CIOs and CISOs have a tough question: Consider the burgeoning field of emerging technology options, separate the startup wheat from the chaff, and land on a product or service that really makes a difference.
One answer to this dilemma is to adopt a venture capital mindset. In other words, think about technology choices the way a VC thinks about the startup landscape and its investment strategy. In this emerging technology selection approach, the VC’s deal pipeline becomes that of the CIO or CISO idea pipeline. The VC business portfolio becomes the technology stack of the business.
This innovative mindset manifests itself in different ways. In some cases, this means adopting a new IT management philosophy. In others, it’s about harnessing VCs as technology thought leaders to better harness the wave of developments to come. And, on another level, CIOs and CISOs become VCs, investing in companies to access new technologies or influence their direction.
VC Mindset for Audit IT: Laying the Groundwork
This shift in mindset – and action – may also require structural and cultural change within companies. Organizations may need to rework internal processes to more quickly adopt and disseminate emerging technologies, for example. Looking at IT through a venture capital lens also requires a different way of looking at risk, with enterprise technologists betting on start-ups. Making such choices, while not getting locked in when things don’t work out, is one of the toughest parts of a CIO’s role.
According to Ross Hosman, CISO at Drata, a security and compliance firm, and former head of cloud security at JPMorgan Chase, as CIOs and CISOs absorb the lessons of VC, they will need to fine-tune their spending and prepare to embrace the unconventional.
“CISOs really need to start adopting this mindset because you have a limited number of dollars to deploy for your security program,” he said. “And just because something was always done the way it was done doesn’t mean you can’t shake it.”
These bold moves must also be swift. Sean Beard, vice president of Pariveda Solutions, a business and technology consulting firm headquartered in Dallas, said CIOs need to get ahead of the tech curve “before the business comes back and say, ‘We need you to do this,'” he added. .
With cutting-edge technologies like real-time 3D, a component of the Metaverse, the goal is to master development before competitive advantage evaporates.
“The mindset of the VC is to be able to bring [technology] in, rate it and incorporate it if it’s good, and reject it if it’s not,” Beard said.
Develop the new technology funnel
The CIO’s initial task as VC is to navigate the new technology funnel. Tony Olzak, CTO at Trace3, an Irvine, Calif.-based IT services provider, leads the company’s VC briefings program, in which CIOs hear from VCs and companies coming out of stealth mode. A key aspect of the VC mindset is simply learning what’s out there.
“For you to invest in good ideas, you need to hear about good ideas,” Olzak said. “How do you do that as CIO? »
Tony OlzackTechnical Director, Trace3
For starters, CIOs can take a page from a VC’s portfolio management — or, possibly, Taylor Swift. The singer-songwriter could write 100 songs of which maybe 20 will make it to final production, including 12 included on an album and two or three released as singles, Olzak noted. Technology investments roll the same way.
“In VCs, when you look at their funding cycles and their funnel, they’re looking at 100 companies and only one of them will be funded at the end of that cycle,” Olzak said.
With that in mind, CIOs should consider creating their own deal flow or idea funnel, he said. It means creating a network through which they can discover new ways to harness technology and support business goals. “And not just technology to increase efficiency, but technologies to transform your business,” he added.
VCs have extensive networks, Olzak said, noting that maybe only 10% of their funnel comes from startups trying to introduce them. Most of it comes from established relationships, cultivated during the investigation of the various technological spaces they wish to tackle.
The typical CIO or CISO doesn’t have time to comb through the industry to find the right innovation contacts. But some work directly with one or more VCs to build their networks and tap into transformational thinking. They can also work with consulting firms that can do matchmaking.
Trace3’s VC briefing program, for example, starts with the board uncovering a CIO’s or other executives’ most pressing issues, then brings together a group of startups that address those challenges. The executive can then hear multiple presentations at the same time. “It’s kind of like speed dating,” Olzak said.
Partner with your business development group
However, a CIO’s network doesn’t have to be limited to external sources. Darren Person, global CIO at The NPD Group, a market research firm in Port Washington, NY, said CIOs could work with a risky organization within a large corporation. In this scenario, the CIOs share their technology strategy with the venture capital group, and the group determines whether any of its acquisition or investment goals align with the IT teams’ strategies.
In small and medium-sized businesses, a business development group replaces a risky organization. That’s the case at NPD, and Person said his discussions with business development follow a similar pattern: “We talk about the technology strategies we have and whether there’s an opportunity to potentially accelerate our technology strategy through some sort of partnership or acquisition.”
The business development group shares the profiles of the companies it follows. The next step is to determine, from the CIO’s perspective, whether any of the companies are worth considering and, if so, what type of relationship to pursue. The relationship “could be an investment, taking a small stake in a company that had interesting technology, or partnering with a start-up startup,” Person said.
As for outright acquisition, NPD considered buying the assets of a company that had technology to automate the data encoding process. The deal didn’t materialize, but illustrates how the company could bolster its internal IT — in this case, its data science team — through an acquisition.
CISOs as investors
The technology manager’s approach to investing is also evident in Silicon Valley CISO Investments (SVCI), a group of 60 CISOs who serve as a syndicate of angel investors. The group does quarterly assessments of start-ups, perhaps 10-30 companies, although the numbers vary. At the end of the cycle, no less than five companies are considered for investment. SVCI primarily focuses on companies at seed, Series A and Series B funding levels, Hosman said.
“We are a small VC [and] our investments are smaller,” Hosman noted. But SVCI pitches its portfolio companies to larger venture capital firms that can provide additional funding.
SVCI cybersecurity funding recipients include Drata, Island, Orca Security and Tines. Hosman became Drata’s CISO due to his involvement with the investor group. “We made an investment in Drata and as part of that investment I joined Drata.”
Drata’s investment demonstrates SVCI’s approach to funding companies that meet the daily needs of security practitioners. “Part of what we’re looking for are companies that solve a problem that we have and Drata solves a major problem in the area of security compliance,” Hosman said.
That problem, in a nutshell, is the lack of automation in the security compliance process, which he says has been very manual, time-consuming and cumbersome.
Drata’s technology “solved the need I had at JPMorgan Chase, where I was looking at how to ensure compliance in our cloud environment,” Hosman recalls. He spoke with the CISO of AWS about this and learned that the hyperscaler was deploying 700 developers to automate security and compliance. But hiring such a volume of people is not feasible for the typical CISO.
“When we saw Drata, it was sort of a no-brainer for us,” Hosman said. “It fills that need that many CISOs or compliance officers have.”
The pursuit of practice
The resolute pursuit of a specific CISO or CIO problem is what venture-minded IT executives look for in an investment candidate.
“The presentations that I see that really succeed are people who focus on stating the problem,” Hosman said. “The pitches I see that don’t really do well come from people trying to tell lofty stories, like how they’re changing the world.”
Pariveda’s Beard said business leaders considering startup partnerships should be wary of “shiny object syndrome” and resist the urge to jump on the tech bandwagon. His advice: Don’t lose sight of the practical aspect.
“The first question is, ‘What are the use cases?'” Beard said.