boldstart 2018 recap and what’s hot in enterprise 2019

2018 Recap

Welcome to our annual boldstart recap and enterprise predictions letter. We had another solid year filled with learning, growth, laughter, and new projects and partners. Thanks to all of the amazing founders, advisors, co-investors, corporate partners, and others that helped make 2018 an amazing year. We are truly grateful for your support.

People often ask us why firstcheck.vc or what is first check and our response is that the seed landscape is so confusing, and what founders need is an investor with courage and conviction to lead their rounds and support them from day 1. This initial round could be $500k or it could be $3mm. We are purpose-built to not only invest pre-product but also to help accelerate your path to product-market fit with our decades of entrepreneurial and investing experience along with our active CXO advisory board.

To that point, we are most excited when our founders are able to go from slide deck to product-market fit and Series A and beyond. This year was a banner year as boldstart portfolio cos raised over $150mm of follow on capital from some of the top Series A and B investors (highlights below).

    1. First check leads in 5 founding teams, all in stealth. Some of these themes include privacy/ML, next gen CMS, intelligent automation, and developer productivity.
    1. First check to Series B — congrats to BigID on its $30mm Series B led by Scale Venture Partners, Kustomer on its $25mm Series B led by Redpoint, and Snyk on its $22mm Series B led by Accel and GV. Truly amazing that all of these companies went from slide deck to B in approximately 3 1/2 years.
    1. First check to Series A — congrats to Fortress IQ on its $12mm Series A led by Lightspeed and a stealth co on their $13.5mm Series A led by Bessemer Venture Partners. Once again, we led each of these rounds at slide deck stage and helped land the first handful of customers to accelerate path to product market fit and their Series A rounds.
    1. First check to seed — congrats to Blockdaemon on their seed round led by Comcast Ventures and Wallaroo Labs on its seed led by RRE Ventures. In each of these cases, we led much smaller rounds before they raised proper seed funding.
    1. Smallstep, Clay, Dark, and Windmill emerged out of stealth. All are developer first companies respectively in zero trust security, automation, and developer productivity.
    1. Rebel exit to Salesforce. Dev-first API for interactive emails — will be a great fit with the Salesforce marketing cloud.

7. New CXO advisors join — Tony Saldanha (P&G Next Gen Svces, Transformant), Farhan Shah (Allstate, CTO, Head of Platform Eng), Munu Gandhi (VP Infrastructure, AON), Virginia Lyons (CISO, Williams Sonoma) and GTM advisors — Natalie Diggins (Neustar, ex-VP Cloud Platform/DevOps), Francesca Krihely (MongoDB, Dir. ABM/Demand Gen), Richard Crowley (Slack, Ops Architect), Misha Brukman (JanusGraph, co-founder). This means more collaboration with the Fortune 500 and more go-to-market experience as our portfolio companies navigate their path to first customers. In 2019, we’ll be doubling down on this effort as we are hiring a GM for our CXO Advisory Board & Network (job description here).

AWS Reinvent Survivor Dinner with founders, Fortune 500 execs, and VCs

9. Ongoing press coverage of boldstart themes: every Fortune 500 is a tech company, developer first, and security including Fortune, Techcrunch, Wall Street Journal, Business Insider, SaaStr podcast, and more…

Fortune December 2019 Investor Roundtable

“No matter what economic cycle we go through, Fortune 500 companies need to invest in software.”
Ed Sim, Boldstart Ventures

Enterprise Tech in 2019

Amara’s Law: “We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run.”

While the cloud wars, AI, automation, and digital transformation dominated the enterprise headlines in 2018, we have to remember that we are still early in the cycle. In our enterprise world, a large Fortune 500 can’t just flip a switch and close data centers and move to the cloud wholesale. There are other considerations like people, process, culture (see Dean Delvechhio’s, CIO Guardian Life, keynote at AWS), dreaded legacy technology and debt embedded in mainframes, COBOL, and other stuff they don’t want to mess with. Consider 2019 another year of blocking and tackling as the Fortune 500 continues their march to the cloud.

    1. Still in second inning for enterprise move to cloud: Regardless of what economic cycle we endure, the Fortune 500 march to a cloud-native architecture will continue. For the more advanced enterprises who have migrated to the cloud, this will be a year of net new technology and building applications. Along these lines, we are starting to hear serverless more and more from the Fortune 500 and see this trend reflected in the sales pipeline at iopipe which has gone from mostly startups to larger companies. While developers can now spin up applications faster than ever before, one of the downsides is the complexity of managing these distributed applications and technologies. Watch for startups solving this problem with a focus on observability, reliability, security and automation.
    1. Privacy engineering rules: We can’t go a week without a new data breach or privacy violation; Marriott, Google, Facebook and more. Large enterprises are also complaining about keeping up with so many different regulations like GDPR and the California Consumer Privacy Act (CCPA). Other states are also creating legislation around privacy of a consumer’s data and expect 2019 to be the year that the US creates a national standard. This will be a boon to startups as this encompasses finding PII, securing data, and incorporating privacy by design. This is hitting every market from security to data infrastructure to cloud. Designing software with a privacy-first mentality becomes a core theme in 2019. This will be similar to how AI became embedded in most applications in 2018. BigID and Dropout Labs address some of these areas, and we are actively looking for new opportunities.
    1. Year of HQ2 and Distributed Teams: It was a banner year for non-Silicon Valley cities as NYC and Northern Virginia were selected as Amazon’s HQ2. Google also unveiled plans to double its NYC employee base to 14k. In startup board rooms all across the United States, founders and investors are asking how do we keep scaling our teams? We will see many more startups created with fully distributed teams from the beginning or layer in an HQ2 as it becomes even more expensive and difficult to scale in the prime geographies. Rather than be seen as a negative to funding and scaling a business, this will be seen as a huge positive!
    1. Balanced growth vs. growth at all costs: No conversation about 2019 will be complete without considering the uncertain economic, financial and geopolitical environment in which we are currently living. The 10 year bull market where every company’s revenue chart is up and to the right is over. Many startups were funded on growth alone and this is the year that efficient growth plays a huge part in determining who the next winners will be. Startups should also make sure they are well funded for 24 months and have contingency plans to put on the brakes in case another nuclear winter occurs. Look at 2001 and 2008’s Lehman collapse and Sequoia RIP Good Times deck for lessons learned.
    1. Seed funds back to basics in 2019: We highlighted the barbelling of VC in the year-end 2017 update and see this continuing in 2019. Either you’re a mega fund or an early stage fund, being caught in the middle is a place you don’t want to be. On the seed side, we are seeing more firms focus on smaller and more concentrated portfolios instead of a spray and pray mentality. Consider this a back to basics approach the way VC used to be in the Arthur Rock days. There is so much money out there at the seed stage and specializing, focusing, and concentrating paves a path to success. This is what boldstart is all about, leading that first check round, rolling up our sleeves, and leveraging our Fortune 500 CXO network to accelerate the path to product-market fit.
    1. Enterprises buy new technology, stop selling them: When speaking with IT Execs in 2018, I repeatedly heard the common refrain of “I wish startups would stop spamming me” and “my voicemail is filled with vendors.” When we asked how they find new technology, their answer was clear; research on the web, word of mouth, and their teams, i.e. what are devs using. The script for selling and catering to the enterprise is flipping to the point that these large organizations will find you instead of being sold to. This has huge implications for how startups build their products and go-to-market teams with a focus on ease of use, dev evangelism, content marketing, a tilt towards inside vs field sales, and much more. This “bottom-up” strategy, especially for developer first and product-led growth companies, will continue in 2019. Winning the hearts and minds of developers matters and building the GTM around conversion and upsells will be key.
    1. Low code, no code: There are 31 million developers on Github and more added in 2018 than the first six years combined. That stat is simply astonishing, and this theme is all about bringing on the next 31 million devs or what we call “citizen developers.” Much of the technology today has been built around abstraction making it easier and easier for devs to go from code to production. Many of today’s applications are actually a polyglot of APIs, third party packages, and services like Twilio, Auth0, and others allowing developers to rapidly assemble new scalable applications. This trend of allowing less experienced developers or even business analysts to build apps in a day will continue and unlock the next wave of “new devs.” While they may not be building mission critical applications, this will certainly remove the bottleneck for many business departments to do it themselves without waiting for engineering. See a recent Business Insider article with more of my thoughts. Manifold and Dark are in line with this theme with a dev services marketplace and an IDE to build an application in a day.
    1. RPA moves to intelligent automation and more software, less services: Companies like UIPath and Automation Anywhere had banner years for growth in 2018 and will do so again in 2019. That being said, RPA while automated is still not intelligent so expect 2019 to see more ML and NLP layered into these processes. One other opportunity is that 1/2 to 2/3 of every automation project at the Fortune 500 is still spent on services and not software. 2019 will be the year we see further segmentation in the multi-billion dollar automation market and opportunities for startups to bring new solutions characterized by shorter deployment times, ease of use, and less maintenance. Enter portfolio companies Catalytic and Clay as examples with a respective focus on people friendly and dev-friendly automation. FortressIQ is also one to watch as it uses machine vision and NLP to mine business processes to help determine how work is being done and what to automate.
    1. Blockchain = supply chain: The crypto markets were white hot in early 2018 until they weren’t. Many of the smartest entrepreneurs were leaving their companies to start a new blockchain or crypto company. Many of those went back to doing other things. For those who have the fortitude, 2019 will be the best year to build an enterprise blockchain company with all of the hype removed. That being said, blockchain will not solve all of the world’s problems but we believe use cases in supply chain and data governance will be two big areas in the future. Mstate and blockdaemon will be well positioned for this opportunity.

Thanks again for all of your support, and here’s to a healthy and prosperous 2019!!!

Sincerely,

Ed, Eliot, Jeff and Max

also posted on Medium

Snyk, from first check to leader in dev-friendly open source security

We are thrilled to announce our investment in Snyk, which is a developer-first security solution that helps companies use open source code and stay secure. We couldn’t be more excited to be leading this new round of capital again with Canaan Partners and including Heavybit, FundFire, and Peter Mckay (Co-CEO of Veeam) (see Techcrunch for more coverage).

Our initial journey goes way back as we were investors in Guy Podjarny’s previous company, Blaze.io, which sold to Akamai in 2012. For the next few years we collaborated on several co-investments and what ultimately attracted us to Guy’s new company (along with co-founders Danny Grander and Assaf Hefetz), was their bold vision to create a new platform for securing open source components with a dev-first focus. At the time we seeded Snyk in late 2015, open source library usage was growing significantly and solutions were either security first which slowed down dev or dev first but not with enough security built in. With the movement towards continuous integration and deployment, it was clear a new solution was needed.

In a little over two years, Snyk has gone from “founder market fit” to “product market fit” and this new round will allow the company to build out its product offering and expand its Fortune 500 customer base.

With over 120,000 developers using the platform, 100,000 projects protected, 350,000 downloads per month, and notable partnerships with Heroku, JFrog and Microsoft Sonar, Snyk has proven it can get developers to fully adopt a security solution, and the importance of having the strongest database of known vulnerabilities in open source.

Funding rounds are always a great opportunity to look back and see how the company’s initial thesis has held up and what has improved or changed. See below for Snyk’s initial vision from late 2015, much of which remains the same today; developer velocity increasing, security isn’t dev-friendly, how do you bridge the gap, esp. in open source world where much of it is third party code.

There have clearly been some tweaks to the model since then, but what is most exciting for us is watching Snyk go from idea and vision in a non-existent market to one where the question of how developers are securing open source components is becoming mainstream. And given some high profile security breaches like Equifax in Sept. 2017, which was due to unpatched open source vulnerabilities, you can see why solutions like Snyk’s are gaining rapid adoption.

While the need for dev-friendly open source security may seem obvious today, especially with the stats above, how did we frame our initial investment? Here’s what got us excited back then, much of which has come to fruition in the 2 years since:

  1. Solving a huge pain point in an emerging but potentially massive market — we were witnessing the move to continuous integration and deployment spreading to the enterprise combined with the growth of open source and third party components; the thinking was that if you could make it dev-friendly then it could be a massive business
  2. Dev first business model with budget from security — we love bottom up, organic models but always question where the bigger budgets are coming from, and what we saw in Snyk was an opportunity to go bottom up with developers and then access the security budget for bigger dollars.
  3. Founder-market fit — GuyPod previously was Chief Architect at Sanctum/Watchfire Security, developers of one of the first web-app firewalls, ultimately sold to IBM. Danny Grander had significant security engineering experience starting in the IDF where he met Guy and into Skybox Security and as CTO of Gita Technologies. Assaf had a Sr Research role at Skycure which Symantec bought last year. This team had the technical and product skills and understanding to go after this opportunity.
  4. Repeat founders — we are always thrilled when founders we backed previously give us the first shot to invest in their new company. In this case, we had backed Guy before when he co-founded Blaze.io which was sold to Akamai. He eventually became CTO of the Web Experience Unit at Akamai.
  5. We like to work with founders well before they leave their current role and start a new company. In Guy’s case we had regular dialogue over a couple year timeframe to both brainstorm and also vet the idea with our Fortune 500 relationships. We also introduced Guy to fellow founders like Tom Preston-Werner from Github (see blog post on Snyk) to help refine the story.
  6. Time to value — incredibly easy to get up and running, authenticate via github, bitbucket and Snyk starts scanning, monitoring, and suggesting fixes
  7. We love being able to help accelerate time from “founder-market fit” to “product-market fit”, which we accomplished by helping Snyk secure some of their early on-prem Fortune 500 customers.
  8. We are purpose built to double and triple-down in our portfolio as they hit milestones and scale their GTM team.

Once again, we couldn’t be more excited about leading this new round of funding and look forward to continued success for the team.

Also on Medium

 

Thoughts from RSA and the Climate for Security Startups
The year ahead in security tech and VC

Just getting back from a few days at RSA. We kicked it off Sunday night with a boldstart founders and execs dinner where we talked about what’s next in cybersecurity with some of our portfolio companies like security scorecard, bigid, snyk, stealth co and many friends from the industry representing strategic partners and IT buyers. After a couple more days of straight security talk with lots of new vendors, VCs, strategics and CISOs, I wanted to share a few observations. Many of these are not earth shattering but important to cover nonetheless.

  1. There are way too many cyber security startups. A record $3b went into these companies in 2016 and $2.5b in 2015. Many startups are features or products and not businesses. Each category and mini category used to only have a few vendors and now you can expect up to 10. Lots will struggle and go out of business and industry consolidation is ahead.
  2. That being said, cyber security budgets keep increasing! Banks like JP Morgan spent $500mm on security and yet they are still not secure. While many large cos will still buy from best of breed startup vendors, the landscape is changing as Palo Alto Networks and Symantec keep incorporating new tech and provide an integrated seamless stack.
  3. Which leads me to my next point. One CISO of a large bank told me that his team met with over 300 vendors last year. Large companies can’t possibly integrate all of these disparate technologies and the more you have, the more false positives you have.
  4. Rise of Nation State attacks – more sophisticated and deadly – many are targeting the largest financial institutions.


The state of consumer security

I had the pleasure, and I mean pleasure, of recently rebuilding two of my home PCs running Windows XP because of performance degradation and other issues. I ended up doing a clean wipe of the hard drives and reinstalling Windows XP from scratch. Once I got the machines up and running with broadband connection, I recognized that I was completely naked on the web with no protection. As you may or may not know, I have invested and am on the board of 2 security technology companies which sell into the SMB and enterprise markets (see Deepnines and netForensics). Therefore, I clearly understand the need to lock down your systems and protect yourself against spyware, viruses, and other malicious attacks. Of course, there is always a tradeoff between security and performance. In the past, I have been an avid user of best of breed software on my PC – ZoneAlarm Pro for firewall, Norton Antivirus, and Webroot SpySweeper for Spyware. One, this is not cheap, and two, it becomes a headache to manage and keep track of after a while, especially if you have more than one machine in the house where you have to set up rules for each separate PC. For example, as you can see from a recent post, a new software release from Webroot killed one of my machines. Despite the management overhead, what this best-of-breed approach offers me is diversified protection and real-time scanning. What good is having virus protection if you are already infected and the virus scan detects and removes it after you are already infected? There is a huge difference between prevention and remediation.

So of course, with an eye on simplifying my life, I decided to download and install Windows OneCare on one machine. It was easy to download, offered diversified protection against threats, and also allowed me to add multiple machines. However, one drawback, which did not really seem to be highlighted anywhere, was that there was no real-time scanning and protection for incoming email. That in my mind is a huge flaw. How can Microsoft give everyone the perception that they are locked down with this new service when it does not scan your PC in real time for antivirus threats in your email? I can see a whole army of consumers feeling secure but still having tons of issues without the real-time functionality.

Anyway, this post is not about Windows or any one specific product, but the fact that I have to download and install security software on multiple machines and have to set them up and manage them. As you know I am all about simplicity and reducing friction in usage, so why not have one simple box that does it all for the consumer – cable/dsl modem, router, wireless LAN, with best of breed security software loaded into the device? Just like the enterprise security market went from packaged software installation to set and forget appliances, why can’t I have the same functionality in the consumer market? As we all know, hardware is a commodity and prices have fallen dramatically. And just like enterprises, I want defense-in-depth for my house which means building in security at the edge before it can even get to my machines. With best-of-breed security functionality built into the router, I can set security policies once for my whole house and not have to install and manage client software for every machine. I also get my CPU cycles back on my PCs as they can be a drain for the machines. The good news is that forward thinking companies like Checkpoint ZoneAlarm are starting to go after this market and recently announced just such a device for the consumer market. If you look at this graph you can see why having comprehensive security at the edge is needed. Malware gets blocked at the edge before it can do damage to your PCs. In my mind the state of consumer Internet security is that we are still in the dark ages but it is getting better.

What needs to be done to make us more secure

I was in a meeting with an executive at a large financial services company today discussing some of his technology problems and how my portfolio companies could address them. One of the big issues he mentioned was spam and stopping worms. Even though his company has spent real dollars in those areas, they are still problems which need to be solved. As Sasser and other worms and blended threats spread rapidly around the Internet, it got me thinking about what needs to be done to make us more secure. Techdirt has a great piece about taking a hybrid strategy to stopping these threats, an approach I agree with wholeheartedly. I have always been a fan of a defense in depth strategy where you have security devices at the network level and down to the desktop. Have you seen Cisco’s recent advertising campaign about self-defending networks? While it is a broad-based strategy which you can read more about on their site, one aspect I like about the NAC initiative is that it does not allow anyone to access a network wirelessly or wired before a scan is done to make sure the device is virus and worm free and up-to-date with its patches and antivirus software. They currently have an enterprise focus, but the logic behind the initiative makes a ton of sense. Recently, Earthlink launched a deal with Symantec where consumers could get antivirus and firewall software from Symantec on their monthly bill. While I like the direction Earthlink is taking, I think all ISPs should take this a step further and replicate the Cisco NAC initiative where no user can log on to a network until their system is scanned and updated with the latest patch and antivirus software. Charge consumers an extra $1 a month but make it a prerequisite to get on the Internet. On top of that ISPs are and should continue to apply a number of different security devices on the edge of the network to prevent attacks from reaching end users.
Vendors selling home networking equipment like Linksys and D-Link should figure out how to embed and price antivirus and antispam software in their boxes as well. For the most part this will only stop the vulnerabilities and attacks that we know about, but the reality is that many of these attacks take advantage of known vulnerabilities. Helping the naive consumer in a proactive way will help us take one big giant step in making the Internet a more secure place.

Mydoom and securing the perimeter

As I said before, if you want to stop blended threats like Mydoom and others, the best way to do so is to secure the perimeter by preventing an attack before it has a chance to infiltrate your network. That is best done on the edge, IN FRONT OF THE ROUTER, but for a number of reasons no one has attempted it. Of course, if you tried to do it on the router it would degrade performance 60-70% which is not a good solution. One other big issue is having the scalability to inspect every packet entering and leaving a network (router) with minimal latency. Finally, being able to effectively detect and prevent anomalous traffic from entering a network requires sophisticated algorithms. You have to have minimal false positives and no false negatives. In other words, the last thing a Chief Security Officer wants to be blamed for is screwing up a large multi-million dollar transaction for a business unit by blocking it from entering or leaving the network. Therefore, many CSOs are willing to just have the detect function turned on instead of solely relying on technology to make decisions about what is good and what is bad traffic. Of course, given the proliferation of complex viruses and blended threats, we are seeing more and more security teams moving from detection to prevention.

Before we dive further into securing the perimeter, let’s first understand how Mydoom works. Mydoom is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa. The worm harvests addresses from infected machines and also tries to randomly generate or guess likely email addresses to send itself to. It also leaves a backdoor wide open for hackers to take control of the machine to steal user information or start spam campaigns or DDoS attacks. The kicker is that these new viruses typically send email messages using a built-in messaging or SMTP system bypassing the normal messaging host on a computer and therefore bypassing any antivirus software you may have installed. This sounds pretty nasty, doesn’t it? The amount of inbound and outbound email traffic can easily bring your network down leading to lost revenue and lost productivity. The fact that it leaves a back door open for nefarious uses could be even more damaging. For example, someone could use millions of infected computers to launch a DDoS (Distributed Denial of Service) attack on you bringing down your transactional web site.
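The behaviour described above, a worm using its own SMTP engine instead of the normal mail host, shows up at the network edge as workstations opening port 25 connections straight to outside servers. The following is an added example, not code from the original post: a Python sketch that flags such hosts in flow records. The internal range, relay address, thresholds and record format are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed site policy (hypothetical values, not from the post).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_RELAYS = {ipaddress.ip_address("10.0.0.25")}  # the only host allowed to send mail out
SMTP_PORT = 25
WINDOW_SECONDS = 60      # sliding window for counting destinations
MAX_DISTINCT_DESTS = 3   # more distinct outside mail servers than this looks like mass mailing

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
1000 10.0.0.25 198.51.100.10 25
1001 10.0.1.7 10.0.0.25 25
1002 10.0.1.9 203.0.113.5 25
1003 10.0.1.9 203.0.113.6 25
1004 10.0.1.9 198.51.100.77 25
1005 10.0.1.9 198.51.100.78 25
1006 10.0.1.9 192.0.2.44 25
1007 10.0.1.9 192.0.2.44 443
1200 10.0.2.4 192.0.2.90 25
garbled line here
"""


def parse_flows(text):
    """Parse flow records, skipping lines that are malformed."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = int(parts[0])
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
            port = int(parts[3])
        except ValueError:
            continue
        flows.append((ts, src, dst, port))
    return flows


def is_direct_smtp(src, dst, port):
    """True when an internal host other than the relay talks SMTP to the outside."""
    return (
        port == SMTP_PORT
        and src in INTERNAL_NET
        and src not in MAIL_RELAYS
        and dst not in INTERNAL_NET
    )


def find_direct_smtp(flows):
    """Map each offending internal host to its (timestamp, destination) events."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows, key=lambda f: f[0]):
        if is_direct_smtp(src, dst, port):
            by_src[str(src)].append((ts, str(dst)))
    return dict(by_src)


def mass_mailer_suspects(flows):
    """Hosts whose peak count of distinct outside mail servers in one window exceeds the limit."""
    suspects = {}
    for src, events in find_direct_smtp(flows).items():
        start = 0
        peak = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans less than WINDOW_SECONDS.
            while events[end][0] - events[start][0] >= WINDOW_SECONDS:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak > MAX_DISTINCT_DESTS:
            suspects[src] = peak
    return suspects


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, events in find_direct_smtp(flows).items():
        print(f"policy violation: {host} sent SMTP directly to {len(events)} outside connection(s)")
    for host, peak in mass_mailer_suspects(flows).items():
        print(f"likely mass mailer: {host} reached {peak} distinct mail servers within {WINDOW_SECONDS}s")
```

Any host in the first report is worth blocking at the edge regardless of volume; the second report separates a misconfigured client from a machine that is actively spreading.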

In my opinion, an effective security solution would sit on the edge, prevent anomalous traffic and malformed packets from entering or leaving a network, and provide capable antivirus technology. In other words, you would buy an integrated security solution that includes a firewall, intrusion prevention, DDoS, and gateway antivirus technology that can sit in FRONT OF THE ROUTER. Therefore the only data that should be traversing your network is good, clean data and all of the bad stuff, ingress and egress, is left behind and dropped. I have spent a fair amount of time during the last few years looking at this problem. During the last 3 months, I have been working closely with one company that can offer customers all of the above. Please check back in the near future to learn more about it. Of course, if you have come across any companies that fit the bill, I would love to hear from you.

Life in a connected world…

As we increasingly move to a connected world where all of our devices and products have embedded chips in them communicating with a wireless network to share information and data, we will become more susceptible to privacy and security issues. The New York Times has a great article (must log on but free to join) on automobiles and how products like Onstar from GM, EZPass, and even tires from Michelin can share data about you and where you have been. Obviously, there are a plethora of benefits from services like the above and a potential invasion of privacy is the tradeoff that we need to live with in order to have more convenience. However, there is one aspect of living in a more connected world that I worry about and that is security. In an earlier posting, I commented on potential security breaches in mobile phones and other devices. Currently Onstar can remotely unlock your doors and turn on lights and horns. What if a hacker found ways to control other functions in your automobile via Onstar? As new technologies emerge and proliferate into the market, you can bet that hackers will find a hole to exploit. When taking advantage of new technology and designing new products, companies must carefully balance the tradeoff between convenience/simplicity and security.

Citrix buys GoToMyPc maker, Expertcity-great day for ASPs

Congratulations to Expertcity and Andreas, John, and Klaus. It has been great to work with you from a board level over the last 4 1/2 years. When the transaction closes, I look forward to writing a little more about how you were able to persevere through some tough times, launch new product, stay focused on leveraging the core screen sharing technology, and build a high growth business in a completely new market. Not only were you an early player in remote access, but you also were one of the first ASPs out there.

Expertcity is not the only ASP making headlines today. Salesforce.com filed to go public and raise $115mm. As I mention in an earlier posting about Google and IPOs, pre-bubble, it took companies 4-6 years from their first round of funding to IPO/acquisition. During the bubble it took 1-2 years. While I am excited about today’s announcements and other recent deals like VMWare (bought by EMC) and Zonelabs (bought by Checkpoint), it is obvious that we have returned to a pre-bubble mentality and the companies that will be significantly rewarded are the ones that embody the philosophy of building real businesses with real revenue and cash flow. Well, isn’t that just business 101? Yes, and this is great news as it is something we can all understand.

Check Point makes first meaningful acquisition

So Checkpoint is going to buy Zone Labs for $205mm. Here are my thoughts on the deal. Zone is expected to do around $28mm of revenue in 2003 and $42mm in 2004. The revenue multiple is 7x for 2003 and 5x for 2004. That is pretty much in line with existing security multiples of 6-8x revenue. The more significant point is that Checkpoint made its first, meaningful acquisition. So for all of you security companies out there, add Checkpoint as another potential acquirer. Some future deals could include an SSL VPN player or network intrusion prevention provider. It seems that concerns over their revenue growth have finally hit management, and they are trying to find ways to accelerate the top line. However, I am not too sure that acquiring a desktop firewall product and competing against established competition like Microsoft, Symantec and NAI is the way to do it.

Securing Cyberspace-the Government vs. the private sector

There were 2 conferences yesterday addressing cybersecurity. One was the National Cyber Security Summit in Santa Clara and the other was a smaller event in DC. While I was not in attendance, I did speak with a couple of people who participated in the events. The takeaway is that 85% of the critical infrastructure in the US is owned and controlled by the private sector. The other 15% is the government. While security has gotten better over the last few years, there are still some major holes in the system. There is a classic standoff right now as the government wants the private sector to take control of securing their networks and data while the private sector says why bother when the government’s infrastructure is not even secure. For example, if cyber terrorists took down critical DNS systems, whether or not the private sector secures its infrastructure is moot as the Internet will have massive troubles. Some in the private sector also alluded to the fact that Chief Security Officers do not have enough control as most are only VPs who report to CIOs who sometimes report to CFOs. If CSOs have no real control over budget, then how can they really effectuate change? The government, on the other hand, is threatening to take action and impose mandates for securing private infrastructure. The government wanted to give the private sector the chance to organize itself and develop its own best practices before it is forced to do so through legislative mandate. To hammer the point home, one official apparently said that the next terrorist attack could be on the information systems of a large financial services institution causing serious economic damage. Despite the warnings, it does not sound like the 2 sides made much progress yesterday. At the end of the day, companies in the private sector are driven by dollars. If these companies feel secure enough already, they are not going to rush out to spend more money for the sake of national cybersecurity. 
Therefore, my feeling is that Ridge and his team will not get what they want until the private sector feels pain on their bottom line in the form of stiff economic sanctions. That being said, the government has to live up to its end of the bargain and drive security in its 15% of the infrastructure as well, because as Ridge says, all it takes is one hole to compromise national security.