June 7, 2022


Alberto Yépez joins the show to share his perspective as a venture capitalist working to help entrepreneurs build cybersecurity businesses. He started his wildly successful career at Apple and he is now the Co-Founder and Managing Director at Forgepoint Capital.

Join us as we discuss:

  • Information security challenges from the 2000s that we still face today
  • Alberto’s experience working at Apple
  • Criteria that make investing in a company worthwhile
  • Three models of private equity

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

Intro (00:06):

You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no-BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:26):

Hey there, and welcome to yet another episode of The Virtual CISO Podcast. With you as always, your host John Verry, and, with me today, Alberto Yépez. I certainly hope I didn’t screw up the pronunciation, Alberto.

Alberto Yépez (00:37):

You did not, John. Thank you for the opportunity.

John Verry (00:42):

Cool. I always start easy. Can you tell us a little bit about who you are? And, what is it that you do every day?

Alberto Yépez (00:47):

I am a venture capitalist right now. This is my third career. What I do every day is help entrepreneurs build businesses that protect the digital future. I don’t want to say cybersecurity. We’re at an inflection point in terms of with all these digital transformations, work from home and the fact that there’s not a single executive, despite the size of the company, that is not concerned about protecting information and protecting the privacy of their employees and their customers. I love what I do. I help build companies. I used to build companies in the past because I’m an entrepreneur.

John Verry (01:32):

You still build companies. You just do it as a guiding hand as opposed to the heavy lifting.

Alberto Yépez (01:39):

Yeah, so that’s what I do every day. I work, mingle with entrepreneurs and help make introductions and try to help them whatever they need … the wisdom of having made some mistakes and avoid them to be repeated in the future.

John Verry (01:57):

Well, as people will find out, you’re being quite modest. While you may have made some mistakes, you’ve also had some giant wins. We’ll get to that. I always ask, before we get down to business, what’s your drink of choice?

Alberto Yépez (02:08):

Japanese whisky.

John Verry (02:10):

Suntory?

Alberto Yépez (02:14):

Yeah, 18.

John Verry (02:16):

I’m also a whiskey person. I thought, with the surname Yépez and the fact that you mentioned to me that you’re recording this from a visit to Mexico, I thought I might hear tequila or mezcal.

Alberto Yépez (02:27):

Well, if you put it that way, the cocktail of choice is pisco sour because I’m from Peru, actually. I’m originally born and raised and educated there, and I immigrated to the United States. Home for me is the San Francisco Bay Area, but so, my cocktail of choice is pisco sour. Many people may not know pisco is like grappa, and is a more refined grappa that is made out of the peeled grape. It’s amazing.

John Verry (02:59):

My wife is going-

Alberto Yépez (03:00):

Be careful having more than two or three because you’ll be sorry after that.

John Verry (03:03):

So, my wife is going to hate you because I’m one of these people, I hear these drinks and then I order them somewhere. She thinks I’m being hoighty, but I’m just being adventurous. A pisco sour?

Alberto Yépez (03:14):

Pisco sour.

John Verry (03:14):

All right, so I’m going to have a pisco sour and then I will send you an email to tell you how much I enjoyed it when I get done with it. Thank you for telling me about a drink I haven’t had. There’s not many that I have not had, Alberto. I will tell you that, and you came up with one, so kudos to you.

Alberto Yépez (03:14):

Okay, thank you.

John Verry (03:31):

I was really excited to have you on the podcast because I think you have an insanely unique perspective. You started your work in the technology sector. You’ve started and sold multiple companies. You’ve been a heavy consumer of technology services. You’ve founded a venture capital firm that has invested into dozens of information security firms. You’ve sat on the board of many notable information security firms. I think you have a perspective very few people do have about info security. My first question is going to be an interesting one. If today’s you were able to travel back in time to you in 2000, do you think the you in 2000 would be surprised, shocked perhaps, by the information security challenges that we still have 22 years later or 21 years later?

Alberto Yépez (04:19):

I think so. Look, I don’t think anybody predicted it because my first part of my career, I spent it at Apple. At Apple, we thought we could rule the world and change the world an individual at a time. But, seeing some … I won’t say failures, but lessons learned like the Newton. You tell me today the iPhone has many of the characteristics of the Newton, but we had to deal with the constraints of a very nice device that didn’t have the processing power, didn’t have the display, didn’t have the network capacity and the development tools. So for me, I would say yes, I knew the world was going to change, but not this much and not this fast. The transformation has been rapid, and it’s only increasing, which gives us a great opportunity for all of us cyber security professionals to make a living and make a difference.

John Verry (05:21):

I guess from my perspective when I think about this, I’ve been in infosec in dedicated fashion since 2000. I thought firewalls were going to change the world. And then, I thought SIEMs were going to change the world. Then, I thought PKI was going to change the world. Then, I thought IPS was going to change … If you think about it, every year, there’s been a $100,000 investment that the CISO of a major organization would go to their board or go to their CXO suite and say, “Hey, I need this, and then we’re going to be secure.” But yet, it’s 21 years later and I’m not so sure that we’re any more secure than we were in 2006. I think maybe we’re less secure. That’s what I meant. To me, I find that shocking and concerning.

Alberto Yépez (06:04):

Yes indeed because I think we were all very comfortable when everything was centralized. Remember the old days of the mainframe?

John Verry (06:11):

Mainframe, sure.

Alberto Yépez (06:12):

Very few people have access to the terminal.

John Verry (06:13):

Green screens and wide-carriage paper, right?

Alberto Yépez (06:17):

Yeah, very few people had actual devices in the data center. Where I was going to college, I was doing an operator job as a student operator to learn a little bit of that. But then, as the information started to spread with the transformation of distributed computing, client server, the cloud, the information starts just dispersing everywhere. You just want to boil it down to: what is cyber security? But, what we’re trying to accomplish with cyber security, we don’t call it security anymore, cyber implying that it’s an interconnected world and it’s born with the internet being more pervasive and adopted by businesses.

So, what we’re trying to do is protect information. We’re trying to protect information. Information is derived from data that is processed by applications. They’re run on a device that has an operating system that is interconnected with a network, and perhaps interoperates with others. So, if you believe in this tactic, at the end of the day, we’re protecting information. In the early days of the mainframe, everything was in the same place. But now, just think of the mobile apps that we have. It’s called an app, not an application because it’s really a browser that is invoking all these APIs. You don’t know where that information is or where you’re bringing context to make decisions to process this data.

Therefore, I think the fundamentals have been changed. I remember the early days of access control with things that maybe your audience would not know, RACF and ACF2, which was a centralized access control, and we’re trying to do the same. My first company was RACF for the web. It was a web single sign-on 20 years ago, more than that. I founded it in 1995. I remember the Okta founders trying to figure out the success we had and the lessons learned, but it was centralized access and control and the privilege for people that need to access the information, provide policies to: when can they access it and from where, etc.? So, the fundamentals have not changed. The issue is the technology platform and infrastructure has evolved and will continue to evolve.

John Verry (08:48):

Yeah, it is an interesting quandary that we find ourselves in. Do you remember there was, I think, one of the most fascinating and one of the most predictive things that I ever remember reading was George Gilder wrote a piece called Telecosm. If you think about this, what you just explained is Telecosm. He envisioned a world where, once bandwidth was infinite or fast enough, all of the individual components of a computer could be anywhere in the world. The software, the CPU, the screen, the network. Really, that’s what you just described. That app is really … It’s what Gilder envisioned in whatever that was, 1991 or something crazy like that.

So yeah, the other thing too is I do think you spoke to complexity. I think complexity is definitely part of this, especially complexity and the continuous rate of change associated with the same complexity because I find it remarkable that I can … If you really sat down and thought about it, from the time that I click a mouse and you follow the flow of electrons and you follow it through the computer and out, up the OSI model across a network, back down the OSI model, back up, it’s actually remarkable any of this stuff works. We get mad whenever a webpage doesn’t load fast enough. We should thank the lord that the webpage loaded at all, from my perspective.

Alberto Yépez (10:07):

Exactly. You know, even before that reference that you had, I would encourage people to go back to a video that Apple put together in 1987 called The Knowledge Navigator. This is when Steve left and there was a big void of vision, and Sculley wanted to be the visionary. We needed to come up with something that was so compelling that people would say, “Oh, Steve doesn’t really matter. Apple will continue to run the world.” If you watch it … It’s on YouTube and widely available. It’s The Knowledge Navigator video, 1987. It really shows an iPad and a professor walking in right before class and saying, “Oh, we’re talking about deforestation. I need to talk to my friend in Brazil.”

And basically, it starts a FaceTime video session and says, “Hey, what are the latest things that you have?” “Oh, let me tell you. This is research that I put out. Let me send it to you,” and it automatically shows up on the screen. They open it up and, within 10-15 minutes, the fellow has all the data that he needs in order to deliver a very compelling class in deforestation. If you think through what the implications of that vision, it’s finally here because you talked about unlimited bandwidth, unlimited processing power, talk about video capabilities, talk about APIs and ability to invoke information and share information in a secure way, so it’s just fascinating.

I think that the next race is going to be space. We all take it for granted. We all hear that there’s a lot of these satellites, mini satellites being launched by SpaceX and guys like the founder of Amazon is doing, and also the governments of India, China and Russia are trying to do this, a race in space. I think we’re taking it to that level, and the same questions, the firewall, the IDS and IPS and all those different things are [inaudible 00:12:23]

John Verry (12:22):

You’re saying I’m going to have job security for a while. That’s what you’re saying, except now I’m going to be-

Alberto Yépez (12:28):

Yeah [inaudible 00:12:28]

John Verry (12:27):

Listen, are aliens good hackers? Do you happen to know? I know the Eastern Bloc is, and, if the aliens are better hackers than the Ukraines, I’m out. I’m out. I’m just telling you that right now.

Alberto Yépez (12:39):

That’s why we invested in AlienVault.

John Verry (12:41):

Budum boom.

Alberto Yépez (12:41):

We love the name.

John Verry (12:41):

Budum boom.

Alberto Yépez (12:44):

We locked up the space alien that basically demonstrated a vision. But anyway, sorry for interrupting.

John Verry (12:51):

No, I like the AlienVault reference because I’m actually a fan of USM Anywhere. It’s interesting. You had me thinking. We’re pointing out that Gilder Telecosm and Apple’s Knowledge Navigator presaged a future, and it makes me wonder what else presaged a future. I’m starting to wonder, as the metaverse evolves, if you’ve ever read Snow Crash, a very famous book, that was the founding of the word metaverse. And then, Ready Player One of course built on that. I wonder, if you and I are redoing this podcast in five years, would I be making a reference to one of those being why we are where we are? It’s kind of an interesting thought process.

Alberto Yépez (13:34):

Probably. The other thing that I’ll always be thinking is Star Trek, how you teleport, transport yourself and have all these arcane things. It was like bridging your imagination in a world where it doesn’t matter where you are and you need to interact and saved in the last minute because you’re in danger, and, all of a sudden, you disappear. I think you’re talking about metaverse. It’s the virtual world. It’s an economy that doesn’t have any borders with all the cryptocurrencies and all this stuff. Everybody talks about web3 and distributed applications. I think it’s a means to an end. It’s part of that evolutionary road that we’re going to continue to find [inaudible 00:14:14]

John Verry (14:14):

And there will be a whole nother set of security challenges associated. They’re already having issues with it. I didn’t mean us get into the metaverse. That’s another whole thing.

Alberto Yépez (14:22):

No worries.

John Verry (14:22):

I’d like to have Chris Dixon on the podcast. I don’t know if you ever heard him talk.

Alberto Yépez (14:27):

No.

John Verry (14:27):

Chris Dixon, one of the best podcasts I’ve ever listened to, and if you haven’t listened to it, I’d encourage anyone listening to listen to this, Chris Dixon and an Indian gentleman. I think his name is … It’s N-A-V something. I don’t remember exactly what it was … was on Tim Ferriss, and they talked about NFTs, and they talked about web3. It was a fascinating conversation, and Chris Dixon is a fascinating follow on Twitter. He’s a brilliant guy and he comes up with some really interesting stuff. But, let’s put that to the side for a second. You mentioned that you were at Apple. How much were you involved in infosec at Apple if at all?

Alberto Yépez (15:06):

Really, where I started was in telecom, in networking. I was a network design engineer. That was my first job out of college. What it meant was we needed to interconnect all the business systems to create a unified network around the world. We thought that digital net or digital rings that would bring all the manufacturing systems that were running on Tandem computers with all the distribution centers that were running on IBM System/38, AS/400, all the financial reporting that was being running in mainframes, and also all the Cray computers doing simulation. As an engineer, I was having a blast because he was interoperating, interconnecting all these systems in a secure form, the early days of Ethernet cards and how you put fiber across the campus in Cupertino. How do you create a digital ring between all our distribution centers and all the manufacturing centers, not only in the US and Europe in all that?

So, for me, it was all about information sharing and the ability to access that information. My next job was even better because, since I had got so much context on this computing power, Apple said, “We need to make sure the Mac and our products interoperate and interact with it,” so I was able to run a group called the Mac Technology Group that basically was an IT that was developing applications and development interfaces into the mainframe into all the different devices, and I had an opportunity to work with the IBM/Apple alliance, with the tech alliance, with so much work that needed to be done that bring me a lot of context.

Destiny has its way. If you told me, “This is what you’re going to do …” I studied computer science. I didn’t write a single line of code. The world is safer because of that. Let me just state that. But, it was just inquisitive knowledge about: how do you share information and how you create windows? At the time, we wanted people to imagine the Mac interface in front of your app and your reporting rather than just having to look at that green screen that you described or generating the reports; you had to get your printout and that’s the way you got it. So, I did get involved early on with my passion of information and sharing. One of the considerations was, “Is this information secure?”

John Verry (17:37):

If I read your bio right, then you ended up at enCommerce, which was an email marketing platform. It was interesting to me that you ultimately sold that to Entrust, which was an information security firm. I’m curious: Entrust, as an infosec firm in 2000, what level of security due diligence did they do on enCommerce at that time, and how much did that experience shape your future career arc?

Alberto Yépez (18:04):

enCommerce wasn’t an email platform. It was a cyber security company that enabled commerce, that enabled the customer lifecycle management all the way from somebody coming to your website to get marketing information about your product, be able to purchase online, be able to get the support. So, we built the very first web single-sign-on platform that integrated with PKI, Verisign and Entrust in those days, integrating with RSA and all the other tokens. It also integrated with all the directories at the time. Everybody forgets about Novell and others, so we had built the very first portal infrastructure that provided web single-sign-on personalization.

And, this is the early projects where chase.com launched and it was almost letting the space shuttle go to the moon because Chase was one of our large customers, and we were migrating all the customers to online banking. There were 20M accounts that we needed to migrate, and our technology had to scale to allow people to not only log in, personalize to their own accounts and the things that were relevant and tried to do that. So, enCommerce was the learnings of me leaving Apple and trying to … It started as a consultant like many entrepreneurs were working with early adopters of technology like Schwab and Cisco and others who wanted to use the browser as a way to share information.

That’s how the idea of enCommerce and web single-sign-on security came about. After raising four rounds of venture capital and almost getting the company ready to go public, we had the largest banks in the world, not just the US. You name it, in Japan, UK, Singapore. We had the largest telcos in the world. Sun was one of our strategic partners. It was a Java framework, and because Sun was pushing Java, we used to help sell E10000 just to get the portal, the backup, the crash and burn. They loved us.

John Verry (20:12):

Sun was a monster. People forget how big the company Sun was in those days.

Alberto Yépez (20:15):

They helped us, and we were addressing one of the biggest issues for them. And so, short of taking the company public, Entrust realized that PKI wasn’t an easy business to be in other than selling affiliates and selling certificates for web HTTP servers and VPNs and maybe email security, so they needed to diversify with something that really enabled the business. For them, it was a very strategic acquisition to enable, and we brought a set of customers that otherwise … We were talking to the people, what they called the digital transformation people at that time. eCity and all these towns, there were people trying to migrate into more online business.

It was a fascinating experience because innovation in cyber security doesn’t happen in the lab. It really happens by understanding the changes in technology, how people want to interact and facilitate information. I think the background of Apple having the center of design be an individual carryon on helping build the products that we did. We had Okta in ’97, ’98, ’99, 2000. That’s when we got acquired by Entrust. I joined Entrust as a board member and eventually ended up having to run the company because the market crashed and had to face the music when you have a downward spiral brand and trying to figure out: how do you cut costs and structure and still make it relevant, and eventually helped recruit, with other members of the board, an executive out of Nortel to run Entrust.

And then, I ended up being recruited by private equity. This is my early days in venture capital and investing, that they wanted to consolidate the industry in cyber security. At the time, Bill Janeway was the vice chairman of Warburg, and he says, “Alberto, why don’t we just consolidate and buy a couple companies and make the biggest cyber security company in the world?” We said it’s not going to be in the network side because the firewall was already solved, so why don’t we do it at the application level? Literally, we almost bought RSA and we combined it with assets of CONTROL-SA from BMC.

John Verry (22:39):

At that point, that would have been a really … You were doing the authentication. Now, you had the multifactor baked in. At that time, RSA hard tokens were the cat’s meow, right? That’s what everyone was buying. That would have been around late ’90s, early 2000s, right? That was the-

Alberto Yépez (22:39):

Early 2000s.

John Verry (22:54):

Yeah, it was the height of the RSA tokens. I knew RSA sales guys in those days that were making bank.

Alberto Yépez (23:01):

And BSAFE, remember the libraries?

John Verry (23:04):

Oh my God, yeah.

Alberto Yépez (23:04):

The secure libraries everybody needed to [inaudible 00:23:06]

John Verry (23:06):

I wouldn’t have remembered that if you didn’t mention it.

Alberto Yépez (23:08):

But anyway, that’s how my experience with cyber security as a practitioner, as an entrepreneur, working with customers, resellers, distributors, the different markets and secrecies or a big large bank that has unlimited resources versus some that is a small team that needs to make sure they give the convenience and the same quality of cyber security, and then how to evolve, think through. As professionals, how do we provide that assurance or mitigate the risk so whatever business we’re in can help with whatever insights we can provide.

John Verry (23:53):

You just made the jump, if you will, from being on the technology side, being on the security side and into the venture capital world. That’s led you to make investments into, it looked like, 50+ firms at this point in time with some really fantastic exits. You mentioned AlienVault and their exit with AT&T cybersecurity. There were certainly a few others. When you’re looking, because a lot of our clients are either early-stage firms, seed-based firms, some VC-backed firms … When you’re looking at a company, what is it that you prioritize? Is it the people? Is it the culture? Is it market size, external drivers, technology stack, intellectual property? What is it that is the two or three core things that make an investment a worthwhile investment for you?

Alberto Yépez (24:45):

That’s a great question and it’s a question we are often asked. What is your criteria of selecting a company that you want to invest? We have five areas. One is the market, second, the intellectual property, third, the go-to-market strategy, fourth, the team, fifth, if there is a syndicate and other people helping build it. Markets, obviously, you look for large market opportunities that are fastly growing, fast-growing markets, large market opportunities. The IP, the intellectual property, has to be hardly differentiated and hard to replicate. That’s why we tend to invest primarily in high-IP content business. We will tell you in a moment why because, in cyber security, most of the exits are M&A, and the established companies, in order to stay relevant, need to buy the innovative companies.

And so, IP becomes a critical component. The third component is the go-to-market. What is the segment of the market? What is the pricing? How do you get it to the ultimate consumer? With all the evolution now, that component becomes probably one of the most critical ones, especially when you talk about the small-medium business because, now, security is being delivered as a service, but it looked a sacrilege 10 years ago. I remember working with Philippe Courtot. We were trying to take Qualys public, and people were so nervous that we were putting all the vulnerabilities in the cloud. They says, “Wait a minute. Now, you can deal with that.” Now, he became a visionary. He became somebody that was way ahead of all of us.

And so, security now needs to be … In the go-to-market, now, the criteria is technology that is easily consumed, easily deployed, preferably using a model that is cloud-first and is in a subscription manner because people don’t have the capital expenditure to be able to buy something big. I’m okay buying subscription, the old world that Salesforce innovated and says, “You don’t need to buy SAP. Just pay me monthly.” It started small. But then eventually, you start paying millions of dollars a year at that company. Then obviously, the core of that company, which is the DNA of the founders or the founding team, do they have the context? Do they have the contacts and the experience in the area that they think they can address this large market opportunity with differentiated IP with a sensible go-to-market strategy? That becomes one of the key criteria, that you’re investing in people.

Syndicate is more like: companies take time to develop, and, if you’re the only investor, yeah, it’s interesting. But, in the case of AlienVault, since we mentioned it, we had some wonderful syndicate members. The company started in Spain. We started as an open source project. We led the series A. Kleiner followed us in the series B. And then, two or three other VCs came in, but we were able to fund the company and transform the company from a community-led business to a much more … It was appliances. I don’t know if you recall Unified Security. People even had problems with memory, but eventually moving that from a physical appliance to a virtual appliance to a cloud native first. That’s when AT&T decided that, “Wow, we got to have it because we have such a huge opportunity with that mid-small-medium business that we can provide this capability.”

For them, it was a very strategic position because it enabled them to really get into the business in a more credible way, in a way that there’s a community of people that believed that a unified security management framework that had pretty much everything quote/unquote, “Built in,” would address most of the requirements from small-medium businesses. It was an interesting evolution. When you apply the criteria, market IP, go-to-market, team, syndicate, it’s very important. If you align all five, you have a successful company. If one of them drops, you may have the best technology in the fastest growing market with the right team. But, if the go-to-market fails, you’re done. You may have the best go-to-market team with the right syndicate, the right team. But, it’s a market that is very small, so you realize that it’s not just one or two. You have to align all five in order to be successful.

John Verry (29:12):

That was interesting. When you did them in order, before the syndicate, the second to last was people. I was just curious if there was a relative … if you listed them in relative order of importance, and if people were listed late in the process because you can supplement them or replace them? But, the others are not easily supplementable or replaceable.

Alberto Yépez (29:32):

Interesting observation. People is the basis, I think, of the investment. The only reason I put it in that order is, oftentimes, when you’re an investor, my business today is, “You’re going to give me money and I need to return two, three, four times the money you give me, so I better invest in large-market opportunities. I may have the best team, but if they’re going to try to address a very narrow market, that’s [inaudible 00:29:58] so I start with, “What problem are we trying to solve, and is it a big, big problem? Do the people that are starting this business have the context, the experience, the knowledge how to do that?”

People is a constant everywhere. The IP is created by the people. It’s not automatically created by somebody in the universe. Like I said, it’s all about creating differentiated IP that is hard to replicate, but people is the one that creates that IP. And then, go-to-market is people, again, because it’s people that understand channels, people that understand pricing, people that understand support.

John Verry (30:33):

To me, go-to-market is critical because you can have the best widget in the world, but if you don’t know how to sell it, you’re in trouble, and you’re considering that to be part of the people. I just felt once the intellectual property is launched … because I see a lot of venture firms invest into an organization. Then, you see them replacing people but still having some success, which is why I asked that question.

Alberto Yépez (30:54):

I think we bet on people and we partner fundamentally with the founders. Then, we have conversations at the right time. I was a founder as well. We may need to bring somebody to help scale the businesses, but if they don’t want to do it and want to go all the way, we support them and bring people under them that can help them with their blind spots. Some founders love to innovate. They don’t like the politics.

John Verry (31:21):

They don’t like to manage.

Alberto Yépez (31:26):

Yeah, it’s more a founder’s choice, but fundamentally, Forgepoint partners with the entrepreneurs to help scale and build businesses. We have a lot of relationships to bring people into companies when and if the appropriate time is in order to help it scale.

John Verry (31:43):

Gotcha. You largely answered my next question, which was: you see different approaches in PE firms regarding the core services they provide, and even the level of governance they exert over the organization, whether they run somewhat autonomously and whether they’re held a little bit more closely. What is your particular philosophy?

Alberto Yépez (32:03):

You brought in a very interesting nuance that I don’t think a lot of people in the audience know, nor I knew until I got into the business. Private equity, I guess, broadly speaking, you invest equities in private companies, but there are three very different plays in private equity. There’s venture capital, which is really minority ownership. You don’t control the company. You don’t own. You need to work with your core investors, with the founders to drive that. In the other stream, the proper PE firms, they buy control. They’re majority investors. They control the business, and, if they want to change the CEO, there’s no discussion in the boards. It’s, “John, thank you very much. I appreciate your services. I have Mary coming in tomorrow. Make sure you just do the right thing. We’ll pay you appropriately. See you later.”

Private equity firms have a very different model of venture capital. They tend to be looking at efficiencies, and, oftentimes, investing companies at a scale, or even public companies and they take it private because they failed to innovate; they failed to grow in a fast pace, and, therefore, what happens is they tend to not only bring efficiencies, increase the EBITDA, and then they start buying innovative companies, which are the venture-backed companies. The venture-backed companies is where we are minority investors and we know that our biggest value is not the capital. It’s the experience. It’s the network that we’re bringing to bear. We introduce people to the founders. “Do you like this person? Do you have the right synergy to be part of your executive team? Do you want this individual to be an independent board member?” the things that you, perhaps as an entrepreneur, never had an opportunity to develop.

And, if you go to our webpage, forgepointcap.com, you’ll see something called the advisory council. There’s more than 70 people, many of them practitioners, many of them entrepreneurs that I would consider the protagonists of this industry. There are people like Greg Clark that started Dascom, ended up doing Blue Coat, Symantec, whatever. Now, he runs his own fund. You have people like Kevin Mandia when he was building his consulting business, but you have massive CISOs of different big companies and small companies. We have a lot of military background, but all these people have the same vision. We want to be able to protect the digital future, and, what we do, is it’s a loosely coupled association where … and the founder wants to help, or the help of somebody that has technology background on how to sell to the government or how to scale the business, they help.

And for us, they help us evaluate the technology. Don’t think that just because you tell me your technology works, I believe it. I said, “Okay, let me introduce you to Ramin at Jefferies. Let me introduce you to Phil at Goldman. Let me introduce you to Tad at JPMorgan.” They will be the ones saying, “Okay, listen to the pitch.” They try it. They test it and say, “Yeah, it’s good. If you invest, I’ll buy it,” so we enforce each other and that’s how we grow businesses together. Private equity is not one-size-fits-all. Private equity buys control and they can bring their operating team, change it, efficiencies and all that. Venture capital is about growth.

John Verry (35:23):

This was a really fascinating part of the conversation for me because I have always struggled with understanding that. But, if I recall correctly, you said at the beginning that there were three distinct models, and you really outlined two, I think. What was the-

Alberto Yépez (35:35):

The middle one, which is the growth equity buyouts, is more investing in the growing venture capital firms that are moving towards a private equity category. But, it’s that mid market. Growth investors tend to also buy control because that’s the way they can influence, but they don’t have the networks and the scale of the private equity firms, nor do they have the billions of dollars to take public companies, so it’s kind of a hybrid between venture and private equity, and it’s called growth equity, and it’s more related to buyouts. A lot of founders, once we catch up, say, “I’m done with this. Let me get other people. I can stay on the board or something,” so it’s kind of in the middle.

John Verry (36:23):

Gotcha. That was helpful, thank you. I never fully understood that. You’re investing into most of the investments, perhaps all of your investments right now are into security companies, infosec companies. How important is it to you that those security companies already have a strong security story to tell their customers? Do you have a preferred approach? If it is a software firm, are you looking for someone who’s got demonstrable security using OWASP Application Security Verification Standard or SAMM or ISO 27001 or SOC 2, anything particularly that you look for?

Alberto Yépez (37:02):

Interesting because it depends given if … I think most companies now, because we’re looking for more cloud-native companies and all that. Therefore, you start not only with SOC 2, FedRAMP, all the ISO standards to make sure that … If they don’t have it, we’ll help them do it. We look at companies, when they do development, they have a mature development process where they don’t misuse nor license open-source libraries that eventually, once you go public or somebody’s going to acquire you, you’re going to have to rewrite because you never paid the license to build. So, we tend to be more software investors. Appliance is okay, but we tend to migrate. The pandemic taught us a lot about appliances and how it was hard to even go deploy and put them in remote locations and everything else. And so, we’re more software-only, ideally cloud-native, cloud ready, SaaS model for recurring business models, and that’s pretty much the focus that we have.

John Verry (38:08):

Interesting. And then, just on that SaaS model, any particular focus areas whether it’s identity, whether it’s SIEM/SOC, whether it’s … Where are you seeing the emerging areas that you’re targeting right now?

Alberto Yépez (38:27):

Interesting. We have 37 companies in the portfolio, so we have the largest portfolio, everything. We have the new modern SOC with a company called Cysiv that is all in the back, in in-house. You remember the ArcSights of the world? Now, all that’s using machine learning, trying to do alerts, reporting, doing 80% of the work.

John Verry (38:48):

That’s a fascinating area. I’ve had two guys on the podcast in the last … that cloud-native … because the infinite scalability, the way you can leverage functions as a service … You can do real-time correlation. You’ve got these data lakes, so you got massive data stores. I’m assuming Cysiv is in that same genre?

Alberto Yépez (39:05):

Cysiv, yeah. For the mid-market, the next-generation endpoints, everybody talks a lot about SentinelOne and CrowdStrike. No, we’re investing in Huntress.

John Verry (39:16):

Huntress?

Alberto Yépez (39:16):

Huntress is an amazing company. It’s a company that is like the CrowdStrike for the rest of us. It’s security for the 99%. It’s security for the people that don’t have the resources. Once you deploy, you go in, you sign up, you deploy it. It’s up and running within minutes. Then, after the week trial or the month trial, boom, you convert and you have pretty much 80-90% of what a CrowdStrike or a SentinelOne gives you, amazing team, former NSAers, understood the MSP market, not the MSSP market, the MSP, which is the trusted technology advisor. My goodness, the company’s on fire. It’s taking the world by storm. But, they never see the competitive nature of a CrowdStrike or a SentinelOne because they’re playing in very different stadiums.

John Verry (40:08):

SMB, SME space?

Alberto Yépez (40:10):

SME, and then MSP is their core business to go to market. It’s an amazing company. We’re doing stuff in identity, not only using blockchain and distributed identity, a company called 1Kosmos that not only helps you with passwordless, but onboarding and identity verification and gives you a wallet so that you’re able to embed that. So, during the pandemic, imagine people being hired. How do you verify their documents or who they are? They come in. You have to give them access to different things using the password component to go to do. It uses blockchain because this is a distributed model that people don’t have to deal with. We’re doing some amazing work in cyber insurance. As you know, with the advent of ransomware, the growing trend of ransomware attacks, guess what, a lot of companies either had bought cyber insurance, and the claims were covered. But, many of the insurers, the big insurance companies lost money.

John Verry (41:03):

They’re bleeding money. They’re bleeding money.

Alberto Yépez (41:04):

They lost money because-

John Verry (41:06):

Half my customers either can’t get cyber anymore or they’re coming back and … The lowest increase that I’ve seen is 27%, but I’ve seen 200-300%.

Alberto Yépez (41:14):

We’re seeing more the 200-300%, and guess what, they get these sold. You know why? Because there’s not a lot of data. You use machine learning predictive models. We have a company called CyberQ that does that and is being used by some of the largest insurers in the world, re-insurers and all that. But, that’s more analytics and predictive models to predict cyber attacks depending on the sector, the segment and all that. But on the other hand, when you look at cyber insurance, now you could do … It’s a pre-assessment, and there’s eight controls at every cyber insurance. Before, it was a questionnaire you had to build. Now, somebody can come in-

John Verry (41:48):

I know. I’ve been arguing this a long time.

Alberto Yépez (41:50):

Now, some-

John Verry (41:51):

Their due diligence, their underwriting process sucked.

Alberto Yépez (41:53):

But now-

John Verry (41:54):

I talked to the guys that are in it. I have some good friends in the insurance space. It was a market grab. They all saw this as being the holy grail. They all said, “We’ll buy the business, and then we’ll figure it out.” They all got bit, so now they’re all trying to go back. There’s a fundamental flaw though with underwriting cyber liability insurance that it’s got to work its way out, because you’re at a point where it used to be like someone would come to me and say, “Oh, we’re paying $2,700 here for cyber liability and cyber liability insurance,” but, in order to do a real true due diligence on the company for an underwriting process would cost $9,000.

So, the mathematics of it didn’t work. The risk management component and the money they set aside wasn’t enough to pay for that, so we’ve got to get it to a point where those tools … There’s a capability for the … What I think they should do is, if you want my cyber liability insurance, that company has to pay for the due diligence that’s necessary to demonstrate to me that they’re worthy of being insured.

Alberto Yépez (42:51):

Very good point, and many companies are beginning to create businesses out of MSSPs that do the pre-assessment. If you have the label, then the insurers come in and said, “I’ll pay you.” But now, not only have the MSSP for the audit and the assessment, but they have it as a continuous monitoring so that now you have what at least somebody has invested in these and they have some idea what it takes to control the environment.

John Verry (43:15):

Yeah exactly. Anything before we wrap up here? One thing I’m always curious about: you’ve got a stake in Huntress. You still probably have friends over at AT&T. They’re using SentinelOne. They have a whole big deal with SentinelOne. You going to get them to replace SentinelOne with Huntress any time soon?

Alberto Yépez (43:36):

I think AT&T’s a tremendous machine and great … You know, what we learned when we sold AlienVault, we were only addressing a third of the market of the small-medium business because AlienVault was very complex. Huntress is that bottom 70%.

John Verry (43:55):

Really?

Alberto Yépez (43:55):

Oh, yeah.

John Verry (43:55):

It’s that easy? I’ll have to look at it.

Alberto Yépez (43:58):

You’re going to fall in love with it.

John Verry (44:00):

Really?

Alberto Yépez (44:00):

Just keep it in the background. It’s one of those tips that you’ll see how the world is changing and how people with very limited resources, that cyber security’s a part-time job for somebody that has five other things to do, talk to them about … or even try it yourself.

John Verry (44:18):

Okay. You just named every one of my customers.

Alberto Yépez (44:22):

Okay, that’s great.

John Verry (44:25):

They’re under-resourced and they need all the help they can. Anything else on your portfolio that’s like a Huntress, that, if you’re an SME, they’re all understaffed. They all can’t afford information security people with the salary escalation. There’s not enough of them, so, if they can get them, they can’t retain them. Anyone else in your portfolio for the stressed, understaffed, under-resourced 500-person firm? Anything else that you’d recommend people look into?

Alberto Yépez (44:52):

A company called SolCyber, S-O-L cyber, C-Y-B-E-R. It’s a modern MSSP that is basically … It gives you the full stack and embeds companies from our own portfolio, Area 1 for email, Huntress for endpoint, Cysiv for SIEM, but you don’t have to worry about it. You’re buying a ceviche, you don’t care about the fish or what you’re using. It’s an amazing company and they charge you per user per month, and it’s way, way below what a CrowdStrike … Everybody’s trying to do that, even the eSentires in the world of the new MSS, they cannot even compete. The company is called SolCyber. It’s based in Dallas, but they serve large constituents. A lot of people in venture capital and a lot of people in venture-backed companies are going. By the way, they’re about to launch a program with an insurance company that, if you’re a user of SolCyber, they’ll discount your cyber insurance by 30%.

John Verry (46:00):

Yeah, we’re seeing more and more of that where these insurance companies recognize that, if someone makes that level of investment, at least we know they’re fairly serious about it. It’s not a definitive they’re secure, but, from a probability perspective, which is really what it’s based on there, their actuarial data. Awesome. This has been as good as I hoped it would be, thank you.

Alberto Yépez (46:23):

We can continue, John. I had a lot of fun as well, and I know the time ran out on us.

John Verry (46:28):

At some point, it would be fun just to continue the conversation, maybe not on microphone here. I would love to learn more. Selfishly and for our client base, I’d like to know about the products that you have out there. One of the things that I love about doing this podcast is I’m lucky enough to talk to a lot of early-stage companies, companies that are in their funding rounds. One of the companies I just spoke to just hit a billion-dollar valuation, and I didn’t even know about them. Knowing what they’re doing, how they’re doing it, it’s advantageous to me personally. It’s advantageous to our client base and to our listeners, so thanks. I warned you ahead of time because I did a crappy job of preparing you, so we’re going to see if you can think while you talk, because you would have had to have done that. Give me a fictional character or a real world person you’d think would make an amazing or a horrible CISO and why.

Alberto Yépez (47:18):

Posthumous, I would think Steve Jobs would make both-

John Verry (47:22):

That’s cool, and you worked with him, so you would actually know.

Alberto Yépez (47:25):

Awesome and horrible at the same time because he was such a visionary.

John Verry (47:30):

He wasn’t the world’s nicest man.

Alberto Yépez (47:32):

But on the other hand, brilliant, and he always wanted to simplify. I think if we can all embed that, “Why do you make technology complicated?” The day he took away the hard disc, the day he took away the CD, we were all saying, “Are you crazy?” And guess what, look what we’re doing today. I think he would be an amazing driver to bring simplicity and making sure that we accomplish the goal without even feeling that it is complex, hiding that complexity.

John Verry (48:04):

That’s a great answer. One of the stories that I love about Jobs, I think he said something to … I’m going to paraphrase. “If we had done design groups, the iPad would have never existed.” He said, “People aren’t smart enough to know that they need this, but I am, and I’m going to produce it,” effectively. Having people with that level of chutzpah, trying to keep the word polite, that makes a lot of sense. So, if folks wish to get in touch with your firm Forgepoint to learn more about the companies that you back, how would you do that?

Alberto Yépez (48:37):

Our website is forgepointcap.com like Forgepoint Capital, cap.com. You can find me on LinkedIn, Alberto Yépez … happy to chat with entrepreneurs who are looking to build businesses or people that have great input who are missing an opportunity to work with amazing opportunities. Just refer them to us because that’s the value we help create. And, thank you for what you do for the community, John. Really appreciate it because-

John Verry (49:05):

Listen, same to you. If you think about it, there are 37 promising companies out there. No seriously, look, I know this is going to sound stupid, but I am to a point in my career that part of what I’m doing is altruistic. Because, I could go sit on a beach at this point. I’m sure you could, too. You’ve been wildly successful. You could have probably sat on the beach 20 years ago, but you’re out there every day. I do think that there’s honor in what we’re doing. I love your phrase and I’m going to steal it sometime, so just beware. I don’t expect to hear from your lawyers, but I love … I wrote it down, “Protecting the digital future.” I thought that was fantastic.

We try to say that we’re trying to protect customers. We have a phrase, “1,000 customers, 1M employees, 1B customers,” because that’s really the reach that even a small company like Pivot Point has. When you think about the 37 companies that you have and you think about, “If you can advance infosec as much as you hope, how much value that extends to the globe, it’s pretty fascinating and it’s pretty interesting,” so, kudos to you. I love people that are making the investment into our future like you are.

Alberto Yépez (50:13):

Thank you very much for the opportunity. Have a great weekend.

Outro (50:16):

You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security, so, if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And, to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.