Reflections on our Decade-Long Focus on Cybersecurity
Cybersecurity is a large and growing market that continues to gain importance as the threat of cyber-attacks becomes more pronounced. Cybersecurity is consistently the #1 spending priority for CIOs, and attacks this year have increased the spotlight on its importance. As more companies digitally transform and are connected to the internet, the increasing complexity of IT environments and the proliferation of attack surfaces will drive continued need for innovative cybersecurity solutions.
As the underlying IT architecture shifts, security needs to change too.
It was the early 2010s when we started to notice rapid change occurring in the IT landscape that we believed would have an enduring impact on the way people thought about cybersecurity. Security isn’t a standalone technology – it’s about protecting IT infrastructure, just like an alarm system in your house. In 2013, when the environment around us started to shift amid the rise and growth of web, email, and SaaS applications, security needed to change too. This placed a spotlight on the role of corporate networks and marked the start of cybersecurity’s transition to the cloud, along with the underlying IT architecture being protected.
We evaluated a few of the key players in the network security space, and from that work developed a thesis for what we thought was the right way to approach cybersecurity at the time: cloud-first, single architecture, with a service provider mindset. Through this thesis we discovered Zscaler, a next-generation provider disrupting the network security market. We led the company’s $100 million Series D round, which valued the platform at more than $1 billion. Three years later, Zscaler went public, and today, the company’s market cap exceeds $30 billion (July 2021).
Security is like a layer cake.
Around the time of our investment in Zscaler, there was a massive advancement in firewall technology, which is like the moat or castle wall around a corporate network. There was a line of thinking at the time that because of this technology – which manages and blocks traffic coming in and out of a corporate network – endpoint security would no longer be necessary in the way it once was. Essentially, that securing individual computers didn’t matter as long as the network was protected.
Our approach to cybersecurity is always to think about how things should work, which is not necessarily what we see happening in the market. To us, the idea that the endpoint was dead didn’t make sense. We see cybersecurity as more like a layer cake than a substitution – you are safer and better off with all of it. On top of that, CIOs take on significant risk by ripping out any cybersecurity solution, in the event that an attack happens that could have been prevented. We believed endpoint was an essential ingredient that would only become more important as applications moved out of closed networks and into the cloud.
Roughly a month after our investment in Zscaler, we made what was then considered a contrarian call and led a $120 million growth funding round in Tanium, a disruptive leader in endpoint security. This conviction in the endpoint space gave us the confidence to reach out to Intel about a potential carveout of McAfee. Following a two-year relationship with Intel, we acquired McAfee in a transaction that valued the new independent entity at $4.2 billion. Since the carveout, we’ve worked with McAfee management to execute several operational enhancements and business-building initiatives, including their transformative acquisition of SkyHigh Networks, a cloud security startup. McAfee went public in 2020, and today has a market cap of more than $11 billion (July 2021).
Identity as the next frontier.
The same approach that led us to make a contrarian bet on Tanium shaped our belief in the strategic and growing importance of a part of the market called identity security, specifically, privileged access management (PAM).
There has been a steady acceleration of several IT megatrends over the past few years – from the explosion of cloud services, to the growing interconnectivity of networks. On top of this, more and more companies are feeling compelled to transform their businesses to digital-first, resulting in a proliferation of privileged accounts within the modern business and new potential attack surfaces within areas such as DevOps. In an increasingly remote, dispersed, and complex environment, it made sense to us that protecting these privileged accounts – a company’s proverbial “keys to the kingdom” – would be critical.
One of the insights we’ve gained over our years of investing in this space is that cybersecurity technologies start out in a back corner of IT, but at some point, they break out and become big business user markets. In 2015, we were introduced to Centrify, a then-emerging PAM leader, and met with the team nearly every year after as we waited for this subset of the market to evolve. In that time, PAM went from a niche market to one of the fastest-growing areas in cybersecurity.
We invested in Centrify earlier this year out of our buyout fund, and shortly thereafter merged it with Thycotic, a next-generation PAM provider. Through this combination, we saw a unique opportunity to build a leading identity security vendor offering scalable, cloud-first products, in an environment where cyber-attacks are increasing in both frequency and sophistication – Forrester estimates that 80 percent of all cybersecurity breaches involve privileged credentials. Now operating under the interim name ThycoticCentrify, the integrated platform brings together complementary product capabilities, best-in-class technology, and deep expertise to better enable and protect the modern, hybrid enterprise.
We believe we are only scratching the surface on the new network topology. Some of the most influential companies today have no corporate network – their entire IT estate is cloud-based. This has its advantages from a cost and flexibility perspective, but it also brings some very complex security challenges. How do you use cloud security to protect a company that has its entire development system in the cloud? How do you protect against supply chain attacks and third-party risk? This brings us back to the drawing board once again.
We are also spending a lot of time studying data and privacy, which are two separate but related areas that are becoming increasingly important as companies need to leverage data in all aspects of their business in a privacy-compliant way. Enterprises and individuals both want better control of their data without limiting the ability to use the data for analytics. We believe this demand will create a significant need for tools that provide better visibility, transparency, governance, and protection of data.
Finally, we’re focused on application security, or DevSecOps, which embeds security earlier into the software development process (“shifting left” to enable security from code design through production). We’ve invested in a few companies focused on this space, including Checkmarx, Sonatype, and Arxan Technologies, which is part of our Digital.ai DevOps platform.