The cyber industry faces a dilemma. On one hand, the need to close every possible security breach gives birth to an ever-growing pool of start-ups, each with their own speciality. On the other, organizations lack the expertise needed to navigate the dozens of different solutions.
This dilemma also dogs venture capitalists in the field. They need to figure out whether the entrepreneur standing before them is capable not just of solving a specific problem, but of actually creating a large company that goes beyond one specific feature.
If investors don’t understand their customers’ needs in depth, it’s hard for them to assess a start-up’s potential and value. This is also why players in this market are always afraid of excess investment in cyber and some even suggest a bubble.
The cyber market is actually now in an optimistic phase: The coronavirus forced managers and workers to work remotely, and many processes that used to be done physically have moved online. Remote working has left organizations substantially more exposed to cyberattacks. As a result, the cyber market is booming, and start-ups are also enjoying the benefits, including some that haven’t even been founded yet.
“There’s a significant rise in the level of investment in seed companies, and competition in financing rounds has become ‘violent,’” Ofer Schreiber, a partner in the venture capital firm YL Ventures, said in an interview with TheMarker.
“In recent years, the market has really been pretty saturated, and there were too many start-ups,” he continued. “Not all of them will become big companies.
“What does this stem from? The cyber world is in direct correlation to the pace at which organizations adopt technologies. There are a lot of business advantages to connectivity and data production, but these are accompanied by risks. Therefore, this is a more dynamic field than other software fields. In addition, hackers are always a few steps ahead of the defenders.
“The coronavirus itself didn’t really change anything essential in the field of security, but it accelerated existing trends. The world was already moving into the cloud, and workers who don’t physically come into the office also already existed. However, what happened is that the entire world was scared into taking these to the extreme and the pandemic forced an acceleration of these processes.”
How do you make sure companies won’t end up doing nothing more than developing a feature?
“All the major security players aspire to be the player, but they have trouble foreseeing what the next threat will be. Therefore, there’s always room for more start-ups to come along and innovate.
“The art of cyber entrepreneurs that do want to build large companies and not just be bought by some other company lies in their ability to identify a niche,” he explains.
“There are big players in the security world that are less innovative. A company whose sales total $1 billion a year focuses on its existing customers and the products it’s familiar with. The time to build a product isn’t when your customers are screaming at you that they lack something, because by then, there are already 10 start-ups in the market solving similar problems.”
Do organizations generally understand that they need security capabilities?
“I think many organizations, and certainly relatively traditional ones, haven’t really made the conceptual shift and understood that they possess sensitive assets that constitute a real target for hackers. We saw this, for example, with Shirbit” – an Israeli insurance company that was hacked a few months ago.
“There are many advantages to remote working and having things open, but data has a lot of value worldwide. People have to come to the understanding that they are much more vulnerable and that there are bad people in the world.
“Naturally, not every company is Bank of America, with a budget of tens of millions of dollars for buying the world’s most up-to-date products. But security begins with the smallest of things, for example training workers not to click on strange links and so forth. You don’t have to ‘buy this.’ You just have to buy security solutions to improve the situation.”
From IVC to a VC fund
Schreiber, 37, served in the army’s Unit 8200, but in an intelligence position rather than a technological one. He then studied law at Tel Aviv University, but never did his clerkship. He got to the VC industry through having worked at the research firm IVC while in law school; this gave him exposure to the industry.
Two years after Yoav Leitersdorf founded YL Ventures, Schreiber emailed him. Leitersdorf is based in California, and he hired Schreiber as an analyst who would help him locate investment opportunities in Israel. Four years after joining the firm, Schreiber became a partner, and today, eight of the fund’s 15 employees worldwide work at the Israeli branch.
YL Ventures also has a third partner, John Brennan, who is also based in the United States (Brennan has no relation to the former head of the CIA). He’s an early-stage investor who currently manages $300 million in four different funds. The latest fund has $135 million, and Schreiber said it plans to invest in just 10 companies.
The firm’s most noteworthy exits include Twistlock, which was sold to Palo Alto Networks for $450 million; Hexadite, which was sold to Microsoft for something between $80 million and $90 million; and FireLayers, which was sold to Proofpoint for $55 million.
“If in the past, two guys from Unit 8200 would leave the IDF with a cool technological idea and want to build something around it, today, we’re seeing more experienced entrepreneurs, or serial entrepreneurs, people with a lot of experience in the industry,” Schreiber said.
“There are fields that are more hardcore – for example, providing protection against sophisticated attacks is connected to the talent that people bring with them from the army,” he says, referencing the unit’s so-called cyberwarriors. “But I think that at most security companies, the focus is on providing value to the customer more than on pure cyber defense. Value in the sense of reducing costs, simplifying processes, enabling organizations to do things they couldn’t do before, managing security software and so forth,” he says, explaining that high-end defenses are only part of the market.
“If you’ve been in the position of the attacker, you know what an attack looks like and you have a set of very strong technological capabilities. But many of the new developments are more at the level of the product and less at the level of the technology. You have to understand how a security organization works, what its challenges are, and build a product that may be based on powerful technology, but is primarily a product that customers like using and find valuable.
“There are a lot of talented people and a lot of problems that need solving, but not all of them will make it possible to build a billion-dollar company. If you solve the problem the information security manager ranks 32nd in importance, you won’t get attention and funding. Therefore, someone who has lived in the information security world for years and has the connections to get feedback from people there has an advantage.”
Schreiber’s connections are a network of around 90 information security managers from global companies like Walmart, Nike, Microsoft and CrowdStrike. In recent years, the VC funds Glilot Capital Partners and CyberStarts have set up similar networks, and the venture fund 8Team has devised a model for founding companies that includes cooperation with partners.
“We rely on this network,” Schreiber said. “Our strength lies in meeting two entrepreneurs in Israel who tell us an interesting story and, within 48 hours, putting them across from 10 information security managers in the U.S. who will give us feedback about the entrepreneurs, the direction and the technology.
“We’ve built a great many capabilities that help us make the right decisions. We’re in the business of decision making. This reduces the risk when it comes to seed investments. For the vast majority of the companies in our portfolio, the difference between the initial idea and what they do now is very small.
“We feel very comfortable writing a large check after the process we go through, and therefore, there’s also pressure. Our starting assumption, our philosophy, is that no company should fail; they should all succeed. I think this ethos is very much felt by the entrepreneurs.”
‘Our entrepreneurs aren’t pampered’
You don’t invest in many companies. That increases your risk as investors.
“There’s an approach that advocates diversifying investments among different fields, writing small checks to every company and thereby hedging your investments. That isn’t our approach.
“We’re more focused, both on the cyber industry and on a few investments – three new investments a year. We lead seed rounds of $5 million to $6 million and reserve a lot of money for follow-up investments.
“But money is relatively cheap. What isn’t cheap is our ability to help our portfolio companies. We are the companies’ marketing arm and also help them recruit workers.”
There’s an opposite approach – that companies have to get along on their own.
“Make no mistake, our entrepreneurs aren’t pampered. They aren’t spoon-fed. But when there’s a start-up that consists entirely of five developers, it’s a little hard for them to talk with 100 customers in two months. We know how to do that.
“This happens mainly in the early stages, the seed stage and the A round, when the companies are mainly building their product and speaking with customers and need to find the appropriate partners. At a later stage, these functions are moved within the companies. They perform them themselves, and we take a step back.”