Sorenson Security Playbook: Why Cybersecurity Investing is Like Fishing

By Ken Elefant, Partner and co-founder, Sorenson Ventures

I like to fish. I especially like to go to Punta Mita, Mexico and Marco Island, FL where I’ve always had great luck catching speckled mackerel. Fishing gives me time to think without the pressures and commotion of my daily routine. I get to enjoy beautiful scenery and spend time outdoors, while devising strategies to outsmart the fish I’m trying to catch.

Sometimes I like to fish alone. Other times I fish with my family, friends, or founders and executives from companies in which I’ve invested.

During all of the time I’ve spent fishing recently, I’ve realized there’s a strong connection between my career as a venture investor and my fishing hobby. In many ways, fishing is like running a cybersecurity company. What it takes to be a successful fisherperson is similar to what’s required to succeed as a cybersecurity founder.

Let me explain.

When I’m out on the water, I’m constantly looking for ways to catch more fish. Sitting alone with just a rod and reel gives me a lot of time to think about how to outsmart competing fishers as well as the fish I’m trying to catch. Sometimes this means searching for undiscovered streams where lots of hungry fish like to swim. In other instances, it requires a completely new type of net because, as any experienced fisherperson knows, fish aren’t stupid. They quickly learn how to avoid traditional nets that they can recognize.

To compare it to security investing, the analogy works best if we think about the best ways to catch a lot of fish like placing a large net across a stream or river. In this case, the fish can’t avoid the net, and most of them end up getting caught. Similarly, in the security context, to catch the most bad guys, you want to develop a core security technology that acts just like an unavoidable net that spans the entire width of the stream.

Crowdstrike’s popular EDR (endpoint detection and response) product is a good example. It continuously monitors every endpoint in an organization for common threats like malware and ransomware. When an endpoint is infected, the EDR contains the threat and keeps it from proliferating across the company’s infrastructure. In fishing parlance, Crowdstrike’s EDR is successful because it sits at the top of the stream and catches almost every fish that swims by.

Before Crowdstrike, there were traditional endpoint security vendors like Symantec and McAfee, but those companies didn’t adapt quickly enough to stay relevant. Their nets became tattered, ineffective, and easy to avoid. After a while, they no longer worked very well to catch fish. Instead of evolving from endpoint security to endpoint detection and response, Symantec and McAfee repeatedly fished in the same stream with aging nets that became increasingly easy to evade.

The lesson I’ve learned from all of this is to identify new core security areas like threat intelligence and vulnerability management where the legacy vendors haven’t evolved fast enough. The traditional vulnerability management leaders relied on manual processes that were like nets that had become tattered with age and in desperate need of repair or replacement. They didn’t help security teams efficiently manage the flood of data that was constantly streaming in and let too many fish through.

There had to be a better way. That’s why we invested in VulnCheck. VulnCheck is an early-stage company that has a great opportunity to reinvent the category. It automates and customizes machine-readable vulnerability intelligence to help security teams prioritize response with the benefit of real-time context. With VulnCheck, companies can optimize security team productivity and align resources to the most critical threats.

In other instances, improving an existing net may not be enough. Sometimes when the fish are getting smarter and have figured out how to avoid traditional nets altogether, a completely new type of net or fish-catching device may be required.

In cases like these, I look for a company or founders who have created entirely new technologies and approaches. This lesson helps explain why we invested in CyCognito. CyCognito is a company that has built the leading external attack surface management (EASM) solution. EASM, one of the key components of the CyCognito External Risk Management platform, is like a smart net. It first helps enterprises find the fish and then continuously grows and adapts, becoming stronger, wider, and deeper over time. It performs attacker-like reconnaissance to guide security teams to find and fix the highest-risk vulnerabilities first. And like EDR today, we believe that EASM and External Risk Management will soon be considered a must-have security technology for every CISO at every large enterprise.

Even with all of my fishing wisdom, I sometimes make mistakes. I fish too far down the river where there are very few fish. In the past, that’s happened when I’ve become overly enthralled with the technology and forgotten about the customer’s perspective and urgent pain.

An example of this was the next-gen honeypot space. Boy, was this technology cool, I thought. I was so enamored with the way that we could now catch the most sophisticated attackers and the crazy things they were doing in the network that I didn’t pay enough attention to whether customers really needed the product.

It didn’t take me too long to figure it out. The new honeypots didn’t produce enough actionable intelligence, and, as a result, customers didn’t care enough to buy this “cool, new technology”. When a CISO reviewed the dashboard, she found something like two interesting flags per month from our next-gen honeypot in comparison to the 100+ remediation items that a Crowdstrike EDR produced. Most of the companies in that space got acquired as an added “feature” but they never became true security platforms.

Lesson learned. Don’t stand at the very end of the stream when all the good fish have already been plucked.

Sometimes rivers overflow and spawn new rivers. In cases like this, I get very excited, because I know that if I predict the pattern correctly, I can be the first fisherperson on the stream teeming with fish.

That’s what we saw five years ago with cloud security. Real production workloads were being pushed to the cloud. This technological shift created entirely new rivers with lots of very big fish.

We moved quickly and invested in Bridgecrew, an infrastructure as code security company, which was acquired by Palo Alto Networks. Bridgecrew now provides Palo Alto’s foundational code security capability.

We also invested in CloudKnox, a cloud authorization startup, when it became clear that a new net was needed after the massive July 2019 CapitalOne breach. CloudKnox was acquired by Microsoft in 2021.

The same situation is now playing out with NetRise, a firmware security solution. Because of the entrepreneur’s past sector experience, he knew there was huge IoT security exposure, and it was only a matter of time before firmware security became an important threat vector. Like cloud security a few years back, we think this new tributary will soon become a huge flowing river that is replete with large fish waiting to be caught.

At Sorenson Ventures, our approach to finding the best cybersecurity companies borrows from the same principles I’ve learned from fishing. We look for startups which are focused on developing the best new nets; finding new, untapped streams; or improving or reinventing existing net technology.

Fishing and investing in early-stage cybersecurity companies are two of my favorite pastimes. I’ve finally found a way to connect the two. When I apply fishing principles to investing, I help both startups and enterprise security teams “catch more fish faster”. The result is everyone has more free time to go fishing.

That’s what I call catching a big one.