Our Early Road Maps in Cyber Security
Bessemer Venture Partners is a multi-national $4 billion venture capital firm that develops investment strategies based on internally developed road maps. Each road map documents important changes in the global economy (e.g. technological, geopolitical, regulatory, demographic, medical, perhaps soon climatic…), and the entrepreneurial opportunities that arise from them. Road maps typically last between three and ten years.
The firm’s first formal road map meeting took place in December 1992, twenty years ago. At that first meeting we approved five technology road maps, one of which was cyber security.
It was the dawn of the commercial internet, and although we couldn’t appreciate just how important it was, we were intrigued with the implications of TCP/IP networks spanning multiple enterprises. At the time we were still assessing the opportunity to fund Performance Systems International (PSI), which would soon become the first venture-backed Internet Service Provider. Although there was no HTTP web traffic for PSI to carry in 1992, we saw that SMTP email had started flowing. This was really the first time that computer networks connected competing parties – before the spread of TCP/IP, every computer network had been contained to a single government, university, or company. So there had never been much thought put into securing network protocols, and TCP/IP was no exception, having been developed by DARPA strictly for US military use.
We concluded that shared computer networks must somehow be enhanced to incorporate security. Although the problem was only theoretical at the time, we decided to bet on the inevitable value of cyber security. We commissioned a new road map in the space and in early 1993 we started looking for teams to back.
This was a contrarian move, since there hadn’t been any venture success in security. The exception was Motorola’s acquisition of Codex, which sold encryption boxes to the government. David Cowan recalls a conversation in 1992 when the Codex CEO Per Suneby put his arm on David’s shoulder, advising him, “Son, don’t ever invest in security.”
Firewalls represented the first important security market. Unfortunately we passed on Checkpoint because the market was fragmented (PSI was using Morningstar) and we didn’t expect Sun to be such a strong distribution partner. But we did fund Altiga, a VPN firewall startup, which Cisco acquired and still uses today.
By 1996 we had made several investments in computer security, all of which went public during the boom of the late 1990’s. One of them was VeriSign, which we founded and incorporated in our offices in January 1995 as Digital Certificates International, before cutting a deal with RSA to exchange technology for equity. VeriSign was the first security company to deliver its product purely as a service (SSL certificates sold as annual subscriptions), and so it also fit into our road map for hosted services, or what today we refer to as Cloud Computing. Since then, most of our security investments have also been cloud-based companies, such as Valicert, Counterpane, Qualys, and Postini. Cloud computing is especially relevant to security companies since cyber security solutions must constantly incorporate new technologies and signatures.
Several other commercial product categories emerged in the 1990’s to protect enterprises and consumers – particularly vulnerability scanners, intrusion prevention appliances, URL filters, and anti-virus software for email servers and desktops.
Follow the Hackers
The years 1999 to 2002 were good ones to be invested in enterprise security because the large integrators went on a buying spree. By late 2002 they all had Swiss Army Knives with more products than any enterprise customer could actually deploy, and the acquisitions slowed down.
That’s about the time we noticed a rise in hacking for profit. Until then, cyber attacks had been committed for ego, mischief and occasionally political expression, but hackers were discovering profits in spam and phishing fraud. So at Bessemer, we shifted our attention from protecting enterprise assets to protecting consumer assets. We funded companies like Postini, Cyota, and SiteAdvisor. As hackers moved into identity theft, we funded Lifelock, BillGuard and Reputation.com.
Later in the decade, we saw another shift of hacker activity, this time into cyber warfare. This development brought governments to the commercial cyber security market. For the first time, the security industry needed to develop “active defense”, or the ability to identify cyber intruders and possibly disable them. ThreatTrack Security, for example, is a Bessemer company that arms many federal agencies with malware diagnostic tools.
Military and intelligence agencies are also interested in first strike capabilities. In the last two years, the public has gained visibility into the high level of cyber activity among governments, including attacks launched by the US, Israel, China, Gaza and Iran. Cyber warfare has become a fact of life, and a critical component of most military missions. Those nations with the best capabilities will enjoy strategic advantages at a tiny fraction of the price paid by conventional militants in money and lives. Cyber warriors have emerged from the closet, as the US Congress scrambles to legislate the rules of engagement for private companies, law enforcement, intelligence agencies, and the military. Based on trends in the US military budget, cyber startups will likely command an increasing share of the US defense industry.
Another exciting active defense company is Endgame Systems, whose directors include industry luminaries like ISS founder Tom Noonan and General Ken Minihan, former NSA Director. Bessemer, Columbia and Kleiner funded the Series A round of Endgame in 2008, and Bessemer Operating Partner Nathaniel Fick joined the company as CEO.
In the last couple of years, as Cloud Computing has altered the landscape of IT, we have followed the hackers into the cloud. Today it is commonplace for hackers to use cloud-based resources such as bot armies and virtual servers to launch their attacks. Also, they now routinely attack cloud-based service providers who store valuable data for their clients, but without mature security infrastructure. We predict strong demand for startups that obstruct these new, cloud-based attack vectors.
We believe that startups can also use Cloud Computing to develop new and stronger defenses. First, they can migrate existing security products to the cloud, where they are easier to deploy, correlate across customers, and update in real time with new attack signatures. Second, they can harvest data from the Cloud to profile reputations, identify fraudulent transactions, and analyze bot traffic. And third, startups can use the cloud to secure mobile devices by analyzing their network streams (since mobile devices lack the battery life and processing speed to run persistent anti-malware agents).
Bessemer’s Cyber Team
Our cyber investment team includes:
| David Cowan | Cowan is a Partner in Bessemer’s Menlo Park office. Cowan founded VeriSign in 1995, and Good Technology in 1996. He has also led investments for Bessemer in Postini (acq. by Google), Lifelock (NYSE:LOCK), Cyota (acq. by RSA), Tumbleweed (acq. by Axway), ON (IPO, acq. by Symantec), Worldtalk (IPO, acq. by Tumbleweed), Valicert (IPO, acq. by Tumbleweed), Endgame, Finjan (XOTC:FNJN), Counterpane (acq. by BT), and Qualys (NASDAQ:QLYS). |
| Chini Krishnan | BVP Operating Partner Chini Krishnan is CEO of GetInsured, the leading provider of secure health exchanges. Krishnan serves on the board of Lifelock, and in 1995 he founded Valicert to commercialize his patented inventions in Public Key Cryptography. |
| Nate Fick | BVP Operating Partner Nate Fick is CEO of Endgame Systems. Previously, he was CEO of the Center for a New American Security, and a Marine Officer recognized for utilizing innovative technology in Iraq and Afghanistan. |
| Adam Fisher | Adam Fisher, a Partner in Bessemer’s Israel office, serves on the board of BillGuard. |
| Jeremy Levine | Jeremy Levine, a Partner in Bessemer’s New York office, invested in eEye and Intego. |
| Byron Deeter | Byron Deeter is a Partner in Bessemer’s Menlo Park office and leads our Cloud Computing practice. He also led our investment in DocuSign. |
| Rob Stavis | Rob Stavis, a Partner in our New York office, leads our Financial IT practice. He invested in both SiteAdvisor and Kroll Consulting. |
| Steve Kraus | Steve, a Partner in our Cambridge, MA office, leads our healthcare IT practice. |