Legendary Cyber Investor and RedSeal CEO Ray Rothrock: Nick’s Newsletter No. 41


This week I spoke to Ray Rothrock. Ray was a longtime investor at Venrock before he left in 2014 to become the CEO of RedSeal–one of the companies he had invested in. While at Venrock, Ray spent a lot of his time in security, investing in companies such as Check Point (now public and worth over $15B), Imperva (now public and worth over $2B) and Vontu (acquired by Symantec for $350M in 2007). In the interview below, Ray and I discuss cyber investing and why he decided to leave the venture world to work at RedSeal.

Though you had some big non-security hits like DoubleClick throughout your time at Venrock, you’ve focused a lot of your time on cybersecurity. What led you to cyber?

It came naturally. As an original investor in the first browser company, Spyglass, we could see how things would naturally develop over time. Firewalls had been around in the ARPANet for a while, and I had been at Sun where we were a node on ARPANet. Therefore the notion of protecting against unwanted intrusion through a portal like a door, a firewall, made sense. The other investor at Spyglass went after one firewall company, and I went after Check Point. My investment turned out best and survives as a $15B company today. From there, the pattern followed the physical world: intrusion detection — motion sensors and such.

After I invested in Check Point, it was pretty clear that the threats were changing and would continue to change over time. The cyber market, unfortunately, just keeps on giving and giving and giving as the threats keep on morphing.

Also, web tech changed, and a changing basis just opens up more vulnerabilities.

Cybersecurity has been a really hot space for a while now. Has it always been like this? What was the tipping point?

It’s been hot since 1991. What’s different is up until now it’s been about point products addressing point threats (FW, detection, antivirus, data leak, encryption). All that ($75B per year) is in place and yet the world is under attack and companies are feeling it, e.g. Target, JPMorgan, Sony, OPM, etc etc. Why? It’s partly because the point products don’t always work well together and aren’t always installed and run at their top condition, but mostly it’s because the networks are so complex that no one can singularly know what’s going on. Now, with all the incidents being reported, it’s pretty clear you need a cyber strategy as a company to be resilient — to recover from an impairment in your performance, if you want to stay in business. It’s kind of like a domino effect, as well. The small companies who don’t have the money or people to do the hard cyber work are the ones that are really at risk. We need better designed and operated networks. My company, RedSeal, sells an analytics software that essentially is the operating system for the whole security picture, assessing all the equipment, building a model that can be exercised, tested and planned, and truly getting a prioritized list of the issues every network has. Without a complete view of how the whole thing is built and operating, you can’t really recover well from an incident or attack. Sony demonstrated this in spades.

You’ve had an amazing amount of success investing in cybersecurity. What are the essential drivers of this success?

Seeing the patterns. This is true in all VC. You’ve got to see the patterns emerging, not be too early, and invest in really smart, committed entrepreneurs who want to win. Startups are hard, challenging, and not for everyone. It takes focus and commitment and a good product to win.

There are so many cyber companies out there right now and most of them are demanding pretty high valuations. When you were investing, how did you sift through the noise and determine the truly game changing cyber security companies?

I wish I knew how to answer that question. I’m an early stage guy, so the valuations I’m interested in are not the billion dollar deals. As your mom told you, if you fall off of the first step, you don’t fall far. If you fall from the top step, you will get hurt. But if you navigate the stairway well, you’ll exit the top on top of the world. I like doing step one and up–not the top step–and hope I got it right. Hope is not a strategy.

In an article you recently wrote for TechCrunch, you said that enterprises need networks that are digitally resilient and that RedSeal helps companies maximize this. Can you explain the concept of digital resilience and how RedSeal provides for this?

I talked about some of this before above. RedSeal gives you a complete picture of the network and all of its security. We actually calculate a number, Digital Resilience Score, of your network (or a segment of it). With that score, you can make changes and monitor if you’ve improved it. Sometimes you do, sometimes you don’t. Today, no one can confirm you did it right. No one. RedSeal can. So whether you’re deploying a new network, changing an old network, or acquiring another network through M&A, you have no way of knowing if you are making it better or not. As complicated as these things are, no one person or group can know. That’s why you need automation that can do the calculations required to show you every path and compare that to all your host’s VUL files to know if you got it right (meaning as you intended).

You worked at Sun Microsystems for a few years out of school but then you worked as an investor for 25 years and now you’re CEO of RedSeal. How do you like the operating side versus the investing side? 

I love it. I love selling an easy solution. RedSeal’s value proposition is so easy to understand in the executive suite. I feel like I’m assisting every company we sell our product to by giving them the tool to allow them to better protect themselves. The government can’t protect the entire attack surface of the United States with its trillions of points of attack, so everyone has to do the best they can. RedSeal is the tool to do that — enabling every company to be resilient from cyber events. Every one.

The News:

Cyber-security VCs Discuss Their Top Investment Criteria

  • Venky Ganesan of Menlo Ventures is excited about breach detection companies and looks for cyber founders with more than 10 years of industry expertise. Don Dixon of Trident Capital relies on an advisory council of 30 cyber industry professionals to help him pick winners.

Venture capitalists flock to cybersecurity information-sharing platforms

  • Within the past month, three threat sharing platforms–ThreatConnect, ThreatQuotient and Trustar–raised venture capital from SAP’s venture arm, NEA, and Resolute Ventures respectively. ThreatConnect has apparently grown to over 100 employees and counts half the Fortune-100 as customers.

Avecto pockets $49M from JMI Equity to invest in Defendpoint security product

  • The UK-based endpoint security company was founded in 2008 and has grown revenue 50% YoY since 2012. The company hadn’t raised any funding previously.

ZeroFox Secures $27M B-Round Led By Highland Capital

  • The social media security company has now raised $40 million across three rounds from NEA, Highland, Genacast and others. See my interview with ZeroFox Founder and CEO James Foster here.

China Calls Hacking of U.S. Workers’ Data a Crime, Not a State Act

  • China’s government claims that the OPM breach was the result of Chinese cybercriminals and that it wasn’t state-sponsored. Some of the facts of the case, however, suggest otherwise.

Target in $39.4 million settlement with banks over data breach

  • Target said last week that it had paid out over $290 million thus far due to the breach and expects insurance companies to reimburse around $90 million.

Palo Alto Remains the Clear Winner in Cybersecurity Heading into 2016; Adding to FBR Top Picks

  • FBR’s equity research team thinks that Palo Alto will strongly outperform expectations due to increasing penetration of NGFWs into the general firewall market and due to expected surges in cybersecurity budgets in 2016.

Startup Offers Free Cyberattack Simulation Service

  • Startups vThreat and SafeBreach simulate and provide detailed analytics on how hackers could breach your network.

Non-Security:

First Round Capital’s State of Startups

  • FRC interviewed over 500 founders inside and outside of their portfolio and summarized their findings. Almost all founders believe that fundraising will get more difficult in the next 12 months and they see bitcoin and wearables as the most overhyped sectors.

Jason Lemkin on This Week in Startups

  • Great interview with Jason Lemkin. Lemkin founded and then sold EchoSign to Adobe for a low 9 figures and then worked for two years at Storm Ventures. Lemkin’s specialty is SaaS and he discusses his learnings in the space from the perspective of an operator and an investor.

First Round Review: Here are the Scripts for Sales Success — Emails, Calls and Demos That Close Deals

  • TalentBin cofounder Peter Kazanjy provides specific sales emails, calls and strategies that he used at TalentBin (sold to Monster last year) to win new clients.
