Siddhant Trivedi is a partner and senior associate at Foundation Capital where he works with entrepreneurs to create the leading next-generation enterprise software companies. Prior to Foundation Capital, he has also worked as an investment professional at Symphony Technology Group, a Palo Alto-based private equity firm investing in software, technology-enabled and data analytics companies. Formerly, he was an investor at Omidyar Technology Ventures where he invested in and counseled early-stage enterprise software companies.
1. Could you tell us a little bit about how you think about investing in the enterprise security sector?
From a macro perspective, there are four macro shifts occurring in cybersecurity that I have been tracking and that drive the majority of my focus from an investing perspective:
• As a result of the numerous high-profile breaches over the past few years (Sony, Yahoo, United, eBay, PayPal, Target, Equifax, etc.), practitioners have realized that their environment will be breached and so budgets have shifted away from pre-breach prevention technologies towards post-breach detection and response technologies.
• There is a massive shortage of security analyst talent in the market leading to a large demand/supply imbalance. As a result, CISOs are very focused on buying security products that reduce false positives and/or automate a certain level of processes.
• The attack surface has dramatically increased and become even more difficult to scan due to the prevalence of cloud, APIs, and
mobile and IoT devices. The main reasons that CIOs sight for why public cloud adoption is still at approximately 20 percent of total infrastructure are security concerns, data loss and leakage risks and regulatory compliance requirements. Overall, CIOs can’t get comfortable with the loss of underlying network visibility when transitioning to a multi-tenant public cloud.
• As the internet has become more commonplace and with the advent of social media, people have become more open to sharing their private information to third parties online. Therefore, the risk of loss of sensitive private information due to a data breach has increased. Regulatory bodies are waking up to the impact of cybersecurity on their constituents and thereby creating new laws for corporates to comply with. This has resulted in recent guidance from the SEC in the United States (February 2018) and GDPR regulation in Europe (went into effect May 2018).
"Within cybersecurity, my first criteria for evaluation always starts with market"
Companies that have identified and are trying to solve one or more of the above problems are particularly interesting for me.
2. How do you work with the companies in which you invest? Tell us about your investment style.
When working with companies my focus is around being as collaborative and helpful as possible. This can range from helping to introduce companies to potential customers, working with a company on its next fundraising presentation, introducing the team to critical hires, providing market intelligence or helping with business strategy and operating model build-out. I try to be there for the companies and management teams to provide support through the ups and downs of scaling a company. When a team member asks for advice on a particular topic I normally come back with a well thought out answer after taking into account all of the existing data (primary and secondary), or if I am not an expert in the field, I focus on introducing the person to a relevant expert who I know. I define success here as getting to a point in the relationship where a founder or management team member thinks of me as one of the first two to three people to call when they face any issue.
3. How do you differentiate between the opportunities that you see?
There are generally five things that I look at when evaluating a company – market, team, product, metrics, and valuation. Within cybersecurity, my first criteria for evaluation always start with market. It’s critical to understand what the market opportunity is, where the opportunity will fit within the security budget, and who the champions within the enterprise will be. In cybersecurity, if you don’t have a line of sight to getting customers (or at least active POCs) in the first 12-24 months of founding a company, then that’s a problem. There are too many other vendors and the market evolves too quickly that building a product over multiple years is not going to be the answer in cyber. Once I have a good idea of the market, I then focus on the team and product to really understand what differentiates the company from other vendors (i.e. what will make them “win” in the segment of the cybersecurity market that they have selected). Finally, I look at financial metrics and valuation. The first few financial metrics that I look at are bookings, revenue (new, renewal and upsell), number of customers, average annual contract value (ACV), churn, customer acquisition cost, and lifetime value.
4. How do you think your current portfolio of companies has benefited most from your guidance?
I hope that if you called the companies I have worked with and asked them, they would say that I have tried my best to provide guidance on key strategic decisions, or if I didn’t have expertise, that I connected them to the relevant experts in the field. Reputation can have a huge impact in our business and I am constantly thinking about how I can best help our companies. The goal is not to constantly call companies and offer your services but rather to listen to the issues at hand to gain context and wait for the call from the founder asking for help.