A handful of security startups raked in almost $100 million in just the last few weeks.
Between late June and early July, ThetaRay raised $30 million bringing its total funding to $60.5 million. Preempt raised $17.5 million bringing its total funding to $27.5 million. Jask raised $25 million bringing its total to $39 million. And Balbix raised $20 million bringing its total to $28.6 million. All of these were Series B rounds.
Investors, it seems, funnel an endless supply of cash to security newbies. Still, the sheer number of startups outweigh the money pool. So how do venture capital firms decide which security companies will be smart investments?
“It always comes down to the basic three fundamentals,” said Deepak Jeevankumar, investment manager for Dell Technologies Capital. “Is the space interesting? Is the team interesting? And do you have some unique go-to-market strategy.”
Jeevankumar oversees security investments for Dell Technologies’ venture arm, which has made investments in 81 companies since 2012. It remained in stealth mode until 2017, however, and in its first year out of stealth completed 24 investments and 11 exits. These include three unicorn initial public offerings (IPOs) worth more than $11 billion.
Zscaler was one of these unicorn IPOs. The network security company raised $192 million from its March IPO and now has a market cap of $4.77 billon. Dell Technologies Capital (DTC) led Zscaler’s first institutional round in 2015.
In an interview with SDxCentral, Jeevankumar discussed what DTC looks for in security startups.
“Cybersecurity is one of the most heavily invested areas every year, and there are about 3,000 [security] startups across the world today by some accounts,” he said. “It is also one of the most challenging areas to figure out which startups to invest in.”
Look at Jask
For its part, DTC invests about $100 million annually in technology startups. In the past year, a third of the new investments focused on artificial intelligence (AI) and machine learning (ML), and at least 25 percent focused on security, although “there is a strong overlap between AI and security,” he admitted. “Cybersecurity startups use AI a lot — Jask being one of them.”
The venture firm puts security spending into one of two buckets: existing security problems and new ones such as securing software-as-a-service applications via cloud access security broker (CASB) technology. Jask falls into the former. Its technology helps solve an existing problem: the enterprise security operations center (SOC). But it comes at it in a new way. It automates much of the work of a tier one security analyst by correlating and analyzing data and summarizing the important information via streamlined notifications.
“The space is interesting because it is taking the existing SOC and introducing automation to it,” Jeevankumar said.
The founding team is interesting, too. Jask CEO and co-founder Greg Martin spent a decade in the SOC space, and Martin and VP and co-founder Damian Miller led ArcSight’s security operations business. HP acquired ArcSight for $1.5 billion in 2012. Martin also founded security company ThreatStream, which later rebranded as Anomali.
Jask CTO J.J. Guy was a founding team member at endpoint security company Carbon Black, which went public in May. And Jask VP of Engineering Roy Frey was previously senior security architect at Netflix, where he invented FIDO, a patented open source security orchestration platform.
“So we have the industry experts, the technology experts, the product experts,” Jeevankumar said.
And finally, Jask’s platform uses AI, which differentiates it from other SOC platforms. “Attacks are getting automated, defense is not, so JASK is using automation,” he said.
‘Creation’ Security Startups
DTC’s security portfolio also spans several companies focused on solving new problems. These include CASB startup Netskope, cloud threat defense for infrastructure-as-a-service (IaaS) company RedLock, container security firm Twistlock, and cyber risk quantification company RiskLens, among others.
Jeevankumar calls these “category creation” companies. DTC takes a slightly different approach to investing in them. “Here in the category creation market timing is everything,” he said. “Are you too early? Too late? You also need to be far more evangelical because in most cases CISOs don’t have a budget line item for these things. CISOs are bombarded by 20 to 30 new startup pitches, so how do you create a credible story and rise above the noise?”
Also, catching a technology tailwind can help startups pull investors. “IaaS is a great tailwind, and RedLock is catching that,” he said. “SaaS is a great tail wind, and Netskope is catching that.”
On the flip side, some interesting technologies and companies are still ahead of their time. “One of the things we keep hearing about is quantum security,” Jeevankumar said. The security concern here is that quantum computing will break existing cryptographic algorithms, thus allowing hackers to easily read encrypted data.
“But we don’t have quantum computers yet,” Jeevankumar said. “We will want to invest in that — but not today.”
The Next Big Thing
So what is the next big thing in security technology? Jeevankumar says serverless is definitely high on the list. “We are also keeping an eye on blockchain to see if it can solve any unknown or new security problems,” he said. “And another one that’s closer than those two: how do you secure AI?”
This is the flip side of AI. It’s not about using AI to make security strong, but rather securing AI modeling.
“By sending the wrong data, some AI models will be trained in the wrong way, and that is becoming a bigger challenge,” Jeevankumar said. “Think about autonomous vehicles: if they get hacked, and the wrong data is used for their training, they will have a very different view of the world.”
While most security technologies keep information safe, this area is literally a matter of life and death. The question of how to secure AI still looms large, but it’s a safe bet that a number of startups are already working to solve the problem. And their company pitches will be coming soon to a VC firm near you.
Editor’s Note: An earlier version of this story incorrectly identified Greg Martin as a founder of ArcSight. SDxCentral regrets the error.