On the podcast: Why a hedge fund joined VC's cybersecurity arms race

Hosts Adam Lewis and Alec Davis discuss recent coverage of the femtech frenzy, PE's march on VC and an update on the red-hot fintech space. Then, Maverick Ventures managing director Matt Kinsella joins the pod to discuss why hedge funds are getting to venture, how that influx of capital will impact the industry and the never-ending arms race within cybersecurity. 

Listen to all of Season 4 and subscribe to get future episodes of "In Visible Capital" on Apple Podcasts, Spotify, Google Podcasts or wherever you listen. For inquiries, please contact us at podcast@pitchbook.com.

Transcript

Matt: They are like some of the best swag to send out to your customer. That's great. Think that they don't get some Maverick Yeti mug. I work for a place called Maverick, and it's a hedge fund with about $12 billion under management. It's an early-stage venture fund called Maverick Ventures, which is where I spend most of my time. We also have a growth equity fund, which is a bit of a newer offering from us.

Maverick's around since 1993. I've been here since 2005. I started here out of school after Notre Dame and have been here ever since. It's a long time to be at one place, but I've been able to do a lot of interesting things while I've been here. The first chunk of my career was all focused on public equity markets. I worked at our hedge fund and did mostly software investing. Then in 2014, moved over to help get Maverick Ventures off the ground and have been focused on that ever since.

James: You made the switch from public to private. We call that crossover investing. It's definitely like a hot topic. It's something that has really upended the venture capital world. I'm just wondering, from your point of view, how big of a mindset shift was that going from public software to early-stage startups?

Matt: It was quite a mindset shift. The way Maverick has gone about this is when we had a public equity investment vehicle and then an early-stage investment vehicle. Really those are very different investment strategies. At the end of the day. You're still trying to find great companies that you think are going to be worth a lot more in the future. The signals you look for in the analysis you do are very different and the skill sets are transferrable to some extent, but really quite different.

I'd say the biggest difference is just the focus on the people. When you are doing early-stage investing, a lot of that is really just understanding what makes that entrepreneur tick. Why are they so focused on doing this? Because it's a really hard thing to do, and trying to look for signal as to why they're the right person to do this and are they going to have the grit to stick with it and grow the business over time?

There will be a lot of challenges that come with it. A lot of time is really spent understanding the people. Of course, in public equity, investing management is very important, but it's one of the only things that matters early, early stage. That was a big mind shift for me. Then another one that's interesting, too, is just the degree of certainty. You can put on any forecast or any information given to you in the public equity world.

If a company gives guidance or company gives you some indication of where the business is going to be, they have a reasonably good understanding of what that's going to look like. They're not going to be off by a ton, don't get it wrong, but you can be off by orders of magnitude easily every day in the early stages. You have to always take with a grain of salt, any forecast that you're relying upon in the early stage of the business because you have to be understanding it's going to end up being quite different than people think it's going to be.

James: I was recently talking a professor who studies hedge funds, and I was asked him kind of like, why are they coming into venture capital? What is the strategic advantage? His basic take was, they are really good at doing company analysis, and that is what they're looking for. They come at the growth stage. They're like, "You're an excellent company. You're dirt. I don't want you."

They pick who they feel confident they're going to be the winners. They don't really mind paying valuations that are out of step with what the rest of the venture market is seeing at that time. When you guys decided to launch the growth fund, was it a similar thought process like, "Hey, we're doing this already in the public markets, we can do this in the private markets?"

Matt: Maverick, actually, has been doing private investments since the beginning of its founding since 1993. To your point, but motivations for doing private investing, they can be quite broad. At the early stages of when Maverick was doing private investing, and I'd mentioned in 2014, helping getting Maverick Ventures off the ground before that Maverick had been doing early-stage investing out of the hedge fund.

The real reason why we started to do that, it was very opportunistic early on going back, even before I got to Maverick. A lot of it was around investing in tiny companies to get a better understanding of what might be disrupting the large, publicly traded companies in a few years or companies that might be partner. It was almost part of the research process for the big dollars you were putting into work in the public equity market.

Over time we continued to iterate on that and notice that, wow, this is actually quite profitable for us. We should probably, if we're going to keep doing it, standardize it and actually put real capital behind it. The thing there's a number of different reasons why the hedge funds will want to get involved in the private markets, and they can range from helping influence their research process on their big public equity funds.

Two, to your point, applying that same type of methodology they're doing for the research and the public equity market to the later stage private companies, because often they're not that different. A lot of these later-stage private companies have been private for much longer than they used to stay private. You could actually do quite a bit of analysis on the financials, and it doesn't look that different. from doing an analysis on a publicly traded company.

To a certain extent, you can sometimes get more in-depth information from a private company than you would from a public equity company. You can get cohort data, you can get all sorts of data that you might not be able to do, so you can feel more confident in the research process that you've done and have more confidence in the potential outcome for the businesses.

I think that's another reason why hedge funds are coming more into the late-stage private market. Why Maverick did it was, we had this sort of barbell strategy almost. We had the public equity business and then we had the early-stage venture business, and it just seemed very natural since those two skill sets can meet in the middle and focus on the growth stage.

Also when you have a full portfolio of venture-sized companies, a lot of those are moving into the growth stage and it was starting to get annoying, seeing so many other hedge funds put more capital into our favorite companies and not being able to keep up. Part of this is opportunities fund where we can just continue to support our favorite businesses out of our venture capital fund.

James: Yes. You don't want other people to profit off your winners?

Matt: No, that's [it] exactly.

James: So much ink has been spilled over the question of valuations and venture capital right now. I think a lot of people fairly or unfairly point to hedge funds as being part of this bush. What's your perspective on it? When you think about the rise in valuations, is it really a narrative of these outside investors coming in and bidding up startups? Is it something maybe much larger than that?

Matt: I have an interesting seat in all of this because Maverick is a hedge fund, but I'm part of an early-stage venture fund. That's under the same umbrella as the hedge fund, and so even though we're part of a hedge fund and I can have the mindset of all of my colleagues who are on the public equity side of the business. My mindset is fairly squarely in the venture capital world, and so it's interesting to see those other funds.

It's not just hedge funds—it's the large mutual funds, the Fidelities, the Heroes, the capital groups that are also coming into this market. Is it just a function of those folks coming in? I think they are part of it, but the broader issue is just, there is a lot of liquidity in the system. There's a lot of people who have a lot of capital interest rates are very low. People are searching for returns and it's no secret that a lot of funds have done very well in their private investing efforts.
More capital is coming into that private investing world and as a result of that, we're seeing prices rise for sure. What I think is maybe less well-appreciated is just prices are rising. It's the asset class itself is expanding materially. More market cap is being created in that growth equity phase, and so while there's more dollars coming after it and prices are rising at the same time, companies are staying private longer and more companies are being developed.

They're realizing valuations that they may have otherwise realized in the public equity markets while they're still private. You probably know this better than I do given I think I probably pulled this data from PitchBook, but I think if you look at the valuation of all unicorns in 2010, it was $30 billion, and in 2020, it was $1.5 trillion. That's a 50x growth. If unicorns are a proxy for late-stage venture capital, that's a massive growth in an asset class.

I think while a lot of capital coming in here, the asset class itself is growing as well. Those are all the trends that are coming together to create this situation and at the end of the day, the people who are probably missing out are the public equity investors, because so much of this market cap is being created before these companies even go public. When they do go public, which an increase in valuation that would have otherwise happened in the public markets is now happening in the private markets.

James: For your early-stage investments, do you think that it creates more of a challenge, these increased valuations to get in at prices that you can reliably make return if you make enough of these bets?

Matt: It is certainly starting to impact the earlier stage world as well, and one of my favorite parts about our strategy and growth is since we know these companies so well, that are in our portfolio, we can have much more conviction in what we think the outcome is going to be, and actually maybe feel comfortable paying a higher price than maybe we otherwise would for a company we didn't have the history with the management team.

We're more comfortable putting probably a bigger evaluations on some of the companies we've been investing in for a long time because we have such high conviction in what the ultimate outcome is going to be. We've spent years with this management team, as I was saying earlier, that people were the most important we understand. I think, well, you do see even earlier stage valuations rising materially because of this trickle-down effect from dollars coming from the public equity funds into the late-stage growth into the early-stage venture.

It is manageable if you can get in earlier, established relationships with those companies and then feel comfortable putting more capital than even if it is at higher valuations. I think another really interesting aspect of all of this is it's not so much necessarily even the investment mentality that the public equity investors bring. It's just the size of the dollars they're bringing.

It's also just what their baseline is for what a fund is. A hedge fund might be 30 to $50 billion depending on the fund, and so in their mind, a $5 billion growth fund doesn't seem all that crazy. Whereas go back five years ago for the traditional growth investors, a $5 billion fund would have seemed massive. Having that much capital to deploy, they have to put it to work, or else the funds go away, and they need to really make sure they can get a lot of capital to work.

That means they need to make sure their big bets work out and what's happening is you're seeing them make these $10 [to] $20 million bets in the Series A, Series B world, and you can almost think of those as tracker investments and they're paying just to get in the door of some of these early-stage companies. If they see them start to work, and they'll pour more capital into them.

I think you actually see the ones who've done this successfully, they see much higher returns on their bigger checks, because they've sort of vetted it out by all these smaller checks that might not do as well, but they can see and identify the early winners and pour more capital into them. Which ultimately is similar to what we're doing with IN the growth fund to support our favorite portfolio companies out of our venture fund.

James: Do you think that the seed and early-stage, especially Series A is keeping pace with the demands at that later stage? This is a beast that wants to be fed? Are there going to be companies left in four years? Are there going to be enough to satiate all the asset managers and hedge funds and private equity firms that have come into the Series B and later?

Matt: It's never been easier to get a startup off the ground, with just the low cost. I haven't done this analysis in a long time but I remember back in 2018, 2019, timeframe, just looking at the cost of starting a business in 2005, versus the cost of starting a business in 2018 and it was like 5%, the cost just with what AWS has done. I do think that we're going to continue to see great innovation, a lot of new companies popping up and those companies will get funding because there's much demand.

Now, will there be a higher failure rate? Probably, will it take longer to realize the good companies versus the ones that are going to make it? Also probably because they're going to continue to be able to be funded for longer than they otherwise would have because all this capital is raised. It's good to get put to work.

James: You've been investing in software for well over a decade and you've seen the rise of SaaS from pretty early days.

Matt: I have.

James: How is that shaped the way that you look at the opportunity around tech companies broadly.

Matt: One of the things I've always liked about software businesses, even before SaaS, even if you go back to the old license and maintenance model is just these are truly very good businesses, they have predictable cash flows. As they scale, they see great leverage and they tend to have great unit economics, because their marginal cost of selling another piece of product is zero and they have close to 90% gross margins at scale.

Seeing the rise of SaaS, I think what was interesting in the early days of SaaS was people didn't totally understand, myself included, the power of the subscription business model. There used to be a sell license, and then you click the maintenance fee over time. What I think took people a while to get was just how valuable a customer was throughout the entire life of that customer if you had a predictable subscription and low churn.

It was very rational to invest a lot of dollars upfront to acquire customers, even at the expense of short term profitability for explosive expansion and margins later on as that marginal cost-benefit really started to play out. What I think it's helped me to do is just to really think longer-term about what businesses can be and what new definition of what terminal value is, and understanding just how valuable these businesses can be, as they really see that margin expansion that's always in the outer years because you're investing upfront to acquire those customers.

It makes things look quite expensive on any kind of near-term metrics but what people don't totally understand is just how explosive that growth is going to be in the out years because of the profitability of those customers, as the long-term value increases above the CAC. If it has a sticky business model, like a lot of SAS is you really see margin expansion in the out years.

I think things are expensive, for sure but these are also amazing business models, and more and more of the market cap out there is levered to these types of business models, and these businesses can get very valuable very quickly. To me, it's been just to focus on what companies can look like at steady state as opposed to what they look like on next year's revenue or the year after that's revenue.

James: You're pretty interested in cybersecurity, right?

Matt: I am. Yes, it's been an area of focus for me.

James: When did you kind of start investing in that?

Matt: I made my first cybersecurity investment in 2012, 2013. It was right around the time, there was a bunch of data breach and those were a new thing back then their front-page news when that happened. I feel like I've seen one literally every day now but I remember the big one was the target breach where some hackers had gotten into target through an HVAC system and to me, that was kind of a aha moment that, while cybersecurity had been a big thing, it was going to just get bigger.

The more CIOs I talked to, the more apparent it was, that was sort of the one area they had a blank check to spend on like, this is a board-level issue. Now, everyone is freaked out about this and we need to make sure we are spending money to make sure we can try to stop this. It's kind of been a straight-up into the right experience since that 2013 timeframe.

Back in my public equity days, some of our early investments were companies like Palo Alto Networks and Fortinet, and we were the largest shareholders of both of those companies for several years and have gone on to make many, many other investments in cybersecurity in both the public and private markets since then.

James: You're saying it's not just me, the hacks are really getting bigger and more frequent and scarier?

Matt: They are. Yes, and it's like every year they keep getting worse, back in 2013, a data breach that maybe exposed hundreds of thousands of records was pretty big news and now you're seeing tens, the hundreds of millions records pretty normally being done. Then you're seeing some really terrible stuff like hackers going after hospitals and taking over all the connected medical devices and threatening to shut them down if you don't pay them enough Bitcoin.

You're just seeing the hackers continue to be pretty darn creative in what they go after and creative in the ways they go about doing it. I've always thought of the cybersecurity world as a shiny new toy world, where there's new companies that are being spun up all the time, because there's new ways in which the bad guys are going after the information and so you are always constantly trying to plug different holes.

It's a pretty ripe area to invest in the early stages that said a lot of companies don't ever make it to huge scale because they end up being point solutions. You really have to try to parse out what is going to be a point solution versus what can actually grow to be a more of a platform. A lot of these cyber securities companies have historically and been started in Israel.

If you look at the archetype, it's often somebody who comes out of the 8200 unit, which is the Israeli defense forces cyber unit and they're able to spin their IP out of that unit, which is very unique to the 8200 unit. It's one of the reasons why so many of the companies come from there and so these former 8200 unit officers will start companies around their technology.

The historical trend had been to build that up to a certain level of scale, but never really have to master go to market and then you'd sell to one of the bigger providers, whether that was to Symantec or a Check Point, or even a Palo Alto Networks. Palo Alto and Check Point were originally Israeli startups that did grow to scale, but the thing that people would tend to do was to sell for a technology-based outcome, as opposed to really proving out to go to market.

I think that mentality has shifted a bit because we've seen a few more, really big outcomes come out of Israel and so more and more of these companies are attempting to be platform size, as opposed to just attack in acquisition for 10 to a hundred million for some of these larger cyber security vendors.

James: What do you think has enabled that platform opportunity?

Matt: Well, it's always been there. It's just really hard to figure out which one is gonna be. I remember my work around Palo Alto Networks back in the day, the world of firewalls was already pretty well established by that point in time and so it was a pretty negative thesis on Palo Alto. Why would another firewall vendor be able to come in and disrupt this and where you have to really try to focus your efforts is you look at when renewal cycles are coming up for a certain product.
Back then the platform of choice was the firewall because most of your assets were still on-premise. You could protect them by building a firewall around it and I just noticed a lot of CIOs were actually going to rip and replace their checkpoint or their Cisco firewalls with Palo Alto.

You ask why, and it was because the performance was just so much better. I don't think there's necessarily a silver bullet as to how you can determine what's going to be a new security platform or how long that's going to last for. It's really just trying to pick up signals along the way that you're seeing mass replacement of what the existing platform is and then things tend to bolt onto that.

You've seen, for instance, like Okta become a platform in of itself. When I don't know if anyone would necessarily thought identity was going to be a platform five years ago, even, but if you followed it closely, you would've realized that being able to access all your different cloud apps via one single sign-on through Okta and have one identity across all of those had a pretty good shot of being a platform.

I think there's other really interesting ways of potential really building other identity platforms out there too, that are based on things other than a password or a multifactor authentication that maybe could be the way in which you interact with your devices, identifying you via behavior or other types of biometrics. That's an area I'm also quite excited about. It's just other ways of identifying people because I do think identity itself is emerged as a platform and is kind of one of the true pillars of compute.

James: Yes, I'm glad you brought up identity for verification. It's one of the hottest areas of investment right now and it came up in the colonial pipeline hack that they were not using even a dual-factor authentication on these devices. I'm curious though, for selfish reasons, are we gonna get to a point where passwords just rarely come up?

Matt: People have been predicting at the death of the password for a long time. I think it's with things like the colonial pipeline and many other things. I think we have enough proof points to show that' they're not very efficacious, especially when you of the most common passwords are password or your name or something very common or the place you work. I'm certainly guilty of this, my passwords are usually some version of something that one could very easily hack if they tried to.

I think what will happen is you will start to see beefing up of other measures around the password and so multifactor authentication is the first shot across the bio there. You do your password, then you got to do something else. The problem is that's pretty high friction. I don't know about you, but every time I log in to into my apps on my computer, it takes two minutes because I have to do a password, then I got to do the multifactor authentication, or I have to do my password, then I have to log into one login, then I have to get a multifactor authentication set.

I think what a lot of companies are working on are ways to just decrease that friction and provide a beefing up of the security around the password. I think what you might see over time is that some of those things were the tangential things that were just helping to support the password and make the password stronger. A multifactor authentication or some behavioral biometric will start to maybe become the primary form of identification as opposed to a secondary or a backup form.

I think it'll be a while before you see the password go away, but I think you'll see a lot of things happening in the background that are just beefing up the security around the password that will then usurp the password itself. That's my presumption of how it will end up playing out, and we have a portfolio company called BioCatch, which does what's called behavioral biometrics.

They can identify you on the way you interact with your devices, and no two people have the same typing cadence, no two people hold their phones at the same angle, no two people rotated while you're typing. There's a lot of different things that are very unique to you that could not be mimicked by someone no matter how hard they tried, nor could it be mimicked by artificial intelligence.

What they do is they take all those signals in, and they can create a profile for James and say, OK, we know how James interacts with his devices. If someone's interacting with your device in a different way than James, it can be flagged. Now, if it matches the profile of your wife or someone that they also have on file, it's probably less concerning, but if it's some profile they know, it can be more concerning.

What's interesting about trying to take behavioral signals is that once you do that enough, you start to develop straw man's profiles for things that might be fraudulent. You can say, Okay, well, we've seen enough fraud, and we know how someone behaves when they're entering in a social security number, let's say they're applying for a credit card. They're entering in a social security number, they can tell whether they're pulling that social security number out of long term memory, or if they're typing it off of a piece of paper.

If you put enough of those signals together, you can start to try to prevent fraud before it happens, because you can catch these signals early, like, Oh, this person doesn't actually know this password. They've guessed it, or they've pulled it off a piece of paper and try to stop things before they happen that way.

James: What are some of the other big areas in cybersecurity that you're most excited to see develop?

Matt: We already touched briefly upon hospital cybersecurity, I do think that's going to be a big area in the future, just medical cybersecurity in general. I continue to be very excited about identity, we've already talked about both those. An area that I think is new and burgeoning, that is going to continue to get bigger is just DevOps security and if you see what like a sneak is doing and explosive growth they've seen.

Protecting software as it's developed and even around the process of how software is written and developed, protecting things at that level, I think continues to get more important, especially in the aftermath of the solar winds hack, which was a supply chain hack meeting. Someone got into the code of solar winds, that code went to all their customers, and then they were able to get out of that code and then penetrate their customers' environments.

What sneak or other companies that focus on DevOps security can do is hopefully mitigate those types of risks by making sure the processes that code is written, and the code itself is safe and as opposed if you look at the exact opposite, or the opposite end of the spectrum would be endpoint security. Which is, the password, how I'm accessing my software, this is protecting things as the software is being written. That's an area I'm quite excited about.

It's a relatively new area of cybersecurity, but if you think about who the cool kids are at companies, now it's the developers as digital transformation is top of mind for all organizations. Those developers have a lot of clout in their organizations and if they know they need to be more secure, I think those organizations will spend to make them more secure and that's an area that I'm quite excited about to explore even more deeply just developers focus security.

James: You briefly mentioned Bitcoin earlier. I think one of the inevitable things if you read enough these hack stories, you realize, Oh, yes, cryptocurrencies are kind of how they're getting paid and a lot of ransomware cases. So much venture capital money has been going into the crypto space. I'm not trying to make any connections, specifically here but do you think that crypto and security can coexist, or are we doomed to have this battle between security and privacy working against each other?

Matt: It is true that most hackers want to be paid in crypto is a true statement. Is it that different than a hacker demanding to be paid, or a bad guy demanding repair do with a suitcase of cash? Not really and I don't necessarily blame crypto for that. It's just the medium they've chosen to accept payment through. I've been amazed to see the FBI be able to track down some of these folks tracking it through the ledgers in Bitcoin and tracing back and be able to recover some of the money.

In some ways, it's probably even, there's a greater chance of recovering it if it's in crypto. I think the hackers have used crypto because it's convenient for them to get paid, and they can feel relatively confident that they won't be able to be caught. I don't necessarily hold it against Bitcoin for allowing those to happen in Bitcoin. I think it has a lot of other great things that it does. That would be hard to answer that question.

James: I think that's fair. The other thing that we've seen quite a few, I know you're customer in anti-money laundering, like startups that are targeting these issues for the crypto community and getting quite a lot of money, especially as more institutional players come in.

Matt: Totally.

James: On that, do you consider yourself an optimist or a pessimist when it comes to cybersecurity? Is this going to be a perpetual game of whack a mole, or are we on course or can we get on course to control these threats?

Matt: I'm both optimist and it's going to be a perpetual game of whack a mole, [laughs] so it's going to be both of those things, for sure. We are going to continue to have great, great innovations and how infrastructure is secured, and the bad guys are going to continue to test how to get through those. They'll figure out ways to worm their way through and then great technology is going to come out of the 8200 unit or the NSA to help combat that.

It's just going to be a constant push and pull, probably moving more and more in the direction of more secure. It's going to be two steps forward, one step back, probably world. They'll be whack a mole, but I do think we're getting to a place where things will continue to get more secure, then we have to worry about quantum computing coming through and breaking all of modern-day cryptography. Then we'll cross that bridge when we get there.

James: So much to look forward to.

Matt: Totally.

James: Thanks Matt, I really appreciate you being here.

Matt: No, it was great. It was really nice to talk with you, James.

In this episode

Matt Kinsella is a Managing Director at Maverick Ventures, a venture capital fund focused on early and growth stage investments, where he has been since 2005.  He currently serves on the boards of private companies in the fields of SAAS, cybersecurity and healthcare.  Mr. Kinsella received his B.B.A. from the University of Notre Dame (summa cum laude). He serves as the Chairman of Maverick Capital Foundation San Francisco and sits on the boards of OneGoal and the San Francisco General Hospital Foundation.  He lives in San Francisco with his wife Kavana and daughter Emma.