Angel investing in cybersecurity: the basics, investment math, and ways to get started
A practical deep dive into angel investing in cybersecurity
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks, folks!
Thanks for supporting Venture in Security!
I have previously talked at length about factors that make cybersecurity a unique investment area: Investing in cybersecurity: a deep look at the challenges, opportunities, and tools for cyber-focused VCs. While most of what was discussed can be equally applicable to other types of investing, in this piece, I would like to zoom in on angel investing.
Angel investors are private investors that finance early-stage, high-risk startups in exchange for equity. Unlike venture capital (VC) firms that use the capital raised from institutional investors and high-net-worth individuals commonly called LPs (limited partners), angels use their own money. Angel checks are commonly smaller, and unlike VCs, angels do not typically do investing full-time. Michael Sutton, ex-CISO of Zscaler, is one of the few exceptions to this rule in the cybersecurity space. Having started investing while he was still working at security startups, after the Zscaler IPO, Michael got an opportunity to become a full-time angel, something rarely seen in the angel space.
There are many ways in which angel and VC financing models differ, but for both to be successful, investors need to have:
A deal flow (access to startups to invest in),
The ability to assess the companies from the technical and business standpoint, and
Access to the capital.
While a VC firm has a budget and a team that does deal sourcing, investing, and post-investment support full-time, angels have to do all of this on their own, typically on top of their main occupation, whether it’s running a business or working full-time.
In this piece, I will be looking at select aspects of angel investing, including the ways to get started. The hope is that it can provide a good starting point for people working in cybersecurity to get exposure to early-stage investing so that they can help shape the future of the industry.
The two ways to angel invest
Many people develop an interest in angel investing by thinking “I’ve saved up some $50,000 and I would like to invest”. As this is a common approach to investing, it’s worth looking at the fundamental math of being an angel.
Before getting into investing, people new to the angel world need to decide if angel investing for them is an investment strategy or a game of chance (like a lottery ticket). Either is acceptable, but it’s important to make this determination consciously.
Angel investing as a capital allocation strategy: the unicorn math
Early-stage investments are incredibly risky, and the chance of losing capital is much higher than the chance of getting any gains. While there are different numbers floating in the space, it is commonly accepted that roughly 50% of the angel deals will lose money, about 20% will return the amount invested, and another 20% will bring a reasonable return, somewhere around 3X to 4X. If we were to do the math on this 90%, we would conclude that angel investing is not a good way to use capital (investing in S&P 500, for instance, would likely yield a higher return and would definitely be less risky). Success in angel investing comes down to the outliers: you need at least one in ten deals (10%) to be a home run.
Following this logic, one would need to invest in 10 deals at an absolute minimum, and that is assuming 100% certainty that the math will work out perfectly. Building an investment strategy on an imperfect assumption of perfect probabilities is not wise. If one was to maximize their chances of success and treat angel investing as an investment strategy, he or she should plan to invest in 20-30 deals.
That in itself is not the end as angels need to have the ability to invest in the follow-on rounds. In other words, once one of the portfolio companies is growing, the angel should have the capital to invest in the following round to retain their equity stake and prevent dilution (note this assumes the angel has secured pro-rata rights which is something that should always happen in early-stage deals). It is obvious that follow-on investments require capital, and if the angel is not able to do it then they miss the opportunity to increase bets on the winners in their portfolio.
The conclusion is that to pursue angel investing as a capital allocation strategy, one needs to have access to sufficient capital. If one only has $50,000, to invest in ~25 companies, and to reserve roughly 50% of the capital for follow-on investments, they would have to divide that by 50 (25 investments of $1,000 plus $25,000 for follow-ons). Needless to say that with this amount of capital, it’s nearly impossible to secure an allocation (to put it simply, few founders will bother with the paperwork to accept such an insignificant investment). Most importantly - the effort involved will very unlikely be worth it for the angel because the resulting equity stake will be too small.
Angel investing as a lottery (the more common way)
The alternative to angel investing as a capital allocation strategy is angel investing as a game of chance, akin to buying a lottery ticket. This approach involves allocating money to a few deals based on a personal connection to the founders, a belief in the idea, or any other factor. Angels doing this are not necessarily trying to achieve a specific return objective, but rather support something they believe in. It’s worth noting that this is a more common path in angel investing as the majority of angel investors do not have the resources (time, deal flow, capital, and expertise) to treat the investment as a well-thought-out capital allocation strategy.
Compensating for the lack of capital by syndicating deals
For people who live & breathe cybersecurity, have an established network and have access to exclusive deal flow, there are ways to bypass the capital limitation. Angels that are not sitting on millions of dollars can organize a syndicate - a group of investors that pool their money into deals through what’s called a special purpose vehicle (SPV).
The syndicate model generally looks as follows: the syndicate leader will negotiate with the startup founder an amount of money that will be reserved for the syndicate to invest (“an allocation”). Once that is done, the syndicate lead will put in some money on their own (can be as low as 5-10% of the total syndicate investment amount) and reach out to the members of the syndicate who can then pull their capital up to the total allocation amount. The syndicate lead commonly charges 10-20% carry (carried interest) on investments made through the syndicate.
The syndicate model requires two components: the deal flow, and the ability to attract investors. Sites like AngelList make the creation of syndicates simple as they handle most of the admin overhead for a relatively low fee. For example, AngelList will take care of K1, one of the tax documents that have to be issued to the syndicate members every year. Angel syndicates that do the setup and admin on their own, would need to hire a chartered accountant (CPA) to prepare this form at the end of every year. AngelList is not the only option as there are many others such as Vauban and Odin (this article offers a great overview of what’s available).
Note that even angel investors who do have enough capital to invest on their own, can still benefit from setting up a syndicate. This can become especially handy when they have pro-rata rights in companies they’ve invested in before, but the pricing of the subsequent rounds becomes too expensive to do a follow-on investment on their own. When this happens, having the ability to bet on the winner by pulling funds from other investors and potentially earning carry on top can be highly beneficial.
Getting started with angel investing in cybersecurity: reading, angel syndicates, and angel networks
For those new to angel investing, getting started may look hard. There are three steps people new to angel investing can take to make the process easier and less intimidating:
Read “Angel: How to Invest in Technology Startups - Timeless Advice from an Angel Investor Who Turned $100,000 into $100,000,000” by Jason Calacanis. This is an essential read for anyone interested in angel investing, as it provides a deep-level practical overview of how the whole process works, and what a person new to the space needs to know as they are getting started and building their investment portfolio.
Join an angel network. Angel networks are communities of investors who come together to learn, network, share experiences and deal flow, help one another with due diligence, and otherwise support each other on their investment journey. An example of an angel network that invests, among other areas, in cybersecurity is DC-based Blu Venture Investors (about half of their portfolio are cybersecurity companies). Aside from being an angel network, Blu Venture Investors now also has a Cyber Fund for Series A deals for both follow-ons to their seed investments and for new investments in companies that have matured beyond the seed stage. Angel networks are good places for companies to find investment between their angel rounds (which are often pre-revenue, pre-MVP) and their first institutional round, which is often somewhere between pre-seed and seed.
Join an investment syndicate. While organizing an investment syndicate can be a great way to build one’s own track record in investing, joining an existing syndicate can be a great way to get started.
Angel networks and angel syndicates come in all shapes, sizes, and focuses, so cybersecurity founders should do their own research to understand the nuances of each group they are talking to.
Cybersecurity-focused investment syndicates
The following is a non-exhaustive list of cybersecurity-focused investment syndicates.
Silicon Valley CISO Investments (SVCI) is a group of Chief Information Security Officers (CISOs) that operates as an angel investor syndicate. SVCI is an invite-only group, and new angels must be recommended by the existing members. Established in late 2019, SVCI has already invested in over 13 startups, including Cyral, Orca Security, and Tines.
Cyber Club London (CCL) is a community of over 50 cybersecurity executives and experts, working together to foster the next generation of cybersecurity innovators. It is an invite-only organization that facilitates group investments in early-stage cybersecurity startups and provides advice, expertise, and what is needed to propel their success.
KMEHIN Ventures, based in Israel, is on a mission to identify and invest in early-stage security startups with great potential. Similarly to Silicon Valley CISO Investments, KMEHIN is a group of CISOs from several leading companies.
The Security Syndicate is one of the largest communities of security founders, executives, and leaders at F500 & G2000 organizations that focuses on partnering with early-stage security founders.
Shenandoah Cyber Investments (SCI) is a vehicle to help cyber start-up entrepreneurs. SCI is also a way for members to assist their friends who want to invest in cyber startups but have a hard time finding opportunities or can’t afford to invest very much.
Super-angels investing in cybersecurity
It would be a miss if I did not call out some super-angels with a great track record of investing their own capital in cybersecurity startups. StoneMill Ventures run by Michael Sutton, Secure Octane Investments run by Mahendra Ramsinghani, and 90 Degree Ventures run by Tyler Shields are great examples of this less common investment strategy that relies on the presence of capital, creative thinking, disciplined approach to capital allocation, and deep industry knowledge.
How angels can win in cybersecurity
The cybersecurity market is projected to grow from an estimated value of USD 173.5 billion in 2022 to USD 266.2 billion by 2027. This is no surprise as the increased adoption of the cloud, the emergence of hybrid work arrangements, and continuing digitization across all industries, pushed the number of cyber breaches to record maximums.
In the context of the current economic downturn, it is worth noting that as angel investing has a long time horizon, it does not follow the same cycles as public markets. Regardless of what the economic conditions are when the investment is made, the angels will be expecting to exit a few years later; by that time the economic environment would have changed. What matters much more than the short-term fluctuations of the market are the characteristics of the company itself: the team, the problem it is solving, and the customer demand, to name a few. A great startup solving an important problem is a great startup regardless of the economic circumstances as security is a non-discretionary expense, and companies need to defend their networks in any economy.
Cybersecurity is a hot industry, but due to the deep levels of expertise required to assess companies and a multitude of other factors I have discussed before, a lot of investors don’t have access to the deal flow, especially at the early stage (i.e., pre-seed and seed). Angels are uniquely positioned to fill the gap that later-stage VCs and family offices cannot.
While angels investing in cybersecurity do not generally have formal CISO and security counsels, they can and should involve relevant people from their network to help evaluate new investment opportunities. This is especially important as security products tend to address niche sub-segments requiring deep levels of highly specialized expertise. The book by Jason Calacanis mentioned above offers some great instructions for assessing early-stage ventures. The following are arguably three of the most important questions angels should ask when talking to founders:
Is this the right team that can execute on the idea? Even if the idea isn’t perfect - the right team can move fast, learn fast, and pivot as needed. Repeat founders are great, but most rockstar repeat founders will get funding from VCs they already have relationships with; it’s the first-time founders that need someone like angels to give them a chance.
How will this company differentiate? Cybersecurity is a very crowded market, and therefore “me too” doesn’t work in this industry.
What are the barriers to entry or an unfair advantage the startup has that others don’t? While not all companies can establish solid technical barriers to entry, founders need to understand how they are going to succeed in the competitive market.
As angels have limited resources and the ability to conduct due diligence, for many it is important to co-invest alongside investors they respect and trust. When the lead investor in a company is an unknown family office without any expertise in cybersecurity, and all reputable investors in the space have passed on the deal, it can sometimes be a red flag. The angel may very well know something others don’t, but they should be extra careful when evaluating these opportunities.
Exits for angel investors (not always the same as for VCs)
When we think about successful startup exits, we commonly think of three ways it can happen: initial public offering (IPO), acquisition, or merger. It’s worth noting that mergers are fairly uncommon in the startup world and are most often seen among established enterprises.
For angel investors, exits may look somewhat different.
Before we discuss it in more detail, we need to briefly explain the concept of a capitalization table, commonly called a cap table. A cap table is a document generally presented in a table format, that lists parties who have ownership in a company. If the startup receives capital from a syndicate, then the cap table will only have one entry for the whole syndicate, regardless of how many individual angels have invested as a part of the syndicate. When the early-stage startup accepts investment from individual angels, the names of each of these investors (or entities that represent them) go on the cap table. After one or two funding rounds, the cap table can look pretty complicated, as it details the founders’ ownership stake, along with the equity ownership of all the investors - angels, VCs, family offices, angel syndicates, and alike.
When startups go to raise money from VCs at series B or later, VCs may try to structure the deal in a way to give angels an exit (to buy their ownership stake). This happens for two reasons:
VCs want to see a clean cap table. Each line item on the cap table means a signature, a point of view, and a person to coordinate with. Naturally, VC firms prefer to have fewer cooks in the kitchen. It can be said with high confidence that if there are 15-20 names on the cap table, the VC will most certainly want some consolidation.
VCs will normally have a target startup ownership percentage for them to invest (say, 15-30%). As the valuations go up and financing rounds progress, it can often become hard to achieve these ownership targets directly by leading the round. Instead, a VC firm can approach angels with the idea that they came in early, made a good chunk of money, and can now sell a part (or all) of their equity to the VC at a discount from the round’s valuation.
If the startup is doing well, exit opportunities will normally keep coming up as the company is going for the subsequent investment rounds. It often happens that when a company is doing well, VCs are looking to buy out angels who, in turn, want to keep their ownership. Or the other way around the company isn’t doing all that great, and some angels would like to exit, but VCs are either not interested in acquiring their ownership stake, or offering to do it at a discount that does not meet the return objectives of the angels.
Angels who are actively involved with their portfolio startups, develop a deep insider knowledge of the company affairs and growth trajectory. When an offer comes to sell their ownership at a discount, they can reasonably well evaluate if that’s a good idea or not. Investors that are disengaged and fully hands-off, often have a hard time making a sound decision as they are not aware of the real state of affairs in their portfolio company.
Angel exits via initial public offerings (IPOs) and acquisitions look similar to those of other investors, and therefore we’ll not be discussing them here in detail.
Beyond investing: other ways to earn equity in startups
While angel investing is commonly regarded as “the” way to earn equity in early-stage ventures, it is not the only one. The following are some of the most common ways to earn ownership without having to put in the capital:
Joining an early-stage startup as an employee. While this one is obvious, it is worth highlighting that joining a startup early as one of the first employees can yield outsized returns. While not every startup will become Google, being a founding member of the new promising venture can be a smart move.
Becoming a startup advisor. This option is accessible to people with skills and experiences that are in demand by early-stage startups, such as engineering, product, go-to-market strategy, fundraising, and others. Founders can greatly benefit from tapping into experiences that can propel growth and unlock new opportunities for the company. This is one of the problems we are planning to tackle with the Building Cyber community initiative announced a few weeks ago.
Working with VCs. Some VC firms have ways for industry professionals to earn a percentage of carry (carried interest). Most commonly, this is done through venture scouting arrangements (when a person who brings the deal the fund ends up investing in can earn a stake in that deal), or some advisory work (help with due diligence, understanding the market, etc.).
The list of ways to earn an ownership stake goes far beyond the above-mentioned options. Startups have a lot of needs, and a person willing to get their hands dirty is very likely to find a way to help, especially at the pre-seed and seed stage when the team is still small and the amount of work that needs to be done is insurmountable.
While it may not always feel that way, cybersecurity is a young industry, and there is a lot of room for innovation. Most of the security is done by startups; there is a fairly small number of publicly traded companies (granted, a number are also owned by private equity firms).
Angel investing is becoming increasingly accessible - through angel groups, AngelList syndicates, and crowdfunding platforms to name a few. For those starting on their investment journeys, joining an angel group or a syndicate can make it easier to shorten the learning curve without the pressure to do all the parts of angel investing such as deal sourcing, due diligence, and legal on their own.
I have previously talked about ways CISOs can benefit from getting more closely involved with cybersecurity startups. Security professionals can reap many benefits as well - from getting familiarity with the business side of cybersecurity to diversifying their investment portfolios and maybe even gaining the experience needed to later start their own company.
It goes without saying: this piece is not investment advice. Remember: most angel investments fail; do your own research and make your own decisions.
Thanks to Michael Sutton, principal of StoneMill Ventures and one of the investors in LimaCharlie, for the great conversation about angel investing that inspired this piece. Opinions and conclusions are my own.