Cybersecurity guru Devin Redmond on the ‘threat actors’ making cyber such a hot sector in the private markets
Lucy Brewster here, filling in for Jessica today.
Few industries have been spared during 2022’s meltdown, and even fewer are reporting optimistic growth projections for the year ahead. Yet cybersecurity remains one bright spot. As Fortune previously reported, the global cybersecurity market is expected to reach $403 billion by 2027—making the compound annual growth rate 12.5% from 2020 to 2027. Industry hiring remains hot, with unfilled cybersecurity positions worldwide growing 350% from 2013 to 2021. I recently talked to Devin Redmond, co-founder and CEO of digital compliance firm Theta Lake to discuss how new communication technology has changed the security landscape and how companies can protect themselves from cyber attacks.
Redmond has been an expert in cybersecurity solutions for over twenty years—he founded and ran security firm Nexgate and has served as an executive at Websense, Neoteris, and other firms before founding Santa Barbara–based Theta Lake with CTO Rich Sutton in 2017. Theta Lake brings to market A.I. software designed to detect cyber risks or leaks. Some customers of Theta Lake include Wells Fargo, TD Securities, and AG Advisor Group. Redmond holds numerous patents in security technology. In March, Theta Lake announced their $50 million Series B Fundraising round led by Battery Ventures. Other investors include Zoom Video Communications Inc., Lightspeed Venture Partners, and Neotribe Ventures.
This conversation has been edited and condensed for clarity.
What is so appealing about the cyber security industry right now?
There are a couple of different things that are happening in the security space right now. There’s an unprecedented awareness of the threat actor community and their focus on accessing sensitive data to get access to infrastructure. There is also now an awareness of the insider threat. Regulatory bodies such as the SEC and FINRA are looking at key segments of the market and saying to companies, ‘Hey, You need to make sure that you’re paying attention to your own insiders that are working internally and make sure they know how they handle data and regulate how they’re behaving and how they’re protecting consumers.’
Has cybersecurity historically fared well during periods of economic downturn?
Having seen downturns in 2000 and again in 2008, often periods of [slower growth] bring issues like threat actors or regulators increasing scrutiny on organizations more into focus when people are doing less growth, growth, growth at any cost.
How have recent events such as Russia’s invasion in Ukraine and COVID-19 affected cyber attacks?
Outside of specific measurements on attacks, it’s certainly put a heightened awareness on most cyber teams and security teams to be aware that there could potentially be something coming. It’s interesting because it varies among different tiers. Large organizations that are in the financial services space or serve as the backbone to infrastructure certainly have a heightened awareness and focus on readiness. But even smaller organizations are still aware that they need to be ready for a breach, because there are non-state actors that are really trying to get some sort of financial gain. Everyone is also thinking about the fact that there may be escalations in overall state sponsored or state associated cyber warfare.
How are these private companies preparing?
The usage of Teams and Zoom and Slack and WebEx and RingCentral are new. There is a mix of new communication tools that are built into those applications and these create a whole new place where information is both created and shared. The phase that we’re in right now is really maturing the infrastructure around communication to make sure that there’s good visibility into what data employees have, what data is being captured, who’s communicating it where and with whom. Companies need a sense of how they are going to govern that and how they want to protect information from leak risk.
What do employees think about these tactics to prevent internal security breaches?
It’s a very interesting dilemma that organizations face. I think at the end of the day being very open and public about the communication is important. When it comes to work on infrastructure, and it’s a matter of corporate data, employee data, or customer data, which is the holy trinity of information that you need to deal with on that front, it should be the expectation that the organization is taking a risk based approach to managing that. The organization has a duty of care to protect all of that information. If you take a risk based approach, and you’re very open and communicative about that, it solves a lot of those problems. I think the areas where privacy becomes an issue is where it’s trying to get a sense of employee productivity and trying to be Big Brother versus trying to protect data.
Does the age of the company make a difference? Are startups, for example, more susceptible to these attacks?
I find this very interesting, because as someone who has been around for a long time, I see attacks hit both types of companies. Super mature companies that have very well established cyber processes and infrastructure struggle with technical debt. They built a lot of infrastructure so they have to keep that up to date and they have to use both existing technology that they may have invested in, but they also have to think about shifting as conditions change. For example, if you’re an organization that had all of your employees in an office two years ago and everything was protected on a physical network and you had lots of infrastructure that was designed to protect that site and then your workforce, then you shift to remote work, everything that you previously did for your security has to change. Sometimes that’s actually harder than if you’re starting from a fresh slate. Companies that have been around for a handful of years have the opportunity to adopt new technology. I think younger companies get the benefit of being able to start with a clean slate in a lot of ways. They just have to be aggressive about matching their investment in security to make sure that they get to a good current state and future state to make a plan. Existing companies have to deal with that technical debt in their pre-existing infrastructure while they modernize to this new environment.
What industries are at the highest risk for cyberattacks?
You have to look through the lens of the attackers, right? Where do they get the most gain? Financial services is always a target because it’s where the money is. Infrastructure is a place where the attackers can be hugely disruptive. Manufacturing technology is where there are opportunities to gain access to very sensitive, potentially profitable or differentiating information and technology. Health care is a target because there’s lots of access to data, it’s a fan favorite for ransomware. Those generally are the biggest, but it’s always dominated by what’s the gain side of that equation for the attackers, and their relative ability to reach that gain.
What’s your projection for the industry in the upcoming years?
I see growth, for sure. Ongoing, I definitely see that trend of those two big areas of bifurcation. One being managing the threat actors who are trying to compromise and get access, and the other being examining the insider risk in the firm and understanding how to better manage company data. I think that the insider risk element still needs to come to a new wave of maturity to be on parity with where the external threat actor has evolved. So I’d say that cybersecurity continues to grow pretty significantly over the next handful of years and probably on into the future.
Jackson Fordyce curated the deals section of today’s newsletter.
- Insilico Medicine, a Hong Kong and New York-based clinical-stage drug discovery company, raised $35 million in Series D2 funding led by Prosperity7 Ventures.
- Properly, a Toronto-based real estate company, raised $36 million CAD ($28.21 million) in funding. Parker89, Bain Capital Ventures, Prudence, FJ Labs, Golden Ventures, Intact Ventures, Max Ventures, AlleyCorp, Interplay, Industry Ventures, and others invested in the round.
- Kumospace, a remote-based virtual office software company for teams and events, raised $21 million in Series A funding from Lightspeed Ventures.
- FundamentalVR, a Boston-based medical VR education platform, raised an additional $20 million in funding. EQT Life Sciences led the round and was joined by Downing Ventures.
- Farther, a New York-based wealth management company, raised $15 million in Series A funding. Bessemer Venture Partners led the round and was joined by investors including Khosla Ventures, MassMutual Ventures, Moneta Venture Capital, Context Ventures, and Cota Capital.
- Fora, a New York-based travel agency, raised $13.5 million in Series A funding co-led by Heartcore Capital and Forerunner.
- Abridge, a Pittsburgh-based medical documentation platform, raised $12.5 million in Series A-1 funding. Wittington Ventures led the round and was joined by investors including Union Square Ventures, Bessemer Venture Partners, Pillar Venture Capital, UPMC Enterprises, Yoshua Bengio, and Whistler Capital.
- Invisible Universe, a Los Angeles-based animation studio, raised $12 million in Series A funding. Seven Seven Six led the round and was joined by investors including Cosmic Venture Partners, Dapper Labs, Franklin Templeton, Gaingels, Initialized Capital, Schusterman Family Investments, Wheelhouse, and 75 & Sunny.
- Satellite IM, a Boston-based peer-to-peer communications platform, raised $10.5 million in seed funding. Multicoin Venture Fund and Framework Ventures led the round and were joined by investors including Hashed Venture Fund, IDEO CoLab, Solana Ventures, Pioneer Square Ventures Fund, and others.
- Interaxon, a Toronto-based consumer neurotechnology company, raised $9.5 million in Series C funding. BDC Capital, Alabaster, and Export Development Canada led the round and were joined by investors including Phyto Partners, Iter Investments, Intretech, and The Clavis Foundation.
- Craniometrix, a New York-based D2C Alzheimer’s care company, raised $6 million in seed funding. Quiet Capital led the round and was joined by investors including YC, defy.vc, Olive Tree Capital, Rebel Fund, J Ventures, and Cathexis Ventures.
- Dropbase, a San Francisco-based collaborative data import and data management platform, raised $1.75 million in refunding. Gradient Ventures led the round and was joined by investors including Y Combinator, Liquid 2 Ventures, Bragiel Brothers, Unpopular Ventures, and other angels.
- GlacierPoint, backed by Mill Point Capital, acquired Marina Ice Cream Corp., a Richmond Hills, N.Y.-based ice cream service provider. FInancial terms were not disclosed.
- ReVamp, backed by Bertram Capital, acquired Flagler Concrete Coatings, a Palm Coast, Fla.-based concrete coating provider. Financial terms were not disclosed.
- DNSFilter acquired Guardian, a San Francisco-based firewall and VPN technology platform. Financial terms were not disclosed.
- Harver acquired pymetrics, a New York-based soft skills assessment platform. Financial terms were not disclosed.
- Planet DDS acquired QSIDental, an Atlanta-based cloud-based dental practice management software provider, from NextGen Healthcare. Financial terms were not disclosed.
- Wallbox acquired COIL, a San Francisco-based EV charging installation service. Financial terms were not disclosed.
FUNDS + FUNDS OF FUNDS
- Urban Innovation Fund, a San Francisco-based venture capital firm, raised $121 million across two funds focused on companies building technologies for future cities.
- Kian Capital Partners, an Atlanta and Charlotte-based private investment firm, hired Jordan Lee as a principal. Formerly, he was with Starr Investment Holdings.
- One Rock Capital Partners, a New York-based private equity firm, hired Diana Barr as an operating partner. Formerly, she was with Boeing.
- Piva Capital, a San Francisco-based venture capital firm, hired Daniel Ketyer as an investor. Formerly, he was with Deloitte.
Correction: A previous version of this newsletter misspelled Kumospace.