Bessemer Vice President Sunil James shares advice for any startup founder creating a new venture, and more specifically, for cyber security businesses
When I think of Silicon Valley, I imagine sprawling, expensively modern, and colorful workplaces like Google’s and Facebook’s campuses. So when I drive into the parking lot of Bessemer Venture Partners, the US’s oldest venture capital firm (going back to 1911), with companies like LinkedIn, Pinterest, and Twitch in its portfolio, I am surprised to see a bland, beige building that better resembles a dentist’s office than that of a tech titan.
This no-nonsense, real world approach to investing is the secret behind Bessemer’s success, I learn in an interview with Bessemer Vice President Sunil James. Before Bessemer, he was a product manager at Google and Amazon. In his current role, he focuses on investments in information security, networking, and cloud infrastructure.
Here, he shares solid advice about how any startup should approach creating a viable business as well as the trends he sees in cyber security.
“A lot of companies we see tend to be hammers looking for nails.”
James cautions that, “A lot of companies we see tend to be hammers looking for nails. We don’t often find entrepreneurs that are starting with their customers, and working backwards from that, and really building viable businesses that will address the needs. Oftentimes we have teams that are founded off of some cool great tech, that they think is expandable to a broader kind of business but oftentimes is difficult to make that leap itself.
“We fundamentally believe in working backwards, in evaluating where the world is going, evaluating how the world is changing, and then synthesizing that to determine what that means in terms of how things might change. Whether that’s in cyber security, finance, healthcare, you name the domain.”
In regards to cyber security, which is led by Bessemer Partner David Cowan, James says that they first get into the mindset of attackers, identify how they are going to target victims, and from this, identify potential business areas of interest. Then, they spend a lot of time with not only chief information security officers (CISOs), but also with buyers and individual users to start building an understanding of whether an area of interest that they think could be a lucrative domain is actually a problem for customers at hand. From these levels of analysis, they come up with a set of perspectives in terms of what business ideas are actually useful.
What are valuable needs that cyber security startups should focus on?
First, James describes the vulnerabilities that come with connecting centuries-old industrial businesses and other physical processes to the internet. “We think that’s going to create huge amounts of exposure for an attacker to exploit. Those devices are not just going to be rebuilt to be 2017-friendly with all the bells and whistles in terms of how software is built these days. Oftentimes, they are just going to be retrofitted with a set of interfaces that allows for you to communicate with that device. But, there’s still a lot of exposure that comes from the fact that it’s just a device that’s sitting on the internet now and it can be exploitable in just the same way that my phone is, or your laptop is. We think that area is really interesting.”
He mentions that Claroty, an Israeli startup whose September funding round of $32 million Bessemer led, is worth following in this OT (operational technology) cyber security space, as well as Bastille Networks, which James praised in a 2015 blog post, saying, “This is exactly the kind of team I’ve dreamt of backing since joining Bessemer.” They tackle IoT security from a new standpoint: Analyzing radio frequency waves that are emanating and on which one can see all kinds of traffic.
Next, he says that any kind of technology that makes it faster for security teams to identify threats and then determine if a threat is dangerous is highly appealing to cyber security buyers. “For a CISO at a Fortune 1000, they not only want to solve problems, but they also want to do so in a fast, effective way. How do you go from getting a signal, and then determining if was malicious or not.? Reducing that time so you can repurpose those resources to tackle the next threat [is crucial]. Technologies that are making security organizations work faster; that’s really important and resonates with the buyers.”
Finally, he mentions how easy it is to create software, such as website builders, that anyone in the world can use. However, the challenge is that these software companies often don’t have security foremost in their minds when they’re developing these services, even if most users expect these tools to be secure: “The world wants us to be more creative. But if that happens, these development platforms being built for non technical programming users need security built in. How do you inject it into a development layer without it being perceived as an inhibitor or a road block, but as an enabler to get your product to market faster?” He recommends portfolio company Auth0, which helps web platforms and apps easily integrate security.
When I ask him if he thinks a Trump Administration will increase or decrease business towards cyber companies, he says that he doesn’t think the president will have much of an effect on cyber security startups. Instead, he asks, “The better question is will they be more prepared? How will our governments adapt and evolve in Trump’s administration to protect enterprises? What’s government’s responsibility in protecting enterprise networks? Is it solely the responsibility of the companies that are transacting and building these financial networks? Is it government’s responsibility solely to develop policy?”
“I don’t know, and look forward to seeing what gets presented,” James concludes.