as you were talking about 100% to 300% growth, burn was not as important because the public markets were also supporting that sort of thesis as well.
And now that the public markets aren’t supporting it, we’re now looking closer at what profitable growth looks like? But if you’re still projecting and can credibly show more than 100% growth, like a doubling or tripling, the private markets will still treat you similarly to last year and the year before that, but it’s about how credible that growth is.
Ryan Naraine: Do you think this is a temporary thing? Sidra, you mentioned an 18- to 36-month window for entrepreneurs to try to navigate these rough waters. Let’s say the stock market comes roaring back, are we going to smoothly go back to the old ‘let’s just burn money and build this thing out as fast as possible’ mentality?
Sidra Ahmed Lefort: If only I had a crystal ball. I would say that it’s unclear, right? Because it’s so unclear that the range that I’m giving you is also pretty wide in terms of where we’re hoping companies would be from a cash flow perspective.
It’s really going to depend on a lot of factors. You’ve got interest rates, you’ve got the recession that we’re currently in. You’ve got a [tense] geopolitical environment. So there’s a lot of different things happening right now. We’re all coming out of a pandemic. Supply chain issues are still a big thing.
There’s not much clarity on any of those things so entrepreneurs will have to find that discipline to think about profitability, capital efficiency and how your customers are going to themselves be evolving will also be very important. So, 18- to 24 months is a range…
Ryan Naraine: Is that a hopeful range?
Sidra Ahmed Lefort: I’m not sure at this point. The good thing is, as Will mentioned, companies that are doing well and have demonstrated the ability to get their metrics right, are still seeing a lot of investments coming in as well.
Sometimes you’re seeing companies that just completed rounds adding one or two new investors and creating a new round or sometimes extending their funding round. There’s definitely still a lot of interest and there’s a flight-to-quality for sure but no, no clarity yet in terms of where and when we’re going to land.
Will Lin: I started my career in venture at the tail end of a bad market as well. And so I just saw the pain and, on my end, I think we’re looking at a three-year window [of this efficient-growth mindset].
But the good thing is that right now there’s still a lot of ‘dry powder’, meaning there’s a lot of people who have capital to invest and Sidra’s point about flight-to-quality is exactly right. The quality businesses will still do great. One key thing that’s different now than in the past is distribution of software. It’s very different now, it’s a lot easier for companies to grow capital efficiently than it was in the past. And so as a result, if you’re in the right place at the right time, you’re a good company, I do think you will still be able to raise capital.
I do still think that they’ll be able to grow efficiently at really impressive growth rates. So I still think that we’re gonna see lots of successful exits in public companies in cybersecurity, even during this correction environment.
Ryan Naraine: Are these factors affecting deal sizes? During the boom, we saw Seed-stage round sizes look like Series A rounds. We saw $30 and even $50 million seed rounds…
Sidra Ahmed Lefort: It’s interesting because I invest in cybersecurity and other verticals as well. And in the cybersecurity world, the round sizes when it comes to Seed or Series A, are actually very large compared to some of the other verticals. Even from a valuation perspective, while we’re talking about valuations coming down, they’re still higher than the [non-cyber] verticals that we’re looking at.
So, to some extent there is definitely a correction happening. But if you compare cybersecurity to other enterprise software companies and other sub-sectors, it’s definitely higher.
There is a premium on cybersecurity companies that’s here to stay and that’s very much driven by the way the industry is valued.
Will Lin: I’m seeing that as well. I still remember when we were doing Series A rounds and the valuation guidance back then was in the teens to mid-twenties for companies approaching $1 million in revenue. Today, the seed rounds are in the $20 million – $30 million range with ‘two people and an idea’ kinda seed rounds.
I think that security is taking a little longer to do the correction. It probably will, especially as all these unicorns start feeling some pain, then people will start recalibrating how they want to invest in security and how aggressive they want to be.
Even though public market valuations for security companies are doing better, on average for enterprise software, there are still too many unicorns. A number of them will feel pain, and the investors that are invested in them will feel that pain and they’ll change how the industry works again.
Ryan Naraine: If the IPO market remains cool for an extended time, can we expect to see M&A driving market consolidation? What’s the realistic exit strategy for folks over the next two years?
Sidra Ahmed Lefort: That’s always going to be the case with cybersecurity because there are so many companies, too many in some sectors. Right now, there are about 300 data security companies. So yes, that consolidation needs to happen because customers and CISOs are definitely inundated with the amount of cybersecurity companies that approach them.
If you look at the historical numbers, cybersecurity acquisitions have been below the $100 million mark. We will probably see a lot more of these types of exits than the breakout winners. There is a need to go down the path of a platform plan and I think the successful platform companies will be able to break out of that bar and become breakout winners.
Ryan Naraine: Which sectors do you think we’ll see this active consolidation?
Will Lin: I think when a public company has really great currency or they have really good access to capital, they can have a little bit more fun than others. [Richer] companies were using a lot of equity to make deals because valuations were really high. Okta buyingAuth0, for example, included a lot of equity to make that happen. There’s still a bunch of companies with a ton of cash, like $200 million, $300 million, $500 million worth of cash that they’re planning on using for M&A.
So when we think about consolidation, a lot of it will be driven by public companies. We will also see private equity drive a ton of consolidation and they seem to be showing up right now in the Identity category, for example. So I think we’ll see private equity buying up Identity businesses and rolling up a bunch of companies in the email security space.
Private equity as a whole, we should think about them as a more consistent consolidator for the next couple of years because venture capital is all dry powder. Private equity has even more dry powder.
Ryan Naraine: Explain dry powder…
Will Lin: Venture capital and private equity firms raise capital from LPs and we usually have a five-year timeframe to invest it. Last year was a really great time for VCs and PE firms to fundraise, so they did, and they raised record amounts of money.
Now they have five years to deploy that capital [dry powder] and they’ll be looking for good investments to do and one of those, especially if you’re private equity, is you buy a platform business and then you use that, you use it, put in additional capital to buy smaller businesses.
Will Lin: Exactly. Exactly.
Ryan Naraine: Despite all this money pouring into cybersecurity, organizations are still struggling to secure the assets. Malware attacks are soaring, ransomware is everywhere, the U.S. government is issuing executive orders. Are we not investing in the right things? Where do you still see places for big foundational bets?
Sidra Ahmed Lefort: It’s interesting you said that, because you’re right, the risks haven’t changed at all. We haven’t fixed anything. It’s just the speed of the adversarial innovation has gotten much faster. You’re absolutely right in the sense that we’re going to have to see more innovation in the space and what we’re really excited about right now and this is probably a little contrary, but hardware security is an area that we’re thinking we’ll see a little bit of a renaissance as security attacks shift more from the IT to the OT world.
We’ve seen some of the attacks on the critical infrastructure recently so that’s an area of work that will become more prominent. One key issue is having visibility around all your hardware assets and being able to reliably manage those risks. Existing solutions rely on data gathered and analyzed from layer two of seven, but layer one, the physical layer, is really left behind.
And so this visibility gap and the ability to manage that and remediate on that level becomes very interesting. Hardware security is an area that’s a little contrary but we’re spending some time there.
Will Lin: Tracking these hype cycles is a lot of fun. As early stage investors, we get to meet a lot of these companies before the hype has built up. And then sometimes we think, ah, this space will never go anywhere. And then the hype happens and we just have to wait until things die down to see what actually happened.
I’m bullish on the data security space. I’ve been involved with data security since before the hype and now there’s a ton of it. I’m like, whoa, what’s gonna happen once the hype subsides?
Ryan Naraine: There are some security categories that fade over time. Mobile security, for example, never became a big thing like we thought it would. Do you have a sense of which sectors are clearly being overhyped?
Sidra Ahmed Lefort: It’s an interesting question because last year a lot of funds were deploying a lot of capital really quickly and we were very nervous about valuations. So we were really cautious and actually didn’t deploy as much.
So, sitting out I think is a muscle that we as investors all need to use a lot more.
Ryan Naraine: Is that a difficult thing to do? To sit out a hype cycle…
Sidra Ahmed Lefort: It’s difficult. It’s difficult because you don’t know where things are going until the very end and hindsight’s really easy. So, for the most part, I would say there’s a lot of things happening on the Identity side, and I’m sitting out a little bit and waiting for it to shake out and see where the puck lands.
There’s a lot of innovation happening in different sectors, which I think could mean that Identity becomes encapsulated, for example, in the cloud security space, the space we think about cloud data and identity. If that convergence does happen, it would be interesting to see how the Identity companies manage that shake up.
We’re sitting out some things but I’m at the edge of my seat because it’s difficult to not be deploying capital.
Will Lin: I’m still confused by the threat intelligence space. When you look at the TAM, it’s actually a decent number and if you look at the growth rates, they’re actually decent. But my confusion is when I look at customers buying, and they talk about it, they usually don’t talk about it as something that’s strategic or core to their security program. They talk about it as a way to stay up to date, augment, and a nice-to-have thing.
So the threat intelligence category is looking like a big bummer for me because I really want to see a huge winner or multiple huge winners there. But I haven’t seen that yet.