We are regularly asked which areas we invest in, and we are constantly talking with newly minted CEOs who are eager to get funding and curious whether they fit our thesis. To speed up this conversation we have decided to make our investment areas public. We are doing this both to expedite conversations with potential portfolio companies and so that partner VCs and LPs who have potential deals will know which areas are of most interest to us.
By way of explanation, we believe that the one area that most needs investment is loss prevention. There are other areas one could invest in, but we lack the quantification models to predict their market utility, or the market is simply too small or too new to invest in.
If our “true north” is loss prevention, we are wise to look to the groups who have been modeling it for their own needs: the insurance and re-insurance industry. As such, we have spent a lot of time cultivating relationships with them to properly understand what works and what doesn’t. While their opinions may change as adversaries shift, for now this closely aligns with our own view of what has the largest impact for the smallest customer investment. If a new company aligns with the end user, it will have a better chance of market adoption and ultimately a successful exit. How we see the world is broken down into the following categories:
Pre-breach loss prevention, including:
- Inbound email protection
- MFA
- EDR
- Phishing training
- Encryption at rest
Post-breach loss prevention, including:
- Backups
- Incident response/disaster recovery/business recovery
- MDR
- Fast detection and response
Ancillary technologies, including:
- DFIR
- Cyber insurance/cyber warranty
These three categories represent the bulk of what we feel adds the most benefit to the market, by directly reducing the losses associated with security breaches or by providing ancillary loss mitigation utility. That is not to say that other categories of products cannot improve the loss ratios of companies, but there is no current evidence that they do. For instance, while our backgrounds are largely in the web application security space (DAST/SAST/IAST/WAF) and we have a deep personal affinity for it as a vertical, it is not a current area of investment interest for us, because the adversaries do not appear to be causing loss there and/or the sample size is too small for the industry to reject the null hypothesis. When we asked the insurance industry, they said it is not an area they worry about because the losses on custom web applications are insignificant, though the same cannot be said for COTS/SaaS web apps. Said another way, the adversaries have shifted away from hacking custom-built web applications and we won… in that specific area… for now. That is not to say it will always be the case, so we keep our eye on all parts of the market for obvious reasons. Now, according to the data we see, the spend has to pivot with the adversary, to the areas of cyber security listed above.
One thing you may notice is what is missing, and there is a lot that is missing. One such area is vulnerability management. We firmly believe that this area is under-invested and under-researched, and that it can make its way onto this list, but only by virtue of re-thinking what matters, how it functions, the incentives, and much more. So while something may not be on the list, in some cases it probably should be, but only after the industry fixes it. Other areas are absent for a different reason, firewalls for example. We believe firewalls are not on the list because even the companies that have them punch enough holes in them to render them useless for reducing loss, and no current thinking in the firewall market fixes that issue.
One of the benefits of our team is that we can logically work through areas that do actively decrease risk but that the cyber insurance industry cannot currently measure. So while the above may look like an authoritative list, those are really the more mature products. Other mature products that aren’t on the list have questionable efficacy in reducing risk. We could write volumes about what’s not on that list, but that’s for another day. If your company is solving a new problem in a novel way, we still want to see it. Lagging indicators of loss aren’t the sole defining metric we use.
There are also areas that we have been very interested in historically that fall outside the purview of what the cyber insurance world necessarily deals with in terms of claims, but that do indeed reduce losses, like anti-fraud solutions that add friction to fraud, causing it to shift elsewhere. That shift saves customers more money than the cost of the service. Easy win!
So, we are focusing on loss prevention first and APT second. Everything else is on the back burner for us. Some of the categories listed above have constituent parts that will benefit from fresh approaches, and those will catch our attention. For instance, just because you have backups doesn’t mean you have off-site backups, or that you test those backups to make sure you can bring them online in a timely manner. Or consider phishing training: most vendors only count clicking on suspicious attachments as the success/fail metric, but don’t test for another important action: do users actually report suspicious emails? Also, one technology from a specific vertical might impact one or more other verticals; for example, GRC can be a nice bedfellow with vulnerability management and ASM.
Each of these areas constitutes an area of ongoing interest and research for our team. If you know of or work with startups in the aforementioned areas, we’d love to hear from you.
