It’s no secret that private equity has been on a cybersecurity kick as of late—and for good reason. With online attacks and digital fraud only becoming more prevalent, global spending on technology to protect sensitive data and information is expected to reach an unprecedented $124 billion this year, according to research firm Gartner.
That means there are more companies than ever seeking to provide cybersecurity solutions, and those companies need capital to grow. Enter the likes of private equity giant KKR, which closed its $711 million Next Generation Technology (NGT) Growth Fund in 2016 with an eye toward investing in growth-stage companies in the realm of technology, media and telecommunications (TMT).
Thus far, the cybersecurity sector has proven an integral part of KKR’s investment approach to the fund, which also targets enterprise software, fintech, and consumer internet companies. The NGT Fund has delivered returns through the likes of endpoint security software firm Cylance, which was acquired by BlackBerry for $1.4 billion earlier this year, and is a lead investor in British artificial intelligence firm Darktrace, which closed its most recent funding round in September at a $1.65 billion valuation.
More recently, KKR agreed to take a minority stake in Florida-based startup KnowBe4 via a $50 million investment that valued the company at $800 million, as Fortune first reported in March. KnowBe4, which counts notorious hacker Kevin Mitnick among its leadership, offers cybersecurity training to companies and their employees that aims to build a “human firewall” against phishing attacks and data breaches.
KKR managing director Vini Letteri has helped guide these investments as part of a 20-person team spread across Silicon Valley, New York and London. According to Letteri, the NGT Fund, which today has 11 companies in its portfolio, is now “about 90 percent invested.” While 2018 was “a really slow year” for the fund amid a high-valuation environment—with KKR making only one new investment, in Portugal-based tech firm OutSystems—this year has already proven more active, with both the KnowBe4 deal and a February investment in Michigan-based software firm OneStream.
Letteri sat down with Fortune at KKR’s offices in Midtown Manhattan to discuss cybersecurity bets, whether data really is the new oil, and how one-third of the KKR team fell for a phishing hoax.
Fortune: What prompted KKR, an established giant in the private equity realm, to launch a growth fund?
Vini Letteri: I think the strategy is an outgrowth of something that Henry [Kravis] and George [Roberts] have been trying to drive at the firm. We made a strategic decision to shift towards what we would call growth-oriented buyouts. That is, going after companies that have high revenue growth but still have the opportunity to scale—versus financial buyouts of legacy, cash-rich, slow-growth companies, where you put leverage on them and make your return by containing costs. The thesis behind these growth-oriented buyouts was that you make your returns by helping maintain or accelerate revenue growth and helping [companies] expand.
We were seeing a number of opportunities come our way which we thought were really interesting, but were just too small for our buyout fund. Today, our North American buyout fund is $14 billion, and the idea of writing $50 or $100 million checks from a fund that size, it just wasn’t going to move the needle.
And you also have the phenomenon of these companies staying private a lot longer. When I started at the firm a dozen years ago, the average company stayed private around six-and-a-half years before they went public; today that number is around 11 years. So you’ve seen this shift in value creation from what traditionally used to happen in the public markets now happening in the private markets, and we didn’t have a pool of capital to invest in those companies—which is how the Next Generation Technology Fund came about.
How would you describe the profile of the companies that the fund looks to invest in?
We are not trying to take technical risk or business model risk; we think of that as the land of venture capital, where you’re trying to take an idea and build a company around it, but you’re not sure if you can build the technology or if somebody will pay for it. The risk-reward there can be tremendous, but that doesn’t match up with our appetite and where we think we can be differentiated.
Where we feel like we’re really good is [investing in] companies that have moved through that technical risk phase and have product-market fit, which we generally term as having revenues of $25 million or more. I think on entry, our companies on average have somewhere in the $50-to-$60 million of revenues range, but they’re growing fast and we see an opportunity to scale those typically local or regional businesses into global enterprises.
Cybersecurity has been one of the key investment areas that the NGT Fund has focused on. What’s prompted you to target that market?
On the cybersecurity side, you hear these phrases that people throw around, like “Data is the new oil,” or whatever. We think about it as, there’s been this big shift in assets and in value from physical assets to digital assets, and the things that generally protect those digital assets today are passwords and networks and other types of things.
Criminal activity is no longer breaking into banks and art museums; it’s stealing data and information, and you see this digitization of crime, if you will, which we think is really interesting. On every board that we sit on, which is hundreds of boards, cybersecurity is a topic of conversation. A decade ago, nobody had heard of a chief cybersecurity officer or a chief information security officer; now, pretty much every company has them, and the need for protection is just going to increase over time.
What drew the fund to invest in KnowBe4, and how does it fit within your strategy?
Despite all of the protections that you put in place for endpoint and network security, 90% of security flaws still happen at the worker or consumer level, which is why KnowBe4 was so interesting.
I think I can share this; as part of our diligence, we worked with our CSO [chief security officer] to actually launch a phishing attack on a subset of KKR employees. We think this place is full of high-integrity, intelligent people—and even then, over a third of the employees that we sent it out to went ahead and clicked on the malicious email. We brought that up in the investment committee meeting, and it became so obvious that if, in a place like this, people still need to go through that sort of training, then it’s got to be broadly applicable out in the marketplace.
And it’s continuous [training], because these types of attacks change all the time. The interesting thing about KnowBe4 is they’re constantly updating the training, the content and developing new sorts of things to stay in front of that.
You’ve said that high valuations hindered your ability to make deals last year. What’s your current take on valuations? Has the environment cooled at all?
In general, valuations continue to be pretty high within the market. If you look at the data, it would tell you that there’s been more money that’s gone into both venture- and growth-stage companies, but there’s been a lower number of deals, so the dollars-per-deal have gone up.
In our role as stewards of our stakeholders’ capital, we have to stay really disciplined. If you look at 2018, it was a really slow year for us from a new investment standpoint; we made one new investment, a great company called OutSystems based out of Lisbon, Portugal. We issued 13 term sheets—we had one that was accepted, which was OutSystems, and then of the 12 where we weren’t the ultimate winner there, 11 of those was because of price. We went back, talked to our team, looked through models, and we just couldn’t get comfortable budging from our offer. We’ve made two investments already this year [KnowBe4 and software firm OneStream], so we’ve already doubled what we did last year.
With your fund now around 90% deployed, what’s next?
I think it’s fair to say the strategy has been very successful. We have no plans on stopping what we’re doing.