Venture Capital's Role in Security
Why Now is a Great Time to Invest in Security Technology
What's the role of venture capital in today's information security market? Alberto Yépez of Trident Capital describes start-up companies and the unique qualities that separate winners from losers.
Yépez, managing director of Silicon Valley-based Trident, says investors are often looking for start-ups that aim to solve large problems with a global scope. "Is this [solution] addressing a very specific problem or a broad problem?" Yépez asks in an interview with Information Security Media Group [transcript below].
After establishing whether the solution is applicable to a global marketplace, investors turn to their extensive network of professionals, including chief security officers, to see whether the solution addresses a real-world problem. "It [needs to be a] large market opportunity, [with] disruptive technology validated by customer demands," he explains.
Investors then turn to companies that will make the start-up successful. "We will go to the system integrators that will probably be the ones deploying the solution," Yépez says. "We try to work with them in saying, 'If we were to invest in a company like this, are we going to be adding to your roadmap?'"
Lastly, having a strong team is essential to the success of the company. "That's where we begin adding value, where we can get the entrepreneurs partnered with experienced executives that have maybe done the same thing and helped build not only executive teams, but ecosystems with a relationship with customers and partners," Yépez explains.
In a interview about the role of venture capital in today's information security marketplace, Yépez discusses:
- Why now is a great time to invest in security;
- Qualities that distinguish winners from losers;
- Regional security trends that are gaining global attention.
Yépez is a managing director of Trident Capital and joined the firm in 2008. He is an experienced investor and entrepreneur, actively investing in IT security, enterprise software and mobility. Before joining Trident, he was an entrepreneur with a successful track record in building global businesses. He was founder, chairman and CEO of enCommerce, co-CEO and president of Entrust and chairman and CEO of Thor Technologies. He also held senior management positions at Oracle and Apple.
In addition, Yépez worked as an "entrepreneur in residence" at Warburg Pincus, served as executive chairman of a Bain Capital portfolio company, and was a consultant to the U.S. Department of Defense as part of the DeVenCI Initiative.
Role of Venture Capital
TOM FIELD: It's certainly an interesting time in the security marketplace. We're seeing lots of growth, and the growth is in response to the evolving threat landscape. Give us a sense please. What's the role of venture capital in a marketplace like we're seeing today?
ALBERTO YÉPEZ: I kind of get on both sides of the equation, being an entrepreneur looking for venture capital and now being on the venture capital side. I believe venture capital provides the partners with entrepreneur to build global businesses and that really helps in a lot of different aspects of fostering innovation, creating the differentiating technology, building the right team, helping them build the board with executives that can help them enter into specific markets, and also helping them acquire their first customers.
Let me give you a good example. When it comes to helping boards, we have relationships with many former government executives that have made a big difference. For instance, Howard Schmidt was the former cybersecurity advisor to Obama. Before that, he also was the cyber czar for the Bush administration. He's someone that we have been working with, not only helping us with what types of investments we should be making, but also helping us think through how we [can] best service the government community. We have General Peter Pace, who was former chairman of the Joint Chiefs of Staff and really brings a lot of credibility to our companies when we're trying to service or trying to get into the DoD or the intelligence community.
We have been very, very fortunate to surround ourselves with very experienced operational executives, as well as government officials, that can help our entrepreneurs get into specific market opportunities.
Our [goal] doesn't stop in just providing them the money and keeping a score. What I mean by keeping a score is that there are a number of venture firms that in the past always come in and they always look at the financial performance. We look at the financial performance as an indicator of growth and need to help entrepreneurs. We take it very seriously by creating an ecosystem of buyers. We have a group of global chief security officers from financial institutions, from healthcare companies and from government that provide us guidance and help us be better investors.
We also have a lot of relationships with the large companies that can prove to be very good go-to-market partners for our companies and that entrepreneur gets introductions to help them build their business. They evaluate their ideas first, get their first customers, help design the product, help deploy the product, give the feedback, and eventually drive go-to-market partnerships with the likes of new great platform companies that are global in size.
Good Time to Invest
FIELD: It strikes me that three years ago we were in a time of economic uncertainty, and now we're in a time of security uncertainty with the ever-evolving threat landscape. Why then is now a particularly good time to invest in the security market?
YÉPEZ: What's going on today is the awareness level has risen. I think it has always been a very good time to invest in security. Trident has a track record investing in security since 1999. One good example of a company was Qualys that we built creating a platform for building security using the cloud as a delivery service.
Let me tell you why specifically now is a great time to be investing in security. We call it the "perfect storm." We believe that innovation in security doesn't happen in the lab. Innovation in security happened because there are shifts in technology and shifts in platform. In the past, we've seen these platform shifts happen in material. As we move from a centralized environment, from mainframe to client/server, we created certain white spaces or vulnerabilities between the client, the server, and the network, and great companies got built in the client's side to address antivirus - Symantec, the McAfee's of the world, the Trend Micro's of the world - and the network level using Check Point, trying to address the issues with firewalls, etc.
As we see these shifts of platforms, this time we have what we call a "perfect storm" because we have four major platform shifts happening at once. We have virtualization. Everybody is trying to use virtualization as a way to transform data centers and be more efficient. We have the cloud as a delivery mechanism for people to consume information and consume services. We have mobility which is effectively bringing the consumerization of enterprise, and we also have social media and social networks. These four shifts are creating new threat vectors, new vulnerabilities, and if you look at the CISO or the person responsible for information security in the company, they're trying to keep the perimeter secure. They're trying to keep their information secure. Now they have to be able to deal with four different vectors that are new and they have to deal with how to protect them. Number one is because of the platform shifts.
Number two is you're beginning to see the level of awareness in the role the government is beginning to play. In short, for the longest time our intellectual property has been compromised, and we've been losing customer data, technology or trade secrets and I think it's finally come to bear. I think [it was great that] Mandiant and Kevin Mandia's team [was] able to publish that report on how we're being attacked. The attack is serious and it's well-funded. It's very sophisticated and enterprises are being challenged to defend, but also protect, intellectual property. We believe that the level of awareness and the threat vector has become more sophisticated than ever before and it's well-funded and state-sponsored.
But besides technology and looking at the threat vector, we also look at the regulatory environment and we see a lot of discussion in Washington, and not only in Washington but governments around the world, of what is the role of government in protecting privacy and protecting critical infrastructure. I was very encouraged to see President Obama yesterday hosting the 13 CEOs of large corporations to talk about cybersecurity, and the fact that it's okay to have an issue. ... But the big question is: what should we be doing about it?
To summarize, you look at the "perfect storm" going on in technology transformation. You see the threat vector becoming more sophisticated. You see a regulatory environment that's actually becoming more heightened in awareness, and you also see the large corporations that were the innovators in security, were the leaders in security, that have not done much in innovation, therefore [they're] investing in security. And the role of venture capital is to create these new platform companies that eventually are going to help solve the problems that we're facing as a nation, facing as businesses, and we're facing as individuals.
Qualities in Winners vs. Losers
FIELD: A few moments ago, you spoke about the diversity of your own portfolio. I see that within Trident Capital's investments, you get recognizable companies such as Arxan, HyTrust, Qualys and Voltage Security. When you look at all of the different options that you have that you can invest in, what are some of the different qualities that you discern in the winners versus the losers?
YÉPEZ: I would say in venture capital and technology, having been again an entrepreneur as well as working with a very good team at Trident, there's a blend of financial investors understanding financial engineering and operations. The way we look at investing in security is, first of all, we're in this business to solve big problems with a global scope. We're here to build global businesses. What's the criterion to define these companies? Number one, is there a large market opportunity? You see the regional piece and a global piece, and is this addressing a very specific problem or a broad problem? We first look at the market opportunity and we try to get to things that what we're going to be investing in has an opportunity to disrupt, to change and to help the big problem.
The second one is we look at how disruptive the technology, the approach, the solution is that the team is bringing about. Obviously, the intellectual property is the core of venture-backed companies and therefore we spend a lot of time not only validating what they're telling us, not necessarily just by making assumptions, but what we do is we use our extensive network. Like I told you, we have a very extensive network of chief security officers that really welcome the opportunity to work closely with us, and when we see an interesting solution we give them a call and say, "Look, do you have a problem in this area? Yes. How are you solving it? Well, we're trying to build it ourselves. We don't have any commercial technology. Would you like to see a company that we think has that solution?" Then we encourage them to have that initial meeting. So, [it's] large market opportunity, disruptive technology validated by customer demands.
The third one is we go to the typical companies that will make a start-up successful. We go to the system integrators that will probably be the ones deploying the solution. We go to the existing platform companies that drive some of the decisions that have the existing customer base that we would actually leverage from our go-to-market strategy. We try to work with them in saying, "If we were to invest in a company like this, are we going to be adding to your roadmap? Are you trying to solve the problem already? If not, let me introduce you to an innovative company solving this problem that's relevant to your current platform. And then after we invest, we can have a go-to-market strategy that can help the company.
The fourth area that we look is the team. Everybody says location, location, location. It's the team, the team, the team; the people that are creating the value, the team that have the passion to solve the problem. But also, that's where we begin adding value, where we can get the entrepreneurs partnered with experienced executives that have maybe done the same thing and helped build not only executive teams, but ecosystems with a relationship with customers and partners.
The final aspect of looking at the criterion investment is who had been their core investors? In-Q-Tel for instance is one of our partners. In-Q-Tel is the CIA's venture capital arm, and they always find some very interesting problems to solve in great companies. If In-Q-Tel invests in a company, we have a lot more confidence that we're trying to solve the problems that are going to be hitting us in the next three to five years just because of the sheer amount of data and the coverage that we have to provide for our intelligence community. We look at investors.
Global Security Trends
FIELD: It strikes me when you talk about your global network that you were so plugged into organizations both mature and very young. With these contacts that you have and the context that you have, what are some of the global security trends that you're seeing right now, even some that might be specific to some of the regions of the world that you deal with?
YÉPEZ: It's a great question because all the emerging economies are getting an opportunity to take a bigger leap on technology. They don't have to deal with legacy. Latin America or Asia Pacific, they're able to have perhaps a much bigger footprint in mobility and a much bigger opportunity to leverage the cloud, because they don't have an existing infrastructure that they have to migrate from or try to deal with or integrate with.
What we're seeing is not only a different type of threat, because the mobility and the interaction with business is more driven from a mobile device and actually leveraging cloud services. Managed services or hosting services - what ever you want to call it - I think we see different types of threat vectors but also we see very interesting and intriguing solutions on how to solve the problem.
Let me give you a very specific example. Two or three years ago we came across a company in Madrid, Spain. The company's name is AlienVault. It's one of our portfolio companies. It was a team that was trying to solve the problem of, "How do I integrate all of these security solutions that are all dispersed and not integrated and bring them all together?" They had this open-source project called OSSIM, Open Source Security Information Management, that, with very little venture money, had been able to assemble 20,000 customers, or downloads, of people using in their technology, and we say, "Wow, this is very interesting. They're solving the problem that a lot of our companies here in the United States are trying to figure out, [which is] how do I integrate all of these different solutions?" Here we're in Madrid looking at a company that already had that solution.
What we did is partner with entrepreneurs ... and we convinced them that the best way to become a global business, rather than a regional business, was to bring the company to Silicon Valley and then we invest in the company. We brought the team together, not Trident, but together with them we selected a team which were experienced professionals from HP and some successful security companies and put a team that was very motivated to make an impact on the global footprint.
Shortly after our investment, which was only two years ago, last year we got a follow-up investment from Kleiner Perkins and Sigma, which are companies that we work with all the time, and we raised another $22 million round. It's a company that's now primed to succeed in solving a real problem, a global problem.
If we had been in an emerging economy where they are more sensitive to value and sensitive to price, not having to deal with legacy and having to deal with the new model of computing, I guess we wouldn't have been able to be fortunate to be able to create a great business. AlienVault is a great target right now to pick up, probably one of the next-generation security platforms in the marketplace. The amount that went in to build, because of the open-source community, with an open-threat exchange where people are anonymized and the threats that are going they're willing to share that among the community, it's very much in-tune with what Washington is encouraging to exchange information. They already have that with a community that's now more than 200,000 people using OSSIM and the commercial product as well. It's a very good example [to show] that innovation doesn't necessarily just happen here. Emerging economies around the world [are] also facing problems, or slightly different threats, but they have created solutions.
The role of venture capital is indeed to partner with entrepreneurs to build these companies, and we're very proud here at Trident that we don't necessarily just invest in companies in Silicon Valley. We're willing to take the flights to Madrid and to Toronto to be able to find our companies. We're very fortunate to have found a number of entrepreneurs that have the passion to solve the real problems.
Advice to Emerging Start-Ups
FIELD: One of the things that struck me when you and I first met was you talked about your experience with Apple Computer back in the '90s. And the statement that you said that stuck with me was, "We had the better technology, but we lost." I came away thinking that really gives you a unique perspective on this business. With that perspective and with your experience, what advice do you offer today to someone at an emerging start-up that wants to prove themselves in this marketplace?
YÉPEZ: That's very dear and close to my heart, because I was at Apple during the golden years and now there's a renaissance. I guess the best technology now wins; you always have to have the customer evaluating, especially if you're an entrepreneur trying to bet your livelihood and your professional career on something that you believe and value you're creating. The quicker you can get your technology to be touched by customers, the better you will be because you will find scenarios which you never thought your technology will be used and they need to be integrated in other places, and therefore you will find areas where you probably wouldn't have thought about to be able to create additional value.
I would say ... get customers for your technology, more in a partnership. Find partners so they can help you shape up your offering. Do that and create technology and customer advisory boards where they help you with a roadmap. They also will become your biggest advocates because, as they decide to use your technology, they'll be the ones providing the references.
Innovation without solving real problems in a global scale doesn't go anywhere, so therefore really focus on the customer. Even Apple, their focus on the customer and user experience, now, we lost it when Steve left. But now you can see the renaissance. I bring that analogy to always to make the customer the center and try to bring that level of validation sooner rather than later.
The other thing is the biggest blind spot of entrepreneurs when I was one of them was the ecosystem you need to create. You cannot just deploy and send an engineer with your solution. It has to be easy to deploy and easy to commercialize. You have to have the partners that are going to help you get there.
Career Advice: Venture Capital
FIELD: There are a number of people that have got many years in the information security field, and they may want to make a career change. As someone who has made the move, what advice would you offer to somebody that wants to shift into a career in venture capital?
YÉPEZ: We all come from a very different perspective. The value of Trident and the reason I decided to work with Trident is they were a board member. They were an investor in my last company. They were so thoughtful. They brought the ecosystem. They brought the advice of former operating partners, but also they have a sophistication of the financial engineering to be able to do that. Depending on where you're coming from - the operating background, platform background or the financial background - look to not only make sure that you're good at what you do, but also try to look for a team, a group of people that bring together a blend of skills that can actually make the investments successful.
I would say some of the very tactical things that you could explore is venture firms often try to look for EIRs, Entrepreneurs in Residence, people that have either exited from a company because the company got acquired. They want to be able to sit down and help us guide our investment strategy. Look for EIRs and venture partners and try to form that opportunity. Before I went in to become a venture capitalist, I started working with a entrepreneur resident venture partner. I was very, very impressed with the team work and the blend of skills required to be successful, because just having an operating background will help us build businesses, but you need to be sophisticated enough to be able to have the right financial engineering and use financing as a strategic asset to be able to build global businesses. I think it's a combination of things.
The opportunity is such that I would say that more and more successful venture capital firms [have] teams that have operating backgrounds and financial engineering backgrounds that can bring together not only those skills, but also the relationships.
I would say, [when looking] at someone potentially becoming an EIR, how successful have they been in what they've done? What relationships did they bring out to source deals, to be able to close those deals and to add value to those deals? Our EIRs don't often become just venture capitalists, [but they] become board members and become executives in the companies that we invest in.
I would say it's a very interesting opportunity to work with individuals who have been successful in their right, and that your contribution is one element that will make a place unique. I'm very fortunate and happy to be here at Trident because I think I get a lot of support from my partners that have been doing this for 20 years. I come from an operating background and I'm trying to set my mark and have been here only for the last four years, but as a full-blown partner in the last three. I think that's very tactical advice for how someone can jump into venture capital.