6 tips for VCs looking to build an investment thesis in cybersecurity
A brief guide for VCs looking to start investing in cybersecurity
Overcoming the fear of investing in cybersecurity
There has been a lot of hype around cybersecurity in recent years, and rightfully so: cybercrime is on the rise, ransomware is affecting companies of all sizes and industry segments, the COVID pandemic has accelerated the digitization of society and the move to hybrid work arrangements, and cyber insurers have been limiting the payouts to customers suffering data breaches. With thousands of vendors, confusing abbreviations, and an emphasis on deep technical expertise, cybersecurity is still an intimidating space for investors, even though the industry has been growing rapidly in the past five years and has been resilient to economic downturns. In fact, as uncertainty increases and economic conditions worsen, we have seen cybercrime go up, and with that, the need for companies to protect their crown jewels.
The cyber industry does not lack access to funding, but it does lack investors with an understanding of the space whose value-add goes beyond providing capital. While a few funds specialize in cybersecurity investments, generalist VCs seem to face a number of hurdles in developing a thesis in cybersecurity, for a few reasons:
It’s a highly technical field which makes it hard for non-security experts to make sense of what is happening
It’s the only industry with an intelligent, well-motivated, and well-funded adversary actively working to undermine the work of security vendors and their customers
The trends, technologies, and risks in need of addressing change overnight, making every 2 or 3 short years feel like a whole historical period in the industry
A large number of vendors and approaches to solving problems make it hard to pick winners, and even if successful - winners in the industry tend to own a relatively small percentage of the market, with 3-5% seen as an incredible result
Despite all the challenges, the total addressable market is there, the growth projections for the coming years are high, and given security is far from being a problem solved, the opportunity to back the next unicorn in the industry is ripe as well - all the ingredients that make this space attractive for VCs.
Not every VC should build a thesis in cybersecurity (but many can)
In terms of the complexity of the space, cybersecurity is similar to biotech in that it is not a space for tourists and part-timers: responsible investors looking to make good investment decisions will need to develop deep knowledge of the space. The most common approach is to have a person or a team fully dedicated to cybersecurity, but even having someone get deep into the space, attend industry conferences, and soak in the knowledge can be a good start.
What makes cybersecurity suitable for most VC funds is the fact that, unlike most other specialties, cyber is a horizontal, not a vertical. In other words, no matter what vertical you invest in - agritech, IoT, hardware, web3, sustainable energy, fintech, or even spacetech - all of them need to be secured. This realization makes cybersecurity investment suitable for many funds, especially those with deep expertise in a specific industry segment.
A great example that illustrates how it can work is Canapi Ventures, a venture capital firm investing in early to growth-stage fintech companies. The secret sauce behind Canapi is its base of limited partners (LPs) from more than 60 US banks and financial institutions. Over the years, investors at Canapi have developed deep expertise in supporting fintech companies selling into banks, including payment companies, compliance software, identity providers, and others. While Canapi had long recognized the importance of cybersecurity to financial institutions, the spike in high-profile attacks of the last few years catalyzed the fund’s decision to develop a more concerted investment thesis in the field. Canapi Ventures had an advantage - a robust network of CISOs from their LP banks who helped them understand the pain points security teams are experiencing and the solutions available on the market. One of the important realizations the Canapi team made was that the cybersecurity issues that their bank LPs face are the same issues that many other large enterprises contend with as well. As such, whereas some industries require investors to pick the first-place player to win the market, in cybersecurity, the outsized market opportunity means that as long as the correct theme is identified, investors can likely pick first-, second-, or third-place players, and still achieve outsized returns.
Starting late is better than starting early
For new VCs, it is easier to start building familiarity with the market by first looking at a later stage where they can focus on financials and the business side, taking advantage of the fact that the validation of the technical piece has been largely outsourced to the market. In other words, if the company has surpassed $10 million in ARR, the reference customers include mature security teams from large reputable enterprises, and the churn is low, the product must be solving the problem it was built to solve. The level of due diligence security teams do for them to adopt a new tool is incredibly high, so it can be used as a strong indicator that the technical piece is working. Surely, no responsible investor should outsource their technical due diligence to any other party, but the main idea is that at the later stage, numbers and customer testimonials will often speak for themselves.
From the perspective of deal sourcing and the ability to lead, it is definitely valuable to have solid industry expertise and a name in the market as a cyber fund. However, cybersecurity companies at the growth stage and later are primarily looking for ways to supercharge their growth - new connections, new markets, new customer segments, operational & expansion expertise, and so on. For investors able to bring something new to the table, this provides an opportunity to leverage their angle and unique networks to win the deal and become a value-add VC.
Early-stage investing (from pre-seed to Series A) in cybersecurity is a different game. Here, the ability to judge technology is as important as the ability to judge the team of founders. Industry knowledge in early-stage cyber investing is critical as there are many ideas that sound great to outsiders but that will never be adopted in the industry. And some products sound incredibly basic, but the need in the market is so strong that CISOs and security practitioners will stand in line to get early access. The ability to judge founder-market fit is important, but certainly not enough to make sure investors are not bamboozled by founders selling snake oil and can evaluate companies at the pre-product and pre-revenue stages.
There are several effective ways to develop the ability to evaluate cybersecurity startups, especially:
Partnering with funds that have it and developing the in-house expertise over time
Establishing an expert advisory board by building relationships with industry leaders, serial founders, and analysts (an example of a successful advisory network is Team8 and their Village)
Over time, the fund will naturally develop the ability to pattern match as is the case with other industries.
Crafting the value proposition
Atlantic Bridge is a global growth equity technology firm with over €1 billion of assets under management across eight funds, investing in technology companies in Europe and the US. The firm has built a robust cybersecurity portfolio with the value-add of helping European entrepreneurs access the US market and vice versa. The above-mentioned Canapi Ventures leverages its robust network of CISOs from US banks, offering startups introductions to their security leaders. While neither firm started as 100% cyber-focused, both leverage their strengths to their advantage, which makes their value proposition clear and unique: if you are a security startup looking to sell to banks - talk to Canapi Ventures, and if you are ready for cross-border expansion - to Atlantic Bridge.
Most funds that have been able to survive and thrive do so because of their unique value proposition. Arguably, value-add in VC is all about unlocking new networks and establishing connections that have the potential to result in new revenue, geographic expansion, company growth, hiring the best talent, or similar. Using your existing investment thesis can be a great way to differentiate and craft a unique value proposition as an investor in cybersecurity startups.
The importance of good market research
It took Canapi Ventures around six months to learn the industry vocabulary, build a foundational understanding of the space, and identify a few sub-sectors within cybersecurity that are worth diving deeper into, but of course, their work is ongoing. Cybersecurity as a whole is too big even for the most experienced domain experts, so the logical starting point a VC firm can take is to talk to people from their existing area of focus and understand their security needs. Customer research firms such as Tegus and AlphaSights help streamline the process by sourcing professionals based on the VC’s needs. It’s a great idea to also reach out to your limited partners (LPs) asking for introductions. This solves a few problems: tapping into the existing networks, gauging the interest level of existing LPs, and planting seeds for gaining their buy-in in the future.
Aside from expert calls, great resources for understanding the industry include industry analysis and market reports, especially given the number of now-public cyber companies; these reports include those by Gartner, TAG Cyber, Altitude Cyber, and others. These materials will help investors identify market trends and understand the fundamentals of the space - the total addressable market, where the capital is flowing, what problems are most pressing to customers, and what the existing vendor landscape looks like. The outcomes of the market research are important not just to refine the learnings, but also to educate LPs about the space.
Staying humble at the start
Cybersecurity is a complex, impactful, and fast-paced field that takes years to fully grasp. It is therefore not surprising that some of the most successful VC firms investing in security were either started by former security practitioners or have ex-security engineers and ex-CISOs on their teams.
For investors new to the space, it’s important to start with an understanding of their place in the ecosystem and the role they are comfortable playing. This may mean becoming a strategic co-investor or a follow-on investor instead of looking for ways to lead immediately.
Cybersecurity presents a tremendous opportunity for investors willing to put in the work. In 2023 alone, the space was projected to grow by over 11%; even when IT budgets are being cut, security spending only goes up.