The CISO's Guide to Early-Stage Investing
Below are some things I learned as a CISO making angel investments into cybersecurity startups. I’m not a professional investor or financial advisor, and I’m avoiding discussions on whether you should pursue private investing or how to pick winners. My focus in this article is on the types of investments, customs, and definitions a CISO focused on cybersecurity startups is likely to see around 2021+, and helping you understand the terms you will hear if you decide to get involved.
Deliberate investing often has 3 properties:
- Avoid situational errors that disadvantage you over the rest of the field.
- Look for advantages that give you an edge over the field.
- Invest with enough frequency, volume, and/or diversity to protect you from outlier events and learn from your experiences.
Item number 1 includes transparent access to data and strong legal protections. The stock market has that in spades, with securities laws requiring transparency and providing recourse if you lose on a tilted field. In the private markets of unregistered securities, though, you are on your own. That drives the SEC requirement that you are an accredited investor before startups or funds are permitted to take your investment. The general premise here is that you must be a financially sophisticated investor, capable of understanding and absorbing the inherently higher risk. Contractual agreements for private investments will require you to meet the accredited investor definition via one or more of several criteria including an annual income of over $200,000 or a net worth of over $1m. Read these agreements carefully - even if boilerplate - as they are making important disclaimers about the substantial risks of private investing, including the significant likelihood your investment value will go to $0. But even as an accredited investor, how can you expect to manage due diligence, financial validation, and legal contracting? While nothing is a replacement for retaining qualified counsel, one strategy that helps is to use the resources of professional investors - specifically venture capital firms - by “riding their paper”. You can start with the contractual provisions VCs are requiring by co-investing with them.
Item two is all about being a CISO. Leverage your strengths and disproportionate advantages in investment decisions. How to identify your advantages? Follow the money. Look for areas where you’ve been able to earn based on your unique abilities and experiences. As a CISO that is likely to be cybersecurity, risk management, enterprise procurement, and/or hard-core technology. And know your limits. Being a CISO doesn’t guarantee you are an expert in cryptography. Feel free to pass on investments where you just don’t feel you are an expert.
The third item - investment frequency and volume - is about making sure that risky angel investment has an appropriate place among less risky investments in your total portfolio, and that within your angel investments you consider distributing your risk across multiple investments over time.
Just like public equity investing, the basic premise of private investing is acquiring equity - a percentage of a company - for a set price today and selling it for a higher price in the future. The simple math here - again similar to the stock market - is dividing your investment by the entire value of the company at the time it was made, and thus deriving the percentage of it that you own. As that valuation (or market capitalization - in public market parlance) increases, your fixed percentage ownership increases in value.
Imagine you invest $25,000 in a company that is worth $2.5m. Congratulations, you now own 1% of the company. If the value of the entire company increases to $10m and you have an opportunity to sell your shares, you should receive $100,000 (1% of $10m).
But nothing is simple…
Calculating equity ownership requires establishing a valuation for a company. The inputs to this process can include tangible assets and inventory, but for technology startups (and even more so cybersecurity startups) it is generally based on a prediction/hope of future earnings, which most commonly ties back to current revenue. So how do you apply a valuation to a company without any revenue yet? You could fantasize and say “we are on track to creating some amazing anti-ransomware device, think we can sell it for $50,000 a pop, and expect to sell thousands so… we are going to have revenue of at least $50m a year… so let’s use that”. That’s hard enough when you have some prototypes produced, ideally have a few sold, and have some good data about the potential market for your devices. But when all you have is a dream in the garage, it’s too far of a stretch for most investors. This is what we call seed round investing, and one of the most common hallmarks of seed round investing is avoiding valuation altogether. Instead of procuring equity, investors will usually secure a (convertible) note that promises the ability to participate in the next round - where the company is further along and it is more reasonable to establish a valuation - at a discount to reward you for getting involved so early. A note is a legal agreement, and there are countless variations possible on various terms.
Using our example above, a seed round investment of $25,000 may just secure a note saying that when the company gets further along and does a proper institutional round, you will not only be given the privilege of rolling your $25,000 investment into that round alongside much better funded venture capital firms, but you will do so at a discount of - say - 20%. That means you will actually get $31,250 worth of company equity at the newly-established valuation, and not have to pony up any more money than your original $25,000 investment. At that point you will technically be up 25% already.
Another common variable in a note is a cap. A cap is the max valuation that will be used to establish your equity percentage. This protects you from getting left behind if the company really skyrockets along.
Once again using our example, let’s say you enter into a note early - before a value is established for your target company. In your head you are hoping it will be worth between 10 and 20 million dollars when it does a formal raise, but you just get your 20% discount percentage and figure that you will see how it goes from here. Then they strike gold - they come up with a bulletproof ransomware solution that not only prevents damage, but improves performance and inoculates computers from all security vulnerabilities in 5 minutes. The VCs are fighting to throw money at it, and the valuation at the first institutional round is actually $100m. If you just had your 20% discount rate alone, you would get your $31,250 worth of equity, or 0.03% of the company. If the company later sold for that $100m, you would have profited just 25% - not what you would hope for with this home-run investment. With a $10m cap specified in your note, however, your investment is translated into equity ownership at that valuation, meaning you have 0.3% of the company - or about $312,500 worth.
Discount and cap figures usually go hand in hand with notes in seed stage investments. It is also common to have an interest rate that is applied to reward the investor for waiting, though this seems less common with new tech/cybersecurity startups. When it is applied, it is usually accrued and then later applied during conversion into equity (your capital is increased by the interest) and not paid out in installments like a traditional loan.
A common template used in many seed transactions at this time is the Simple Agreement for Future Equity (SAFE) note; research that if you’d like to explore more about note terms.
Moving beyond seed stage, the first true equity round (with a valuation) is usually the Series A. While a seed stage company may have relied more on whiteboard drawings, concepts, and/or founder reputations, an MVP has usually been built before the Series A. An MVP - or Minimally Viable Product - is exactly that - a prototype. A Series A firm may not have many paying customers yet, but they may have a Design Partner or two secured. This will be a low or no-paying customer who shares the startup's passion about the problem statement and is allowing the startup to use their environment and feedback to help define the MVP into an optimized product. At the Series A stage, the investment round is usually led by a proper Venture Capital firm. Several firms may bid to make the lead investment into the round and set the terms, but there will be room for more. VCs will compete by offering term sheets that specify the valuation of the firm, amount to be invested (if you are following along you know those two bits imply the percentage ownership to be gained), and a host of legal stipulations including potential governance input via Board seats. VCs will also look to differentiate via the backgrounds of their general partners, the validation that a top brand brings in a funding announcement, their network of prospective design partners, customers, and peer companies, and even in-house administrative services ranging from payroll to marketing. Different VCs will have different advantages, and a wise startup will look to fill some of their internal gaps during the selection process. Once a lead investor and term sheet is agreed, others will be invited to round out the total amount to be raised on the same terms.
At the Series A stage the amounts raised for cybersecurity startups are usually in the $5m-$15m range, and individual angel investor checks are generally inconsequential. When each firm is writing a check for several million dollars, taking additional investments of $25,000, $100,000, or even more is generally just not worth the extra hassle of adding another entity to the cap(italization) table, or record of all equity holders and percentages owned.
This is where investing as a subject matter expert begins to differentiate. Traditional angel investors who are not leveraging a specific experience and skill set spend a lot of time worrying about deal flow - being invited to review and consider investing in new startups. This often drives them to earlier seed stages, where word of mouth may get a founder in touch with a friend’s rich aunt or something like that. Such angel investors often aggregate into clubs and share information to become aware of investment opportunities, but have to bear the added risk of investing at a seed stage. Many angel investors would prefer to have the lower risk and more concrete product - if not metrics - of a Series A investment - but with an often oversubscribed round of VC firms eager to get in with multi-million dollar investments, there is no room for angels. That’s the differentiator - CISOs may be able to barter valuable experience and advice for a seat at the table to co-invest in a round where their check-size is otherwise uninteresting.
So how does one get involved and get this deal flow as a CISO? The simplest answer is to forge relationships with VC firms and offer your valuable insight in screening potential deals for them. Depending on your employer’s policies, you may be able to do that for a cash retainer or formal ability to participate in investing, but it may be simpler and more valuable to do it pro bono to establish good will and awareness of startups. If you end up with an opportunity to invest, it will have to be for the future value you can bring to the startup, and not the past value you brought to the VC during screening. So you need to demonstrate your helpfulness to the startup. Screening deals is an excellent way to meet founders and products you want to invest in, gain experience knowing the range of talent and ideas that are out there, and stay close to VCs that will be aware of investing opportunities.
Conflicts and Disclosures
Your employer's policies may or may not explicitly prohibit you from private investing or require approval for any transaction. If the latter, it is common to have a double materiality test - whether your investment would be material to the company or to you. With angel investing the latter is more likely, so a policy like that is making sure you aren’t going to be incentivized toward unethical behavior to avoid financial ruin. But once you ensure compliance with your trading policy, you separately need to consider potential conflicts of interest in your ongoing duties when the vendor is in cybersecurity and you are a CISO. Again, look to your published policies and consultation with your compliance team first, but a general rule is that you do not want to be making financial decisions around a vendor when you have any personal gain or loss at stake from the firm’s success. That said, being invested does not mean you have to disqualify your company from availing itself of this awesome product you are so passionate about. Rather, it is usually appropriate to disclose your conflicts to appropriate personnel and likely recuse yourself from financial decision making. Establish the rules of engagement with your compliance team and get agreement in writing, but a good starting offer would be to say that if and when you have any investment conflict with a current or potential vendor, you will not participate in any financial decision making around the relationship and instead will disclose the conflict to your supervisor and redirect approval to a peer. If you enter this arrangement, consider making your technical team available to your peer without your involvement so they can make an unbiased decision.
So what about your team? Should you let them know early-on that you are invested in a potential vendor? That’s certainly up to you. The aim should be an objective unbiased decision from them. It’s possible that disclosure can have a reverse-effect in those cases. As a superior, it is possible that disclosing an investment in a vendor will give the unintended message that you expect the team to favor that product. Again, you can consult your compliance team, but take your company culture into account and consider treating the vendor identically to the competition when reviewing with your team.
Dilution is important, but can be confusing and often misunderstood.
Heading back to our earlier example, you had 0.3125% of a $100m company - or $312,500. But that wasn’t the end of it. The company continued on its stellar trajectory for several years, and finally went public at a share price that implied a $2b market capitalization! That’s another 20x return on top of your investment - so do you now hold $6.25m worth of stock? NOT QUITE, unfortunately.
The challenge is dilution. If your investment had their IPO right after the Series A, your math would be fine. But as is more commonly the case, they raised Series B and C rounds in the interim. And each time, the equity for the new investors had to come from somewhere. You might think the founders would just give up more of their shares, but that’s not the case. Rather, the existing investors usually get diluted by an even percentage. So if a new round of investors are going to collectively own 10% of the business, existing investors will all give up 10% of their holdings. So your 0.3125% ownership slipped to 0.28125% after that Series B. If it happens again in the Series C, you are down to 0.253125%. If our magical unicorn IPO scenario then unfolds, you have just over $5m to show for it. Still not bad, but dilution is something you should understand so you aren’t budgeting for too large a sailboat in your cocktail napkin dreams. On a related note, when subsequent financing rounds are raised, you may have pro-rata rights to participate in the new round to keep your total ownership percentage whole. This is a common clause for institutional investors, but it requires additional cash to exercise and is less likely to be demanded by working angel investors.
So finally on to exits. Unlike the public stock market - which lets you get in and out any time you want - private investing suffers from illiquidity in general. You can only get in during fundraising rounds - and then if you are invited - and you can only get out during exit opportunities. There are a few ways those can manifest. First - remember our dilution example with new investors coming in for their 10% of the company? It’s possible - but not always common - that they and the founders will allow existing investors to simply exit during such a round. Perhaps you’ve had enough and are willing to just sell your shares outright at the new valuation and in essence transfer ownership to the new investor. This can be a great way to bank a return quickly and avoid dilution for other investors as well. The most common exit in our niche, however, is an outright commercial sale of the company. A private equity firm or another company in the industry may purchase the startup outright, and the purchase price will dictate whether that means a profit or loss for you. Finally, the company may make an Initial Public Offering (IPO) on the public stock market, at which point the market will trade shares to establish the valuation and you will have the opportunity to sell at the time of your choosing.
Another way to participate in startup investing is via funds. In this method, you can invest among a pool of investors and get exposure to an array of (cybersecurity) startups without the concentration risk of a single company. While venture capital firms may commonly require $500,000 or more for each Limited Partner (LP) in the fund, they may lower that threshold if you will bring a unique set of experience to the table, knowing you are more likely to devote more time to startup screening for them if you have skin in the game. In this model, it is common to have a percentage of your investment allocated to fees, and a percentage of any gains - or carry - you make shared with the General Partners (GPs) of the fund. A common model is the “two and twenty” that means 2% of the fund will be used to cover expenses, and 20% of the carry allocated to the GPs. Expenses will include legal, accounting, and tax services, office space, and salaries, though most GPs will be aiming for the 20% of carry to make a living off VC work. You can also be an LP in a fund and co-invest on a specific target where you feel especially passionate about the business. With a fund, you gain comfort with the investing partners and investing thesis, and then let them handle the day to day screening of target investments. Since a fund will generally take several years to deploy all of their capital, they usually do not take it all up front. Rather, they ask for a capital commitment from you but then ask for money via capital calls as needed throughout the life of the fund. Likewise, if and when various investments exit for the fund, they will look to return capital to investors right away and not wait for the entire fund to wind down. VC firms will often raise several funds over time, with each one having a predicted life span, specific “raise period”, and investment thesis. 
Funds may allow investors to come in a little bit late - especially if there have been no major valuation changes in the investments - by charging the investor a catch-up fee in the form of interest.
SPVs and Syndicates
Between direct investments and investing in funds are syndicates and special purpose vehicles (SPVs). You can think of these as pooled investments. A syndicate can technically just be a group, with all the members agreeing to invest in an entity but doing so separately. One downside of this - particularly for the startup - is a potentially large number of people or entities on the cap table, each of which deserves updates, statements and, in some cases, tax filings. It’s thus preferable for a startup to receive a single large check from a legal entity, which can be one of several types - usually an LLC or LP - set up as a syndicate or SPV. This setup can be run similarly to a fund, with the main differences being that there is only one pre-agreed investment target (versus investing in the fund with faith the managers will do a good job picking targets later without consulting you) and that there is likely to only be one “capital call” so the fund will only ask for money once. Some VCs will actually launch many SPVs over time for specific purposes, ranging from performing a follow-on investment for a portfolio company where the original fund is tapped out to pursuing a special one-time endeavour that doesn’t fit an existing fund thesis. Other than the “special purpose” investment target, SPVs can and are often run very similarly to general funds with the “two and twenty” commission plan and similar reporting and financial statement detail.
If you invest in a startup, fund, SPV, or similar vehicle, you will need to get the capital to them. Given enough time, it is possible to mail a physical check and have it clear in time. It is much more customary and somewhat polite to perform a wire transfer, however, since it will settle so much more quickly and require less logistical work from the manager. You will receive wire instructions from the investment manager with a cutoff “close date” for the fund. Be sure to action these quickly to allow the fund to close on time, but BEWARE WIRE TRANSFER FRAUD! Remember that adversaries actively compromise cloud-based email service accounts and search for common wire transfer activity automatically. While I’ve not yet heard of VCs being victimized, I suspect it is out there given how many reports there are of real estate agents getting hit. In these cases, the adversaries will send automated “corrected wire transfer instructions” in a sophisticated manner. In addition to exercising the usual suspicion expected of cybersecurity professionals, you should also confirm some of the wire instruction details - such as the last several digits of key numbers - out of band via phone or another non-email method.
Angel investing isn't for every CISO, and you shouldn't be overwhelmed by the fear of missing out. Your paycheck is likely to be the best return you ever see, but it is good to understand the vocabulary of startup investing no matter how you decide to participate.