VC Expert: Cybersecurity Industry Is Ready for New Players
Forgepoint Capital's Alberto Yépez on the State of Cybersecurity Amid the Recession
Tom Field (SecurityEditor) • April 26, 2023
Despite the current macroeconomic headwinds, the cybersecurity industry is at an optimal stage for the emergence of new companies with increasing demand for cybersecurity solutions, said Alberto Yépez, co-founder and managing director of Forgepoint Capital.
Drawing parallels with the 2008 recession, Yépez said there is an opportunity to innovate then and now, and several of the largest cybersecurity companies today were born out of the last recession. During these lean times, the competition and "noise in the market" are at their lowest. The market is self-correcting, but the need for cyber protection is more important than ever, thanks to sophisticated attacks and the increasing misuse of artificial intelligence by bad actors, he said.
"You see a perfect storm brewing because you have the need to avoid cyberattacks, you have regulation that is driving, and you also have the ability to try to drive answers to the new emerging technologies that we have," he said.
In this video interview with Information Security Media Group at RSA Conference 2023, Yépez also discusses:
- Why cybersecurity continues to remain a top priority in technology budgets;
- The U.S. national cybersecurity strategy and the role of the government in improving critical infrastructure protection;
- New areas of investment companies are looking toward.
Yépez is one of the pioneers of the cybersecurity industry. A serial entrepreneur and global investor in cybersecurity, he has a track record of building global businesses and leading them to successful exits. He currently serves on the boards of Constella Intelligence, CyberCube, Huntress, NowSecure, ReversingLabs and Uptycs.
Tom Field: Hi there, I'm Tom Field. I'm senior vice president of editorial with Information Security Media Group. Talking today about the state of the cybersecurity industry is Alberto Yépez. He is the co-founder and managing director of Forgepoint Capital. Alberto, the first time in three years, we've been able to do this face-to-face.
Alberto Yépez: It's a pleasure to see you again.
Field: The cybersecurity industry has come far since the last time we sat down to talk - we've seen ups, we've seen downs. Since this year has started, we've seen some companies have left the market; we've seen some layoffs; we've seen some consolidation. Give me your diagnosis here, what's the state of the cybersecurity industry? And I know you're going to be optimistic.
Yépez: I have to, because I think this is the best time to start a company. Think about during the downturns and you kind of correlate when Palo Alto, CrowdStrike, Zscaler got created. It was around the 2008 downturn.
Yépez: And, there is less competition because there's less noise. Maybe 12 months ago, there were so many companies doing the same thing, and a lot of it was marketing. And you wouldn't recognize which ones had the real technology solution. So there's some good things about the market that is just by itself, it has to correct. So Forgepoint to remind you, we're one of the largest, if not the largest, early-stage venture capital firms investing in cybersecurity. We have invested in 46 companies to date, and we have 35 active portfolio companies. We've grown the team. We have 25 members on the team, of them 12 are investors, because imagine having to invest in all these different technologies, you cannot be an expert in everything else. So we're privileged and feel honored to be able to be working with amazing intrapreneurs to create the next generation of companies that protects the digital future. This in our mission is protecting the digital future. So talking about the market, at a macro level, you see, moving toward a recession, capital is getting more expensive. SPV came through some challenges. And now there's an opportunity for other banks to serve the venture capital community and venture-backed companies. But all in all, it's an ecosystem that is very resilient. If the demand wouldn't be there, these companies in this market will not go anywhere. So as you can attest, this is one of the top priorities in terms of budgets. When you talk about technology budgets with anybody in the industry, they will tell you that, some of them may be going down, cyber is the only budget that is going up because the board of directors are not getting involved in. The SEC is beginning to get very active in trying to I wouldn't say demand but to require. And then why because as a board member in a public company or a private company, you will be liable if you don't provide the right guidance for companies to do that. So all that generates demand.
And therefore, there's an opportunity to create innovation. And then we combine that with the cyberattacks and the cyberthreats. There is more, they continue to be more sophisticated, using AI to make it even more difficult to detect. So you see a perfect storm brewing because you have the need to avoid those attacks. You have regulation that is driving. You also have the ability to try to drive answers to the new emerging technologies that we have.
Field: Well, you make a good point you talked about 2008. And certainly yes, because budgets are tight, and staffs are lean as they were in 2008. The attack surface is infinitely larger than it was in 2008. The adversaries are infinitely more focused than they were in 2008. How does that foster an environment for innovation when you're constantly just trying to keep up with what's going on around you?
Yépez: Well, that's a great question. Always ground yourself with the need of the customer. They have to regardless whether all these things change, they need to defend the banks, the water processing, the nuclear plants, whatever. Therefore, they need to look for answers. Therefore, there's an opportunity to create new solutions on the changing environment to be able to do that. So the fostering of innovation comes because of the attack surface and the sophisticated attacks. The fact that these are real in their impacting companies and therefore think about the growth of cyber insurance, for instance. As a board member, you need to be able to ask, do you have cyber insurance? Are you going to have the right coverage? And even though that happened in the last couple of years, the insurance industry lost a lot of money. Because as they underwrote cyber policies, they were all not profitable. So the use of data analytics, predictive models, etc. to make sure that you can underwrite cyber, and try to help companies at least get the right processes in place to be able to defend the adversary. So I think it's a more of a need, rather than a nice to have.
Field: Let me ask you about some themes. Certainly over the past year or so two years, we've seen distributed work, we have seen cloud migration, and we've seen digital transformation, what are the new areas of investment you see opening up? And I bet that generative AI is going to be near the top of that list.
Yépez: It will be. But let's step back. So the pandemic taught us that we could be resilient and move very quickly to enable that distributed workforce, not only distributed workforce, our kids were going to school on remote basis. But, the decisions that were made two years ago to protect the distributed workforce were very tactical. Therefore, now many companies they are not looking at the next generation, they're saying, architecturally, do we have the right solution? In this way, you keep on hearing zero trust, again. Why architecturally sound solutions that can help these distributed environments and it's here to stay, it's not going to go away anytime soon. So from that regard, you see, the next-generation companies are beginning to offer you that distributed infrastructure for people to do that. But you said it correctly, because it now includes the cloud, which before it was beginning to get included, but it wasn't there. So now, when you talk about cloud, there's not one, there's three or four. So to name a few, Google, Microsoft, Amazon, etc. And then - you see, the private cloud is a public cloud. And all of this is dictated by the need in applications that people use. So the need for protecting the distributed environment, enabling their transformation of businesses therein, and therefore, I think, once again, creates new opportunities for investment. So zero trust, the whole area of protecting identities across multiple clouds. Imagine before it was enough to say there was the IBM stack, the Oracle stack and others. And then we felt comfortable, because we have stacks that manage areas across them, there were silos. The same thing is happening. The silo for identity for Google, the silo for identity of Microsoft, because they want to lock you in. But as a consumer, you want to work with all of them, and you have to work with all of them. 
And therefore, that's the whole area of identity, it is because you're trying to protect information that somebody is using and consuming. And therefore how can you provide the appropriate controls and the right safety?
Field: Now, we have got a new US National Cybersecurity Strategy. And we already talked about those. There's a sense that there's more regulation coming. What role would you see the U.S. continuing to play - the government - in improving critical infrastructure protection and fostering the type of innovation you've talked about?
Yépez: Because two things on the cyber strategy, the thing that got me nervous is the shifting of liability to the providers.
Yépez: And everything else is great, because we got our work together, and we have to have all the right.
Field: Everyone else says it's a great thing to put it liable, but you, it makes you nervous. Why is that?
Yépez: Well, how are they prepared? How are they going to assess that I did my best effort to do that. No nervousness is that I think there's a lot of work to be done.
Yépez: People talk about software assurance, talked about the supply chain. How do you know that NVIDIA, or whoever SolarWinds and Zoom, they didn't have any bad intentions, those backdoors that existed and created, how do I know that I do, was that I'm going to shift the liability, those companies will not exist. So they need to show the proper hygiene, the proper investment so that they can say, I did my best efforts, therefore, I cannot do that. So stepping back, that thing that makes me nervous a little bit is the shifting of liability. Not because it's not the right thing to do, it is the right thing to do because you're going to incent companies to make the right things, both on the consumer side, they're going to demand so what are you doing to test your applications to be able to make sure that they don't have backdoors. On the other hand, you have the vendors having to take it seriously and invest to do that. But that said, I think the cyber strategy. I was in Japan six weeks ago, and I met with a Japanese cyber leadership and they were waiting for the US Cyber Strategy. So we take a huge leap and people oftentimes mirror what we have.
Yépez: And I think, we're taking it very seriously when you talk about critical infrastructure; there's all these next-generation things that sometimes seem a bit mundane to us. 5G was something that we didn't practically take a role in the world. So we're trying to figure out what is the role of the U.S. to do 6G and beyond. The other thing is the use of AI to protect critical infrastructure. And there's been a lot of hype discussions about AI. AI has been around for a long time. In expert systems and in machine learning, people are talking about cognitive AI and all that. But the reality is, how can you do the responsible use of AI to automate tasks, to try to filter tease the signal from the noise and so on, but that's a lot of different moving parts. So the strategy gives you a framework on how you think about and with the investment that in the public sector, the private sector, the innovation community, and incenting innovation community to do that, and the world is listening, because they want to follow our lead.
Field: So given all this context you talked about, what are the areas of investment you're bullish on today?
Yépez: The whole multi-cloud migration, everyone talks about shift left, which we talked about it - which is shifting toward the developer to build secure code. But that's kind of, I wouldn't say passe, people are still working on a secure code. Instead of shifting left, we're calling something called shift up. Shift up means here you're going to shift to the cloud.
Yépez: In the multi-cloud environment, so that whole area is still nascent, early innings in a lot of things that we knew in our normal environment is all the way from the physical environments and firewalls and all that is moving to the cloud in the multi-cloud and hybrid environments. So that's one area that we're going to be talking for the next five to 10 years. It's going to be big companies that will emerge. And some of them, they're not going to be able to do that. The other area is AI. How do you enable the responsible use of AI? It's not about containment, it's all about enabling. And, I have a thesis on responsible AI. We've been using it for automated systems and trying to automate some basic human tasks. But I think that the key to make sure that we don't get in trouble and you've seen a lot of news about companies in Asia, they were using the OpenAI and they were exposing intellectual property, PII, personal information and people than the user. This is not the way to do it.
Yépez: The way to do it is, there are going to be these walled gardens. For instance, you have a massive database of videos and interviews. And if you use AI, to say check, how many times did I talk to Ron Gula or Alberto? And what things do they say? It will probably do it faster than you and I or the whole team. So there are ways in which AI can be used in a very responsible way. So you're going to see walled gardens with information, that the information you're using those models is verified, the problem is when this information is not verified, so people can introduce misinformation. And therefore now author and you drive conclusions that are the wrong conclusions. So one thing is how do we look at these vertical orientation and walled gardens in the use of AI automation, to be able to drive that you're seeing the bad guys already using ChatGPT to increase the effectiveness of their ransomware attacks. All these phishing emails and all these BECs, remember, you could detect them quickly, because their English wasn't even very good. And the punctuations weren't very good. Now through their use, it looks good. It looks like it would be me sending you an email. So Alberto, fine, this is what happened. So we're beginning to see the bad guys using it. So how do we turn it around so that we can detect some of those issues to be able to do that? So that's one area that it's not like we're waiting for something to happen. People are already using for the wrong reasons. So I guess as corporations, you're beginning to see who will be the most qualified individuals that can take that leap, at the end of the day it's data - data analytics, data processing, data automation and processing. Therefore, now you have many companies, very large banks, the government setting up these joint AI centers.
They're going to try to impact the same way the migration to the cloud and the digital transformation, AI is going to enable us to do more things better, faster, but we have to be responsible in the use. In areas like observability or containment, just do a little parallel to open source. Everybody, when they use an open source routine, they thought it was a good thing to search or an index, or reuse it. But there were backdoors. So the same thing in AI, you're going to have these models. It could tell you that those models don't have a backdoor. That's another area where, it's a very tactical area. Just to give you an example, areas we are focusing on when trying to invest, what is the observability and the containment and of AI models so that we don't get surprised.
Field: Terrific overview. Before I wrap up, as we go into the second half of this critical year, what's your message to investors that support your efforts, companies you invest in, and the customers who rely on these cybersecurity solutions?
Yépez: I would say, this is where the companies that endure and the companies that have resilience are going to come up stronger, because many of them had to cut back expenses and everything else. This is the best time to start a company, establish the company, you are focused on the right things, which is the customer success. And I would say all our lives are continuing to transform digitally in the way we think about it is protecting the digital future and the best is yet to come.
Field: And shift up. You've got to trademark that.
Yépez: And shift up. One of our companies called Uptycs has trademarked that.
Field: Not surprised.
Yépez: It is up to Uptycs, since they're the ones that are driving that effort.
Field: It's been a pleasure. Thank you so much for your time.
Yépez: Yeah, thanks again.
Field: Once again, we've been speaking with Alberto Yépez. He is the co-founder and managing director of Forgepoint Capital. For Information Security Media Group, I'm Tom Field. Thank you for giving us your time and your attention today.