July 11, 2022

EP74 Who Will Solve Cloud Security: A View from Google Investment Side





TIMOTHY: Hi there, welcome to the Cloud Security Podcast by Google. Thanks for joining us today. Your hosts here are myself, Tim Peacock, the product manager for threat detection here at Google Cloud, and Anton Chuvakin, a reformed analyst and esteemed member of our cloud security team here at Google. You can find and subscribe to this podcast wherever you get your podcasts, as well as at our website,

Did you know, listeners, I dream about that URL? It just comes to me in my sleep now. If you like our content and want it delivered to you piping hot every Monday afternoon Pacific time, please do hit that subscribe button. You can follow the show and argue with your host on Twitter as well,

Anton, we're talking about security securities today or, in other words, investing in security startups.

ANTON: Correct, and this was the episode I kind of have to have a horrible revelation on the air by saying that Tim really wanted to be in this episode, but I scheduled it over his day off.

TIMOTHY: Ah, yes.

ANTON: So it's completely my fault, nobody else's. You can't blame the intern. Do we have an intern? We don't, right? So we can't even blame that person.

TIMOTHY: No, we should get an intern someday.

ANTON: To blame.

TIMOTHY: No, no, no-- to teach and educate in creative ways to accept responsibility for the mistakes of their elders, I think, is what we would teach them.

But no, this is a fun episode because we've got one of my favorite members from CapitalG, James, on the show, right? We did get James for this?


TIMOTHY: Yeah, fantastic. So perhaps, without further ado, let's turn it over to today's guest.

ANTON: Now our guest today is James Luo, a partner at CapitalG. Hi, James.

JAMES: Hey, Anton, how's it going?

ANTON: It's a good day so far. So you deal with investments. So this episode today would be kind of different compared to our normal security cloud security best practices or challenges in the SOC. So I want to jump straight to the fun part. You've looked at many security startups in growth stage-- probably hundreds. So what's getting funded, what's not getting funded, and what's the difference?

JAMES: Yeah, I mean, that's an interesting question, especially now, I would say that my answer to this question would have been different six months ago than today.

TIMOTHY: Oh, wow.

JAMES: So six months ago before all the market turmoil that's happened, I think what it took to get funded at the growth stage was having a company that had a really clear market opportunity that it had demonstrated pretty strong product market fit for, and so it's a traditional kind of VC hockey stick growth-- you're small but you're growing really rapidly. And VCs were very willing, six months ago, to say, you know what, I'm going to invest tens of millions, if not hundreds of millions, of dollars behind you at the growth stage so you can chase the market opportunity.

I think today, the environment is a little bit different, and folks are still trying to figure out exactly what their risk appetite is. And by that I mean, VCs are still trying to figure that out.

So not only do you need those things still that you needed six months ago-- you still need the strong product market fit, you need the kind of massive market opportunity-- but you also need to demonstrate that you're going to be able to spend wisely to be able to attract that opportunity.

And so what that means is that not only are you spending a decent amount of money to try to go add new sales, but that that sales is generating at an efficient pace. And so that's something that's probably not very specific to security startups. It's probably what we're seeing in the market in general these days. But I think it's become even more salient today than ever before.

I think a more security specific angle to the question is that security tends to be comprised of a lot of-- it's a very large pool of spend comprised of a lot of little micro buckets. Every US company tends to spend on dozens of different security tools.

I think what has gotten a lot of growth funding in the past is if you can find those buckets where it's not really like a lifestyle enhancement or a choice that companies make, but rather something that's critical and mission critical to their day-to-day security needs, and so you're trying to find the big pools or the bigger buckets of spend within those little micropockets. And if you found a market opportunity there, then that's typically been pretty lucrative for you in the last five years or so.

ANTON: That one is actually a good metaphor for me, identifying these kind of buckets of money and the larger the bucket you find the better, but so this to me sounds like a product market fit is almost built in. But I still think that, if I wear my former analyst hat, I still see people finding things that, to me, do not have product market fit.

So, for example, they are an ideal solution for cloud natives, and they are not a fit for a traditional company, but their market plans assume they would sell to everybody. In that sense, they have product market fit, but they don't have the product market fit with the market they want to cover. So how can this be fixed or addressed, if I may ask?

JAMES: Yeah, so I think what's-- this is a cloud security product, so let's talk about cloud security for a second. I think a lot of folks, when they look at the cloud security market, think that if you project 5, 7, 10 plus years out, which is typically the business of venture investing-- you're looking at a pretty long time horizons-- that the majority of workloads at that time will be cloud-based. And so while some enterprises are 80% on premise or in their own data centers today, that in the investment time horizon, that the vast majority of enterprises will be majority cloud.

And so that's enabled a lot of the investing in cloud security because people look at it and say, you know what, even if, today, this is not super addressable to the company that has 90% data center environment, we want to invest here because it will be super addressable seven years down the road. And because the pace of transition for some companies is earlier than others, that market continues to form and grow at a nice enough pace for you to sustain business momentum.

I think where that can go wrong is you make some assumptions about what the cloud environment may look like today and then extrapolate that out five years. And if that doesn't turn out to be true, then you may end up with some issues. But I think it's largely been able to justify these investments in spite of most companies being very hybrid today.

ANTON: Yes, and I think I like that. And to me-- how about this? Your explanation is probably the crispest I've heard on this one because I've seen people who basically assume very high transmission rates or transmission growth rates, and when they don't pan out, they die or they have challenges. But I think that, in your estimation, sometimes the transformation to cloud may accelerate, it may slow down, but everybody agrees it will happen. So as long as you are willing and able to hold until enough companies transition, you'd have a market.

JAMES: Yeah, and I think people look at analogs in cloud-- they look at companies like Snowflake, and they say, wow, how can a company with billions of dollars of AR still be growing that quickly? In spite of the fact that a lot of people still have data warehouses on prem without using a cloud data warehouse, whether it's Snowflake or BigQuery or someone else, and they look at it and say, wow, the market must be big enough. If you think infrastructure as a service or platform as a service are going to be $1,000,000,000,000 of spend, then you can, I think, pretty easily get to the conclusion that security will be tens of billions of spend, if not more, in that environment down the road.

ANTON: Actually, that makes sense. So, hopefully, this is a useful tip for our audience as well, so let me try to switch gears a little bit. And I know everybody who deals with investments gets asked about the whole current market environment, but you kind of started answering this question already about the differences between now and, say, 6 to 12 months ago. Any other advice or any other views on the current market environment for security startups' growth stage?

JAMES: Yeah, I would say if you're a security startup today, you're actually in a better position than some of your peers in other sectors. I think over the last five years especially, people have really realized that security is pretty foundational to infrastructure and pretty foundational to cloud and SaaS.

And you see that with public companies like CrowdStrike and Zscaler, which we were fortunate enough to invest in, even seeing with companies like Palo Alto reinventing itself as kind of a cloud-first security business, such that people aren't concerned about whether there's going to be a market for security or not. In fact, many people acknowledge that it will be a massive market opportunity.

And so the current environment, if you're a security startup, is actually more favorable to you than to your peers in other industries in infrastructure or in other parts of software. And so the trading multiples for the public companies are higher for security than they are for a lot of other types of software that's out there, and it's because of a lot of the built-in recognition that these companies have gotten over the last five years, and it's a true sustaining category.

So if I were a security company, I would say focus on the core fundamentals of the business. Focus on the market you're serving. Focus on your product. Focus on delighting your customer base. And the funding will be there. There are security startups still being funded. There might be a little bit more rigor applied to how you're spending that money and deploying that capital, but security is a pretty good sector to be in, I think, especially today, but in all cases we've seen.

ANTON: And I like it, and I think that's a very-- it's actually kind of exciting because it's security-related advice, but it's like really optimistic.

JAMES: It's funny, we try to be optimists as much as-- a lot of people think VCs are pessimists, but I think if you want to do this job, you kind of have to be optimistic because inherently, you're betting on something that doesn't quite exist in its current form today, and you're kind of imagining what it could be. So hopefully, we can be a little bit more optimistic in general.

ANTON: So I want to switch gears to some of the more kind of exciting areas, at least for us in the Cloud Security Podcast. So sometimes we see startups, and they seem to be solving problems that are worthwhile. I mean, they do have product market fit, but it also sounds like the platform vendors-- like ourselves, Google Cloud, other big cloud companies, hyperscalers-- would also solve. So do you have any particular thinking about how to decide, is this startup you're funding in a growth stage, or is this problem something that will be solved by cloud providers themselves?

JAMES: Yeah, that's a tricky question. I think the cloud vendors and Google, in particular-- not that I'm biased or anything on this podcast-- but I think the cloud vendors have done a fantastic job of focusing their business and their product in the last few years on security because I think there's been an acknowledgment that a big question that CIOs and CTOs and CISOs have in the transition to cloud is, am I going to be safer there or am I going to be safer controlling my own entire infrastructure stack? So I think a lot has been done, and massive platform improvements.

That being said, I think there's always going to be a case to be made for focus. And as a cloud vendor, there's almost an infinite number of things that you could try to go build, whether it's a security product, a data product, a machine learning product, whatever it might be. There's almost an infinite set of choices. And for certain security categories, I think it makes sense to have really dedicated independent third party focus on that category.

So a couple of examples-- a lot of CISOs that we talked to mentioned the need for kind of single pane of glass. While many CISOs have dozens of security tools, I think everybody wants to have fewer. And similarly, if most companies are going to be multicloud across two, three, maybe even more clouds, we get the sense that a lot of folks want a consistent solution that spans all of those environments. And by consistent, I mean not just the visualization of it, but also the deployment, like it installs the same way on AWS as it does Azure as it does GCP. And it works the same no matter what you're looking at and it pulls alerts that may look different on each platform, but it consolidates and aggregates and makes it all look uniform across the platforms.

ANTON: But there's a multicloud argument. I would call this part of your argument to be the multicloud argument. I totally buy the multicloud argument, but are there more arguments?

JAMES: Yep, so that's one argument. The second argument-- which I kind of started getting to and then moved away from the multicloud argument-- the second argument is the focus argument. So a lot of the companies that we invest in literally have hundreds of developers and engineers and product people working on one core problem. And so in cloud security, I think you've spoken to some of our companies in the past, companies like Orca, they literally have hundreds of people working on a very specific set of problems.

And while the cloud vendors are large and have a lot of engineers, to the point earlier, there's a bit of a focus question of how many engineers can you feasibly-- your trade off as a cloud vendor is a lot more meaningful and difficult in the sense that you're always trying to figure out, if I have more engineering resources on product A that may not be a security product, I may have to give up some of the engineering resources on product B.

And we've found, historically, that the pure play focused vendors tend to do pretty well. And that's the reason why platform incumbents, even Microsoft if you think back to like the endpoint Windows days-- like Microsoft Antivirus, the older generations of Defender-- they didn't really work as well, not because Microsoft didn't care-- you can argue there was a time where Microsoft cared not enough-- but not because it wasn't a priority, but because there were always so many other things that you could be doing, and so it enables third party vendors and independents to arise.

And then we think a very similar thing is going to happen kind of in this market environment, as well for large independent vendors to supplement and complement the big cloud vendors.

ANTON: These arguments make sense, both the focus and the multicloud argument, but isn't there also an agility argument, namely that a small startup or even a medium-sized startup would always be faster with responding to customer needs, industry needs-- they can build better cloud security for healthcare, for finance. So would you also buy an agility argument or not?

JAMES: Yeah, I think that's a reasonable argument as well. I think we found platforms and large CSPs to be, in some cases, more reactive than proactive because instead of deploying resources, you'd rather wait and see that a market exists before deploying resources. So typically, the most cutting-edge product thinking we found-- recently, at least-- is in the hands of startups versus the incumbents. And then the large platform providers can be very quick followers to some of those ideas, but the startups have the benefit of always being able to innovate and trying to build new products, trying to expand into other areas.

And then the last thing I'll say is I think a very real buying consideration for CISOs is-- or CIOs in general-- is the idea of vendor lock-in. I think there's scar tissue historically from vendor lock-in in the IT world, and we've heard the argument that if I'm going to put all my data there, if I'm going to have on my compute there, then my security I want to entrust elsewhere, or my X function I would rather entrust to a third party provider.

I think all those arguments together make the adoption of cloud security solutions in particular faster than we've really ever seen any traditional on prem security solutions really be able to blossom.

ANTON: I think that I like that and I think that sometimes I heard a variation of your last argument, where the CISO brings up almost like a separation of duty inspired concern, where they want to have the data, the compute, the everything else inside the cloud provider, but they want security to be elsewhere because they're not sure if they trust the CSP with securing stuff they also own.

And, of course, you can always-- like if it's a cocktail conversation they're having beers, and I would say, but James, cloud provider knows the technology better, so surely there's an advantage? And then after another beer, it's a pillow fight or something. So I see how it's a debate, but I also see that as a crisp argument from the separation of duty slash third party trust. Definitely agree to that.

JAMES: Yeah, totally. And at the end of the day, CISOs are going to consider multiple solutions for this. And I think it shows up in the RFPs and in the product comparisons that those CISOs do. And ultimately, a lot of these arguments will distill down to, which product will serve me the best?

ANTON: So in essence, our next prepared question is kind of almost like asking the same thing slightly differently, but I want to possibly use this as a chance to drill down into something that fascinated me for quite some time. And I think I get your arguments-- and these are reasonable arguments, not just your arguments, for why startups would kind of own a significant part of cloud security.

But sometimes, I hear about the evaluations about some of the startups, and I say, wait a second, people are giving money to a startup, yet at the same time, the same people acknowledge that cloud service providers are doing security really well. So Google is, of course, known for its leadership and security. Other cloud providers have successes as well. But the idea is that despite the belief in the market that cloud providers would do security well, the same market has given money-- and frankly, a lot of money-- to security startups. So is there a paradox in that, or your arguments mostly explain it?

JAMES: I don't think there's a tremendous paradox. I think maybe a couple of thoughts-- one is valuations up until the last few months haven't been elevated relative to historical valuation multiples.

ANTON: So it's like rising tides and cloud security boats got risen as well.

JAMES: Exactly. It's not just security that's seen these. We've seen really high valuation multiples in the private markets at least for a couple of years now, and growing. And a lot of this was kind of a post-COVID phenomenon too. If you look at public stocks as one and the run up. And so it's not necessarily specific to cloud security, but I think if I may go back to an earlier comment I made around-- if you do think that IaaS and PaaS are trillion dollars of spend, and you think security is some percentage of that, it's easy to see yourself in a world where the cloud security market is tens of billions, if not more, 5, 7, 10 years down the road.

And in that world, leading businesses in that space, that can generate hundreds of millions to billions of dollars of revenue a year, are worth a lot of money. And so people were willing to take that this company, even though it looks very small today, could become one of those winners.

And if it became one of those winners, then my valuation today can be 3, 5, 10 times as much if it truly becomes that type of winner. And so a lot of the underpinning of it was this broad-based belief-- which, by the way, I still personally believe in that, that this market opportunity is really massive, and it's kind of groundbreaking in the way that people think about securing themselves.

ANTON: But then, so there is still a bit of a sliver of the market betting against cloud service providers fixing the problem start to finish. They are not betting against us having good security, but they're betting against-- market is betting against us solving the problem end to end. In my head, there's no more paradox because I think that's how it's ultimately solved.

JAMES: I think that's right. No one's betting against the cloud vendors being able to offer security. I think what they're saying is that the pie is so large and for the 3-4 reasons that we discussed, independent third party vendors should exist to help address that pie of opportunity such that you can have very large independent outcomes as well. And so I don't necessarily see it as any sort of paradox. It's just the opportunity sizing is quite big.

ANTON: No, that makes sense, and thank you for clarifying this. So I want to just get a time machine and transport ourselves to the world of 1990s with security being antivirus and firewalls. And then when I was a Gartner analyst, I've noticed that a lot of companies live like that in 2010s. So how are these discussions about cloud security and possibly trillions of cloud spend, tens of billions of cloud security spend, how do these affect companies that haven't really moved their security thinking from, well, the 1990s?

And, of course, the easy answer that I can give myself, without asking you, is that it's just a matter of time-- just wait. But if we had the same conversation in, say, 2014, you may tell me, Anton, in about 8-10 years, they would all transition. We're now in 2022. Some of them haven't started transitioning yet. So how do we solve for the fact that many organizations are barely moving off the 1990 security?

JAMES: Yeah, so this is a variation of the it will happen gradually answer, which you alluded to. And the way I think about it is that you need to give folks easier on-ramps to be able to make those changes. So one thing that I find difficult is when we think about areas like SASE, or kind of just rethinking what network security or networking looks like is because you're going to CISO or CIO and you're telling them, here's everything you've done for the last 30 years. We have to change it.

It's like, basically, we have to reconstruct it from scratch sometimes. And I think you have to give folks more of the easy on-ramp to one thing at a time. And so I think a lot of that actually is in the hands of the cloud vendors, the CSPs, because the CSPs have the most effective way of convincing somebody to start to make that transition which is simply to say, put one workload or one set of things into our cloud. Put one database into our cloud. Put one data warehouse into our cloud, and start with that. Just start an experiment with it and build the muscle to learn what it's like to build a modern infrastructure stack.

And then, over time, we will help you transition into a more modern way of doing things and into more cloud-native environment. And I think that will help security vendors also transition folks off of the antivirus and firewall security that you're referring to of the '90s as the underlying infrastructure makes those changes as well.

And so while it is a little bit gradual, with the benefit of time, a lot of it is also partnering with CSPs, if you're an independent security vendor, and working with them to try to get customers into the more modern, more secure way of doing things in infrastructure. And so there is a little bit of control that you can exert on that process as well.

I will say, COVID and the lockdowns were a once in a generation-type positive shock-- I don't want to use-- I guess positive [INAUDIBLE]--

ANTON: Yeah, but you're right. It's effect. If you look at the numbers, it's not about it being positive or good for humanity, but if you look at the numbers, it did affect them upwards. So it's positive from the mathematical point of view, not the value judgment. I get it. I think we're on the same page. No real need to apologize.

JAMES: Yeah, like an increasing tailwind behind the adoption of distributed technology, more modern infrastructure, distributed systems, et cetera. And that's caused a lot of people to think about their security architecture because you can't operate in the I just have antivirus installed on managed laptops and a person can only access stuff within my corporate network if they're in an office on the Wi-Fi network. It just didn't work anymore. And so we've seen a tremendous shift over the last 18 to 24 months, I guess, of folks really rethinking, how do we make this bridge?

And the vendors that are really successful are the ones who make it easy to consume, where it's not like, here's a six-month implementation project you have to do to get this to work. It's we can start small, we can get this up and running in a few weeks, and then we can work through the rest of your infrastructure as we go. That's the model that we've seen work better.

ANTON: I think so, and I think that it kind of goes back to the whole shared fate, when we do things jointly with customers, rather than just give them a piece of cloud and say here. Get a piece of cloud. See you later. That approach that some of our competitors are doing to me is a little strange, at least for the less mature clients, because they do want to be helped.

OK, so now that we are almost at time, I want to get to our traditional questions. Any recommended reading and any one tip for startup founders doing security? I mean, as far as tips, feel free to aim it to whoever you want, but recommended readings would be kind of helpful too.

JAMES: Maybe I'll do the tip-- the recommend reading [INAUDIBLE], and let me think about for a second-- but on the tip, I think it's some of the stuff that we've talked about. One is make sure you're really delighting your customers. And this is not, by any means, a unique or differentiated insight. But I think you really need to delight your customers because those customers are the ones who go to your next set of prospects and tell them how amazing it is to work with you and how much value your product brings to them. So I think focusing on that in a market opportunity that you think is really significant, a significant problem for those customers will win you a lot of brownie points and win you a lot of early traction.

And I think the other tip is really to-- especially in this environment-- think about how to make it easy for your customers to consume what you're selling. And sometimes, it's really clear prototypes use cases-- like here's five specific use cases we can deploy in the next three weeks really helps the CISO or the CIO understand the value and understand that it's not a science project that will take many months to actualize.

And even if you may have this beautiful, big vision of what you're going to solve for the customer, if that beautiful, big vision feels like it will take a long time, especially in this environment, it probably will get less play than if you gave them very concrete, discrete things you can support them on today. And so that would probably be the more salient piece of advice. But it's all about the customer and focusing on how to deliver value to them as soon as possible.

ANTON: I agree that it's about delighting the customer and not just satisfying their needs. I think I liked your emphasis on this, making it easy, making it consumable, making it amazing. And even for security, these things are possible, and they're definitely done by some of the, well, startups and independent vendors, so I agree with you and I like that highlight. So thank you very much James. This was really hugely useful. I hope that more of our audience would kind of understand how all this functions-- not just the technology, but also the investment that makes technology possible.

JAMES: Yep, thank you, Anton. Thanks for having me on.

ANTON: And now we are at time. Thank you very much for listening and, of course, for subscribing. You can find this podcast at Google Podcasts, Apple Podcasts, Spotify, or wherever else you get your podcasts. Also, you can find us at our website. Please subscribe so that you don't miss episodes.

You can follow us on Twitter-- Your hosts are also on Twitter @anton_chuvakin and @_TimPeacock. Tweet at us, email us, argue with us, and if you like or hate what you hear, we can invite you to the next episode. See you on the next Cloud Security Podcast episode.
