Inside the World of Cyber Venture Capital

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 184 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest this week is Mark Goodman, managing director at MassMutual Ventures. Mark shares the story of his circuitous path to the VC world, with stops along the way at a family furniture business, and a PhD in philosophy. We’ll find out what it takes for a hopeful startup to catch his eye, whether or not he thinks cyber continues to be a hot area for investment, as well as his thoughts on what it takes to be a successful venture capital investor.

Mark Goodman:

I've had a long and circuitous journey. Definitely not a straight line. I started my career at a bank in Chicago. It was called First Chicago, which has now since been subsumed into Chase. I was accepted into a program there called the First Scholar Program. They brought in a group of recent college graduates. To get into the program you had to get into either the University of Chicago or Northwestern University's MBA program. We went at night, four quarters a year, all year round. So we finished in two and a half years and concurrently we did five six-month rotations at the bank and mine ranged from capital markets. I did foreign exchange options. I did real estate. I did credit analysis. I did what else? Syndications and asset sales.

So fairly broad exposure to corporate finance and capital markets while doing the MBA at night and finished that in 2.5 years, 30 months, and took a permanent position, which ended up not being very long, but finished the program, went permanent, as I said in Manhattan, moved from Chicago to Manhattan and stayed there for another six months or so, and decided that I was ready to get back to Boston and do something more entrepreneurial. So I came back to Boston and joined a family business, actually a retail furniture business, which is what my father, brother, and grandfather had all done. Discovered that I did not in fact have the retail gene and decided to pursue something totally different.

I had developed an interest in philosophy as an undergrad, and I decided to get a master's degree in philosophy. Long story short while I was there, I was encouraged to apply to the PhD program, which I did and got in. And so I ended up doing a PhD in philosophy. I taught as a doctoral candidate for a couple of years. I taught subsequently as a lecturer after I got the PhD at Boston College, but ultimately, decided that I wasn't going to be able to make a living as an academic philosopher, at least not the kind of living I wanted to make and decided to move on.

And fortunately, I had that First Chicago, and MBA experience sitting in the bank there. And I was able, after a few false starts and career gyrations, found myself with an opportunity to get into venture capital in a semi-random way. I had become friendly with a very successful entrepreneur, and we had some common interests, common friends, just became acquaintances. And I saw that he was doing a lot of angel investing in a very casual way. And so I thought about how we might turn his hobby into a business and I made a proposal to him and I got about 30 seconds into my pitch and he said, "Great, let's do it." And all of a sudden I found myself as a venture capitalist and not knowing really anything about it.

Subsequently making pretty much every mistake you can possibly make as an early stage investor. I won't list them all here, but suffice to say that I made, I think all the normal ones, I think I invented some new ones. But in the end, that was a good experience even if it was the blind leading the blind. We eventually gained some sight and those mistakes, painful as they were at the time, I think it probably shaped how I look at opportunities even today. Now I should mention that one of our first investments was in cybersecurity back in 2004, an intrusion prevention company. So that was my introduction to cybersecurity, I ended up seeing a fair amount of deals then not focusing on it exclusively, but certainly became more and more aware of what was going on in the cybersecurity world.

My partner, the capital partner, ended up jumping into that company. I was having some trouble, he fixed it and ended up getting acquired by McAfee. I spun out, started my own small shop in Kendall Square, Cambridge. I got interested in clean tech and advanced materials and did some deals there with a group of investors. Did not go very well. I think the strategy, the clean tech sector did not play out very well. And I was no exception to that. But during that process, I got in touch with a friend of mine who had been running Siemens Venture Capital, and we discussed deals from time to time. And he said, "Hey, I'm talking to MassMutual. They want to start a venture capital group. Would you have an interest?" And I didn't know much about MassMutual at the time. But I said, "Yeah, I'd love to at least talk to them." And that's how my colleague, partner, Eric Emmons and I ended up joining MassMutual to start a venture capital fund for them.

Dave Bittner:

And we should mention that MassMutual invested in Recorded Future. So they're one of the companies that you championed throughout your career.

Mark Goodman:

That is true. Recorded Future was an early investment. Rich Miner at Google Ventures who provided the seed capital to Christopher Ahlberg at Recorded Future is a friend of mine, good friend of mine. And when I set up the fund at MassMutual, we were discussing possible Google Ventures portfolio companies that might be a good fit for what we were doing. And I'll say that the idea behind MassMutual Ventures is to, well make money, to be good venture capitalists. And we do report up to our chief investment officer who gives us a balance sheet capital and expects top core tile, venture capital asset class returns. So we are investors, but we certainly take advantage of the fact that we're in a fortune 100 financial services company with very deep pockets of expertise that we can tap for due diligence purposes, deal flow purposes.

And also that we can use, frankly, for the benefit of our portfolio companies, to help our portfolio companies make the right connections inside MassMutual and its subsidiaries like Barings and more broadly in the industry to get early deals, get contracts, those really difficult early enterprise sales. So it's very good, I think best of both worlds where we're a financially focused venture firm, but we get the benefit of the fortune 100 financial services' expertise, potential customer relationship, potential distribution relationship.

So cybersecurity is obviously an area important to MassMutual. We've got a great cybersecurity group. In fact, about a year, year and a half ago, MassMutual hired a CISO named Jim Routh, who many of the people who listen to this podcast will certainly know. He's a rock star in the industry. And that has been a wonderful collaboration for me to have a great CISO and a great team of practitioners in cybersecurity, helping me understand the cybersecurity space better, helping me vet deal opportunities, providing opportunities themselves, working with some of our portfolio companies.

So it's been a terrific partnership. Going back to Recorded Future, we invested in Recorded Future in the spring of 2015. Spring of 2016, Recorded Future, MassMutual became a customer. And I would not say that it was because we were investors. I mean our cybersecurity colleagues, our data science colleagues decide what to buy. We decide what to invest in, and we certainly want the two to meet, but it's really up to our colleagues to decide what's the best product or solution for their needs. But we do certainly make sure that our portfolio companies get a good look and we facilitate as much as we can.

Dave Bittner:

Can you give us some insights in the venture capital community, and I'm thinking particularly in the cybersecurity vertical. Can you give us some insights as to what the ecosystem is like in terms of the various players? And what brings people into that world? Folks like yourself? Because it's my perception that there are a lot of different sizes of organizations who are investing different amounts and they have interests in companies who are in different stages of their development and so forth. Can you share with us an overview of how you see it?

Mark Goodman:

Sure. Yeah. That's a good question because cybersecurity is such a hot area. You do have a lot of different types of investors. Starting in the early side, you have seed stage, angel investors, frequently successful entrepreneurs from the cybersecurity world, of which there are many individuals who have sold companies in cybersecurity and now are out helping entrepreneurs. And that's an interesting source of deals for us. We typically start around series A so we spend a lot of time socializing with the angel and the seed stage investors. So in addition to those angel investors, you have seed stage funds that are frequently either cybersecurity-focused or have cybersecurity as a main focus area. And there are several of those. Then you have the cybersecurity only specifically focused funds.

I think off the top of my head, I would say ClearSky Ventures. You got Jay Leek, who was the CISO at Blackstone joining ClearSky a year or two ago. In the Boston area, you've got TenEleven Ventures, Mark Hatfield, you've got Bob Ackerman at AllegisCyber. In Israel, certainly some excellent seed stage funds in cyber, Glilot is one that I've co-invested with. YL Ventures and others. So a really good group of cybersecurity experts, cyber-focused seed stage investment funds that I think do a lot of very high quality deals. And I'm always eager to see what they're doing at the seed stage and to hopefully engage as the companies mature.

And then you've got the larger generalist funds that many of which have cyber practices now. And everyone for all the ones that everybody knows, all the brand names, Battery, NEA, Sequoia, Summit, Kleiner Perkins, all have significant cyber practices. And I pretty much only stick with U.S. and Israel, but obviously outside of those geographies are still other investors. Then of course you have the corporate venture groups of cybersecurity companies or companies with some kind of cybersecurity efforts. So yeah, it's a broad landscape of interested parties. And I would say a lot of smart money in cybersecurity, but it's a crowded space so it's not easy.

Dave Bittner:

Do you still consider it to be a hot area? Is it as hot as it has been I suppose?

Mark Goodman:

I think it is. With COVID last March, I think everybody was waiting to see what the impact was going to be in cyber. And I think what I think people would have imagined in theory has played out in practice, which is that as the economy becomes increasingly digital and remote, cybersecurity only becomes increasingly important. And I think we're seeing that. So I think it is the case that 2020 budgets, top line budgets for startups probably have most of them gone out the window with elongated sales cycles and drop deals and general caution. We are actually seeing the opposite in some cases where things have really accelerated and overall, I think high quality cybersecurity companies are commanding very high multiples, actually. Even in the midst of a pandemic this is purely anecdotal. There's nothing scientific about this, but I've seen several companies looking for 20 times ARR valuations over the last few months, which I choke on. But it's out there.

And so I think that the persistence of the problem and needs around cybersecurity, the always evolving threat landscape, the always evolving threat techniques and vectors, the always evolving innovation because there's so many smart people in the space and so much really good innovation, whether it's coming out of the various Israeli cyber and technology programs in the army or the U.S. robust ecosystem, there's just a tremendous amount of innovation, a very large market. You do have ... I think the incumbent players who are the public cybersecurity companies of which probably only about 20 or so are becoming increasingly ... Broaden their offering and so become platforms.

So you have that layer of an ecosystem, that upper layer of where the M&A is happening, and a lot of strategic acquisitions to round out these larger offerings, which does speak to the need to ... It comes back to valuation. If your portfolio company is going to get picked off between 100 and 200 million, then you better not get an evaluation of 80 million posts. It's tough to make a living that way.

So there are, of course, the rare, always rare breakouts, like a Recorded Future that I think succeeded so well or is succeeding so well. Because first of all, they were a category killer. I mean, they just absolutely nailed their specific space in threat intelligence. And then by listening to the customer, were able to offer broader and broader contiguous solutions and offerings to further cement the value they brought to their customers. So it is possible to create a standalone large public or large acquisition type cybersecurity company. But there are also a lot of smaller companies that become acquihires, or small acquisitions for the larger players.

Dave Bittner:

And I think about personally, when I go to a tradeshow like RSA, or one of the other tech or security conferences. One of the things I like to do is walk around the edges of the show floor where those smaller booths are because you run across something where somebody has an idea that you didn't know you needed, but now you feel like you can't live without it. I was wondering what does it take to catch your eye? What sort of things spark your interest?

Mark Goodman:

Yeah, good question. So I do the same thing. I walk along the edges, whether it's RSA or Cybertech in Tel Aviv or some of these other shows, because the giant booths in the middle aren't particularly interesting to me anymore. It's the small booths. I think there are areas that we're all looking at. Cybersecurity, I guess like all areas of tech have more than their share of buzzwords and acronyms. So areas of interest. If I see startups in an area of interest that I'm seeing other startups in, I'm starting to get a sense of a space emerging and common themes. So now I'm looking for an interesting angle on that theme, an interesting team that is maybe better positioned than other teams based on where they're coming from to address this emerging space. I guess areas of interest for me now, certainly data privacy, data privacy as both a problem and ... Well, the opportunity and the problem around data privacy and data sharing.

So data is obviously the core problem in cybersecurity, but it's also obviously a very big opportunity for enterprises who are increasingly putting together large data science teams and buying data science tools and platforms and training machine learning models, and building AI algorithms. And so you get a tremendous opportunity with how you can use data, but you've got an increasingly strict regulatory regime that you have to be compliant with for how you use that data and how you share data. So the big one obviously is GDPR in Europe, but CCPA in California is also in effect and having a major impact. And there are bills in many other states, and I suspect we'll be going to a national law like GDPR in the E.U. around privacy. So consumers, I think we're seeing, are increasing singly aware of the fact that all the free stuff they're getting, all the free Google searches and everything else isn't actually free.

Their personal data is strewn across the internet in places they are probably not aware of. They might be upset if they knew about it. And I think people are increasingly aware of that fact, but also the consequences, because as people understand that data breaches are not the exception, they're the rule, if there are inevitabilities. And so if you have a large digital footprint that you are consequently more apt to suffer the consequences of a data breach. If you shrink your digital footprint, then you're less likely to suffer the consequences. On the enterprise side, there's a tremendous opportunity locked away in enterprise data. That's not a controversial statement. There are opportunities for cross selling either between different groups in the same company or among different related companies. There's collective security. If you share data for, let's say fraud, there are benefits for collective security.

There's data sets for training machine learning models. There are all these ways that data analytics, data sharing can be extremely beneficial for inside an organization and with collaboration among others organizations. But it's also for reasons of confidentiality, wanting to keep data sets proprietary. In the regulatory structures that we mentioned, it's hard to do. So you've got this a huge opportunity on one side and major friction on the other. So there's a whole crop of companies out there now, helping essentially companies share data without sharing the data. So share the data while maintaining the confidentiality. So there are companies that do that using a homomorphic encryption, companies like Enveil or Duality. There are companies, one called QEDIT, that uses a variety of privacy enhancing techniques for similar use cases. So emerging, I would say, space, but one that I think will become increasingly important.

Dave Bittner:

What is your advice for that person who may be coming up, may be coming through school and thinks that the VC world is an area that they'd like to pursue professionally? And any guidance for what the best pathway is into that?

Mark Goodman:

Sure. Given my own path, I'm probably the last person to be offering that advice.

Dave Bittner:

Get your PhD in philosophy.

Mark Goodman:

I essentially stumbled into it. So yeah, the first thing I would do is get a PhD in philosophy.

I think venture capital is a really odd field. It's not like accounting or law or investment banking or banking where you have, or consulting, where you have a real set recruiting process, a clear path. It's a small industry. It's a very ad hoc industry with a lot of small shops. You'll obviously get some big brand name shops, but a lot of small shops. I would say that there are lots of ways.

So maybe that's the bright side, that people come into venture capital through either being an entrepreneur themselves, or having worked at an early stage startup company. They come because they have expertise in a particular field like software development, or other kinds of engineering. You have people who come up through finance, banking, and come up more in the traditional finance route. But it's a hodgepodge of background. So I think finance obviously, or even large technology companies as well.

So there's no clear path. Some of the larger firms will hire a crop of young people and put them through with the idea that many will leave and do other things before they come back. But it's an odd industry. I think the best way is to get the relevant experience in a startup, or even try to intern at a VC. But I think the key is, having just hired some folks over the last few months, I think what we ended up gravitating towards were people who were really, I hate the word passion, everybody's talking about they're passionate about this and passionate about that, but really had a feel for the venture capital industry, entrepreneurship, the startup world, and had a view on a space or two, companies that they really admired, companies that they were watching.

I think a lot of venture capital is teachable. There's a lot of pattern recognition over time. The things that aren't teachable are enthusiasm and real interest in particular sectors, the players, the entrepreneurs, the companies in those sectors, the investors who invest in those sectors and are really developing a view that you bring to the table. The stuff about analyzing companies and financials and markets and competition. And I think that's all pretty teachable, but I think having a relevant background and a real enthusiasm and interest and engagement in the startup world is probably the key prerequisite.

Dave Bittner:

Our thanks to Mark Goodman from MassMutual Ventures for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.