 Welcome back to SuperCloud Through and I'm John Furrier, host of the queue here in Palo Alto, California. This is security plus AI, our third installment of SuperCloud. You know, as the SuperCloud emerges, they got to be funded, they got to grow, and they're changing. And so with that, a lot of investments, the capital markets are getting excited. It's a tailwind for cloud and AI, but not so much in other areas as this transformation of digital transmissions happening. We're here with a veteran in the industry, venture capitalist, Bob Ackerman, founder and managing director of Allegious Cyber Capital. Also the co-founder of DataTribe and on Seventh Tribe, as they call it, a cybersecurity and data science startup foundry where they get in and they fund the early stage, worked with the companies, building companies, so they're builders and they're funders. Bob, thanks for spending the time coming on SuperCloud. Very great to be here, John. Thanks for having me. You know, I love your historical, you've seen multiple ways of innovation over the years. This cycle is different. It's highly accelerated. Everyone we talk to that has these experiences and cycles always says it's changing faster than ever before. Jeff Jonas, who we interviewed last Friday, a former IBM or now Gazone cyber deal, he said some people are getting term sheets and by the time they get their money, they could be out of business by the next innovation. So, you know, all kidding aside, that's the pace right now. We're seeing this new SuperCloud and security and AI. AI is changing the game, but also security is a data problem too. There's a lot of action going on in SuperCloud. What's your thoughts? Oh, look, I mean, you know, as the global economy digitizes, you know, cybersecurity really kind of represents the existential threat that digitized global economy. So on the one hand, you know, it's an area where investment is non-discretionary. You really don't have a choice because you can't afford to get it wrong. You know, the fact alone is what drives so much of the investment activity. But you've got a dynamic in cyber that you really don't have in any other area of technology in that there is an offense in cyber. And the offense actually sets the pace and drives the innovation. And, you know, the offense is technically quite capable, well-funded, and basically unconstrained in their behavior. So you've got a very determined adversary that wakes up every day looking for ways to compromise all of our digital infrastructure. And it really puts the pressure on the defense to work at the pace of the offense. And that's very, very hard to do. But it creates a dynamic that, you know, technology moves quickly, sort of that digitization process is accelerating to your point, but cyber moves even faster. And so it's an uber competitive environment. It's obviously drawn a lot of investment attention. At the same time, I think sometimes people don't fully understand the nature of cyber, that it is deeply technical. It's not a pickup game. This is an area much like life sciences or biotech, where I think it really, you better be a domain expert. Otherwise, you're best to step back and step away. And I think, you know, from an investment community perspective, the investment community is done with cyber, what it does in every area. Wherever there's momentum, capital flocks to the momentum. And we tend to get a fair level of indiscriminate, undifferentiated investment, which creates a lot of fog. And cyber has experienced that. And I think part of what we're seeing in today's environment is sort of the great rationalization of let's start the wheat from the chaff or the cream from the milk from the curd, you know, and, you know, kind of rationalize the environment to something that's a little more sustainable, a little more value driven. In the fog of war, as they say, there's casualties in a lot of those storms that don't make it. I mean, the super cloud trend is expanding the cloud surface area. Obviously, the surface area is bigger and better from a surface perspective. That comes with potential challenges. And at the capital markets, you're seeing kind of the haves and have nots on the funding side when you get into it. So because they want to go faster on the customer side, but they always can't go there. So they're playing defense a lot. And then on the old side, they might not be prepared. So talk about that dynamic of like the two sides of the streets, old way, new way, because you might be positioned here. But if you can't even play catch up defense came to that office and your surface area is compromised, you're going to be screwed either way. So yeah, I mean, the surface areas are really, really interesting issue, right? Because when we look at, you know, the explosion in IoT, for example, just massively expands, you know, the threat landscape. You look at the transition from IPv4 to IPv6. You know, IPv4 today, state of the art is maybe 50% accuracy in mapping. And so 50%, we don't know what the hell we've got. We're trying to defend it. You get to IPv6. The people that we work with tell us that that is an insoluble mathematical problem. You know, you go from, you know, you go to an address space, it's a quadrillion, quadrillion addresses, and there's no mapping technology here to four that will allow you to map that environment. And so, you know, it's one of those situations where what we do from a technical perspective, in order to address the environment, we're operating in things like IoT, you know, open up the threat landscape, and we're always playing catch up. You know, and the advantage, of course, the offense has is that they, you know, they get to pick the time and the place. And we have to try and anticipate, you know, where they're going to meet us or where we're going to meet them. But, you know, the haves and have nots. You know, when I look at this market, I do talk about, you know, the cream, the milk, and the curds. And the cream, you know, rises to the top. It easily raises capital. You know, one can argue sometimes it's overcapitalized, quite frankly. Milk is viable, has to demonstrate a little more value, more proof points. The curds are really, you know, good things come from curds. We make cheese, right? But, you know, what you find in cyber is there are a lot of me too, undifferentiated companies that are really capitalized by the venture herd, you know, people trying to capture momentum that want to get in that maybe don't have all of the domain expertise. And they look at things like, like threat intelligence to say, well, that sounds like a really important thing. And it is a really important thing. We have 107 threat intelligence companies today. How many do we actually need? Five will get us there. So what's going to happen with the other 102? You know, they're going to get consolidated, they're going to get rolled up, they're going to go away. And that's part of this cleansing process that we're living through today. You know, a lot of times I get asked, John, I said, you know, cyber overcapitalized or undercapitalized, I said, yes. Which was nice. Well, it's actually both. You know, the truly unique differentiated move the needle cutting edge stuff, grossly undercapitalized. The me to commoditize stuff, grossly overcapitalized. And the difference between that are the people that are writing the checks. You know, the people that, you know, have spent their careers in cyber, you know, are a little better at identifying disruptive ideas or anticipating where the puck will be. And that's really the way you need to approach cyber. Those that are chasing momentum, they're right. There's a lot of opportunity, a lot of value will be created. But if you don't know the difference between the curd, the milk and the cream, you're going to struggle. And I think that's what's being sorted out in today's market. Well, that's an awesome call out. I'd also say that to add to your point that there's a dot connects that you have to figure out on the on the tech side. So this industry playbook around, you know, the curd milk and cream, but also with that, will they cross the right bridge in the market side. So there's a kind of an industry market. You mentioned IPv6. And that's a great example of some of the theoretical math that's needed to the scale of doing the kind of solutions. Kind of what software defined did for networking. You start to see that this technology and market dynamics going on at the same time. So, you know, this and that's one thing, by the way, that's hard. Now you add in national security. Okay, now you have another dimension. So, you know, I know this is kind of tough. And then I'll add the third element. I'd love to get your comments on his tools versus platforms. Okay, I can be best of breed tool, but I can't be a platform of every single thing being rest of breed. All that boiled in together. Like, holy, you know what, what the hell that happens? Yeah, just a phenomenally complex matrix and, you know, tackling in a no particular order. You know, from a venture investor's perspective, we love platforms as opposed to tools because platforms really create that opportunity to create long-term sustainable value. Platforms are hard. You know, and, you know, tools is really what most people start up with. They identify a particular need or gap in the marketplace. They develop a response to that need or gap. And it usually is in the form of a pool of a tool. But tools eventually get aggregated. They get rolled up. They get integrated into platforms. And you've got situations where things start off looking like a, you know, a platform, they end up being a tool. You know, so you've got all of that shifting, you know, prioritization of technical innovation that is a constant challenge in cyber. You know, at the same time, when you sit down, you talk to the practitioners, you talk to a CISO, you know, they're looking for fewer moving parts because more moving parts actually increases risk because it adds complexity and complexity and risk go hand in hand. You know, they've gotten into the business of acting as integrators themselves because they have no choice. But at the end of the day, what do they want? They want fewer moving parts. They want more tools integrated into platforms so that frankly, they can free up resources, whether that be cash or whether that be engineering, to focus on the new emerging threats because every day there is a new emerging threat. And we talked about, you know, you talk about the implications of IPv6. That is a tectonic shift in the networking security landscape. And, you know, there's some very, very important disruptive work that's being done in that area. But, you know, there's, you know, to my knowledge, there's one company operating in that space where you go back to, you go back to things like threat intelligence. You've got 107 companies, you know, there's not enough people doing the really cutting edge, really disruptive stuff. How do we get ahead of the threats? Or how do we get proactive and get out of that reactive mode? And so much what we do in cyber today, for better or for worse, but driven by necessity, is reactive. And, you know, we have to get to a place where we are proactive. We are preemptive. We take more of a data-centric approach to security and begin to design security. And Zero Trust is a great kind of philosophical, conceptual framework that nods in that direction. But we've got a long way to go. And so you're right. There's the technical evolution. There's the innovation evolution. There's the practical practitioner's perspective. There's the economic element in terms of what does the investment community want to invest in. And they're not all working to the same goal and objective at any moment in time. Well, you have a unique view, obviously, of the historical perspective to play the long game and make investments today that could flower and be successful is great. Let's move over to the customer, your customer, the entrepreneur. I know you do a lot of NSA, kind of like theoretical deep tech, engineering-led, founder-led stuff. But there's also now a lot of open source activity, certainly on AI, causing some activity, supply chain security, bill of materials, open source. You're starting to see more proliferation of security entrepreneurs, I'll say, coming in from the mainstream. What's the makeup of these founders? Because they are looking at a new reality. They have a clean sheet of paper. They're looking at super cloud, like, okay, like cloud versus data center. No brain if you were Airbnb and you were going to do an app. Of course, you go to the cloud first. I was just talking to the VP of engineering at former VP at Uber. He's talking about unopinionated platforms, which means full toolkit availability at the platform level. So developers and are become entrepreneurs. They're the next leaders. What are you seeing for the makeup? What's their demographics? What's their mindset? Look, there's a whole bunch there, Johnny. You touched on a really, really interesting point. I think, you know, first of all, we have a bias. And our bias is if you want to build cutting edge defense, and if you're not really cutting edge defense, don't bother. Because cutting edge defense is the only thing that has a hope against the offensive threats. You start with people that have an offensive background. You start with the sneaky bastards that created these threats that think like hackers. They are the ones that understand the technology frameworks. They understand the vulnerabilities. They know where the seams are. They know how they would hit a seam to compromise the system, to achieve what other nefarious goals and objectives they have. So our playbook is very offense-centric. We don't develop offensive capabilities. But if you think about rootstock for what we do, we want people that have lived their life on the offensive side of the equation. You look at Rob Lee and Dragos, for example, a company that we started at Day2Tribe. Core members of the offense and industrial control system team and national intelligence, those are the guys that understand that technology better than anyone else, how to compromise it and how to remediate where there might be an attack. And we use that expertise as the foundation for building what many people consider to be the leading industrial control system security today. You can't learn fast enough in cyber security. And so our thing is start with offense. And frankly, we look for people that have spent their careers in cyber as opposed to what happens in most areas of technology. Entrepreneurs identify an area with a lot of opportunity. To your point, open source appears to lower the threshold for innovation. I'm not sure that it actually does in truth. And it allows them to jump in. But the question is in an environment where threats are revolving at an incredibly accelerated pace. How fast can you learn? And when you get to open source, there's all sorts of issues around security with open source. So yeah, I think open source was the journey genius out of the bottle. Not sure yet what it's going to look like. I agree with you. But I like your point. I mean, we love to use the term tech athletes on the cube here, kind of ESPN of tech would be called the plays. You're talking about a pro game. I mean, the speed of pro game is a whole nother ball game. And that's a good point about having that skill. On the other side, those players that are out there, as it becomes a little bit more democratized and more accesses coming, maybe with AI, what are they attracted to? And what's your view on data and scale? Because when I talk to security pros playing the pro game, they leverage scale, they leverage complexity and data. And now with AI, they're seeing a tailwind to maybe play better defense, kind of as an offensive minded kind of pro. So you start to see a little bit of difference there. What are your thoughts? Yeah, I mean, there's, there's a couple of thoughts. You know, first of all, I happen to believe that fundamentally most cyber security problems at the end of the day are data science problems, or we'll have data science based solutions. You know, we spent a lot of time today trying to secure a network, secure infrastructure. And that's very valuable is very useful. But the metaphor I always use is, what's the mouse after? Mouse is after the cheese, protect the damn cheese, right? I mean, and so if we need to be thinking about securing data, it doesn't mean we ignore the networks doesn't mean we ignore the infrastructure. That's all important. They're all parts of the vector to the cheese. But if we need to take a much more concerted effort to securing our data and understanding at the end of the day, in most cases, not all industrials a little bit different, for example, the adversary is after the data. So, you know, let's, let's, you know, you may have a situation where they get through your networks, as long as they can't get to the cheese, you're largely going to be okay. And that's a pretty radical shift in terms of how we think about cybersecurity. Now, you touched on artificial intelligence. And there's a lot of talk about the benefits of, you know, amped up machine learning. I'm not going to quite go to artificial intelligence yet. I'm a little bit of a cynic. You know, it's a, it's a journey, right? It's not a, it's not even the first inning. Exactly. Exactly. But you know, a lot of the discussion around artificial intelligence, for example, is in, look at how do we, you know, we take an environment today where the reported numbers are, we're short four million engineers inside. And the idea is, if we give them artificial intelligence or machine learning, we'll boost their productivity, we'll begin to close the engineering skills gap. And I think that's a perfectly legitimate perspective. At the same time, what that ignores is what about the offensive application of artificial intelligence, you know, and the fact that things like the Office of Personnel Management, you know, going back what eight years ago at this point in time, you know, a breach that took place, a catastrophic breach that took place over nine months, AI powered attacks, you know, that goes from, it's not nine months, not nine weeks, it's not nine days, it's nine hours. And frankly, we don't have defensive frameworks against that level of automated AI intelligent attacks. And so while on the one side, AI has a lot of promises to boost our productivity, it creates an entirely new threat vector that we need to contend with. And, you know, we spend a lot of time thinking about that. Again, for us, it goes back to that offensive perspective. Once you understand what the offense is doing, it tells you where the puck is going to be or needs to be from a defensive point of view. Yeah, that's that game. I love that story. Also the perimeter is dead, there's more battlegrounds are increasing. So that cheese is somewhere, but you might get it, you got to pick your battles worth fighting, right? So people are taking a layered approach. Everything's at risk, but you bring a good point. You fight the perimeter is dead problem, zero trust point protection. I mean, so it comes down to philosophies. You got to scale growth, but still protect. Well, and so much in cybersecurity, you actually can, you can draw inferences from classic historical military context and playbooks. Sometimes when I look at network security, it reminds me of a Maginot line, and at some point in time, it becomes irrelevant. It feels really good. It's very impressive, but modern warfare adapts, digital warfare adapts, and all of a sudden, a fixed fortification no longer is relevant. Everyone knows, watches theCUBE knows, I'm kind of a hawk when it comes to cyber. I've been pushing the whole red line dogma for years. Like we got to lower that line because there's so much activity going on in cyber that's, that should be kind of, you know, addressed. But I want to bring up the national security. I want to go there too hardcore, get to a whole segment on the red line and how to counter strike that. But the issue is when you get into private public sector partnerships, you start to see a lot more cloud convergence. So there's a lot of activity commercially with public private in the public sector. You know, you see the CIA went to AWS years ago, we reported on that. I'm sure you're involved in a lot of deals. NSA has cloud. I talked to Keith Alexander about this in depth around some of the, some of the doctrine and changes because you got supply chain, you got security. What's your view on the public sector, national security angle in the US, but also abroad, you got a flat world. I mean, if we deploy infrastructure that's going to be hacked overseas, has a global economy win? Well, look, and when you digitize a global economy, it becomes incredibly flat. And you go back to not pet shop, right? Look, look how fast, right? And the unintended consequences that came as a result of that attack. And so I think the realization that the world is flat that the global economy is digitizing requires political leaders to rethink doctrine and dogma. I obviously spend a lot of time with folks operating in a national security environment from a cyber perspective. And the practical reality is a determined adversary is not going to go after your strength. It's going to go after your weakness. And many times the weakness will be in critical infrastructure. The ability to shut down our banking system. What if the banks can't clear? What if the utility grid is not secure? These could be our weak underbellies. And a determined adversary is going to identify, if you read Sun Tzu, the determined adversary will identify your vulnerabilities and will attack your vulnerabilities. And what that means is that the government that once upon a time thought about how do we secure the government? How do we secure the Department of Defense, the ability of the warfighter to fight their mission and only be in a position to respond to cyber threats if they become catastrophic has got to rethink that role and say, look, we are only as strong as the weakest link. And so I think that really forces a government in the private sector to find ways to work together, understanding that they are mutually dependent on one another. If you look at the government, how much of the government from a critical infrastructure perspective is dependent upon industry? Industry goes down, government shuts down. And so that realization, I think, you see a rapid dawning of awareness. And look, I applaud what some of the Kimba and the team at the White House are doing, what Jen Easterly has done in terms of becoming more proactive about reaching out to industry and finding ways to collaborate. Because it's an overused metaphor, but we are only as strong. We are as only secure as our weakest link. And we have a collective responsibility and a collective need to collaborate in identifying those links and securing them. I think that's Bravo that you bring that up. That's the capital markets, that's industry, that's government working together. On a personal note, if you had a magic wand and you can change the sentiment in Washington or government on how to handle cyber and you are in charge for a day, what would you be proposing and putting in executive orders and changing on? What would you say to see? I mean, I've got to say we've got some pretty damn capable people. The NSA is a treasure trove of experience and expertise. DHS with things like CISA has really taken a significant step forward in their level of sophistication. Kimba and the White House from a policy perspective. So I think we have a materially up-dark game from a cyber policy perspective and finding ways to leverage our expertise. So I applaud. But again, this is not a static environment. This is a dynamic environment. So the adversary continues to move forward. I think where we struggle is when we get over to the legislative branch, we simply do not have enough technical expertise. And I think people understand intellectually that cyber is the threat. But what does that really mean? The realization that if you're in a cyber conflict and you are losing, things go from digital to kinetic faster than you can bat an eye. And so it doesn't stay digital. It becomes kinetic. And I don't think that realization is fully appreciated. And I think we need more technical expertise, quite frankly, involved in making these decisions. And we've got to materially increase the rate and the pace at which we move. Because again, you've got a determined adversary unconstrained that picks the time and place of their choosing. And we're playing catch-up. And playing catch-up in cyber almost inevitably means you're behind the power curve and you lose. Well, if you're head in the sand too, if you're playing catch-up and you have no understanding of the impact, to quantify impact, then you're definitely dead in the water there. And I think that's the key. There's too many lawyers, I would say, in the legislative branch. Let's get some more PhDs in there who can size up. You've got a small cohort of pretty technical guys in Congress, but it's five or six. And beyond that, there's a slightly larger circle that come from technology to understand the implications. We need more of that because we cannot continue to move at the pace we're moving and consider ourselves cyber secure. Something we're not going to have. In the aggregate, 1,000 paper cuts adds up to a bigger impact. And as you said, digital to kinetic can translate that energy of doom or impact pretty significantly. So I think this red line, we have to look at that above. Great. Thanks for sharing your thoughts. I think it's super important. And again, back to the funding side. There's still capital to be deployed. I think it'll always be funded. What's your, in the final minute we got, talk about the financing market, what you guys do for deals. What's the economics look like for these founders? What are the deployment of the capital? What's it like? Well, look, cyber is an incredibly virtuous place to build a company because the fact that the cyber market is growing at 12% per annum, core IT is growing at 3%. So you've got a significant growth market. It's an area where the customer, whatever that customer may be, really has no choice but to invest in cyber. We've seen cyber as an equal opportunity threat across the entire spectrum of enterprises. And so it's a big market. It's rapidly growing. It's driven by technical innovation. The world of cyber, almost all of the innovation, my perspective comes out of private startup companies because the bigger companies simply cannot move fast enough. When cyber companies exit, they tend to exit at a 20% premium to core IT. And the coup de gras at the end of the day as an investor and for an entrepreneur is the whole damn things uncorrelated. You saw with COVID, when the markets were shutting down, cyber companies were up and to the right. They're incredibly resilient because it's not one of those areas where it's, let's get to it next year. So it's a great place to be. But I would caution, I think it is very much like life sciences. You better know your stuff because this moves very, very quickly. You're up against very smart people. And you don't have a luxury of learning over time. You have some of the things we do in Silicon Valley, they're important, they're disruptive to industry, but we have the luxury of time. Cyber, we don't have the luxury of time. And I think that's the big challenge. You got to get in there fast and protect the cheese. As you said, the mouse wants the cheese. Love that metaphor. Love that example. And you can't make it till you make it. And the big thing is you've got, right now, what we do at the venture community in particular, but it always does this, right? It skates to where the puck is. That's looking, trying to capture the momentum. In cyber, if you do that, you're going to lose. You've got to be able to anticipate where the puck is going to be. They always ask Bresky, what made him so great? Said, I skate to where the puck is going to be. You have to be able to anticipate what the next generation of threats are going to look like, how they're going to manifest and be in a position in advance to make the play. When we started drawing us, the conventional wisdom within the venture community was, Bob, there is no industrial security market. And my reaction was, that is a historically accurate statement, but it's about to change. And it's going to change because the offense is targeting industrial. That's a great example of the super cloud dynamic. There's going to be people on this side of the street and people on this side of the street, and there's going to be winner and losers. That's clear to me. It's going to move. It's already happening. Yesterday's data doesn't make it right for tomorrow. And I think this next gen cloud scale data, cyber, the apps that need to have certain table stakes features are a lot different than what it was even five years ago. So, to your point, this is a shining example security of got to be good out of the gate, can't fake it until you make it. You got to deliver value immediately. You got to move fast and accelerate with the trend and be ready for that puck. Well, in this environment, things can go right very, very fast. They can also go to hell just as fast. So, Bob, thanks for coming on. Bob Ackerman, founder and managing director of Allegious Capital, co-founder of Data Tribe, Cybersecurity Data Science, startup foundry, building companies, funding them, and playing the long game with public, private partnerships. Bob, thanks for coming on SuperCloud. John, always a pleasure anytime. Thanks. SuperCloud 3, security. I'm John Furrier, your host. We'll be back with more after this short break.