In this episode of Security Economy, Ron Gula discusses the state of cyber security startups in light of COVID-19. He shares his investment philosophy and key points early stage companies should consider.
Hey, everyone! I don't know about you, but I am extremely curious about how cyber security companies get funded - or perhaps don't get funding.
With the whole COVID situation, I've been seeing rumors on VC Twitter that funding has slowed down considerably. Is that really true? What does COVID mean for young cyber security startups?
Let's chat with Ron Gula about this. Ron was the Co-Founder of Tenable Network Security and now is the President and Co-Founder of Gula Tech Adventures.
Ron's really in the thick of investing in startups. He's invested in dozens of cyber security startups, and he's here to share his thoughts with us today.
Let's see what he has to say. I'm Katelyn Ilkani, and you're listening to Security Economy. Hi, Ron, thanks for joining me today.
Hey, thanks for having me on. Congratulations on your new podcast.
Thank you! It's been a lot of fun. I've had great guests, and I'm really looking forward to our conversation today in particular.
Before we get too far in, can you tell us more about yourself and why you decided to become a venture capitalist?
Thank you. So I started out in the Air Force and thought I was going to be a fighter pilot. I did not do that.
I almost directly got involved in what we call cyber security now but nobody called it cyber security in the mid-90s. I got to do penetration testing for the DoD and the intelligence community.
And that kind of set me up to just understand a lot of the different issues with with cyber, whether it's compliance or real risk or just how the technology works.
I had a chance to work at a startup that was doing cloud. And while I was there, I had to chase some hackers who were breaking in, and I had the opportunity to develop some technology in the network intrusion detection space.
I asked my wife Cindy, if she could help start the company with me. And within 18 months, we had sold it. And I was like, wow, this is great.
So the next company I started was Tenable Network Security. I had a couple great co-founders and ran that for a really, really long time. And then when it got time to leave, I said, "I really want to help other people start companies."
And we were, you know, fortunate enough to do quite well at Tenable and had the wherewithal to not only offer some good advice, but offer some good capital, whether it was at the Seed level or the Series A level and that's what we're doing at Gula Tech Adventures.
What a great story that you had such early success with your own companies and then that has led you to be able to invest now, which I'm sure gives you a really interesting perspective just on the state of cyber security in general.
So, what's your approach to funding companies in this space? And where do you think capital is moving?
So, it's interesting. When we left tenable, we didn't want to just, you know, write big checks and, sort of be the sugar daddies behind behind some company. Right?
So we started out with writing really small checks, and which might have been big for some people, but the idea is we weren't writing million dollar checks, now we are doing that kind of stuff.
So, initially, our thought was that we wanted to be able to help people find that product market fit, have teams that we could work with, that we trusted, and that also did things that really changed the industry.
The world doesn't need yet another widget that's 5% better than than what's out there. What they need is access to new markets. How do we bring endpoint security to the SMB? That's we're doing with Huntress Labs, for example.
How can we bring two-factor authentication to things like political campaigns, which is what we're doing with Defending Digital Campaigns. So, we're trying to really apply cyber in many, many different areas.
Obviously, we want to get a return, but we really want to invest in things that are going to move the needle for the country.
I think that's very commendable and very needed.
You've mentioned some of the companies in your portfolio, including Huntress Labs. What kinds of companies overall are in your portfolio?
We tend to focus on cyber, and cyber, you can loosely kind of squint your eyes and they say that includes AI, could be IT management; it could be cloud management.
You know, usually if you're adding cyber security into a solution at the end of your IT lifecycle, it's a little too late. Now, you still need things like pen testing and anomaly detection and whatnot.
Really, really good design from the ground up is going to be better. So, for example, one of our companies is called RackTop.
RackTop has a platform that allows you to manage petabytes of data and not have to say that, well, your long term strategy is just to put it in an S3 bucket on Amazon. You can really put controls around it and make it easy to access.
And this is a really important building block. Many people sort of just throw their hands up and say, "Well, we're just going to put endpoint protection and DLP everywhere and not really have a data management solution." So that's the kind of stuff that we really like to look at.
Very cool. Yes, I've was in security sales for quite some time. And I went into quite a few clients who were thinking very specifically more towards that widget kind of conversation to your point.
They were thinking about, "Okay, well let's just put DLP in." But true security is thinking about having a layered posture, having many controls.
So for example, we volunteer a good bit, and I'm on the board of this thing called Defending Digital Campaigns.
So, if you run for congress someday, you have your staff of volunteers who all have different email addresses and personal laptops, and they're doing what they can to get you elected.
You stand no chance if China or Russia or your opposing party comes after you.
Yet when we have direct conversations with these groups we're like, so you have two factor authentication. They're like yeah, and they hold up their Titan keys and say, "oh, yeah, I'm good."
No, you need antivirus; you need patching; you need anti-phishing; you need an understanding of all your assets.
So it's such a complex conversation. The cyber industry has done a good job coming up with widgets all across that spectrum, but not a good job holistically telling people what they need to do.
Yes, and we need to make the conversation approachable for people that might not be cyber security experts. That's something we all really struggle with.
The world has changed quite a bit very rapidly with the COVID-19 pandemic. I'd like to hear if your investing philosophy has changed because of COVID-19.
So, it hasn't really changed. Cyber, in many ways is more important now than ever. Not only are we more dependent upon the networks to get us to work, we're more dependent upon authentication, on encryption, on high availability.
So that has not changed. It's not going away. At the same time, I'm assuming we're going to be out of this by the end of the year.
There is going to be a whole host of new regulations coming from both the DoD and the US Congress. The Cyber Solarium convened and concluded their reports; they made eighty-five different recommendations.
A lot of these are being put into law in Congress right now in a bipartisan manner. This is going to create new types of regulations that are going to really empower CISOs and give organizations some clear guidance on what they should be doing.
This is going to create a huge opportunity for all cyber companies. And even more tactical things like the Department of Defense's CMMC program, which talks about supply chain management, is going to also create a huge opportunity for vetting your people, demonstrating that you've got cyber hygiene, demonstrating that your partners have that kind of stuff.
So I think the future of cyber security is very, very bright. It still is one of our main focuses of investing. We're very excited about the future of trying to keep things safe and secure.
Yes, I recently heard that the DoD is moving forward with CMMC with no changes to the timeline even with COVID-19.
So in a lot of ways, I think that's a good thing, right? Because you don't want to slow the momentum. It already took so long to get it in place.
Yeah, and it's a good program. I mean, it basically simplifies a lot of the things contractors have to do to work with the Department of Defense.
And I think a byproduct of that is you're going to see contractors who work with civilian agencies have better hygiene and be better set up. So, I'm very big fan of this program.
So going back to this idea of investment in the era of COVID-19, I think it's a good thing to hear that cyber security has a bright future and that actually COVID-19 may be accelerating some cyber security investments in the business world.
But I've been hearing a lot that typically now venture capitalists are pulling back or slowing down in making an investment decision. Have you seen that? Are you hearing about that?
So to a certain point. There's different types of venture capital funds out there. So we're limited partners in six, soon to be seven, different funds who focus on cybersecurity.
When COVID hit, everybody put on the brakes because they didn't know answers to some big questions.
Should they restructure their investments so that their portfolio could take advantage of PPP loans? Should they conserve cash, such that the investments they had maybe could do 18 months of runway?
I know a lot of funds where they have slightly different approaches for doing these things. None of them have stopped 100%. They're still taking meetings.
And then there are some venture capital funds that are simply not doing investments right now. The way they're structured, they have to raise money from LPs, and the LPS don't want to put money in. Because they just took a big hit on the stock market.
But having said that, I have not seen any reduction in the number of companies starting right now or the number of companies asking for funding.
You know, if anything has changed, what's changed is the focus. If you cannot pitch, if you cannot install your product quickly, you probably don't have a company that's worth investing in.
And certainly if your company has something that's 5% better than the existing market, for example "my VPN is 5% faster; I detect 5% more vulnerabilities than Tenable; I detect more malware instances than CrowdStrike." That's not a reason to change.
If you're not dramatically changing the efficiency of the workforce, dramatically reducing the threats of what's what's out there, then the company is probably not worth investing in.
So, that part has made things a lot more focused on what people want to invest in. But I have not seen as much of a pullback as people are talking about.
Very interesting. And you are now seeing that some of the best companies are coming to the fore.
It's really weeding out the ones that, to your point, may not have had a solid solution to begin with.
And there are tactical readjustments. Let's say you had a large enterprise, and they were in the middle of rolling out SentinelOne or CrowdStrike.
And now all of a sudden their workforce is working from home. And they're stuck on what I consider a traditional VPN; they do not have a CASB to get to the cloud. In other words, they're hair pinning everything.
Well, maybe that endpoint solution got delayed now. And now we're rolling out a different CASB type of solution, an alternative VPN. That doesn't mean we shouldn't invest in VPN and endpoint companies.
But on a tactical basis, those things can be very dramatic. I have a number of companies where they had sales processes completely derail, and almost across the board, they had new processes or an opportunity open up almost immediately.
So this gets into this discussion about traction. Some companies are really accelerating traction right now.
And some may be kind of getting their feet under them with the new environment, like to your point about how SentinelOne may be seeing projects stalled right now. So what are you seeing overall with cyber security startups and their traction? Are you seeing a general trend? Does it really depend?
So across the board, Q1 2020 was record quarters for almost everybody in cyber security. Now, Q2, we'll see what happens, right?
Maybe there is a lot of disruption. Maybe it's going to be flat, and it's going to be down a little bit.
We've seen some IT budgets get completely blown up. And we've seen other IT budgets get completely, you know, have sort of the spending caps or the CIO and the CFO, more or less say the budget is unlimited.
So it really depends on what you're doing. I have a couple companies who were with the cruise lines, and guess what, they're not doing that well. Hotels are not doing that well.
So if you happen to have a services business or a product that was catering to that, they're not going to be doing that well. So there will be some softness. On the other hand, cyber is still a very, very important thing for a lot of organizations.
So specifically for startups, when you're small and you're getting your first customers, you're very intimate with them.
If you're in a situation where your intimate first 10 customers are spending money during COVID, you're seeing no change. If unfortunately, you were dealing with maybe movie theaters, hotels and cruise lines, you might have seen 50% or 60% of your business disappear, and now's the time to optimize and change and find new customers.
There's always a crisis when you're a startup, and COVID just gives everybody a common crisis.
What's your advice on how startups can weather the pandemic?
Anybody who raised money in late 2019 or early 2020, if they raised enough, then they thought they had 18 months of runway.
If they focus on things like hiring freezes, not going to conferences and not traveling, then they might have 24 months of runway.
Well, if you're a startup and you say I have 24 months of runway to work on my next two or three product releases, I'm seeing across the board that people are pulling in their roadmaps.
If you can pull in your roadmap and still demonstrate you have some revenue, when you're a small company, that's huge. Because if you can demonstrate that you can deliver a roadmap and you can get customers - this is going to sound you know, kind of crass - but it really doesn't matter if you're a million dollars in revenue, $2 million in revenue, you might be able to actually, you know, bring in a roadmap that you were shipping in 2021 sometime this year, that could dramatically change your outcome as far as being of interest to potential acquirers.
For example, Protego and a number of other companies have been acquired recently. Palo Alto recently also acquired a couple companies where the revenue wasn't a huge market.
These larger organizations are making acquisitions ahead of those markets, so they can stay relevant against Amazon and Google and whatnot.
The more people that can demonstrate innovation and ability to ship, that's really, really good.
So that's my biggest advice for people. If you've raised money, pull that in and ship your roadmap sooner rather than later.
What about startups that are getting ready to raise? Or were in the midst of their next round when COVID started?
So the question is, do you need the money?
If you absolutely need the money, the question is, what do you need it for? I just had a pitch last night from a company that wanted to raise between half a million and a million.
What is it? You know, are you gonna raise half a million and hire engineers? Are you gonna raise half a million and hire salespeople? What if we gave you 1,500,000?
I think a lot of founders are very technical, and they should be just as technical about what they're going to do when they raise these things.
So, if you told me, "I want to raise $400,000, and I'm going to hire four $100,000 a year entry level engineers. And within 18 months, I'm going to pull the current roadmap in."
Well, now as an investor, I could really kind of play return on investment and determine where this company is going to be. So none of that has changed with COVID.
People are still sort of being nebulous about, well, let me see what the market can kind of give me and stuff.
The best way to be effective about your fundraise is being very specific about what you want to accomplish, and then let the market decide what kind of valuation they're going to put on that. So that hasn't changed with COVID.
So you mentioned earlier that you think we'll be coming out of this COVID situation hopefully by the end of the year.
What are your projections for a post COVID cyber security VC environment? Do you think we'll see changes again?
I think there's going to be two or three things that are going to be impactful.
So one, the federal government is going to be spending a lot more money. And when I say there's a lot more money, we're talking about very, very large procurements for just really large things.
I hate being vague, but I think there's going to be a lot more spending coming. And predominantly, you don't see with cyber startups a focus on US government. It's kind of looked down upon, right.
And, even with Tenable, we were doing $50 million a year, and I still remember people saying, "Oh, yeah, you're all government services." We were like, "No, no, it's all product." And a lot of it was commercial.
I think that late this year, early next year, you're going to see these very, very large procurements. You're also going to see a change in the way the DoD is buying things.
If you look at things like Cyber Command Stream Court or DIU. A lot of people think that these are the same things as In-Q-Tel.
The reality is that they are very, very rapid ways for the federal government and the DOJ to buy cyber technology, AI technology, and drone technology. And if this is not on people's start
up radar, they are going to be missing out.
That's going to be one of the big changes that are coming in. And then the second big change is that CMMC and the new types of disclosure laws, like the California CCPA, those are going to be nationwide.
Those are all going to be reasons for small businesses and large businesses to look at and reassess their cyber program. So that's going to be the market going down the road.
Now, are there going to be less companies or are small businesses going to go out?
Are we not going to go to theaters anymore? Not going to restaurants anymore? I have a hard time predicting that.
I kind of think we're going to go back to the way things were, maybe within two years, but certainly you're going to start seeing some major changes back to normal. I think by the end of the year, if not sooner.
People will want to go back to the way things were. But what happens if those businesses don't have enough capital to wait? Right?
If the smaller movie theaters or the smaller businesses, who would want to reopen, couldn't weather the shutdown?
Well certain things like restaurants and shopping malls, their business models were kind of on the downward anyway, right?
We already saw that happening. I mean, one of the big things with COVID is that we're accelerating a lot of these changes.
People would rather buy online than go to a shopping mall.
Until you go to a shopping mall, and you realize there's a lot of other social aspects to being around people.
The human race has done a really horrible job of predicting the future. Are we going to spend more money with Amazon? Sure. What if there are 10 times as many competitors to Amazon coming up?
It's an interesting time to really try to break into those things.
It is. I really love understanding things like behavioral economics and how our brains work, and you're right, we are terrible at predicting the future.
We predict linear change, and we're not built for exponential change. And COVID-19 is a perfect example of this.
It looked like there weren't very many cases until everything just exploded because we were on an exponential growth curve. And when you apply that to the business world and how technology could really change the future, it's hard for many of us to grasp.
That's well said, that's well said.
And, you know, one of the things that's kind of going on with anybody working from home is that they're all kind of doing their own IT.
And with that in hand, what's the IT workforce of tomorrow going to look like? Are we going to be able to do a better job to recruit minorities of all types into the field of cyber?
I like to think we can. I mean, every stereotypical little girl that's home right now saw mom or dad bring the computer home and work from home. And get the VPN working, get the camera working.
That's all stuff that we're exposing a whole generation to right now, which I think is just amazing.
There are some exciting changes.
It's also interesting to think about the kids that are now going to school online. Where before they've just been in a classroom.
How many of them will want to continue doing so? Will we see even more changes just to education, which could roll into how people think about their careers of the future as well?
It's very interesting.
So, we've invested in three different sort of education programs.
One is the National Cyber Education Program.
It's a partnership with Discovery Education, where they're trying to basically fold computer science and cyber security into into common core.
Another one we've invested in is Cybrary.
Cybrary has done an amazing job during this time as far as meeting the demand of more home users who are taking the opportunity to do more training.
And they're also embracing businesses who want to take their certain cyber stack, and then you know, basically work with Cybrary and entice people who have those right certifications to come work with them.
And then lastly, we invested in another company called Catalyte. Catalyte can help procure full Scrum teams anywhere you want in the world, predominantly in the US, though.
And with this sort of angst over having Dev teams done outside of the US, they're going to be sitting quite well as people want to move that stuff back to the United States.
I think it's going to be a very interesting world once we do more things here in the US.
I've been also watching this trend around how some things may actually get outsourced too, though.
We used to want everyone to be in the office. I think it was something like only 5% of the workforce used to work from home.
And now organizations, including IT teams, can see that, well, people can work from home and they can get things done.
Will this help drive different attitudes about outsourcing? So I feel like we're at an interesting time as we rethink how we work and how we get tasks done.
Yeah, it's one of the things I don't know enough about are these these building organizations.
So, for example, I'm in the Washington DC, you know, Maryland, Virginia, DC kind of kind of Metro system, and we've got a huge corporation, right here in Columbia, Maryland, where they're building the new Tenable headquarters.
And if you are a large enough organization, where you have to think about your campus and your building, you don't realize that those companies are actually working hand in hand with the cities and with the economic development teams.
So the question is what happens now?
What happens now to those plans and stuff. Everybody's working from home? What changes?
Because the plan was, let's create these pockets where the millennials who don't want to have cars can be in an apartment, so they can basically walk to work.
If you look across the country, that's kind of what you're seeing. That's why there was such a draw to big cities, but also to what I consider these urban hubs, where you have these kind of pockets of high net, high paying jobs, with cool places to live for young people who don't want to have cars.
Now if that gets changed after COVID, who knows what the world's going to look like?
It's an interesting time to be alive as we see these changes.
Well, Ron, I'd love to hear if you have some last thoughts for our listeners today.
If someone's working in a startup, if they're thinking about having a startup, what would you advise them to do if they were to focus on one thing right now?
They should be able to think about their business, and what I call the five slide pitch deck.
And I blogged about this. I've told people to steal this, but it's about focus.
First thing is what problem you solve.
The second thing is how do you solve it?
The third thing would be, can you have some sort of proof to do that.
Fourth thing is, if somebody was going to help you with an investment or some advice, what do you want from that? What are you going to do with that money?
And then lastly, do you have a vision for what the world is going to be like when you're successful?
If you can't answer those five things, and you can't answer them consistently to your spouse, your co-founder, your employee, the media, your investors and your customers, you're probably doing something wrong.
You're probably not being honest with yourself about the problem you solve. And it's okay not to have those questions answered.
But if you don't know the answer to them, then you know, you got to have an answer there.
One of the questions I always ask people is if I invested a million dollars in you right now, or if I bought your company for $4 million, $5 million today? Would you be happy?
You know, is this your goal, and if you don't know what those goals are, and you can't reverse engineer back from that, you're probably not being honest with yourself.
And I've talked to amazing cyber engineers who can do reverse engineering, who can find threats and botnets and commands, and who don't know the first thing about taxes, or what it means to make a million dollars versus $10 million dollars, and what it means for their employees if they're making that kind of stuff.
So they need to have that sort of full view of everything that goes on in their business.
If they don't, they're probably missing out on something.
Great advice, Ron. I think the advice to focus and really think about who you're serving will help everyone all the time, even if we're not in a COVID-19 situation.
Thank you for your time today. It's been great having you on the show!
Thank you and good luck.
Stay healthy. We'll get through this. And thanks for the opportunity to share some thoughts today.
And that's a wrap. Thank you for joining us for this episode of Security Economy. Check out our episode lineup at battleshipsecurity.com, and don't forget to subscribe. See you next time.