FWIW, this is the blog of Michał Zalewski. He worked on security at Google for quite a while and is, among other things, responsible for ushering in the modern era of program fuzzing with AFL.
I thought the post was half-over when I realized I was at the end. I was expecting a lesson based on evidence, but it was a bunch of personal background and then a hypothesis without any data to back it up.
EDIT: interesting to see this is now flagged. I wouldn't have flagged it, but I was surprised to see how quickly it was being upvoted. It's not offensive or anything — just no there there.
I don't think it should be flagged either, but it's wrong in a lot of ways. Some of those ways are boring, e.g. paying investor board members a salary isn't really a thing. Less boring observations:
Cybersecurity is somewhat unique in that historically most of the big VCs haven't paid much attention to it, relative to other things. Greylock, specifically Asheem Chandna and more recently Saam Motamedi, is the main exception that comes to mind. (This broad lack of interest is changing given the overall growth of the industry and the success of companies like Palo Alto Networks and CrowdStrike, though.)
Smaller VCs have spent a lot more time in the space, both because they haven't had to compete with the big firms and because cybersecurity has lower variance than other industries. The companies generate massive returns a lot less often, but also rarely fail, which makes them attractive to angels, second- and third-tier firms, and specialists.
It's an interesting dynamic, but I'd say the most problematic aspect of cybersecurity investing today is the existence of groups like SVCI (https://www.svci.io) and CyberStarts (https://cyberstarts.com). SVCI's investors are tech CISOs, i.e. potential buyers. It's pay-to-play with extra steps. CyberStarts and a few other Israeli VCs are even sketchier, flying CISOs around the world on lavish vacations billed as industry events where they socialize with the portfolio companies.
I know a handful of CISOs who've walked into new gigs only to discover a dozen CyberStarts portco products laying around, basically unused, that they then had to rip out when the contracts were up. It's all deeply unethical.
Venture capital places wild constraints on the type of products you can build, the price point, etc. I do wonder if when ai brings down the cost of software, it will make existing venture backed businesses financially obsolete
As a venture backed founder, I had less control over the product than I did in big tech
If I were someone like lcamtuf, I would reverse the roles immediately[0] and told them: guys, this is the project I want to build, I can build it in X years and it will cost you $Y. Take it or leave it, because there are others who may pick up the offer.
Because the number of people who want to invest their money smartly is huge, and people like lcamtuf are very few.
[0] As Jonah from The Goal would say, "You will thank me later"
I was at least expecting the post to finish the joke with a punchline: "A venture capitalist walks into a bar... and says to everyone: 'the next round is on me'"
> Pay yourself and a VC-appointed board member below market rate, hire six good engineers, lease some office space, buy equipment, pay for legal and accounting services… and presto, you’re burning through $5M a year
Would love to see the math behind this. How does this add up to $5M/year??
Right, unless you're paying the engineers $400k/yr each, I'm not quite sure how this would add up. Also, what does it mean to pay your VC-appointed board member below-market rate? How much do people pay board members, and how would this be a material line item?
If someone's making $600k at Google, how much would they expect to make at a startup? Based on what I've heard folks tend to top out around $2-300k, with the rest in options. Much of the reason people leave places like Google is to be in a more startup-y environment, and to have a chance to build something from the ground up. If they wanted to just keep making bank, they'd stay at Google.
Well, if you are leasing office space, you are likely in a high cost location like Silicon Valley, and so you are most likely also paying your engineers a lot.
If (almost) everyone is working remotely, you can probably get by without office space and also with lower salaries.
Areas like Silicon Valley are very productive for some reason. That's why people put up with the high costs.
Leasing office space in such highly productive areas might be worth it. (I don't know exactly how the mechanism works, but I'm just assuming that at least some of the companies there know what they are doing.)
Of course, the author of the original piece also seems to implicitly assume Silicon Valley?
If there's no highly productive part of the world where you want to concentrate people, you might be better off spreading out your startup and taking advantage of lower labour costs around the country and around the world.
There's lots of smart people in eg the flyover states, or in South America, who for one reason or another can't or don't want to move.
> I knew that the VCs’ interest in my life’s work wasn’t quite as genuine: they were juggling billions of dollars and wooing me with a script perfected on hundreds of souls who came before me.
Not everyone has to care as much about the same things as you do.
It's ok for some things to just be a business transaction.
https://en.wikipedia.org/wiki/Micha%C5%82_Zalewski