Vetting Cloud Security Companies: Scale VC Sets The Scene
[Corrected 5/11/16, 12:59 pm. See below.] When Ariel Tseitlin joined Netflix in 2011 to help it transition from a movie DVD rental company to a Web-based streaming entertainment service, his team had to build Netflix’s cloud architecture. There was nothing out there to buy, Tseitlin says.
The cybersecurity industry was also a fraction of its current size. Netflix hired a cloud security architect as it created its Web-based infrastructure, Tseitlin says. The risks of data loss were lower then—-at least for Netflix. A hacker might be able to find out if you’d had the bad taste to rent a stinker like “Ishtar,” but Netflix kept more critical information like credit card payments in its own data centers at first, he says.
In the intervening years, both cybersecurity and cloud computing became much bigger business sectors. Tseitlin was recruited as a partner by Silicon Valley venture firm Scale Venture Partners about two years ago. He’s now spending his time looking for new companies that can help secure cloud-native infrastructure, applications, and data. Much of what’s needed now still has to be built anew, because technology keeps advancing and hackers keep probing for fresh weaknesses.
“It’s still an unsolved problem,” Tseitlin (pictured above) says. Scale, which closed its fifth fund at $335 million in January and has $1 billion in assets under management, has intensified its focus on cybersecurity. The firm has invested in companies including Frontbridge and Tripwire. Among Tseitlin’s portfolio companies are San Mateo, CA-based Agari, which protects companies against e-mail phishing attacks, and Boston-based Cloud Health Technologies, which offers the kind of cloud infrastructure management that Netflix had to build for itself. [An earlier version of this story included Scale’s statement that it had $1.85 billion in assets under management. Scale now reports the actual figure at $1 billion. We regret the error.]
There are now layers upon layers of cybersecurity companies to help businesses guard against the kinds of massive breaches that have hit victims ranging from retail giant Target to the US Office of Personnel Management—-a repository of private information about federal employees.
Tseitlin cut his teeth as a software engineer before becoming an executive, but I wondered how hard it is for venture firm partners to keep up so they can evaluate cybersecurity companies as investments.
The field is much more complex than it used to be even 10 years ago, Tseitlin agrees. That changing landscape, however, creates big opportunities.
“There’s a lot of budget from IT flowing into security,” Tseitlin says. Cybersecurity fixes inevitably lag behind technological changes, such as the proliferation of connected devices, that raise new vulnerabilities. Rather than drawing a ring around a fixed data center full of company computers, businesses have to figure out how to shield data accessed from the cloud by thousands of mobile devices carried by employees who may be at home or at Starbucks, Tseitlin says.
In the past, most of a company’s security budget went into breach prevention. “Today that’s just not practical anymore because most of your assets are sitting out there, not under your control,” Tseitlin says. “Preventing all breaches is nearly an impossible task.”
In this environment, evaluating a cybersecurity company can become an exercise in relativism. Even the best cybersecurity companies can suffer breaches themselves, Tseitlin says. He cites the 2011 case of prominent data protection company RSA Security, which fell victim to a phishing attack that opened the door to malware. Hackers focus their attention on such big security companies because that’s where the payoff of finding a vulnerability is greatest. “They’re the target, because they’re sitting on so much gold,” Tseitlin says.
Given that breaches are inevitable, Tseitlin likes to invest in security companies that help clients detect hacker intrusions earlier, and minimize the damage done while the invaders are tunneling their way through company networks. That threat visibility is one of the features that Tseitlin praised in a blog post when Scale announced its investment in Boston-based security monitoring company Threat Stack last month.
But how can VCs assess a young cybersecurity company’s own exposure to hacker attacks? In some ways, Tseitlin says, evaluating the security of a cybersecurity company is less a concern for a venture firm than assessing the security of other kinds of companies looking to raise money, such as app developers.
If a cybersecurity companies didn’t have a handle on security, they probably wouldn’t have been able to create their own products, Tseitlin says. Not that Scale doesn’t evaluate their internal security. “It certainly is one of the check boxes.”
Even if a cybersecurity startup is well guarded against a breach of its own systems, how can a venture investor tell whether the startup’s services for its business customers will perform as pitched?
This could be more challenging for venture firms that deal with very early startups, but Scale invests in companies that are already starting to generate revenues from customers and are ready to expand. Such customers—-other businesses—-spend a lot of time thinking about how to weed out ineffective security products from the host of those on offer, Tseitlin says.
“Mature security professionals will have an array of tests they can run against their security products,” Tseitlin says. They might set up a separate test environment in which no corporate data is at risk, then release malware into the environment and see how the security tool at issue copes, he says. It’s also a common practice among businesses to divide their employees into opposing red and green teams. The red team will try to create a breach. “If the red team is successful, the defense (green) team can learn from this,” Tseitlin says.
When Scale is mulling an investment in a cybersecurity company, it consults its network of security experts, Tseitlin says. The firm also looks to customers of security companies for … Next Page »