A
You're listening to the Cyberwire Network powered by N2K.
B
This exclusive N2K Pro Subscriber only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter building full stack zero trust networks from the ground up. Trusted by security and network leaders everywhere, Meter delivers fast, secure by design and scalable connectivity without the frustration, friction, complexity and cost of managing an endless proliferation of vendors and tools. Meter gives your enterprise a complete networking stack, secure, wired, wireless and cellular in one integrated solution built for performance, resilience and scale. Go to meter.com CISOP today to learn more and book your demo. That's M-E T E R.com CISOP. After certain particularly long weeks during my years as a CISO, I would need to sit and contemplate a Is the cyber technology industry working across purposes to that of the cybersecurity profession as a whole? Specifically, has the cyber industry decided that they would rather sell mitigation as opposed to solve the problem? We've seen this at times in other industries such as healthcare, where it's so profitable to sell palliatives that some providers appear to have decided that it's less important to cure diseases than it is to sell mitigations. While I do not assume altruism and nobility are the primary drivers for all cyber professionals, sometimes it seems as if the cyber technology industry allows its focus on maximizing profit to stand in the way of advocating for innovative yet incredibly useful tools and solutions. This is to the detriment of the consumer, our clients. Case in point, in 2015, I had the privilege of working with a small tech company based in Australia. The technology in question looked at the problem of establishing identity differently than anything else I had seen, and could do so at low cost and in a way that would virtually eliminate certain types of fraud. 
I sat in on a pitch meeting with a venture capital firm that was run by a former CEO of a security technologies company. The technology partner of the VC firm, a former security technology CTO, had spent days understanding and testing the product and found that the Australian company's claims were, if anything, understated. The technology did what it said it would do and more, which is why the VC firm refused to offer funding or support. As the firm's founding partner stated, "Your tech would destroy at least one third of our portfolio." The technology partners shook the hand of the Australian company's founder and closed the meeting with the following: "No offense, but I hope you get hit by a bus on the way home." Cut to almost 10 years later, technology companies and their investors are now clamoring to solve the very same problem that this small Australian company solved a decade ago. Sadly, though, that solution is no longer available. After hearing essentially the same answer from all potential investors, the Australian company was forced to fold its tent. This was a grave disservice to the millions of users impacted by credit card fraud every single year over the past 10 years. Folks, I don't work for free and have no objection to making money. That said, I hope it can never be said that I have let little green pieces of paper overshadow what I believe should be the primary mission of everyone in cyber. Our job, simply put, is to keep people safe. If you prefer a less altruistic and more businesslike answer, our job is to minimize the probability of material incidents within the organizations that we serve. It's time for CISOs and other cyber professionals to start demanding more of our industry brethren. Let's stop accepting tint control updates to technologies as innovation and start pushing for true solutions. My $0.02. Welcome back to CISO Perspectives. I'm Kim Jones and I'm thrilled that you're here for this season's journey. 
Throughout this season we've been exploring some of the most pressing problems facing our industry today and discussing with experts how we can better address them. Today, we're diving into how venture capitalists see the cyber landscape. On today's episode, I'm excited to sit down with someone who brings a very different perspective from that of old security guys like myself. John Funge is a venture partner with Datatribe and has been on the investing side of security for many years now. Throughout today's conversation, we break down how venture capitalists see the cyber landscape, how they go about determining what businesses to invest in, and what some of the common challenges are that they face. So we have mutual friends, but we actually haven't talked before this. So would you take some time to introduce yourself to my audience and tell me a little bit about John Funge, please?
A
Sure, sure. So I am a venture capitalist and I work with Datatribe and if I go sort of all the way back to the beginning of my career, I started, as many do, as a software engineer. For a few years. Pretty early in my career I got the sort of startup bug and you know, through the startup process a few times where I've started, built and sold three companies and then I met the founders of Datatribe and one thing led to another. They invited me to join the firm in 2018 and that sort of brought me to the other side of the startup table. And so I've had the pleasure of being able to do that. And then since that point, I've been swimming in the waters of early stage cybersecurity startups. And you know, Datatribe is an investor in N2K and I've certainly been a huge fan of all the different Cyberwire podcasts and I usually am on. I like to think of myself as being on the other side of the mic, but this side of the mic is fun as well.
B
Fantastic. Fantastic. So I want to take this conversation a little bit atypically from a founder's perspective or a venture capitalist perspective. I want to take it from the perspective of an operator, which I have been for many years in the past, and try and get an understanding as to how decisions are made in terms of what type of innovation to invest in. And let me caveat that a little bit, John. I know there's obviously a business component and a financials component and a viability component associated with that. That's a little bit beyond the scope of where I want to go. What I want to get at is I have seen in my limited experience. That's sarcasm. I've been doing this for quite some time. I've seen in my limited experience good technologies that would solve problems that I have not be able to get to the table. And I've seen in many cases other technologies that I describe as tint control. All the old Bloom County. Thank you for getting that reference. As tint control upgrades immediately get piled into funding and in one case it's one of the examples I use within one of the lead-in essays for this episode is we're now looping back attempting to solve a problem that a technology that was roundly rejected by various VC firms 10 or 15 years ago, we're now attempting to solve the problem with lesser technologies today. So what I'm really trying to get into is outside of the business components, which are obviously important, I get that. How do you all make decisions on what problem that you wish to solve or help me solve out in the environment? Can you talk to me about that, please?
A
Well, you know, it's interesting if you were to look at it as a pie chart, I'd actually say, and this, this varies depending upon the sector that you're working in. But at least in cybersecurity, while the technology is important, it's probably a minority of the calculus that goes into, particularly at the very early stage of a decision to make an investment. And when you are investing in an early stage startup, you really are going into business with that team. And so part of the due diligence of that is to really sort of think holistically about a number of factors that are kind of outside of both even, you know, the sort of the business side as well as the technology side. So thinking about a lot of it has to do with, is the collaboration with this particular group of founders, you know, really good between the investors and the founders. Is the, is the group of founders, do they represent unique capabilities? So you know, a lot of times there's really good ideas and then the next natural question after you look at a really good idea is to say, well, why this team? So there's sort of a concept of kind of a, a founder market fit along with the market opportunity, the market opportunity itself. Sometimes there's really excellent technology solutions, but they don't necessarily lend themselves to an excellent business opportunity either. The market might not be big enough. And generally speaking, and this kind of gets into just the business of venture capital. And when you're making an investment as a VC, and by all means, VC is not the only way to create a great company. There's a lot of excellent entrepreneurs and excellent startups that, that get created, you know, without venture financing. It's, it's one way and it happens to be maybe, you know, in tech media, you know, can be lionized a bit in a way where it makes it seem to founders like that's, you know, maybe like the best path or the only path. But you're looking oftentimes for a home run. 
I mean, it's very much a power law business. And so every time you're making an investment, you're really looking for a huge opportunity or something that like, at least at the very beginning when you're considering the investment, you have conviction. And this is a word that gets thrown around a lot, but you really do feel it. Like when you are going through the process of meeting with founders, investigating the market, investigating the competition, investigating how they're going to go to market, you really start to develop a belief, a conviction in the opportunity. But yeah, you have to have a conviction that it's a really, really big opportunity and that this team is world class in that and, and that they have something where they can create truly differentiated and defensible position in the medium, long term. I mean, so there's a lot of kind of factors in there and there's subtle things, like one of the things that's really subtle that you know, we, and by all means we're, you know, we, we are not perfect at this and we, we will, you know, kind of routinely look at opportunities and say, you know, was, was, there's something about this that we missed. But one of the things is how the company gets integrated or the technology gets integrated into the environment. So for example, you might have a startup where it's largely maybe a threat intelligence or a data offering where in essence the delivery involves maybe a login or a very simple API integration that's very, very different than if you're kind of going to market with a product that demands every employee in the company re-enroll in the way that their identity is managed or you have to do some sort of deep integration into the security tech stack that might take months of time, a much bigger lift. 
Those, those two paths alone can, can influence a decision to make an investment or not because we look really, you know, again, we're looking really hard at what is the path for this startup to, to take whatever it is they have today, continue to improve upon it and then achieve the maturity milestones that they need to achieve with the amount of capital that we are going to give them and, or other investors are going to give them to get there. And usually for most startups that's you know, give or take 18 to 24 months of quote unquote runway. And in that amount of time they have to, they have to kind of with wherever the starting point is. So there will be some kind of starting point with their, with their product and they have to take that and kind of either complete the product or if the product is more complete and kind of ready with a, you know, a minimum viable product or something that's ready to go to market. They have to find those initial customers and get those initial customers to, you know, to kind of pay and use the product at a level where you can really demonstrate enough of the product market fit in order to, to really justify a next round of funding. And it's hard, I mean it's a, it's, it's really hard to do as a founder, it's really hard to do as investors. And cyber in particular, while on one hand cyber is not unique in that there are other verticals that are kind of equally as crazy in terms of the number. So like, I don't know if you've ever looked at the Martech space, but Martech is a little bit like cyber where there's just a bajillion companies and like the typical large enterprise has like 50 to 80 tools they use, etcetera. So, you know, cyber is not unique in that sense, but it is, I think, unique in the sense that cyber, the pace of innovation and change is spurred by adversarial activity. And that makes it in a lot of ways, just really unique and interesting.
B
Let me duck in here because that particular line leads me to another question that I want to be probative on. So first, so far this has been a great primer and I appreciate this more than, you know, one of the challenges that I see within the environment, understanding that this is not a charity and understanding that we need to make sure that we're making sound business decisions as we make investments and that I would expect any investor to do that with the capital they're investing, the same way I do with my personal portfolio within the environment. That's not an unreasonable issue or an unreasonable stance to take. The challenge that I have in some cases is for many years, decades in some cases, the industry of cybersecurity has placed itself or wanted to place itself as another partner to the profession. Both terms used in big air quotes of cybersecurity versus that adversarial relationship that can occasionally exist between tool set and solution providers, et cetera. When that relationship became almost untenable, and particularly now as we're seeing the pace of change increase, there has been a push or a movement to say we need to lean into innovative startup type solutions out there to look for those to solve the problems that we're trying to solve that many of the institutional players are struggling with, aren't doing as quickly in some cases, can't solve. The challenge that I have, though, as I look at both of those areas, is I understand all of the pieces you're saying, John, that go into this, but I've been in the room in a couple of cases within VC meetings where they have walked away from solutions that I need that solve problems that I have. And the main reason behind it in one case was quoted by one person who said, you'll destroy the rest of my portfolio if you implement the solution. And now I'm still struggling with the problem. 
So it's kind of difficult for me to look at entities like yours as a partner when you're walking away from solutions that I need within the environment. So how do we reconcile a reasonable need, and I want to emphasize that term to you and my audience, an absolutely reasonable need for you to make sure that you're investing soundly within the environment and that you have the ability to not only destroy and not destroy other investments, but to Build and grow your portfolio with a need that I'm looking to folks like you to help me solve problems that I can't solve yet. You're walking away, it feels like you're walking away from solutions that I need. How do we inject ourselves into that equation so that we can become more partnered in trying to whoop up on the adversary, which is what we're all trying to do. Talk to me, if you would, please. Am I making any sense, by the way? I'm not trying to poke at VCs. It's not.
A
You're making a lot of sense. I think so. You know, one of the things I think that you're, you're touching on, Kim, is that there's a slight, you know, slight bit of daylight to some extent between the incentives of investors and the incentives of the vendor and the incentives of the, the, the customer and practitioners using the, the technologies. And the more they're aligned, the better. I mean, in theory, it's the success in kind of warding off adversarial activity and reducing cyber risk. To the extent that that's a success for the customer, that's a success for the vendor. And then in theory, the company that's doing that should succeed and then that would hopefully propagate into investment returns for their investors. So for sure, what happens, and it's interesting because you have a compelling sort of case there where what sounds like a very promising technology didn't end up getting backed. And you say, well, why is that? One thing is this is just something that investors in general, and I don't know the particulars of that, that situation, but investors in general don't invest in startups that somehow compete with their current portfolio. So that's, that's, and there's a lot of good reasons for that, but basically you just don't want to have a conflict of interest where you know, you're, you're sort of really trying at your best as an investor to help your portfolio company succeed. Again, looking at, looking at individual decision versus just sort of how the whole system in theory is supposed to work. Like what it's, it, you know, it's interesting when you sort of think about like, what's happening if you bubble it up in aggregate. So like what happens in aggregate is, is that when a company, when a startup is going to market to, to raise venture capital, what they're doing is they're making a little market and that little market, and it might be 10, 20, 30 funds, is assessing whether that opportunity looks like the best use of their capital. 
And, and, and based on their, you know, background expertise, they're putting money on the line. They're saying, okay, I mean, there's nothing really more, more pure in terms of conviction about a trend than people putting actual investment dollars on the line.
B
So definitely see or understand conceptually what you're, you know, what you're talking about makes sense to me. And yeah, you would want to do that, particularly as, you know, you're investing significant amounts of cash within the area. I guess what I'm trying to get to is where in this process is the injection of, okay, I've been doing this for 40 years. Where do you consult with people who've been doing this for a while to say not only is there a market, but are we looking at the addressable problem sets out there? That these are the problems right now that old gray hairs like me are facing right now. And then adding to that, how is this look five, ten years down the road and is there an addressable market space? I'm trying to understand where in that calculus is the injection of practitioner input. Yes, thank you. That's what I'm trying to spit out. Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with a vision of frictionless integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching, streamline the number of vendors you use, reduce those ever expanding costs and instead spend your time focusing on helping your business and customers thrive. Meet Meter, the company building full stack, zero trust networks from the ground up, with security at the core, at the edge, and everywhere in between. Meter designs, deploys and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens, patching risks and reduce the inefficiencies of traditional infrastructure. From wired, wireless and cellular to routing, switching, firewalls, DNS security and VPN. Every layer is integrated, segmented and continuously protected through a single unified platform. 
And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com CISOP today to learn more about the future of secure networking and book your demo. That's meter.com CISOP.
A
Here's the thing, as we're, as we're doing that, that due diligence, right? So, and it's again, if you're a startup, you're going to go talk with a handful, you know, or more. And so there's a bunch of people that are kind of all looking at it hard. And in some ways, like again, in theory, this is really testing the validity of the idea. But the way we do it and different firms do it in different ways, but we, you know, we have a CISO network of about 30 CISOs and when we are making an investment every single time, we will engage with, you know, five to 10 of our, you know, members of our CISO network as well as we'll engage with prospective customers. Like so, for instance, one of the things that is very, you know, if you're a startup and you're, and your prospective investors do this, it's usually a pretty good sign. And it's also a pretty graceful thing where they will introduce you to people they know that could be prospective customers. And so we will actually go ahead and arrange meetings and for the startup, even if we don't back the startup, that adds value to them because it's like, wow, that was a valuable introduction. I just got introduced.
B
Well, for lack of a better term, it's free consulting.
A
Exactly. And those introductions, you know how busy CISOs are. I mean they can be very hard to get those meetings. And so 30 or 60 minutes with somebody at a Fortune 500 company who is a CISO to provide you feedback. And what we do is we'll facilitate that meeting and then we go in there and just shut up and listen and, and so we, we're doing that exact thing that you're saying is that we're attempting to get that practitioner input on the problem domain. Now there are times like we have had situations where, you know, because our, our headlights, because we are oftentimes investing at a, you know, maybe the company doesn't have even a product yet or they don't even have revenue. They're baby, baby companies. We may be looking at a trend or something that is like further in the future than the immediate agenda that usually a CISO is working more in like a 12 to 36 month horizon, whereas we might be thinking more along the five to ten year horizon. Right. So it's sort of, there's a little bit of a judgment call that, that you need to make in terms of saying okay, like is what this startup doing aligning enough with what we're hearing articulated as, as a, as a demand in the market. But at the, the day we, we can't do, we just don't have the resources nor do any VCs to do you know, interviews with hundreds of people. So we're ending. So, and, and startup founders do it and, and investors do it. We end up making really important decisions on a small number of high fidelity data points and then we grok that against our other due diligence and understanding of the market. But, but your point is, Kim, is, is super, is super valid and super important. Like if that company, when they have, you know, whatever that product is, when it's done and ready to go, like if they don't have willing customers that are open to buying it because they recognize there's a valuable problem. 
And a valuable problem, we have to be clear, is not just like, and this is, you know, the kind of cliche, is it a, is it a kind of a medicine or a vitamin? It has to be something where the prospective customer will literally stop what they're doing and make time. Like, this is so interesting. The value proposition to me is so compelling that I'm going to block out a meeting for it. It has to be a super compelling.
B
Type of thing that makes sense to me. So let me take another tack on that. You mentioned something in terms of time horizon within the environment. You're right. I'm going to say something that I've said before that will probably be controversial amongst some of my listeners, but it needs saying. Most strategic CISOs aren't really strategic, they're really operational within the environment. And in many cases what they're calling strategic planning is changing the word operations plan and putting the word strategy on it. Finding strategic CISOs out in the wild is hard because we tend to play whack a mole. And even when we do find strategic CISOs out in the wild, finding ones who can look beyond that time horizon that you mentioned early, John, is what, maybe 1 in 10,000? So my question to you is how do we get better at that so that we can provide better input to folks like you so that we can create more of that alignment and close that gap between where you're going and what we need. How do I do that?
A
Yeah, I mean, I think so. There's definitely opportunities and I certainly, I would invite CISOs that would be interested to engage with Datatribe. But usually there's this incredibly sort of complementary and valuable exchange of points of view in these types of conversations where we can help CISOs to really see what's kind of coming down the path in that longer term horizon. Because that's what we're all, I mean that's what we do think about all day long and what CISOs can help us with is to tell us where, you know, where we're seeing mirages and help us stay grounded in the ground truth of like the reality of the enterprise. And because, you know, venture investors, we spend a lot of time thinking about kind of getting these technologies into production and there's that there's nothing more valuable than the folks that are actually in the seat telling us for sure, hey, you know, so whether it's with Datatribe or another, another venture firm, I would, I would definitely encourage CISOs. And you know, you'll find investors are pretty receptive to, you know, whether it's through a formal kind of CISO network or it could just be through informal coffees or it could be other types of kind of conference or meeting settings. Some, some venture firms will organize periodic dinner events to get together. You'll pick a, you, you'll pick a topic and kind of trade thoughts and notes. But you know, there's a lot of different formats and ways to do it, but it's kind of, it's easy. I think it's easy to sort of say in at the high level. I think the hard part is finding the time because it's so. Everybody is so busy.
B
CISOs tend to complain regarding the disconnect. But if we don't make the time to bridge that gap, how are we going to make it better? Yeah, so, you know the, and I say this to my audience for every one. In fact, I've got three sitting in my email and I haven't been in the chair in a while, but I'm an old security guy, so every now and again people ping me. I've got three invitations for a telephone meeting, a zoom meeting and a dinner. I'm at least going to go to the dinner. Free steak. I'm a big guy. If we don't make the time to do that, it's not going to get any better. So as these opportunities come up, because you're right, we see them all the time and the issue is time. There's a value proposition to close that gap for us to say, figure out how you're going to provide that feedback loop but don't just fart it off, which is what a lot of us do.
A
Yeah, yeah, no, and that's the thing. It's finding that time and kind of doing it in a way that fits with your routines but kind of delivers value. And so that would be something I, you know, think is a pretty low hanging fruit opportunity.
B
Awesome. Awesome. I got two more questions for you then I'm going to be respectful of your time. I really seriously, this has been hugely helpful. You have no idea. I really appreciate you. The first question is probably a little more provocative. I just finished Ezra Klein's book Abundance within the environment. There's a section in there. I can't remember the chapter. So I'm closely paraphrasing. Don't quote me on this. Where he talks about the tamping down of innovation, particularly within the academic field. He uses the example of mRNA which became the foundational piece for the COVID vaccine and how the woman who had actually initially done the research on that spent 20 years not being able to get grants, not being able to get recognition to the point where she had shelved it when we had that opportunity to potentially get ahead in some of these solutioning for some of these things because it was too far off from what the standard mainstream was looking at. Thus my analogy to Bloom County's tint control that academia and academic research, in many ways we were making tint control changes in expected and accepted avenues of research before rather taking a 15 degree avenue off from that in looking at something that's truly new and truly innovative, et cetera. I'm curious, are you seeing, sensing, feeling, experiencing as a founder a similar tamping down of innovation or is really the sky the limit out there and it's just a matter of the business models behind it within the space you're in now? Talk to me.
A
Yeah, it's interesting, I think it's funny because we operate in a small, sort of small, relatively small corner of the economy and so you can have broader macro trends with regard to kind of deep tech R and D. Cyber is a. Cyber is a very active market. It has been growing faster than the economy by a fair amount. It's not growing as fast as AI. I mean AI is the. And at some point we'll have to sort of lose the AI moniker and just kind of everything has AI and it's go back to a different taxonomy. But in the last quarter, just under 50% of the venture capital in the US full stop went into some kind of AI related opportunity. But cyber there continues to be a very rich kind of bubbling cauldron of innovation. And in a lot of regards, the way I look at it and others is that cyber innovation really is a function of other digitalization. So as the rest of. As robots come online, as autonomous vehicles come online, as you know, as you have, you know, AI assisted processes, AI development, there's these new attack surfaces that are continuously getting created.
B
So I'm going to push you a little bit on that one. I can see what you're saying, but isn't that fundamental attitude, which is not necessarily unreasonable, stifling our innovation within the environment, Is that the reason we haven't solved phishing? Is that the reason we haven't solved identity? Because we're looking, you know, there are fundamental challenges within the realm of cybersecurity that we have been working on for my 40 years, military and civilian, within the profession that we haven't solved. And is it because we're waiting to anchor some of these solutions around new attack surfaces versus just look, let's just solve the damn problem. I'm curious.
A
Yeah, no, I sort of think if I were to. I look at it, but you know, there's so many, so many sort of pieces to this. So let me see if I can boil it down to a couple, a couple succinct thoughts. One of them is that there is a true sort of weight to making these big changes you're talking about. So we've looked at opportunities where, you know, the startup will be proposing, we're going to completely blow up the SIEM. Like we're going to go in and it's going to be a totally different tech stack. We're going to take 20 or 30 tools out of the, you know, out of the enterprise and replace it. Now that might be the kind of profound change that's actually necessary to really impact the, the problem in the way that you're thinking about. Kim. The challenge with that is, is, is that it's really, really hard to never sell. Yeah, it's really hard to sell and it's really hard to build a business around that. And so there's this inertia. It's a little bit like, I mean, on a micro level, the inertia that gets built up around like an email address. Nobody intended email addresses to be used the way they are. But like, you know, you've got 200 accounts tied to an email address and it makes it so now, like enterprises, they've got all these tools, 80, 60, 80, 100 tools. The inertia of making any kind of massive change to that is incredible. So that's, I guess, one point I think is kind of auguring against the type of profound change you're talking about.
B
That's a fair point.
A
Yeah, we do, you know, at, at, at, at Data, we spend a fair amount of time. So we, we, you know, are partners with, with the Carnegie Mellon CyLab and they are an incredible organization. I don't know if you know much about them, but they, they really do some incredible one. And one of the things I, I, I'm always impressed with the research that they do there is that it's very, it's very relevant, very over the horizon, but not so far over the horizon that it's like science fiction. And that's the balance that's really tricky. But there is in, even in our collaborations, we've looked at a couple of opportunities out of Carnegie Mellon very closely, came very, very close to investing in one. And there is a true funding gap. So if you look at DataTribe as an investor. Right. So we are a foundry. As a foundry, in addition to capital, we provide a whole ecosystem of support people that are expert entrepreneurs to help with the founders. We have other resources, literally a facility that the companies can work out of and we nurture a number, including our CISO network. We nurture an ecosystem of networks that we plug the startups in. All of this designed to help them just succeed, go faster and to kind of lower their chances of failing. Selling half of the companies that we invest in probably don't have product. Even when we're making, you know, making the investment. And we're high conviction. We'll, we'll make a, you know, we'll invest, you know, $2 million, two and a half million dollars into a company that doesn't have a product. And that's very unusual. Yeah, we're about as early as you get in terms of VC. It's a long winded way of saying that. 
And even as early and as, as optimized as we are for working with deep, deep tech founders, there's still a bit of a gap between the readiness of an innovation coming out of an institution like a CMU and be really being ready to get into that mode of like, okay, we're going to, we're going to go from zero to a million dollars of annual recurring revenue and 10 referenceable accounts in 18 to 24 months. Yeah, and so that's a real problem. I'm, you know, certainly not, you know, there's many, many people that have thought a lot more about that kind of innovation funding gap problem. You know, I think it's, it's out there. I mean, I do think that increasingly like organizations and VCs are getting better at kind of helping those founders in the university environments and other labs as well. I mean, we also look at the intelligence community as another place where there's really, really interesting, like super over the horizon innovation happening and oftentimes there the innovations are kind of being put into like a production application. So it's even more close to sort of ready for kind of putting into a product. But it's. Yeah, so those two things, I think there's a huge inertia that is, that's out there and then there's, there is this kind of, you know, bit of a gap where, you know, there's, there's a, a professor needs to, you know, usually needs to figure out a business, you know, some kind of business partner or someone that helps them with the business side. And sometimes there's a hard decision they need to make, whether they want to continue to teach and try and do the startup on the side or whether they want to jump in both feet. Most investors will want to see them jump in with both feet. And that's a big, that's a big decision. And so there's a lot of delicate things that need to kind of come together at least in that academic environment. But I don't know those, I guess that's a really interesting question you pose. 
And I wouldn't discount the possibility that, you know, we, we sort of every day there's, there's startups that come along where it's entirely possible. There's, this is an entirely new way of thinking about a, you know, a whole part of the, of the problem. And you know, and we stay very optimistic to that. I mean it's, it's, you know, I would love to love the sort of mission oriented side of me would love to see cyber not growing faster than the economy. I mean, you can read reports that cyber right now is 200 billion ish depending upon the source market. And there's plenty of smart market forecasters out there that forecast it going to 1 to 2 trillion over the next 10 years at a pace that's faster than the economy. 12 to 14% compounded annually as opposed to 2%. And so like what does that say? It says that, well, digitalization is continuing to happen so we're going to have more cyber with all that digitalization. It's also saying that, you know, we haven't figured out a core solution like you're saying to bend the curve and at some point it would be nice to bend the curve. I completely agree with you.
B
Yeah. What is the one thing you would want my audience of CISOs, current and future, to know or do that we either don't know about VC or that we're not doing in terms of engagement?
A
One might be, you know, an interesting trend right now to be aware of is that there are a family of, you know, a number of startups working on platforms to help large organizations rationalize and understand their cyber stack and to manage it. So basically suck in all of the contracts and also help to manage renewals and to basically figure out where are my gaps, where are my overlaps, what's my best marginal risk buy-down, all the rest of that. And I think that approach, as it gets more and more AI enabled, I think there's a real opportunity for AI to really help, not just at sort of the security analyst and SOC level, but also help with some of these vendor management, vendor decisions. So that's a trend I would, I would encourage, you know, your listeners to kind of keep an eye on. And so that could, you know, it could just be a really different because it's, you know, that procurement and management of all those relationships is a huge burden and it's not necessarily helping you defend the organization, but it's something you have to do. So to the extent you can do that better. And then the other thing, and we mentioned it before, I mean, I think the other thing would just be VCs want to engage with CISOs and I would invite your listeners, whether it's with a DataTribe or another VC they may know to, you know, to really kind of embrace taking some slice of their time and allocating it to trading notes with people on, you know, what's coming in the five to ten year horizon.
B
John, this has been a very educational session here. I really appreciate you giving us the time. Thank you so much for sharing with us.
A
Kim, thank you. I enjoyed it.
B
And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one and we couldn't do it without you. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show notes. This episode was edited by Ethan Cook with content strategy provided by Ma'ayan Plaut, produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design and original music by Elliott Peltzman. I'm Kim Jones. See you next episode. Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity. Meter builds full stack, zero trust networks from the ground up, secure by design and automatically kept up to date. Every layer, from wired and wireless to firewalls, DNS security and VPN, is integrated, segmented and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo at meter.com/CISOP. That's M-E-T-E-R.com/CISOP. And we thank Meter for their support in unlocking this N2K Pro episode for all Cyberwire listeners.
Date: December 23, 2025
Host: Kim Jones (CISO Perspectives, N2K Networks)
Guest: John Funge (Venture Partner, DataTribe)
This episode dives deep into the intersection of cybersecurity innovation and venture capital. Host Kim Jones, an experienced CISO, discusses with investor John Funge the realities and challenges of funding transformative cybersecurity solutions. The conversation examines how VCs choose investments, the tension between business needs and practitioner demands, barriers to disruptive innovation in cyber, and the essential importance of practitioner-VC engagement for advancing the industry. The episode is both candid and practical, shedding light on systemic barriers while offering actionable advice for CISOs and entrepreneurs alike.
“Has the cyber industry decided that they would rather sell mitigation as opposed to solve the problem?”
— Kim Jones ([00:25])
“Your tech would destroy at least one third of our portfolio.”
— Anonymous VC, via Kim Jones ([03:14])
“While the technology is important, it's probably a minority of the calculus… you’re looking for a huge opportunity and a world-class team.”
— John Funge ([09:53])
“There’s a slight, you know, slight bit of daylight… between the incentives of investors and…the customer and practitioners…”
— John Funge ([19:33])
“Most strategic CISOs aren’t really strategic; they’re really operational… Finding ones who can look beyond that time horizon… is what, maybe 1 in 10,000?”
— Kim Jones ([29:22])
“The inertia of making any kind of massive change… is incredible… that’s auguring against the type of profound change you’re talking about.”
— John Funge ([38:09])
“There are a family of… startups working on platforms to help large organizations rationalize and manage their cyber stack… I think there’s a real opportunity for AI…”
— John Funge ([44:43])
The conversation is frank, collegial, and occasionally humorous—grounded by Kim’s practitioner realism and John’s transparent VC perspective. There’s a shared sense of responsibility for improving the industry, despite structural and cultural barriers.