Ensuring that a company’s information assets and technologies are protected remains a tall order for many a chief information security officer (or CISO). Cybercriminals can be both persistent and creative.
Now, a group of 46 of these professionals is taking the wraps off a syndicate that allows them to compare notes and war stories and will see them advising — and making small financial bets on — some of the nascent cyber security startups whose tools can potentially keep the bad guys at bay.
Called Silicon Valley CISO Investments or SVCI, the idea is to identify these startups, fund them, advise them on pitfalls to avoid, and introduce them to potential customers, including their own employers in some cases. In fact, one of newest bets, Orca Security, an Israeli cloud security firm that focuses on giving enterprises better visibility into their multi-cloud deployments, just announced its Series A round today, with participation from the group.
To learn more about how the whole thing operates, we talked yesterday with two of the founding members of the syndicate: former Splunk CISO Joel Fulton, who has more recently cofounded a stealth startup, and Oren Yunger, who is today a full-time investor with GGV Capital but previously worked as the CISO of two Israel-based companies.
They’d previously come together for a working group focused on helping early-stage executives to address security well before the point where they typically hire a head of security. As Fulton explains it, the more each CISO contributed to the project, the more they appreciated the strength of their collective insights, so decided to form this investing syndicate.
SVCI is invite-only, and members must be recommended by others in the group. “We prefer quality over quantity,” Fulton says. Even so, it’s growing fast. While the group began last fall with eight individuals, it now has 46 members, including the chief security officer of ServiceMax, Al Ghous; David Tsao, who is the vice president of security engineering at Marqueta; and Jonathan Jaffe, who is the head of information security at People.ai.
How it’s all supposed to work: one team of people will act as scouts, another will focus on due diligence. These roles change over time. “We had to have forced volunteerism” at the outset, jokes Fulton. “You don’t have to dedicate 10 hours a week” to SVCI,” adds Yunger, “but you have to be included in the conversation. There are no passive members.”
After settling on roughly 40 companies per quarter, the group winnows down their favorites to four, who present to the group. The companies can have just raised money or be about to raise again, but they have to be willing to leave a small portion of one of these rounds open to SVCI, should its members opt in.
If the startup gets the green-light, the group will contribute roughly $200,000, no matter the number of SVCI members who want to participate in the deal, which is entirely optional for each person. (The capital is bundled into special purpose vehicles so the startup isn’t stuck with potentially dozens of people on its cap table.)
It’s a small amount, obviously, just enough to form a relationship with a startup that the group wants to help — and that it thinks will make the group look smart as it works to establish its reputation.
It’s also just enough to form potential conflicts of interest on both sides of the table. You might imagine that Yunger’s ties to GGV could translate into signaling risk for a startup whose Series A doesn’t involve GGV, for example, though Yunger insists this shouldn’t be a concern, saying the two operations are “mutually exclusive.”
Companies might also be concerned about revealing too much about their products to a room full of security pros from big companies that could potentially replicate their offerings.
Fulton says that SVCI first filters out startups that “have an unreasonable expectation” of privacy, and that when it does invite companies to lay out what they do to the group, founders can “stay mum” on certain things, as well as drop out of the process at any time.
There is always the risk, too, that members of the group will promote to the employers startups in which they have an interest for their own gain, but Fulton says that to avoid it, all members agree to work within their companies’ conflict of interest policies and to disclose financial stakes where they exist.
In the meantime, none of the members is exclusively committed to working with SVCI or funneling deal flow its way. Some have and will continue to advise other venture outfits that are focused on cybersecurity startups.
In fact, in addition to seeing what’s bubbling up in their world, many advantages to members of SVCI are largely personal.
Yunger notes that while everyone “has a day job,” it’s a “really nice mesh of people” to be more tightly connected with, from execs at Fortune 500 companies to those at largely privately held outfits.
Fulton echoes the sentiment, saying the “interconnectedness” it provides is “greater than a Slack channel.” Besides, he adds, there is intellectual strength in numbers. “I love learning how CISOs who don’t think like me do think and stealing from tools from their toolboxes.”
In addition to Orca, SVCI has so far made two other investments. One remains in stealth mode. The other is Tonic, a two-year-old, San Francisco-based synthetic data provider created by former Palantir and Microsoft engineers and that has raised roughly $2 million in seed funding to date.