164. The Cat and Mouse Game of Cyber Security — Israel, CISOs, and GDPR (Yoav Leitersdorf)

Yoav Leitersdorf of YL Ventures joins Nick to discuss The Cat and Mouse Game of Cyber Security — Israel, CISOs, and GDPR. In this episode, we cover:

  • How the emergence of new technologies has changed cybersecurity
  • The framework to think about cybersecurity from a VC perspective
  • Where innovation in cybersecurity stems from and how VCs impact this innovation
  • Industries that have the most volume of devices and are the most threatened by breaches
  • The purchase drivers for CSOs/CISOs today and how they determine ROI
  • The impact of GDPR on the cyber industry
  • Asset-centric vs threat-centric approaches toward information security
  • The cybersecurity Cat and Mouse analogy
  • The biggest misconception of cybersecurity


Quick Takeaways:

  1. YL Ventures is the only seed-stage-focused VC investing in Israel and based in SF.
  2. YL uses a special research platform to track activity in Israel and search for potential investments.
  3. The cybersecurity industry is still emerging and fueled by fear, uncertainty, and doubt. With an ever-present threat of breaches, security budgets perpetually increase.
  4. VC investment opportunities are either a) Blue Ocean or b) existing enterprise. Blue Ocean opportunities include startups pursuing solutions for advanced fields, such as autonomous cars. Existing enterprise opportunities assist CISOs (Chief Information Security Officers) with efficiency, automation, and organization.
  5. The majority of improvements in cybersecurity come from startups; they are more efficient in driving progress than traditional corporations.
  6. Strong Israeli intelligence backgrounds make for strong startup founder profiles. YL openly critiques founders and suggests different solutions. YL’s EIR program allows founders to work within their offices, allowing access to customers and research.
  7. The medical device industry has the most potential for startup growth. Many IoT medical devices are run by antiquated software and lack basic encryption. Now every large hospital has a CISO.
  8. Cybersecurity is now a board discussion: boards can quantify and understand the potential losses from a cyber-attack. ROI is determined by how many analysts an automated system can replace.
  9. GDPR in Europe creates pressure for all multinational companies to improve their cybersecurity, expanding the sector.
  10. Cybersecurity threats impact more than just one singular asset. It’s important to have a combined focus on asset and threat-centric security.
  11. The field of cybersecurity is a cat and mouse game, yet the gap is increasing. Hackers advance in sophistication, leading to more R&D. There will always be a demand for improved, more robust security resources.
  12. Common investors are becoming wary of cyber investing, due to saturation. Expert investors see this as an opportunity: they can choose the best startups and founders from a large pool of options.

Transcribed with AI:

0:03
Welcome to the podcast about investing in startups, where existing investors can learn how to get the best deal possible, and those that have never before invested in startups can learn the keys to success from the venture experts. Your host is Nick Moran, and this is The Full Ratchet.

0:22
Welcome back to TFR for a good one. The long-awaited topic of cybersecurity is on the agenda today. It was we bring in cyber expert Yoav Leitersdorf at YL Ventures, the only SF-based venture firm investing exclusively in Israeli-based startups. In this episode, we discuss changes in the cyber industry, how Yoav frames the sector, where the best innovation comes from, an outbound approach to deal sourcing, the prime issues facing today’s CISOs and CSOs, his take on GDPR, and durability of tech in the constant cat and mouse game of cyber. I had a really fun time speaking with Yoav. I hope you enjoy it. Here’s the interview with Yoav Leitersdorf of YL Ventures.

1:12
Yoav Leitersdorf joins us today from San Francisco. Yoav is MD of YL Ventures, which invests in brilliant Israeli tech entrepreneurs at the early stages. They’re based in Silicon Valley and Tel Aviv and manage $135 million across three funds focused on seed-stage deep tech B2B companies in the fields of cybersecurity, enterprise software, and autonomous vehicle technologies. Yoav is a serial entrepreneur and investor, starting his venture career at DFJ Gotham, and subsequently founding YL. Yoav, welcome to the show.

1:46
Thank you, Nick. It’s a pleasure to be here.

1:48
Yeah. So tell us your backstory. How did you sort of get involved in tech and transition to venture?

1:53
Sure, sure. Well, I started programming when I was seven years old. That’s when I first touched a Commodore 64. And I basically spent most of my childhood and my teenage years programming out of my bedroom. By the age of 16, I already started my first company; it was called PC Entertainer magazine. And it was kind of very similar to CNET in that it was mostly content and reviews of software and hardware and games. I sold that company when I was 18. And then I started another company when I was 21. That was in New York City, a company called ExchangePath, which was very much like PayPal. We sold that when I was about 23 and a half to CMGI for about $25 million. And that was my my first big taste of victory. Yeah, that was great. After that, I ended up going to business school. I started at IMD in Switzerland and went to Columbia Business School in New York. Again, I actually don’t have an undergraduate degree. I was the first person to get accepted to Columbia Business School with no undergraduate at all, not even a day of undergraduate. And I ended up being the President of the private equity club there. And that’s when I also worked for DFJ Gotham, the VC in New York, learned a lot about VC from that whole experience, and then graduated and started a company in the UK called Movota, which was mobile games that are synchronized to TV shows, sold that within a year and a half to Bertelsmann, the big German media company, and started working there, was supposed to be there for two years, but left after one year, because the companies were not, were not for me. And that’s when I spent a few months thinking about what I was going to do next. And my idea was to start a new venture capital firm, which is different in many respects, different from the VCs that I’ve known thus far. And that’s how I got into venture. Got it. So when did you start the firm? Well, I started the firm in 2007.

3:47
Got it. Okay. And then first fund was, can you give us a sense of the size?

3:51
Sure. The first fund ended up being in the high teens. The reason it changed was because it was actually a fund family: there was the base fund, and then there were a couple of co-invest vehicles and other other vehicles that were tagged onto it. And so you know, that was the first vehicle, and that was in 2007. And then the our second fund was was in 2013. And that, including its vehicles, was 37 and a half million dollars. And then the third fund was just last year, was raised last year in 2017. And that was 75 million. So in total we manage $135 million today.

4:30
Got it. So Yoav, why launch your own fund? Why not just, you know, continue with DFJ Gotham or join another venture firm? You know what, why did you want to do it yourself?

4:39
Yeah, I certainly thought about applying for and trying to join other firms at that time, but I felt like I needed to do my own thing. I felt like I needed to, I needed to create my own my own brand, my own strategy. I’m an entrepreneur at heart. I mean, obviously I started, grew and sold three companies before becoming a VC, and becoming a VC didn’t mean that I lost my entrepreneurial edge. Actually, on the contrary, I just, you know, became more and more of an entrepreneur. And when you’re an entrepreneur, you really like, you know, charting your own path, creating your own entity. And I had a strategy that was different from from what everybody else was doing. And of course, I can tell you about that.

5:17
Yeah, tell us about that. I mean, I definitely share, shared sort of, I think we have it in common that we both wanted to start our own thing. And I think there’s some similar reasons, but but we’d love to hear more about the firm and kind of what the original thought process and origin story was there.

5:33
Sure. So we, and now we’re 13 full-time people. So I mean, when I say we, I actually co-founded the firm with a gentleman called John Quigley, who for many years managed the private equity assets for the Princeton endowment. He really helped me get the fund off the ground. So I did have a co-founder. And it’s always been a we, and the strategy that we set out. And you look at us today, it’s actually very different from from many other venture venture firms. So I’m originally from Israel. I live in Silicon Valley. I’ve been here for for many, many years now. But I still have my roots in Israel, and a very, very deep network over there, as I do here. And here’s where the strategy is unique. We’re the only seed-stage-focused VC that’s investing in Israel at seed, and headquartered outside of Israel, and especially, especially headquartered in Silicon Valley, which is, you know, the place for, for tech VCs to be to be headquartered. So most other seed-stage VCs investing in Israel are Israeli VCs. They’re, they’re based in Israel, all the partners are in Israel. And you know, that’s where most of their network lies. But we’re over here, you know, many thousands of miles away, but we’re in the tech epicenter of the world, where we have access to literally thousands of potential customers for our portfolio companies, distribution channels, hires, follow-on financing. And that’s really what we do, and the way we differentiate ourselves. And the reason that entrepreneurs come to us time and time again is because we’re here, because we have all the relationships here, and we leverage these relationships for our entrepreneurs. So the network is wide and deep, gets our companies accelerated very fast with these relationships.
And at the same time, we’ve over the past 11 years, we’ve developed pillars of of strategic assistance and value add to our portfolio companies in every every area that they operate, whether it’s marketing, finance, business development. I mean, in every area, in every area of discipline, we’ve got processes, we’ve got people that help accelerate the companies. So being a YL Ventures portfolio company means you’re not just getting dollars, but you’re getting a lot of expertise. And most importantly, you get to be part of a very, very good and large network.

7:51
Got it. Got it. So the entrepreneurs want to work with you, because you’ve got that that connectivity to the rest of the valley and the talent sources, the capital sources and otherwise.

8:00
Yeah, and I would say, not just the rest of the valley, I would definitely say the rest of the of the US where they are, we’re constantly involved in customer introductions, customer engagement all over the country, whether it’s the northeast, whether it’s the Midwest, whether it’s here, we do travel a lot, and also the rest of the world, mostly Europe, I would say outside of the US, I’d say Europe is number two for us. And we have a lot of customer relationships over there, and less so in Asia and the rest of the world.

8:28
Got it. But you do have some some boots on the ground in Tel Aviv. So for meeting with the founders.

8:33
Yes, absolutely. So the team of 13 is split across here and Tel Aviv. Every person in the company has value add responsibilities towards our portfolio company. So that is the, you know, where we spend most of our time is actually working with the companies that are already in the portfolio. But we have at least five or six people who are, we’re also have a very large focus in identifying new investment opportunities. And I will tell you, another thing that makes our firm unique is that most of our deal flow is outbound rather than inbound. It means that most of the companies that we end up investing in are not companies that came to us knocking on our door, sending us an email or getting introduced into us, but rather, these are folks that we have found through our own research. And, you know, bear in mind at this seed stage, so there’s very little information out there, but we find them, find them early. And we pick up the phone and contact them, and that’s been, that’s been the majority of our of our deal. So

9:27
Got it. Can you talk about some of those approaches you employ to find startups?

9:32
Yeah, absolutely. So there’s actually a really good Wall Street Journal article about us, about this specific part of our of our of our business, which I think is the, you know, the best piece of content out there about what we’re doing. We’ve got technology that we’ve developed in house. We actually have engineers on payroll and working, working at YL Ventures. We developed technology, we we keep it to ourselves. It’s not something that we provide to others, but essentially we’re tracking about 100,000 people in Israel, which is our our target market for for investments. We’re looking for activity or clues as to activity, alluding to folks who are about to start a company, whether it’s because they’ve just left a VP position at a company that we’re tracking or any any other any other signal. There’s there’s hundreds of different signals. And then we have a team that, that an outbound team that reaches out to those individuals and have over 100 different outbound outreaches per month. You know, there’s a couple of dozen that are highly relevant. And then some of those end up becoming investments.

10:34
Got it. So we briefly touched on some of the investment areas that you guys invest in, one of which is cybersecurity. I’ve read some of your content, it seems like you guys are thought leaders, and certainly investing in some of the great companies innovating in that space. So I’d like to kind of go deep on cyber today. Can we start off with sort of how the, you know, the industry, the cybersecurity industry has evolved? And can you touch on some of the emerging technologies in the area?

11:01
Yeah, absolutely. So my first cybersecurity investment was in 2010, in a company called Seculert, which has since then been sold to Radware. And that was a classic, advanced persistent threat detection company. That’s how it started, kind of grew into malware detection. But you know, cybersecurity as a whole is, is a relatively young industry, the way it is defined today. You know, of course, there were elements of this dating all the way back to the 70s and 80s, you know, some some early remnants of cybersecurity, but today, it is a very well developed industry selling at over $100 billion a year. And that’s products and services, not including payroll, worldwide. So I mean, it is a big and growing industry. And it’s also very fragmented, lots of different players big and small. It’s it’s a unique industry, in that it is fueled by fear, and by losses. Losses are now amounting to trillions of dollars a year worldwide from cyber attacks. And so this whole industry is here because there are thousands of criminals, that could be nation states, it could be a mob, it can be teenagers in their bedrooms, hacking away, lots of different types of cyber criminals, but they’re super advanced. They’re very smart. They they’ve got very strong motives. You know, many of those are financially oriented, others are motivated by other other things, but they are a very strong force to be reckoned with. And the cybersecurity industry is the industry that’s been spawned to help enterprises, governments and individuals protect themselves from cybercrime.

12:37
Got it. Yeah, I used to work for a company, I’m not gonna, I’m not gonna name the name of that company. But the sales guys would always talk about their FUD campaigns. Yeah. And when I was when I was new, I was like, What the heck is this FUD? And the head of sales said to me, well, fear, uncertainty and doubt. He’s like, you can try and sell hopes and dreams, or you can try and sell utility and value of something. But if you really want to sell, you sell FUD. Yeah,

13:03
yeah. And you see that today, you know, you look at the security budgets, which by the way, are always increasing. We just had a meeting this morning in San Francisco with the chief information security officer of a public company, one of the one of the most well, well known companies in Silicon Valley, and we were, we were discussing the budgets and, and the CISO told us that their budget, their security budget has never decreased. It’s almost always increased, or in a handful of years, it’s stayed the same, or just a few years have stayed the same. But usually, it’s, it’s increasing. And that’s, and that’s unusual. I mean, typically, as you go through cycles, boom, bust, etc., you’ll have, you’ll have budgets, IT budgets going up and down. This is the one category where it’s always going up. And it’s going up for many reasons. So the, you know, and this is stuff that we can, we can touch on, the growth of the attack vector. So the the, you know, there’s, there’s more and more ways to attack an enterprise. That element of fear results from attacks are actually going on. So companies are seeing their peers blow up. You know, when a, when another company loses 30% of its market cap due to a cyber attack, I mean, you can imagine what that does to the cybersecurity budget. And then there’s compliance. You know, GDPR is the latest compliance bomb that hit the hit these enterprises, and so they have to comply, they have to comply fast, otherwise they face fines, and that that also contributes to these, these budgets.

14:31
Got it. Yoav, can you can you give us a framework to think about cybersecurity from a VC perspective? You know, how do you think about the industry and how do you sort of frame up cyber?

14:44
Yeah, absolutely. We’re looking for opportunities and gear to invest in in two different types of situations. The first one is what we call blue ocean opportunities. And this is typically when when new technologies or new industries or new areas of business are occurring aidid and security is an afterthought. But security is a very important afterthought. So, you know, some good examples there are, you know, connected cars, autonomous vehicles. You know, that’s really cool. But if you don’t secure that against hackers, then then that’s, you know, that’s gonna die very quickly. And so, you know, shortly after, you know, when connected cars came on the scene, that’s when the security pure-play vendors for securing cars started. And that’s when we invested in Karamba Security, which is now today the leader in connected cars and autonomous car cybersecurity. And another good example is virtual containers, Docker, as the kind of poster child of virtual containers. So when that started taking off, you know, everyone was really excited to take advantage of containers. But then, you know, the afterthought was, oh, we also need to secure them. And that’s when some of those vendors came out. And we invested in Twistlock, which is today the leader in virtual container security. So these blue ocean opportunities where there’s a new market, and you know, you need to secure a new market, you know, that’s, that’s, you know, the first category of opportunities we look for. The second category is not necessarily, it’s not necessarily blue ocean, but but really what we’re focused on is, we’re focused on the CISO, the chief information security officer, and we’re looking at, you know, what’s, what’s their concern?
What are their concerns, what’s top of mind for them, and even if it’s in a plain vanilla area, such as vulnerability management or automation, automation of the SOC, the security operations center, automation of researching and remediating incidents, cybersecurity incidents, all of that stuff. I mean, this is not necessarily what you would classify as blue ocean. It’s not like there’s a new industry that needs to be protected. But actually, it goes into the nuts and bolts of the of the CISO job. And it’s not just the CISO, it’s it’s the dozens or hundreds of or thousands of people that the CISO is is managing. There’s their workflows, there are there are basic operations, and those operations need to be made more efficient, especially since the number of attacks is growing exponentially. Also, the sophistication of attacks is growing, and security professionals are harder and harder to find, and they’re very hard to retain. They’re actually some of the, the churn on security professionals is some of the highest in technology. I think the average for a SOC analyst is about 12 months on the job, and then they leave. And so you know, as a CISO, you need automation, you need orchestration, you need to organize your shop. And so the whole other class of of investments that we make are, are in companies that help make the CISO and his team more efficient.

17:35
Got it. So it’s those two kind of broad categories, emerging markets, blue ocean, and then existing enterprise and, you know, common challenges for CISOs.

17:43
Yeah, the number two area there, you know, we kind of coined it. I don’t, I don’t think I’ve read it anywhere. But basically, we’re looking after the CISO is, is really what we’re doing. We’ve got hundreds of CISOs in our network, and we talk to them every single day. And we listen more than we talk. And we’re basically just listening to what they need. And we try to find the best companies in Israel that can address their needs. And these are mostly US CISOs. I mean, we do have a network in Europe, as I mentioned, but but really, you know, 85-90% is CISOs in the United States, and what and what their issues are, you know,

18:15
Yoav, you mentioned before that you kind of monitor top talent that may leave a particular enterprise or otherwise, and look for what they’re doing next, and where they’re innovating. I’m curious to hear your thoughts on whether you really think that the biggest and best innovations in cyber are going to come from startups, or if there are other sort of centers that are producing, you know, some of the best sort of cyber detection and cyber prevention technologies out there. So yeah, how do you consider sort of your involvement as a VC when it comes to some of these other progress centers for cyber versus, you know, the innovation coming out of startups?

18:54
Yeah, so there’s a lot to say there. First of all, I will say that some of the corporations are very good at at, at setting up labs and setting up research centers where they where they can actually come up with with new technology themselves. Some names that come to mind are Akamai or RSA. Those are both very good, and there are others. But I will tell you that in this industry, in cybersecurity, the vast majority of the innovation is coming from startups. And it’s been like this from the very beginning. And so the cybersecurity industry is this enormous consolidation play. It’s all, it’s, it’s consolidating all the time. What happens is startups come up with the innovation and can execute much, much faster than the corporates. I mean, it’s probably a 10x factor, how fast that startup can execute. So, so a venture-backed startup could probably come up with a with a good product, new product within about a year, where where it could, it could take a corporate, you know, up to 10 years to to build something new, or never. And it’s really, it really has to do with, you know, red tape and corporate processes versus the the agility, the scrappiness and the, you know, some of the quality of the people that we find in in startups. Not to say that corporations don’t have great people, but the the entrepreneurs that can actually secure funding, you know, four or $5 million seed rounds, and then A rounds and B rounds, you know, there’s a, there’s a bit of a self selection there. And you really, the ones that are, the ones that end up partnering with VC firms like like YL Ventures, and some of our peers, end up being some of the best ones. So they execute super fast. And what happens in terms of this mass consolidation is as follows. Eventually, the entrepreneurs and the VCs exit. You know, they end up wanting to sell these companies eventually.
And that that happens very frequently in security. That’s when the entrepreneurs and the VCs get the return, at the same time, to large corporates. You know, the big vendors, such as IBM Security, Symantec, and many others, Proofpoint, you know, they, they, they need to acquire, because that’s how they get their innovation. They’re not, they’re not generating enough innovation in house from their own engineers. And so you know, they have the need to acquire. And so that’s what they do. And the third leg to this, it’s actually a three-legged stool, is the customers. So those CSOs that are in our network that we talked to every day? Well, they they’d rather buy from the smallest number of vendors possible. So you know, if they’re, if they’re now, they’ve got products from 100 different vendors, they’re actually constantly trying to reduce that number. They’re trying to buy from, from less from less people and remove complexities in their purchasing process, and, you know, managing vendor relationships, etc. And so the customers are also encouraging consolidation. They’re encouraging, you know, the, the security vendors of the world, the larger ones, to acquire the small guys, because they’re saying, Look, you know, we’d rather actually buy, you know, all these system components from from from one software vendor. Can you please find yourself a company in this whatever space, you know, startup to acquire? And so and so that’s, you know, it’s three forces that are working together to to make this one of the most acquisitive industries in the world. There have been well over 600 M&A transactions since the 2000s. It’s a very very acquisitive space.

22:24
Got it. Well, you know, keeping with the startup focus, you know, how do you decide which areas to monitor for outbound opportunities? You know, when it comes to sourcing? Are you, you know, where are you searching? And where do you think may the biggest opportunities remain unaddressed?

22:40
Sure. So I mean, the way we do it is, and I think the only way to do it well and profitably is to listen to the customers, to be in touch with the customers and meet with them on a regular basis and make that a core activity of the of the firm. Like I said, this morning, we were with a CISO in San Francisco. We also spoke with another CISO this afternoon on a video call. And you know, that’s where we get our information. So that’s where we get a really good feel for what’s what’s needed out there, what’s required. Now, sometimes the this the CISOs that we speak with actually don’t have the answers or don’t know. And sometimes it’s because because of blue ocean areas. You know, they they haven’t yet, you know, if you think two or three years ago, many of them have not yet even implemented virtual containers, and they wouldn’t be able to tell us that we should look for a virtual container security investment opportunity. So when we’re talking about Blue Ocean stuff, we really, I mean, this is the cutting edge of our research. This is where we have, you know, we have entrepreneurs in residence. And that’s, that’s beyond the 13 that I told you about. We have engineers in residence. We’re constantly reading and constantly thinking and constantly talking to try to figure out what the next blue ocean area might be. But like I said, the conversations with the customers, I mean, that’s really fueling our, our priority list. And by the way, choosing to invest in Israel, I think was the was a good move for us, because Israel is the number two place in the world to find cybersecurity talent, second only to the US. And I’m talking in absolute numbers, you know, it’s not in relative numbers.
And the reason is because Israel is so defense oriented, has such strong intelligence units within the Army, that are doing a very good job of training the soldiers in both offensive and defensive cyber, and turning hundreds if not thousands of graduates every year. Those graduates go on and end up working in other security companies or startups, and a few years into that they they end up, many of them end up wanting to start their own companies, and so that’s when we may find them. And and the way we screen them, you know, outside for looking for, really looking for the best talent, we’re also matching that that data up with, you know, with the priorities as a nation that we hear from the market in terms of, you know, what solutions are required. Sometimes we influence the entrepreneurs, we say, look, and actually, I have a good story about that. Oftentimes, we influenced the entrepreneurs. They come in with an idea that we know from the market is irrelevant or is solved, or, you know, it’s just not not the basis for a company. And we could encourage them to do something a little different, or something completely different. And then and then we back them when, when the, you know, when they’re when their idea matches what we see in the market.

25:33
Got it. I was just going to ask you a few, you know, based on this customer discovery with the CISOs, if you ever considered, you know, wearing your venture studio or venture venture foundry hat and kind of work with the entrepreneurs to address the right problem, as opposed to just, you know, going out with interesting tech and putting that against, maybe a problem that, that doesn’t exist?

25:53
Yeah, so I mean, we do that in many different ways. The primary way in which we do that is through an entrepreneur-in-residence program. We have three entrepreneurs in our office in Tel Aviv right now that are working on on their startups. They’re doing it from from within our offices, and they’re getting the benefit of this access that I, that we have to customers and to, you know, our own our own research. And so we’re helping them build these companies based on what we hear from the market and our feedback. You know, there’s no obligation for them to take to take capital from us, there’s no obligation, we don’t have to invest in their companies. If this, if the stars align, we do make the investment, but but but these fine entrepreneurs can sit in our office and leverage our resources in order to come up with the best fit for the market.

26:39
Got it. So, you know, in the past, I read a bunch of your writing, and I came across that you’re actively monitoring the number of deployed devices across a range of industries, and you’re assessing the cybersecurity risk. I was curious, you know, you mentioned autonomous vehicles, and in a few other sectors before, but I’m curious, what are some of the industries that you’ve seen that have the most volume of devices, and you know, the potential for the most significant and value oriented breaches?

27:08
Yes. So there’s one that really crept up on us, meaning it was not front and center on our radar screen. And all of a sudden, a bit over a year ago, it kind of came out of nowhere. And that is medical devices: basically the vulnerabilities and potential attacks, and attacks that have already been carried out, leveraging medical devices in hospitals and also outside of hospitals, also in the home and other places. We hadn’t really thought about it for years, up until, I think, a little over a year ago. But, you know, we all of a sudden noticed these millions and millions of devices. Today, it’s 100 million connected medical devices in the United States alone. These are medical devices that are connected to the Internet; there are 100 million of them right now in the US. And there’s going to be about 200 million a year from now. Wow. And these devices are some of the most backwards technologies, especially when it comes to cybersecurity, that you’ll find anywhere. Some of them are running Windows XP, which is, you know, not even supported by Microsoft anymore. There are no patches anymore for Windows XP, or other antiquated operating systems. Most of these devices employ no encryption, so all this medical data is traveling over the internet unencrypted. They lack authentication. They lack any basic DLP, data loss prevention. It’s just shocking. There’s really no security in most of these devices. And so what we found is that a lot of hospitals and medical providers, and the healthcare industry in general, many of those individuals and companies are in a bit of a panic right now. Many of them have woken up to this in the last couple of quarters, I would say. And you can tell; we’ve been tracking this. So not only have we been tracking the devices, device types and all that, we’ve also been tracking what the medical providers and hospitals are doing.
And so about two years ago, or even a year and a half ago, there were hardly any hospitals that had chief information security officers on staff. It’s staggering. Almost every large hospital will have a CSO that typically reports to the CIO and is completely charged with protecting the systems in the hospital, and medical devices is really one of the top priorities right now in hospitals and other medical providers. And so we’ve been tracking this for a little over a year, trying to find the company to invest in in this area. And as luck would have it, we found Medigate. Medigate, we’d like to think, is the leader in medical device cybersecurity. We led a round of $5.4 million in Medigate, I guess it was six months ago. We have a co-investor there, Blumberg Capital. And that’s a fantastic team, almost straight out of the Israeli Defense Forces, out of the intelligence units over there, who have been hiring aggressively and tackling this problem. They’re already installed in US hospitals, there’s great feedback on the platform. And they’re just running as fast as they can in order to protect this massive, massive Blue Ocean territory. Love it.

30:27
And, you know, I’m curious, you give the medical example here, and Medigate. If there’s a significant threat event or a hack at a big health institution or health organization, that’s going to motivate that organization to, of course, hire a CSO, if there isn’t one, but definitely employ, you know, some sort of cyber protection, if they don’t have it. But I’m curious to hear your take on sort of the primary purchase drivers for CSOs or CISOs today, in the absence of a catastrophic event. So, you know, how do these folks determine the ROI? And how do they move off the fence to make a purchase decision when there isn’t a significant event, you know, that’s impacting that decision?

31:14
So, well, there are various studies that say that, you know, up to 90% of US companies have already been breached. Now, even if they have been breached, it may be that the breach was not sizable enough to, you know, get to the level that you’re talking about. But, you know, cybersecurity is now a boardroom discussion. So every board member has some fiduciary responsibility to know about the subject and to make sure that the subject is taken care of. I think that every board member can point to at least another company, usually in the same industry, sometimes in an adjacent industry, but usually in the same industry, that has been hacked and that has suffered significant financial damage. And so I think that board members today, boardrooms, understand and can quantify the potential losses from an attack. So those numbers do exist, and they are floated. They’re also discussed whenever companies are taking out cyber insurance. So, you know, there’s a lot of knowledge about what cyber attacks cost. And so that’s one driver of the spending. Another driver, like I talked about earlier, is compliance. So there’s just so much compliance, and it’s accelerating, you know, the depth and breadth of regulation in the US and worldwide. So in Europe, now we have GDPR. But most US companies have to comply with GDPR, because they have European customers. There’s SOX, there’s ISL, there’s just so many regulations to comply with, and it costs money to comply with those regulations. And so that’s driving the budgets as well. The other driver is automation, because I think in the last couple of years, most companies have realized that they just cannot hire enough people to take care of, or to handle, the load that they’re seeing in terms of cyber attacks and also vulnerabilities.
And so oftentimes, they’ll calculate the ROI, you know, ROI for a software solution, by how many heads it replaces, or how many full-time people it replaces. So an automation solution could potentially do the job of 20 or 30 analysts; you know, those analysts cost 200 grand a year, and you do the math, and that’s how you come up with an order. So it’s all these different factors together that end up being considered when they have purchasing decisions made.

33:42
Yeah. So you mentioned GDPR a couple of times. Do you have some high-level thoughts on sort of the impact of GDPR in Europe, and, you know, what we might have on the horizon in the States? Yeah,

33:53
well, it’s already happening. I don’t remember the estimates for the size of the market or the size of the opportunity. I think Gartner has some really good numbers on that. But it’s certainly well into the billions. And that’s effectively what companies need to spend on solutions and processes in order to be compliant. It is a European regulation. However, it’s affecting all multinational companies, because of globalization: every large company, could be in the US or anywhere else, has customers in Europe, and it’s enough to just have one customer in Europe. If you want to continue serving that customer, you need to be compliant. And so it covers many areas, mostly to do with privacy, not so much to do with kind of the classic definition of cybersecurity, meaning, you know, protecting against cyber attacks. GDPR is mostly a privacy-related regulation, but it’s really a driver for the success of a lot of companies. There’s one I really liked but did not invest in, unfortunately, called BigID, which is based in New York, Boston and Tel Aviv, is backed by some of our friends, and is the solution helping companies deal with GDPR. I believe they just won the RSA Conference’s Sandbox Innovation Award, which is a coveted award. And that’s because GDPR is just so important right now. It’s certainly one of the top three topics being data that were discussed in the last RSA Conference, which is the key conference for the cybersecurity industry; it happens usually every April in San Francisco.

35:30
Yeah, it was just about a month ago; there were enough folks emailing me about it. Can you talk a bit about sort of your thoughts on asset-centric approaches versus threat-centric approaches to information security?

35:43
Yeah, yeah, that’s a good question. And sometimes you see companies focused on one versus the other. But we firmly believe that you need both; it’s kind of a yin and yang. And it’s actually quite simple, because, you know, looking at assets and trying to secure assets without having any context as to what is threatening those assets is going to be completely useless when you’re scanning assets, looking for vulnerabilities, which is something that a portfolio company of ours really helps do, a company called Axonius. So we know this topic very closely. You can’t be looking at assets without knowing what sort of threats you’re trying to protect these assets from. At the same time, you know, you can’t really just look at threats without knowing what assets you want to protect. Assets are very different from one another. You know, there’s IoT assets, like your IP-connected fire extinguisher, or webcam, or Amazon Echo running Alexa, or enterprise IoT. There’s other types of IoT, like the automobiles we discussed, or medical devices that we discussed. And then there are PCs, which are laptops, desktops, and then there’s servers, Unix servers, Windows servers. There’s just so many different types of assets. And each type of asset has its own set of threats, potential threats that can influence that asset. And so you’ve really got to do both. And, you know, the best success we find in this domain is for companies that can marry the two very well.

37:20
Yoav, what do you say to those pundits that classify cyber as a cat and mouse game, where even the best cybersecurity companies will not have durable solutions, and their long-term value is not secure? So

37:33
they’re about the cat and mouse game; we’re constantly chasing. So no cybersecurity vendor is going to do well without very strong research and development and evolution and a strong product roadmap, because it’s a moving target. You know, you could go to sleep one night, and overnight, you know, the threat landscape has changed, and hackers are constantly becoming more sophisticated. As a matter of fact, my view is that the gap between the hacking community and the defending community is only increasing, and I feel like they are winning. And yeah, and winning more and more. And that’s why the annual damages from cyber attacks are only increasing. I think I read somewhere recently that it’s up to $3 trillion, either now or in the next couple of years. So I mean, that number just keeps growing. And part of the reason for that is because hackers are becoming more sophisticated at a faster rate than, you know, defenders can catch up. And so that’s actually a piece of very bad news. But it’s good news for this industry, because there’s just always going to be a need for more vendors, better vendors, better technology, more investment. It’s a growth industry because of that. So, you know, I agree with the cat and mouse game. I also agree with the notion that anybody who’s not innovating fast enough is just going to fall by the wayside. We’ve seen what happened to FireEye, for example. It used to be, you know, the poster child of cybersecurity, and it has not performed as well in recent years. And I think part of that is because, I personally think, they might have gotten a little too comfortable with the sandboxing and other products that they had, and didn’t put enough emphasis on innovation and developing the next big thing. So the companies that are doing the best, I can think of Twistlock from our portfolio, are companies that are just constantly thinking ahead.
And, you know, they’re trying to be a few steps ahead. And in many cases, they can even be ahead of the hacking community. And in those few cases, you know, that’s when you’re really seeing outsize returns for investors. That’s, you know, when valuations really skyrocket, is in companies like that.

39:53
Interesting. What do you think is the most misunderstood thing about cybersecurity? Well,

39:59
There’s something that’s going on right now, which actually I really don’t mind, which is, there are more and more investors that are not investing in cybersecurity anymore, that are kind of leaving the space and not doing more investments. And their reasoning is that there’s too much competition among vendors, that there are just too many cybersecurity vendors, which means that every company you back, you end up having more competitors. And it also means that chief information security officers are flooded with vendors that are pitching them products. And so because of that, they’d rather stay away and do something else. For me, it means that’s competition, VCs that have traditionally been competing with us; if they’re leaving the space, you know, that’s more for us. We see no problem in the fact that there’s more, I call it more noise in the market. I think that the amount of signal, or the number of good companies on an annual basis, is still the same or growing. So there’s still, you know, the few really, really good companies. And then there’s a massive amount of companies that are not worth backing. I mean, last year, we looked at 400 security companies, and we only invested in two, which is about half a percent. So we’re really trying to go for the cream of the crop, you know, the top less than 1%. I think that if you’re going to be investing in security, you need to be an expert investor that can really find that signal and separate it from the noise, you know, find the needle in the haystack. To do that you need serious deep expertise and relationships. You know, many times a lot of these investments, a lot of these vendors, look the same. But you need to have the skills to go in and be able to differentiate and find the best ones. Now if you’re able to find the best ones, then the amount of noise doesn’t really matter.
You know, it just means that it’s a little bit more work, but it doesn’t matter that there’s more noise. And on the CISO side, you know, them being overwhelmed with vendors, well, this is where we also cut through with our relationships. I think it’s 1300 CISOs now, some number like that. We are able to basically take our portfolio companies almost through, you know, the back door or, you know, the VIP line. When we go to our CISOs, our relationships, and we point to a vendor that we’ve invested in, we’ve essentially vetted that vendor for the CISO. And so, you know, a lot of them rely on our vetting, because we’ve been fortunate to have had a good track record with these companies. And so, you know, our companies get sort of preferential treatment. So, you know, we’re able to handle both concerns of other investors that are making them exit the business.

42:39
Pretty valuable and unique approach that you guys have, maintaining these relationships with the CISOs. Not only are you getting your recon, and you’re kind of discovering where the opportunities lie, but you also have the natural customers for all the companies you’re investing in, which is kind of a nice virtuous cycle.

42:57
Yeah, absolutely. And it’s kind of the bedrock of our strategy. Certainly it’s the biggest driver of our returns.

43:07
Yoav, if we could cover any topic here on the program, what topic do you think should be addressed? And who would you like to hear speak about it?

43:13
I’ve listened through many of the, what is it, about 200 or so episodes, almost, just about? Yeah. So I find the content extremely interesting. I think your speakers are outstanding; I find the podcasts captivating. And actually, I look forward to listening to the ones that I haven’t heard yet. I would say, I think you should go talk to some of the co-investors that we have. I feel I’ve been very fortunate to share the boards of directors of some of these companies with some very, very smart people that I really look up to and that I learn from every day. And some names come to mind. So I think it would be great if you had Alex Doll from Ten Eleven Ventures on your show. He’s another cybersecurity-focused investor based over here, an absolute genius of a guy. Another gentleman is Brendan Hannigan, from Polaris. He’s based in New York. And he’s another person I’ve learned a lot from. He used to be the general manager of IBM Security, which was a $2 billion business when he was there. Unbelievable company builder. Another gentleman I’d point out is Chris Thomas. He’s based in Detroit. He’s with Fontinalis Partners. He’s on the board of Karamba Security with me, and he’s an automotive investor, so not security. But Karamba is cybersecurity for autos; YL Ventures brings in the security expertise, and he brings in the automotive side. And so I’ve learned a lot about automotive from him. And so those are three people that I’d be glad to introduce you to, and I hope that they come on the show.

44:49
I appreciate that. That’s great. So you’ve mentioned a few of your key influences, but is there one in particular that’s one investor that’s influenced you most?

44:59
I’ve been fortunate to have worked with a lot of great VCs, and I think that from each one you learn something, hopefully you learn a lot. And I think it’s kind of the combination of those. The one individual that I’ve learned from the most is John Quigley, who co-founded this firm with me. He’s been doing private equity since the 1980s. He’s now retired. He was previously at Adler & Shaykin and some of the private equity houses in New York. He’s the one that by far taught me the most, over a period of over 10 years.

45:32
And then finally, just to wrap up, what’s the best way for listeners to connect with you?

45:36
Email yo up at Wild ventures.com

45:39
Perfect. Well, Yoav, thanks so much for doing this. This is a lot of fun. I’ve heard so much about the firm, and I’m glad our mutual friend John introduced us, and I look forward to connecting soon.

45:51
Thank you very much, Nick. It’s been a pleasure.

45:59
All right, that’ll wrap up today’s interview. If you enjoyed the episode or a previous one, let the guests know about it. Share your thoughts on social or shoot them an email; let them know what particularly resonated with you. I can’t tell you how much I appreciate that some of the smartest folks in venture are willing to take the time and share their insights with us. If you feel the same, a compliment goes a long way. Okay, that’s a wrap for today. Until next time, remember to over-prepare, choose carefully and invest confidently. Thanks so much for listening.