As cybersecurity investment booms, Lucas Nelson of Gotham Ventures highlights two cultural changes and two new technologies transforming the cybersecurity market.

The following is a guest post by Lucas Nelson (@lucasnelson), Principal at Gotham Ventures.

In 1995, when I was in high school, I was part of the Cypherpunk mailing list; a group list of forward thinkers who created a movement to fight the US government’s restriction on cryptography. While many brilliant people were on the list, Julian Assange is the alumnus who has become most notorious.

While they were best known for their fight against government key escrow (an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys), the members also thought deeply about what an Internet connected future would look like. As a group they were very prescient and they thought through many ideas regarding living in a digital world that have only now become relevant to the mainstream.

Back in the 1990s, they experimented with many of these ideas, but like punk music, the Cypherpunk movement was low fidelity, meaning it was often DIY and unpolished, and as such the ideas failed to gain mainstream acceptance. Today, the tools that were difficult to use and understand 20 years ago have become simple enough that mainstream usage is happening. Another factor is that there are two orders of magnitude more potential users on the Internet today and everyone is now aware of the fact that encryption is necessary for privacy on the network.

For these reasons, now many of their ideas are not only feasible, they have caught on. Some ideas, which have become products today, that have clear predecessors on the Cypherpunk mailing list are:

  • Digital currencies, which today are finally gaining traction in Bitcoin.
  • The Street Performer Protocol, an idea similar to a juggler who won’t begin his act until enough money has been put into his hat, is the basis for the Kickstarter model.
  • And, of course, they discussed privacy and how to keep communications secret; today we have apps like Snapchat and the encrypted Andriod Blackphone.

Today computer security (Cybersecurity) is a hot space for VC investment, but that wasn’t true just a few years ago. Since I’ve been in the computer security community for more than 20 years, I’ve gotten to experience two of these cycles. Back when the sector was out of favor I came up with a thesis as to why:

1)     Attackers and defenders are in an arms race that causes interesting technology cycles.

2)     Investors tend to follow these cycles, so security investing goes in and out of favor depending on who appears to be winning the arms race.

In 1999 there was an investment peak driven by network security as enterprises put their corporate networks onto the Internet. The winners of this cycle were Checkpoint, Symantec, and McAfee. Then, in 2007 there was another cycle driven by web application security as attackers began to target websites. Winners this time were companies like Qualys, Sourcefire, Barracuda, and Trusteer.

lucascyber1It should be obvious from the graph above that we are now in a third cycle, which is bigger than the past two. These peaks have come 8 years apart, though there is no technical reason to say that this has to remain true.

And while investments have been cyclical, exits have not.


This chart shows that both peak and non-peak years create companies that are bought or IPO. One might be tempted to avoid investing during the cycle peaks, but if an investor skipped those years they would miss out on some of the largest winners.

lucascyber3So, as investors, we don’t want to leave the market completely during peak investing years.

One of the reasons we are seeing the increased investment in cybersecurity is companies are allocating more of their overall budget to protect themselves from the increased number of threats. According to Gartner, an almost 39% increase in security spending from 2013 to 2017 will help even large companies grow at almost 9% a year. Startups, of course, can grow at a much faster rate.


Due in part to those trends, cybersecurity saw record investments in the past few years of approximately $1.5 billion in 240 deals. M&A and IPO activity is also up with a peak in 2012 of almost 100 deals. I don’t expect that to be the top though, since there are plenty of large players who can acquire companies and there still are large cyber security companies in the IPO pipeline.


Exit valuations are in line with venture expectations with exits averaging 10x revenues and a median of 5x revenues.

All of this data tells us why cybersecurity makes an attractive investment, but that doesn’t tell us what trends and companies we should be looking at. For that we need to see what is driving changes in the cybersecurity market; I argue that there are two cultural changes and two new technologies that are transforming the security market.

Cultural: Due to high-profile security incidents, cybersecurity and privacy have become factors that drive decisions for both the C-suite as well as consumers. I see two investible trends in this change, one that displaces incumbents and another that is a greenfield opportunity that can exist alongside traditional companies.

Technical: There are also two new technologies that, as they get adopted, will need to have security solutions. Security around new technologies always lags behind the adoption but has been a well-proven investment thesis. As with the cultural themes, one of these themes will displace existing firms while the other is a greenfield opportunity.

Thesis: The attackers have won

cybertheme1The first cultural trend comes from the admission that no system is truly secure, given enough time and money any system can be broken. While the security community has known this for decades, most CEO’s didn’t understand it. In the past, if a security breach happened the CSO was fired and that was the end of it. The forced resignation of Target’s CEO was a wakeup call to executives and led to their realizing the reality of the situation.

Instead of trying to create a system that can’t be broken, there is increasingly a focus on reacting once an attack has been initiated. Companies riding this wave will help their customers detect and remediate cyberattacks. While the average time to detect an intrusion today is measured in days and remediation can take weeks to implement, the future will be detecting attacks in real time and cleaning the machine in minutes.

Thesis: Privacy matters

cybertheme2The second cultural trend is around privacy; Consumers have had a wake up call of their own. While many people weren’t surprised that the NSA was violating their privacy, the extent of the intrusion revealed by Edward Snowden has made many take note. This kick-started a long overdue discussion about what data the government is collecting and how companies are tracking consumers and selling the data to advertisers.

For both businesses and consumers this has led to an interest in encrypted chat and email. In a society where people regularly allow themselves to be tracked at the supermarket for a 3% discount on their groceries, this is a large shift in behavior as they begin to protect their privacy. Today the Blackphone is selling and companies, like DuckDuckGo (a search engine) and Ello (a new social network), are competing on the front of respecting users privacy.

Thesis: Cloud Security

cybertheme4The first technology trend is obvious, everyone knows that the cloud is changing the way enterprises manage their IT. Security has always lagged behind new technologies, so this paradigm shift will have an accompanying security change as well.

In the past, an enterprise had a defensible security perimeter that could be protected by a firewall and extended with a VPN; the metaphor they used was a moat around a castle. Today companies use cloud services, the result of which is that they no longer control the infrastructure that employees are utilizing. For instance, to revoke a users access to a file they manage permissions in Dropbox. To prevent the same user from getting their email they have to administer Gmail access.

User management that used to happen inside of Microsoft’s Active Directory is now spread across several systems. Products that help manage this proliferation of services will be the first step and will be quickly followed by products that extend access control decisions to 3rd party platforms.

Thesis: The Internet of Things


The second technology trend, and the last thesis, is based on the Internet of Things (IoT). Adding Internet connectivity to essentially everything is going to create a much larger surface of attack for the average consumer. Today one can count the number of their devices that access the Internet (e.g. Laptop, phone, iPad, Chromcast). But very soon, you will no longer be able to keep track of the number of devices on your network as you connect things like light bulbs, refrigerators, and your sneakers to the Internet.

The state of security on these newly connected devices is dismal, recently HP found an average of 25 security flaws per IoT device, and they won’t get better anytime soon. Researches actually found a compromised refrigerator that was being used to send spam emails. The fact that it is difficult to update the software on these devices will only make it worse. There will be a number of companies providing new types of firewalls or network security services to help consumers defend these newly created forms of Internet devices.

While each of these investment ideas can yield large companies, I believe the last one has the potential to really change the cybersecurity landscape. I think these are very exciting areas to be exploring, and I look forward to seeing companies that tackle these challenges.


nelsonheadshot Lucas Nelson is a Principal at Gotham Ventures and is a proud geek; a hacker turned VC. Lucas works most closely with Gotham Ventures Portfolio companies STELLAService and ADstruc as well as his angel investments in Branch, DarkNet, and WayWire. He is a Kauffman Fellow, co-authored The Art of Software Security Testing, chaired DefCon – the largest hacking convention in the US – for 10 years, and has been a member of the NY tech community since 1999. Prior to joining Gotham Ventures, he was a Senior Manager for Product Security at Adobe and previously spent time as an Investment Associate at US Venture Partners. Lucas received a B.S. in computer science from Purdue University and an MBA from the Tuck School of Business at Dartmouth.