Interview: How Cyber Startups Can Ensure Success

Alberto Yépez is co-founder and Managing Director at Forgepoint Capital, the most active early stage cybersecurity venture capital firm in the world, with 37 active companies and the largest and most diverse investment team of investors in the space. Yépez is a serial entrepreneur with a wealth of experience leading businesses to successful exits, including enCommerce (acq. Entrust), Entrust (acq. Thoma Bravo), and Thor Technologies (acq. Oracle). Since Forgepoint’s founding in 2015, the fund has raised $770 million and deployed over $500 million, backing industry leaders such as 1Kosmos, Area 1 Security (Cloudflare), Attivo Networks (SentinelOne), BehavioSec (RELX), Bishop Fox, Cysiv (Forescout), Huntress, IronNet Cybersecurity (NYSE: IRNT), Noname Security, NowSecure, ReversingLabs, Uptycs and more.  Yépez also currently serves as the Chairman Emeritus of the Hispanic IT Executive Council (HITEC),  which is focused on building stronger technologies and executive leaders in today’s digital-first world.

At RSAC 2022, we spoke with Yépez to discuss the challenges that cybersecurity startups currently face and how they can combat them to ensure success, as well as how the increasing number of acquisitions in the cyber world may affect companies just starting out.

Could you give us an introduction to Forgepoint Capital and the work you do within the security industry?

Forgepoint Capital is a venture capital firm that’s focused on cybersecurity and cloud infrastructure. We believe security is fundamental to software development and industry innovation. So, it’s not just features, speeds, and devices, but also cyber insurance, data analytics, and related capabilities needed to deal with privacy. We believe that cybersecurity enables economic prosperity and helps businesses transform digitally, while protecting individual privacy.

We’re mission-oriented in the sense that we are committed in backing companies protecting the digital future. What we do matters, and we back our companies holistically stage to stage with hands on support. I’m not just somebody who puts “money on a bet” with the hope that a company is going to do well. I never expected to be a VC either. I was an engineer who bootstrapped my own company in cybersecurity and eventually wound up in venture. As an operator and serial entrepreneur, I have a good sense for what it takes to succeed.

In terms of size, we’re one of the largest—if not the largest—cybersecurity venture capital firms, with one of the most experienced and diverse teams in the industry. Although we started the firm in 2015 and are a relatively young franchise, we’re investing out of two funds we raised that total $770 million—and have been one of the most—if not the most—active funds in our sector and stage.  Of the 42 investments we’ve made, 37 are now active (we’ve had one IPO and the others have all been successfully acquired). Each company  is out to solve different problems, but also work together and complement each other – there’s a lot of synergy across our portfolio that drives partnerships and accelerates growth.

As you know, a venture capitalist is somebody that receives funding from a pension plan or from family office, and  seeks to return a multiple of that capital by making strong investments that have good exits, whether via IPO or acquisition. We take a discerning view of the market grounded in extensive analysis and due diligence, resulting in a highly selective approach towards the investments we make. We then go deep in the ways we support our entrepreneurs with strategic guidance, customer access, and more.  

The cybersecurity industry is growing constantly, with innovative new products being designed to combat the sophisticated threats we’re seeing. But it isn’t aways easy to break into a market, new or established. What are some of the main challenges that cyber startups currently face?

How do you break into a new market is such a great question. Let me give an example. Let’s say you have an intrapreneur—a successful potential leader within a large corporation—who knows what he wants to do and has a uniquely differentiated technology in mind, but doesn’t know how to break into the market. The role of the venture capitalist is to say, “I can open my network and help you validate your claims to your solution.”

I met with somebody earlier in this position, and we set up a meeting with the Global CISO of Santander, the 16th-largest banking institution in the world. Santander is always looking for new innovative solutions, and because we have great relationships on both sides, we were able to bring them together. One side has the problem while the other has the right solution. We let the company—Santander—test the solution and validate it. If then we decide to invest and they decide to buy the solution, Santander becomes a reference customer.

In my opinion, the best way to break into a market is to get your claims validated by these sophisticated third parties through real life situations as the decisionmakers at companies who are quite familiar with the use cases and problem sets. Once you get those reference customers, you can attract channel partners across the rest of the market and go global. You don’t just become a success in the UK or the US—you can take your solution anywhere.

That’s what we do. We’ve run companies before and we have relationships all over the world, so we may not offer the highest valuation, but we offer the most value. We’re very fair when it comes to valuations and we’re going to help you succeed.

How do you choose which organizations to invest in, and which ones to partner them with to validate their solutions?

That’s another great question. I’ll answer the first part first. There are five key criteria from our point of view: First, how big is the market and how fast is the market growing? Obviously, you want to invest in a big market opportunity that is growing fast.

Second, how unique is the solution, and how hard is it to replicate? You don’t want a Google or Microsoft to come in and throw more money into the intellectual property, so the technology must be very unique and hard to replicate.

Third, how easy is it to find you a company to partner with? We spend a lot of time on that one. The go to market strategy, who will you partner with to reach the market, and at what stages we can do co-marketing, co-selling, and reselling so you can expand globally are all key considerations.

Fourth, is the team. We look at whether they’ve done something similar before, we look at their experience and skill sets. Obviously we don’t expect the team to be concrete—we will add to the team and figure out what we can do as we go along.

The fifth and final item is, how strong is the syndicate of investors? Who invested before us and what value will they bring to the table beyond investment and will they support the company through good times and bad?

So, market, intellectual property, go to market strategy, team, and syndicate. If one of these fails, it’s not going to be a successful company.

Now, who we decide to partner them with is very dependent on what they’re doing. For every company we consider investing in, we try to work out what the right ecosystem is for them. And it depends on the markets that we have. For example, if we’re looking at a cyber insurance company, we’ll think about connecting with Lloyds of London, Willis Towers, or AON, because they have the need for that product and they know that cyber insurance is one of the fastest growing markets, but they don’t know much about technology or analytics and they want a partner to help them underwrite that.

How might the increasing number of acquisitions in the cyber world affect companies just starting out?

It’s great to be acquired—especially if people are going to pay a lot of money for your company! There are different reasons why cybersecurity companies get acquired, and transactions happen depending on the stage and fit. If you’re a fairly early-stage startup, they value your technology and your reference customers. Before you scale and bring more money, they want to make you part of their solution, so they can share your tech with all their customers and grow their capabilities.

By the time you grow to the next stage, they value you because you have a business. You have not only a team, but also great customers who have channels that they don’t have in the market in which they want to expand.

One of the unique things about the cybersecurity industry is that more than 95% of companies get acquired. There’s a difference between being sold and being acquired. If you’re being sold, it’s because you can’t scale, so you need to sell the company. If you get acquired, it implies that somebody’s going to come in and buy at a premium.

I’ve been an entrepreneur and built three companies that were acquired. There’s nothing wrong with that. You get more experience, and you get a lot of liquidity. Let the public company scale the business, stay there for a few years to help them understand the market and build a team, then you can move on to the next one.

If you look at some of the fastest growing companies in cybersecurity, one of them is Cloudflare and anoher is SentinelOne. SeninelOne is probably the fastest growing in terms of revenue —almost 100% year-on-year. It’s hard to be a public company and almost double every year, but they wanted to continue their rate of growth. So, they bought a unique technology — Attivo Networks —  one of our more mature companies, which was doing more than $50 million ARR—that enhanced their capabilities and enabled expansion into other markets to gain tens of thousands of new customers.

They made money, we all make money, and everybody’s happy—while addressing real customer needs. Acquisitions are good news, because the established companies cannot innovate fast enough, while the startups don’t have the scale.

There has been an extraordinary wave of consolidation in the market—I’m pleased to share that Forgepoint has celebrated the acquisition of four of our companies in the last 120 days. So, what does all this M&A activity mean for startups? They should be prepared for potential inquiries and associated diligence, and for their competitors to be considering consolidation as well. Though cybersecurity is one of the stronger sectors and more immune from the market uncertainty, anything can happen and their exit timeframes may be faster than expected. This is when your investors can really help—ideally, they are seasoned investors and company builders who have exited companies and help others do the same.  

There can sometimes also be anxiety around the idea of acquisitions. Why is that?

Acquisitions are generally very positive, but let me give you some of the potential downsides. Many companies buy emerging companies and kill them because they don’t know how to integrate them properly, they’re unable to retain key talent, or they don’t know how to sell the technology.

Now, when you sell your business to a buyer, the anxiety is that while you may be financially rewarded, your solution may disappear. I sold my first company to a company called Entrust, and they really killed the product. We were the number one company in the world, but, because of the market downturn, they couldn’t invest in our go-to-market and had to prioritize their own products instead. They effectively pulled us off the market and we didn’t realize our full potential. That was a billion-dollar transaction and we made a lot of money, so on one hand it was fine from a financial perspective, but on the other hand, you have the consumers of that technology—your customers—who  become disappointed. They’ve come to rely on your technology as the best solution for their needs, then suddenly it gets killed.

In the case of Google acquiring Mandiant, for example: is Google going to kill Mandiant or is Google going enable Mandiant to be more successful? There are two sides to the story.

What is your final piece of advice to start-ups that want to cause a stir in the cyber market?

Focus. You cannot be all things to all people, so you have to be the best in what you do. Even if it’s a very narrow solution, like in the case of Area 1 Security—they were the best at defending against phishing attacks and they were recognized for what they did. That’s what ultimately got them to cross the chasm, become successful, and get acquired by Cloudflare.

If you want to try to do this, that, and the other, you don’t do anything well or you just spread yourself too thin.  You have to have focus and to be adaptable to the market conditions. Many entrepreneurs are afraid because all the valuations have gone down or they think there’s no money. But there’s a lot of money to invest! Sure, valuations have come down and people may not value your company at $100 million, they may value it at $50 million instead, but that doesn’t matter! Get the company funded so you can get to the next round and the next one will be even bigger. The cybersecurity market is very resilient, and it’s one of the very few markets in the technology sector that’s growing at almost 20% year-on-year. Last year, the market was $170 billion, and it’s expected to be more than $500 million in the next four or five years. So, my advice to every entrepreneur, is to focus.

Thank you to Alberto Yépez for taking part in this interview. You can find out more about Forgepoint Capital’s investment services and partnerships via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.