Group of CISO Angel Investors Supports Promising Cybersecurity Startups With Funding and Valuable Expertise
Silicon Valley CISO Investments (SVCI) is a new and so far unique approach to angel investment in security startups. A syndicate of practicing CISOs invests its own money and personal expertise into the success of the syndicate’s portfolio companies.
SVCI was formed in September 2019 by seven CISOs and Oren Yunger (currently with GGV Capital, but formerly CISO at Clicktale), and has already invested in three security startups.
The syndicate grew out of an earlier year-long project called Security for Startups, where the CISOs sought to instill security concepts into the foundation of new companies. What they realized, however, was that just eight working practitioners could provide huge insight into the needs of new security products.
“That idea,” Yunger told SecurityWeek, “was that we have very smart people within the group — but putting the group together would create a force with a collective value greater than the individual parts.”
SecurityWeek talked to four SVCI CISOs for a deeper understanding of the purpose and process of CISO-focused security investments.
After Security for Startups, it was natural for the participating CISOs to expand their ambition from helping innovative startups be secure, to helping startup vendors produce innovative and effective security products — and to do that by investing themselves into the startups. What started late last year as a group of eight CISOs has now grown into an Angel syndicate of 46 CISOs, focused in the Bay Area but with members across the country, drawn from all the major industry verticals. The investment from the CISOs is both financial and a supply of unparalleled experience and expertise.
This is a win-win situation. The CISOs financially support promising vendors while simultaneously helping to shape solutions to the very security problems they grapple with every day. The vendors get financial support for their company (perhaps not to the level that can be provided by mainstream venture capital companies), but more importantly, they get an implied endorsement by 46 practicing CISOs — and most importantly, they get practical feedback on what is needed in their products, supplied by the nation’s top experts.
The motivation for the financial support is less to do with making a monetary profit when the portfolio company succeeds, and more to do with making a commitment to help shape effective, innovative security solutions for the most pressing and elusive security problems of today. “We feel that the equity or the capital that SVCI brings to the table is not financial per se,” said Yunger. “We’re motivated, and we decided to put financial capital behind companies because that ties us into the mission — we have more on the line when we have a stake in the game — but the greater value of SVCI is mostly our expertise and experience and knowledge of the subject.”
Harshil Parikh, head of security at Medallia, added, “It is surprising how many security products and vendors there are in the community, but they don’t listen to us. As security practitioners we come across so many companies and products where we just wish they would listen to the practitioner feedback and build a solution that solves our very legitimate problems. From my perspective I think we are all participants in SVCI to make our voices heard, and drive change within the innovation that startups are delivering.”
Avi Shua, CEO and founder of the first investment — Orca Security — supports this view. “There is no shortage of money in the market,” he told SecurityWeek. “A company like Orca would have no difficulty raising finance. But this unique feedback opportunity from SVCI is something I have not seen elsewhere. So, we jumped at the opportunity.”
He explained the nature of the feedback. “We have a Slack channel between Orca and SVCI,” he said. “Just three months ago we used the Slack channel to discuss a feature we had in the product and whether it works for the more regulated industries. We learned that it might be problematic for larger organizations. The feedback from SVCI comprised dozens, maybe a hundred messages, providing advice on alternatives, how to implement the feature, the pros and cons. We took the advice and re-implemented the feature and it was immediately sold to a bank and is currently being evaluated by a large Fortune 100 company. This wouldn’t have happened without the SVCI advice, because if we had presented it as was, we would have just been told, ‘it doesn’t work for financial institutions’: they wouldn’t or couldn’t take the time to work with us on how to make it work.”
There are two obvious side-effects to such an effective concept. The first is that the major VC companies might be tempted to use SVCI as a sounding-board to augment their own due diligence. If SVCI isn’t interested in investing, then maybe they shouldn’t either? “It’s true that we get a lot of ‘inbound’ from VC companies that want to introduce companies into the mix,” Yunger said. But the bad news is that the syndicate has its own process for finding and evaluating potential investment opportunities.
CISOs tend to know what’s going on around them. “They get emails with introductions to new products all the time. Every now and then, they’ll raise a hand to the syndicate and say, ‘listen, this is a really interesting problem that I’m trying to solve, and I met this team that is dedicated and I can see how this company is going to evolve and become meaningful. We should take a look at it together.’ This is how all our new opportunities come to life.”
Each opportunity is discussed by all members. A small sub-set of the companies is invited to present to the syndicate, and this is again discussed internally by the entire membership, which may be followed by a request for proof of concept demonstrations. “For each of these steps,” continued Yunger, “we have dedicated teams and individuals to enable us to make good decisions. At the end of this, there is an allocation process where people decide whether and how much they may individually wish to invest in the company.”
Orca may be a little different. The initial introduction came from a meeting at Black Hat — but from then on, the opportunity due diligence process was followed.
The second side-effect is the potential for the SVCI syndicate to be overwhelmed by applications for membership from other CISOs. But while there is no set maximum membership figure, the process of joining is difficult. “We’re an invite-only group,” explained Harshil Parikh. “Potential new members have to be referred by an existing member, and seconded by five other members; and of course, must be an accredited investor.”
From then on, material qualification is not difficult. Ian Amit, CISO at Cimpress, demands commitment to participation. “It’s less about the size of your bank account,” he told SecurityWeek, “and more about your commitment to be part of the process from start to finish – to participate in sourcing, in due diligence, in working with the portfolio companies… really being part of that fabric that makes SVCI so unique, and to be able to contribute to the entire process.”
Craig Rosen, CISO at ASAPP, added, “For me, engagement is key. There’s nothing worse than asking for feedback on a specific technology or platform and having it fall on deaf ears, so it’s important that the engagement level stays high. It’s our objective to make these new products work well. We’re trying to solve really hard problems, many of which have not been solved. We’re looking for the level of acceleration that this group provides, and I think given its focus, given its membership, given the background and experience of its members, we really have an opportunity to accelerate and help solve the problems we’re trying to solve faster.”
However, it is also worth mentioning that the syndicate has a commitment to diversity. An applicant from within an under-represented vertical, or with a new set of skills, would likely be viewed more favorably.
As it stands, it is difficult to imagine a more compelling endorsement for a new product or technology than the financial backing of almost fifty CISOs, nor a better methodology for product improvement than continuous and active engagement with the top security experts in the country.