Announcing angel syndicate to help cybersecurity practitioners shape the future of the industry
Looking at the gaps in today’s cybersecurity funding model and announcing Venture in Security Angel Syndicate - a cyber-focused angel syndicate to help security practitioners shape the industry
Imagine if security practitioners, not traditional investors, got to decide what security products and tools should exist on the market. The Venture in Security Angel Syndicate was built so that we can stop imagining and see it for ourselves.
In this issue of Venture in Security, I am announcing Venture in Security Angel Syndicate - the only cybersecurity angel syndicate for security practitioners and technical security professionals.
To learn more, visit the website or continue reading below.
A full year of observing and documenting the evolution of cybersecurity
This coming Thursday will mark a full year since the first Venture in Security article. I published it on Medium before moving to Substack to escape from Medium’s paywall and make deep-level industry analysis accessible to more people.
Over the past year, I have had the pleasure to talk to over a hundred people in cybersecurity - security practitioners, founders, angel investors, VCs, industry analysts, community leaders, and many others. Almost every week, I would share my learnings about the space, covering everything from open source, security services, and channel partners to venture capital, product-led growth, and much more. Over time, I got the opportunity to help investors understand the trends in the industry and help startups with their go-to-market strategy, and I started angel investing. At the end of 2022, I was humbled when over 200 people - startup founders, advisors, and investors - joined Building Cyber Collective to shape the next generation of cybersecurity.
I have observed again and again that cybersecurity is evolving. I have written about many trends I am seeing in the industry, including the move from promise-based to proof-based security, the importance of engineering principles, and the rise of security engineering. More and more companies are starting to realize that security is a process, not a feature or a product that you can buy, enable, and instantly become “safe”. That, in turn, forces product resellers to become technical or die and changes what people expect from service providers. The industry is maturing, and the number of vendors continues to grow and will keep growing for the foreseeable future because of how innovation in security works.
Security professionals are at the epicenter of the industry's evolution
At the center of all the changes we are seeing in cybersecurity are people - security practitioners. This isn’t just because there is a talent shortage, but also because attackers are well-funded and well-motivated people, and we need people on the defense side to stop bad actors from causing harm.
The realization that people, not technology, keep organizations safe
There was a time when companies would buy tools, deploy them in their environment, and press a red button somewhere in the web application to “activate the shield and become secure”; that time is over. Today, mature organizations understand that security is a process, not a feature, and that tools are just that - tools, whether or not they have AI, ML, or any other latest technology built in. To keep organizations secure, we need people - experienced security professionals capable of thinking critically, understanding and adopting the attacker’s mindset, and making the right decisions to focus on what is important.
Community as a driver of innovation
The cybersecurity community is a tight-knit incubator of security innovation. In Discord channels, on forums, at CTFs, meetups, and industry events, many creative ideas are born, validated, and shared. While CISOs are forced to deal with more and more admin overhead, coaching leaders and board members, getting the buy-in for security strategies, and looking for ways to build and develop high-performing teams, hands-on security practitioners are always looking for what’s new, testing new approaches, reading about new vulnerabilities, and tracking the behaviors of the adversary.
Growing influence on the purchasing process
Security professionals are critical to securing their organizations and advancing the practice, and they are also critical to how buying decisions are made in the industry: every day, their voice matters more and more. The time when company execs would attend tens of demos, go to dinners with vendors and negotiate five-year-long contracts is going away. Today, CISOs are focused on defining the security strategy, growing teams, building relationships with other departments, working with boards and peers from the leadership, and other high-level matters. More and more tool selection is done by security professionals staying on top of what’s happening on the ground, keeping track of emerging threats, and continuously testing new approaches in their home labs.
When I ask CISOs how they select solutions to security problems in their organizations, the answer I hear the most is that “people on the team try stuff and recommend what works and what solves our problems”. While the final sign-off and the buying process would still typically be orchestrated by CISOs, most security leaders delegate initial assessments and proof of value to their teams.
The vendor market has not caught up with these trends
Despite the ever-growing need for the industry to evolve, the vendor market seems to perpetuate what it did years before. Cybersecurity companies seem to repeat the same old playbook:
Build black-box magic tools that promise to “stop 100% of breaches, zero days, and APTs”
Develop marketing materials that don’t offer any hints about what the company does, how the product actually works, and what their solution costs
Hire a large sales team and unleash them to call anyone and everyone to offer their “Cutting-edge, AI-powered, ML-infused, Zero Trust Next-Gen” solution
Funnel anyone interested into four-to-ten demos with sales before they can even see the product, and - if they are qualified - maybe get access to a supervised sandbox environment
Give away the F1 car at RSA
Get acquired within four to seven years
This short-term thinking that plagues the industry simply cannot help us shape a secure future. For us to build a world in which people and organizations don’t get hacked every second, a world in which security teams do not have 350+ point solutions to manage in their environment, and a world in which cyber attacks do not destroy our critical infrastructure, we need to think long-term. We cannot keep doing what we are doing, building thousands of point solutions, looking for quick exits, and thinking that the problems this creates can be solved by someone else, tomorrow.
To build the security of tomorrow, we need a new generation of investors
If we keep funding the same companies, we will keep seeing the same results
There is a saying that “doing the same thing and expecting a different result is a sign of insanity”. We understand this intuitively, and yet when it comes to funding cybersecurity innovation, we keep doing exactly that, repeating the same thing and relying on a small number of forward-thinking security leaders and an even smaller list of security-focused VCs to decide what vendors should get support. If we want the future of the industry to look different, I think this needs to change. For us to get more practitioner-focused, transparent, open, and mature vendors, we need to start betting on early-stage founders who want to do things differently.
Traditional investors struggle to make sense of this complex industry
As cybersecurity is becoming more technical, traditional investors are struggling to evaluate ideas and solutions of the future, often funding tools that make big promises but don’t solve real problems. This is no surprise: to make sense of all the complexity, one must live and breathe cybersecurity, fully immersing themselves in the space. Cyber-focused VCs are a big step forward as, unlike “tourists”, they understand the nuances of the space and know what kind of support their portfolio companies need. However, they are not as close to real innovation as security practitioners who spend their weekends and evenings learning about new ideas, testing new tools and approaches in their home labs, contributing to great open source projects, and even building their own tooling.
The biggest challenge is around early-stage investing
Not all startups are ready for or have access to venture funding, understand the expectations venture capital creates, or even should be looking for VC money at the stage they are at. Most importantly, there is not enough capital to support early-stage startups as they are incredibly risky and often take a long time to validate their approach. This is where angels, who believe in innovation and provide support when the risks are the highest, typically come in. However, few angels understand cybersecurity, and hence most cannot evaluate if an idea makes sense. CISO-focused angel syndicates are a huge step forward, but they gather only a select number of CISOs, leaving behind practitioners who now play such a critical role in the industry.
Early-stage cybersecurity startups need a lot of help and support
Early-stage cybersecurity startups need a lot of help and support, particularly around validating the problem they are trying to tackle, getting feedback about the solution, understanding who would be the right customer, and finding use cases to best demonstrate the value they offer. Few traditional investors are ready, willing, and able to provide this kind of support, as it typically requires deep domain expertise.
Security practitioners can bring long-term thinking to the industry
I believe security engineers, SOC architects, detection engineers, penetration testers, threat researchers, practitioners turned founders, and other hands-on practitioners have the right skills and expertise to understand if the problem a specific tool is solving is real, if companies will be willing to pay for it, if the solution itself is feasible, and if the competitive landscape makes sense. Not only that, but I think those who know what securing organizations looks like are best positioned to decide what is a valuable solution and what’s not. Qualified cybersecurity professionals who fully understand the high risk associated with betting on early-stage startups should have the opportunity to help fund the security they would like to see in the world.
Over the past decade, the nature of angel investing has changed. In the past, it was only accessible to millionaires; today, any accredited investor can put in as little as $1500-$2500 to support companies they believe in via syndicates.
This is why we started the Venture in Security Angel Syndicate. Most members of the Syndicate - angel investors - are security practitioners who use their own capital to support companies they believe in. They do not have the pressure to exit their portfolio companies within 10 years as do traditional VCs. Angels are long-term thinkers. Security practitioners are long-term thinkers. Unlike traditional investors, they are in cyber not because it’s a “hot space to invest in”, but because this is their profession, their mission, something they want to do in life, and most want to (and will) stay in the industry decades from now. They have all the incentives to build robust security infrastructure, and support founders that solve real problems. They are not looking for shortcuts. Security practitioners now have the tools to bring the long-term thinking we so badly need into the industry.
Closing thoughts: the long road ahead
The way cybersecurity is seen is changing, how security is bought is changing, and how it’s done is also changing. What has not changed is how security companies are funded, and I think the changes are long overdue.
For us to build a secure tomorrow, we need to start thinking long-term. This means building products secure by design (the so-called “shift left”), educating kids about cybersecurity from a young age (something Israel has been doing for many years), and supporting the new generation of security innovators, even before they can commercialize their ideas. Thinking long-term is only possible when there is no pressure to optimize for short-term outcomes. It’s this push for meeting short-term goals that incentivizes companies to develop aggressive vendor lock-in schemes, trigger black-box detections, avoid transparency, and cause all the cybersecurity marketing nonsense.
I have no illusions: the funding model in the industry cannot be shifted overnight. I am, however, convinced that it is one of the culprits that lead to the short-term thinking mentality. We don’t need less venture capital in cybersecurity; instead, we need more optionality. We need more funding options so that security founders can choose what they need and at what stage. For that, we need a new generation of angels, and no one can do it better than cybersecurity practitioners.
I am excited to see the Venture in Security Angel Syndicate accelerate the changes in the industry and provide this optionality, along with true value-add, to early-stage cybersecurity founders.
For general inquiries and to learn more, contact Venture in Security Angel Syndicate.
By having technical security professionals invest in your company, you are building a unique connection with your champions, and potentially - your future customers. Most importantly, when security practitioners invest in your company, they truly want you to succeed, and unlike traditional investors, they will always go the extra mile to help make it happen.
Venture in Security Angel Syndicate enables security practitioners to influence the future of cybersecurity by supporting practitioner-focused cybersecurity startups that are shaping the industry of tomorrow.
Disclaimer: This announcement does not constitute a solicitation of a proxy, consent, or authorization with respect to any securities or in respect of the proposed business combination. This announcement also does not constitute an offer to sell or the solicitation of an offer to buy securities, nor will there be any sale of securities in any state or jurisdiction in which such offer, solicitation, or sale would be unlawful prior to registration or qualification under the securities laws of any such jurisdiction. No offering of securities will be made except by means of a prospectus meeting the requirements of the Securities Act of 1933, as amended, or an exemption therefrom.