The economy is shifting, and budgets are tightening. Cybersecurity must shift with it. We sit down with Marcus Bartram, General Partner, Titanium Ventures, to discuss cybersecurity VC investment in this economic climate, identity-based threats, and what cyber issues CISOs and the industry should keep their eyes on in 2023. All this and more on The Cyber Jack Podcast.
Cyber Jack 00:04
Today, Marcus Bartram, general partner at Titanium Ventures, joins us to talk about what investors look for in a cyber leader, the effects of the economy, and identity-based cyber threats. Really interested to hear your insights on venture capital investment in cybersecurity.
Marcus Bartram 00:46
We’ve been investing in sort of broader markets and cybersecurity, but in cybersecurity specifically since 2014, we invested in a CASB called Elastica with Rehan Jalil as the founder.
At different points in my career I have worked in cybersecurity and run a little consultancy business, and have tried to launch cybersecurity products into different markets.
I think in at least one of those jobs, we were deploying the very first versions of NetFranjix as an RDS and Check Point firewall.
We can see this evolution of IT technology, which I think is sort of a leading indicator to where cybersecurity is going and where threats are going to come from and where innovation will occur.
We wrote a paper about that in our fund, which led to a whole series of investments in the sector. And the IT world has continued to evolve and architectures have continued to change.
So we continue to see innovation. And we continue to see criminal behavior change. And the economic incentive for criminal behavior has gone up. So we still think from an investment point of view, there’s lots of innovation that can still occur and needs to occur to help solve and protect companies from some of these problems.
Cyber Jack 03:35
What makes a strong cyber company?
Marcus Bartram 03:50
There’s literally thousands of cybersecurity companies created every year. It’s a really busy job. Try to meet as many of them as we can.
We’re really looking for founders who have a deep understanding of the problem and are able to articulate that in terms of the customer problem and the customer benefit is probably the starting point for where we’re interested.
Then the second thing is really the team, who’s in the team and what sort of capabilities do they bring? And where we’re investing, like the earliest investment we’ll do is early revenues of a Series A-type company.
At that stage, the companies build an MVP, they’re priced and in market and selling it or have design partners around it who are converting to sales.
And so what’s the bones of the team that are there and how do they think about building it? What’s the culture of the company that they’re creating and how do they think about that? And how do they think about growing it?
What resources do they need and why? And how do they think about going to market and why? And then the last dimension is a function of the customer problem statement, which is how big is the market for what they are selling?
And cyber is a very, I’d say cluttered market. There’s a lot of companies vying for the attention of the CSO and their team. So we try to figure out: is this a real innovation that a customer will pay money for?
Or is that sort of a feature extension of another platform? How many of these customers have this problem and can we actually reach a bunch of folks in a network who might resonate with this problem that’s being solved?
Team, product, market, and then sort of trailing because where we invest is generally some sort of early financials. So yeah, it’s a little bit organic as a process.
We think about where we think the ball is moving and try to find companies that are operating early in those spaces and can help us validate how we think and invest in those guys.
Cyber Jack 07:22
What does the cybersecurity VC space look like right now with the current macroeconomic trends?
Marcus Bartram 07:35
There’s been a little bit of movement on a Series B company evaluation and a little bit on a Series A company evaluation.
There’s been two huge shifts in both the valuation and the amount of activity in that market from a venture point of view is much, much lower than it ever has been in the last decade.
So for our first investments, we’re really active. We think this is still a very good time for us to invest. And when we invest at that stage, we’re really thinking about what this company will look like over the next decade.
So there’s some level of immunity to the short-term market dynamics. But those market dynamics become more and more important in how we think about working with our existing portfolio.
There was definitely a period where lots of companies were trying to raise extensions to financings that they completed in 2021 and hold those valuations and try to buy more time by raising a little bit more capital.
That sort of activity has probably dropped off pretty considerably in the last two months. And it’s the right thing for those companies to do because being able to extend the cash runway and survive through these is important.
Cyber Jack 09:59
What are your thoughts around identity-based cyber threats?
Marcus Bartram 10:04
Identity has been a really interesting place. We invested in Auth0 and a company called CloudKnox that was looking at privileged access and identity controls in infrastructure that Microsoft acquired.
We recently invested in another company called Strata Identity, which is really solving a problem around how organizations deal with the complexity of identity in their environments and migrate and modernize applications and move to the cloud, which I think is a huge issue.
I still think there’s lots of opportunity in the identity market, both as an investor and for practitioners. I think this move to a trustless model is still, from an identity point of view, the key to the actual architecture of that.
But how do you build identity into some of the business functions that you operate? So you want to make a change to ABC. You need to hit your fingerprint or your thumbprint to authorize the change. And how do you build those step functions into your application architecture so that you can create an audit trail, but also layer in higher levels of identity control into the critical business functions that someone might today have a blanket privilege to execute on.
But now you have a way to protect yourself at another layer of protection. So I’ve been talking to a number of CISOs who were implementing some of those controls in their environments. What they believe is ultimately by creating their step authentication and control functions, you make it harder for criminals to move through an organization and make changes that allow them to attack particular assets.
So you steal a credential, but still need to deliver this authentication moment as you want to make changes in that environment. So I think that’s one idea. And I think even in the SMB market, go use a password manager rather than just have folks using manual passwords.
I think it’s some really basic stuff that can be done. Go use LastPass or 1Password, the simple stuff managing those environments. There’s a lot to do in that space.
It’s still a big opportunity for lots of improvements to be made.
These three things we’re thinking about, if the broader economic market continues to change for the negative, I think there’s this issue of cyber budgets. I don’t know if they’re gonna be compressed, but they’re definitely gonna be held flat.
We think people should invest in this continuous validation of your security controls as a way to identify what to do and when as it relates to risk.
So using tools to give you the insight to support that prioritization. I think the software supply chain continues to be a topic that bubbles up.
Third party supply risk continues to be a source of risk and problems for enterprises, with a number of attacks and threats that have evolved over time through that.
We still see this organization continually trying to digitize their environments. And I think if in that economically more depressed world, that work is gonna continue to occur because there’s economic benefits to it and you strip cost out.
So how does the security team get on top of that and have the tools and services wrapped around to understand the footprint of assets?
We’ve seen a bunch of breaches related to API security.
There seems to be more exploits and more opportunities for criminal behavior that bubble up through that. It’s a bit endless really.