.png){kind=logo}
In the latest episode of the Cyber Thoughts Podcast, Lucas is joined by Mike Privette, the founder of Return on Security, a must-read newsletter and blog focusing on the financial aspects of early-stage companies in the cybersecurity sector. Mike, who began his career as a Chief Information Security Officer (CISO), shares his unique journey in cybersecurity, shedding light on his transition from security consulting to forensics and eventually into leadership roles.
Welcome to the Cyber Thoughts podcast, where we explore the world of cybersecurity through the eyes of practitioners and leaders in the field. In each episode, we invite a guest from the world of Infosec to share their insights and expertise on the latest trends and developments in the cybersecurity market.
Whether you're a seasoned Infosec professional or just starting in the field, this podcast is for you; our guests will provide valuable insights and perspectives on the challenges and opportunities facing the Infosec market.
Join us as we delve into the world of Cybersecurity and learn from the experts on the Cyber Thoughts podcast.
PODCAST TRANSCRIPT
[Lucas Nelson]
Welcome to the latest episode of Cyber Thoughts, where we explore the industry of cybersecurity through leaders in the field. Today, it's my great pleasure to welcome Mike Privette. Mike runs Return on Security, a newsletter and blog about the funding of early stage companies, of all companies in the cybersecurity market. I'm really excited to have Mike here today. He knows where early stage funding has been, where it is going, and he's got a great view of the current market. He's also an angel investor. So, Mike, welcome to the podcast.
[Mike Privette]
Thanks, I appreciate the offer to be here.
[Lucas Nelson]
Awesomeness. So let's do the origin story. You've got today, your day job is writing a newsletter, but you started out as a CISO. You've been in security for a while. So let's go all the way back. How did you get into cybersecurity in the first place?
[Mike Privette]
I got into security probably mostly by accident. I started in the security field right about the same time that Sarbanes Oxley was a really big thing for those of us who like listen to that show their age. Like Enron was a really big thing and cooking the books and financial misstatements and, out of that came a lot of, financial controls, mostly IT controls, and how you can manipulate systems and data, and.
That's where I first got my start in consulting fresh out of college. and that kind of led me to it control testing and then security testing for small and medium banks. and that's kind of what led me down to like a financial services path. and from there, from the consulting company, I went to, Wachovia, then they merged with Wells Fargo. and I learned a lot in this role on like the vendor security assessments. So I got to ask all the vendors all around the world, what do you do with the bank's data?
How does it work? What services do you provide? So it was a great kind of like continuation of my consulting journey where I did probably a new client every two weeks. I traveled all around the world as a single guy. It was great. And I just, I learned a ton, but then, you know, after that role, I was actually tired of asking the questions and I wanted to be the one giving the answers. So I was fortunate enough to kind of pivot my way into a forensics role, like a cyber forensics.
And that kind of began the start of my engineering journey. And I basically just brute forced my way into it. Like I probably called every product help desk every day and read a bunch of documentation, wrote a bunch of documentation, and just tried to audit my way into security in a very strange way. But I really liked that engineering path a lot. I enjoyed making things like stable and resilience and thoroughly tested and documents so that
people like my old role, when they would come ask auditing questions, it would just be ready for them. And so I kind of carried that approach into how I thought about all security. Like, hey, let's make it auditable. Let's make it easy to document. Let's make it resilient first. And then we can do, once we get that boring stuff done, or boring sec, as I like to call it, then we get to do the fun stuff of actually building new things or securing new things. But that engineering role really pivoted me.
[Mike Privette]
to like my deep interest in the subject. And then the rest is history there, I grew and led teams and then built organizations and led multiple teams and different departments and lines of businesses. And then finally landed a couple of CISO roles. And then now I pivoted it out where I'm still one foot in sort of consulting today, but still mostly on the writing front and like the research and analyst front.
[Lucas Nelson]
So let me ask a couple questions. You did forensic work. Did you ever end up on the stand?
[Mike Privette]
No, luckily I did not. It was actually, most of it was just destroying hard drives, which and like search, doing forensic lookups and like, you know, making sure that in case it did have to go to courts, it was, you know, documented correctly, but it was a great way to just learn, you know, how that process works. And also learned like people do crazy stuff on their work computers that they really should not ever do.
[Lucas Nelson]
What's the craziest thing you can talk about?
[Mike Privette]
Um, probably people just sending racy photos to each other, not realizing that, that this might be read one day. and they're, you know, typically like a boss and like an employee, and, having, having no clue. And then, the best part was after they were found out and terminated, they asked for all the pictures back. Like, well, that's not going to happen.
[Lucas Nelson]
That's amazing. Cool, so then you transition from, I will say, doing the job to the CISO role, which is much more of a managerial part of the world. How was that transition for you? How did you make the jump? And then what'd you like about being in CISO and maybe what's not so much?
[Mike Privette]
Yeah, I'd say the jump is honestly the hardest part. especially when you go from that high individual contributor level to try to go to that manager team lead level, it's very hard because you have to live effectively in both worlds at the same time and you're treated as if you're in both worlds at the same time. So you have like a doubly high standard. and so it was really, really hard. I talked to a lot of people, but how do you make the transition? And, and honestly, a lot of it's timing and luck and just being like prepared to be in the right spot at the right time. Um,
My transition was another one of those brute force by accident things. I was helping set up a security operations center for a bank in India. And the SOC would call me at all hours of the night and day. I was like the tier three, like team lead for the incident response and for intrusion detection platform and kind of backup on firewall engineering. And they would call me and say, Hey, we saw a bad thing on an IP address. And then I'd say, so what?
Like, what about these like 10 other things that I need to know to like help, you know, determine if this is real or not. and so in like a fit of rage, I wrote like a operations document on like the 10 questions or 20 questions they needed to answer, like before they called me. and, that worked really well. Call volume really dropped. then the CISO at the time was like, all right, cool. And now you manage this team. And I was like, no, that's, that's not what I wanted to do. I just wanted them to leave me alone so I can go threat hunting.
But that didn't work. So that was kind of my first foray, just being thrust into it. But it was kind of an eye-opening moment for me because I could then figure out, wait, they can do a whole lot more than I can. And then if I can apply some frameworks or if I can apply some general directions, we can accomplish a whole lot more. And then we can still do the fun stuff as well. So that kind of goes back to, all right, let me go back to process flows, operational efficiency.
building that out and making that team as effective as possible. So then I could then go back to doing like the fun stuff. and it worked and that kind of, you know, led me into like, my next engineering role, at a bigger company. And then that is kind of then helped me like step because I, I'd done a bunch of different types of security roles up to that point and, you know, let it off short team and built up another, on like global team at a larger company.
[Mike Privette]
It was kind of like help prove my case before I got there that, Hey, I can probably organize a group or I can, I'll probably organize several teams around a common kind of function. and then it was great to build out, like, what are all the services and what are all the engineering things we can do to help the rest of the company go fast and the rest of the security team go fast. And so that was, that was a lot of fun to figure that out, hire a lot of smart people, let them, you know, give them some ideas or
bring them in on the buy-in of where we're gonna go and then let them run with how we get there. I really enjoyed that piece and that was fun. And that's kind of what I knew. I'm like, yeah, I gotta hang this up, the technical aspects. I can't hold a candle to these people anymore. So I shouldn't try. Let me get out of their way and then just knock other barriers down for them. So I'd say that carried over into the CISO world too. I really enjoyed that.
I think it was fun to be able to kind of do what I call like a pendulum swing between like the highly technical aspects of the girl up to like the business aspect of the role where you have to like reduce all of that technical jargon into like business outcomes. Like what's the point of this? Why should we care? Does this mean we need to invest money or not? Does this change strategy? Does this change or more importantly in the corporate world, does this change the project deliverable you said you were going to do by next quarter? So like
you know, learning how to do that was a fun, was a fun thing to figure out. And to be honest, I'm still figuring out every different job I go to, every company I go to, the mechanics of how corporations work and how they function are all different. and so we're buying decisions. So we're investment decisions of people and technology and consultants and all that. so that's fun to learn. I'd say the, the less fun part about it is, is that honestly, you just, you have to.
be so far removed sometimes on things that have nothing to do with technology and security and a lot more risk focus. Like there's an inordinate amount of time to spend on business risk versus technical risk. And it's not necessarily a bad thing, but it does require more thought cycles. Like me who likes a prefer to stay on the tech side. It's good to pull me out obviously, but it's, that's a piece that I think I can always continue to improve on.
[Lucas Nelson]
Nice. So you made it up to the top. You became the CSO. I talked to a lot of CSOs and generally it's the stress that gets you, right? There's always something on fire. Did you fight it that way? Is that why you started to do a side project that became your day job?
[Mike Privette]
Yeah.
[Mike Privette]
Yeah, I mean, there is a constant level of stress and there's a constant level of like context switching that I think is like, it gets spread, you get spread very thinly to be able to answer it all. And honestly, the bigger your team is, the more complex that gets and the bigger your organization you report into or that you're a part of, like if you're a part of IT, like the more complex that gets. And the stress really comes about like all the organizational posturing and politics you have to play to kind of make things work.
knowing that like the risk and like the weight you're carrying is, it has a different, math outcome than the rest of the organization does. so I think that's tricky. And, and just like the highly like kind of spread out nature, I feel like you can't really ever get one thing done. That makes sense. and like, you're never good. so like, you know, having conversations with the executive team about like, are we good now? And we're like, well, you know, I can't really tell you that. Um,
I can tell you that we are good up to this point. I can tell you that we have these mitigations in place, but this constantly changes. It's a double-edged sword because it's what draws a lot of people to the field to begin with, is that constant change and that you have like a live, like person on the other end who's potentially trying to, you know, make you have a bad day. But then again, that's also a huge burden on you as well.
[Lucas Nelson]
Gotcha. So let's pivot a little bit. So return on security. For those who don't know, you do a daily, well why don't you explain, you do a daily newsletter or daily, a weekly newsletter, you do a blog. Why don't you explain it and then we'll talk about how you created it.
[Mike Privette]
Yeah. So right now, return on security.com is a weekly newsletter that's called security funded inside of under that brand, where I track all of the cyber security companies every week that raise money or get acquired or sometimes shut down or go IPO. So I capture that, I summarize it, each company that has a transaction. I categorize every company myself. And a lot of that comes back from my days of engineering and architecture roles. We're like,
I had to bring in tech into the organization. So I have lots of opinions. And then I also do the occasional deep diver long form blog post on any given topic. So I might write about something about the RSA's innovation sandbox. I might write about a particular type of role or how you can advance your career in cybersecurity or get your first manager job. Or I might even write about macroeconomic things about how
There's like a change after 2022 and the way the economy is recovered in an odd way and not everybody's like Getting the rebound effect that they that everyone expected So it's a wide range of like macroeconomic global like cyber security topics mixed in with some career stuff as well
[Lucas Nelson]
Well, so I find your newsletter to be a must-read each week. Thank you for doing it. I appreciate it. So how did you start it? What gave you the idea to start a weekly newsletter?
[Mike Privette]
Thank you.
[Mike Privette]
Uh, honestly, this is my second foray into newsletters. my first one was a monthly deep dive, newsletter, another one of those brute force backs. And I think, I think there's a theme here, of where, I get frustrated that I'd have to explain something. I then write a lot about all that and say, go read this. and then, that then turns into like, we'll do it again kind of thing. so I did that for a while.
I found this other first newsletter to be fun, but like kind of mentally draining because it took a lot to write every post. And so I only did it once a month. And so I was looking for a way to do something. I still like to write. I still enjoyed that. I wanted to be something that was weekly and that was a bit more timely and relevant and kind of like had a natural curve of like the news. And so at the time I was also looking for, how do I keep track of all the companies that
like raising money or who's cool, like who's, who should I be looking at? Who has a new breakthrough, like, you know, feature or product, or who's, who's partnered with a really big investor, like, you know, YL or, you know, a 16 Z or somebody, somebody big who, who may, you know, take, take them to the next level. and I had a really hard time finding all of that information. I looked all over like social media, Twitter, LinkedIn, Reddit. I looked, um,
through a bunch of different financial newsletters, like general finance newsletters, couldn't find exactly what I was looking for, but found enough information and enough sources that I put it in a spreadsheet because going back to my Auditor Hat days, you put everything in a spreadsheet, that's how it works. And so I collected that data one week and then I made a tweet that just said, hey, does anybody like this? I just captured some...
some data and one like and I'll do it again. It was basically the thing. And I got one like and it wasn't just mine. And so like the next week I put it in a pie chart. I'm like, hey, here's a chart. Here's the categories that are made up. And then so it just sort of started ballooning from there. And like after a few weeks of tweets, I had to say like, what if I emailed this to you people on Twitter? A couple of you said yes. And so I put up a signup page.
[Lucas Nelson]
I'm gonna go to bed.
[Mike Privette]
for that and just sort of taken off from there. And it's just like really evolved going on like two and a half years now, but it's, it's evolved into like a lot of feedback. And like, I got a lot of good input from people who are in more traditional finance roles, like our private equity or venture capital roles, saying like, Hey, we'd like to see data like this structured this way. We'd like to see charts like this. And then just listening to feedback from the people who read it over the years. And.
It's fun, I love doing it every week.
[Lucas Nelson]
So that's how it started. It's now your full-time job or most of it, right? So talk about that a little bit because I know a bunch of people try to like make a side hustle that becomes their main thing. And you're one of the rare people that actually has done.
[Mike Privette]
Yeah. Yeah, it's, it's a very, very fortunate position. Honestly, it's, it's been a long time coming. Like I had hoped it would happen very, very fast, but like that I was, I was a nobody on the internet. I'm still a nobody in the internet, but like now have like a small mailing list. But, I didn't have any of the classic signs of like, you have to have a huge audience and you have to have a lot of important things to say. And then you ask people to sign up for stuff. Is what all the gurus say.
I can't tell you how much money I've spent on that stuff. That's also the same thing. but it's, it was something that you had to deliver consistently, which is kind of the only way you ever get past that, like, you know, the pit of despair or the trough of disillusionment. If we're talking like, you know, magic, you know, wave terms or whatever. but it was one of those, like I had to think about it as a business. And I think that might've been, um,
attorney point for me in that I framed it that it was not like a passion project. I enjoyed it. I really enjoy it, but I framed it up as a, as a business first. I'm saying this is what I want to do. This is how I want to monetize it. Here's how, what I think I can charge like from the, from day one. and I was lucky that I'd had previous experience doing some consulting work, writing my other newsletter, like I was able to monetize that one as well, but a very small amount, um,
And so like another critical reason I stopped doing that first newsletter was that it was private. So nobody could read it unless you paid for it. and people did, but it was extremely small niche audience. And so I, I stopped charging for it. I refunded everybody and then opened everything up so I can try to draw people in from a broader, like, search engine optimization reach or SEO reach. And that's how it started plotting out. Like, all right, I'm going to become.
like a source of this information. I wanted to become the source. Like when you think about deals and you think about cybersecurity and you think about investing, like what you think about return on security, like that was kind of the goal of that. and then I just kind of positioned it from the beginning of like, here's how I will use this to like grow influence and grow a business on the side as well. and I kept it, I made sure to do something that was, repeatable, which is really, really hard to do. Um,
[Mike Privette]
Like every week I produce the same kinds of content. Like you get the exact same things, but then I also, then I'll add in context sometimes, or I'll add in commentary sometimes to each thing, depending on what's happening in the world or what's happening, you know, in the funding landscape, but the, the core of it's always the same. And that was a key piece for me to be able to like consistently deliver that thing and then get people used to that. like I got, I got my hats off to a lot of these people who write a different newsletter or different content every week or even every day. Sometimes that's a much harder job than it was not a job I was looking to do at the time. I was, I did not want to burn out. And so I had to think about this of like, what will I want to do five years from now? Will it still be this? Yes. and so like, I was super excited about it. It consumed like all my thoughts. Still does. but like, but I'm excited about it still, to this day, but it was one of those like,
I slowly built, use my consulting, background and my, I just, a cold outreach to a bunch of sponsors until it slowly hit a tipping point that they started reaching out to me. And then I was able to kind of arbitrage that and, and get a good pipeline of like, yeah, here's what my revenue is going to look like. Here's where I'm going to spend, like different, backend, different structure things. and then, part of it too, is that I was, I wasn't trying to replace my income from day one. I was trying to say.
How much, like what can I make? Can I pour right back into the business to make it better? Like, can I make better charts? Can I get better data? Can I make this easier on me? Can I make this quicker? Will it give me more time to add more insights that people can't get anywhere else? And that's like always the way I think about it as like a, almost like a public utility is the way I think about it for like people. And so I got, that's, that's just the way I've approached it. And it seems to have been having some success so far.
[Lucas Nelson]
Wonderful. So I want to pivot now into talking about the market. I think we'll go general first, and then we'll go into specifics. And then at the end, I do want to talk about data sources a little bit because I think it's a fascinating piece to it. But I'll wrap that into the normal kind of flow of what we do here. So let's start with the market. We came off of giant highs in 21. 22 was a bit of a correction. You know, kind of continued that. So why don't you, you know, you know it better than I do. Why don't you kind of walk us through how we got here and where we are today and to frame it up, let's say, you know, pre-seed seed series A, maybe a little series B, I'll let you off the hook. The IPO market is a whole separate beast and let's stick with the stuff that you focus on.
[Mike Privette]
Yeah. Well, I mean, you had a good intro to it as well. Like, I mean, the tech industry in general has had like a absolute bull run for like the last 10 years up until about mid 2022. It probably longer than that, to be honest. Many like longer term investors would say like, like the public markets have been, you know, on a rip with Microsoft and Apple and others long before that. But, you know, it was a year. It was many, many years of where the tech valuations.
and hiring and salaries and funding rounds just went up and to the right. Like they never ever stopped. and there was kind of no historical basis for valuations. There was no historical basis for that was, I'm sorry, that was relevant, for, funding rounds. And so like, if you could carve out a category or you could jump in as like, you know, numbers like one through like 10 in the, in the, in a category that's got created.
you had a pretty good chance of taking the market, or at least being successful. And that's, I would say is an interesting piece about the cybersecurity market is that it is not a zero sum game. It is a positive sum game, meaning that multiple players of the same type can exist in the same market and compete a little bit, sure, but not necessarily step on each other's toes too much because...
There is a super heterogeneous mixture of companies behind them who buy, who have reasons why they buy, who have different budgets, who have different industry regulations that push them or pull them in different directions. And it all depends on kind of when you catch what company and what part of the cycle and their openness to startups versus their openness to longer term versus outside pressure from investors, if they have any. So it's a really complex market to kind of dissect.
which is one of the things I find so fascinating about it, is that it's been really tricky to try to compare it to any other kind of tech. If you think social media or any other, or traditional tech companies, it's been harder to compare some of these things because there's almost no logic sometimes to why security products take off because they have such an outside factor of news cycles and hype.
[Mike Privette]
And then not to mention like the, the engine of startups that get turned out of Israel and San Francisco. And there, there is a special kind of mixture in the cybersecurity market. So like, because of that, like everybody, there were many investors who were like specialists in this field, but there were many generalist investors who, who wanted to diversify their funds and just said, Hey, let me get in on, you know, cyber. you see, you see the same thing now with AI or observability or data science or, you know, the like.
There's been a couple in and out waves, but cyber has always kind of been a consistent theme in that front. and so as things went up, it's easy to go look across the market when you have, when most of the data is public and say, well, they raised a hundred million series a, I should too. And you have many people who say, yes, that's a totally reasonable idea. Let's do that. and you don't have any reason to believe it's not true until, basically the middle of 2022 when like.
the US Fed started jacking up interest rates and just basically wanted to try to stave off a the hard landing, economic hard landing or just a recession in general. So it's that is a completely separate ball of wax that I can't get into with like I'm not an economist by any means but I know there's much disagreement about the approach but whether or not it's working is also debatable but it caused a complete dry up overnight of like how far money could go in like every sense.
So like you couldn't hire as many people. The money you had sitting in the bank didn't go as far because interest rates were so incredibly high. And that meant that the cost of like lending money and the cost of like, you know, acquiring a customer also got much higher, which means a lot of these companies stopped acquiring customers at the rate they were. So you saw a lot of drying up of advertising, of marketing. Customers themselves pulled back greatly because they had the same liquidity crunch like they couldn't afford.
people to buy the products, they couldn't afford people to run the products. They could barely afford to run their businesses. And so you saw at this perfect storm of like increasing rates. and then people stopped spending and they just kind of went this way. and that just calls like broader tech to like, kind of just like cinch up. and so what you saw kind of the rest of 2022 after that midpoint was deals that were already kind of in motion that couldn't be stopped.
[Mike Privette]
But then you started to see like a lot of people raise their hands and say, Hey, acquire me. We got to get out of here. And, and that's something that kind of continued heavily into 2023 as well. and we actually, as of today, the day we're recording this, like we've already crossed like 200 acquisitions in security this year. so it's, and it's on average, it's on track to beat last year, so far. So it's, it's one of those where, the companies who had a lot of money in the
[Lucas Nelson]
Okay.
[Mike Privette]
who had good product market fit or product zeitgeist fit or however you wanted to frame it and didn't have to spend a ton of money to acquire new customers, were in a very good position to just sit on cash, get a little more operationally efficient, maybe do some layoffs. It just depends on like how, you know, how overrun they were with hiring, but then they could just wait until these, some of these companies are on their very last leg and say, I'm gonna acquire you now because now you're interesting because you can barely pay your bills.
So there's a weird, you know, consolidation happening, it, but it's just a phase to be honest, like it's consolidation always happens in multiple year cycles. I think about it more as like an accordion. So like it goes up, but then it goes out and it goes up and it goes out. You're always making music, but it's like, you got to turn it different ways. and, this is just like the latest iteration of compression and consolidation, but we're about to expand more, especially with like, as we're going through like the waves two and three of like AI security enabled companies.
But, you know, that's the early stage deals, like the pre-seed and seed, they still happened, a lot of them, because it was small checks, it was small effort, possibly a good outsized return on a lot of these. So there was more, there was still pretty consistent deal flow in pre-seed and seed and series A, series B, series C got hit the worst because that's really hard. Like you're in the growth stage, you need a lot of money.
And you need a whole lot of return to come back and like make that money worth it for the investors to spend that much. And when you're in that range, like you're basically just spending a lot of money on customer acquisition. and then it goes back to like money doesn't go as far as it used to. so, and not every company invested in tech and iterated the same way. So you see like huge breakaway successes, like whiz, just leapfrog competitors who started before them. Which.
happens a lot in our industry, but it was just like a spectacular example of that. And then you see examples of like sneak, just like snapping up other companies here and there and just basically turning on features overnight that, you know, they had didn't have before the same with like Microsoft and GitHub and, and the like. And so you see a lot of that kind of happening and pushing towards a consult, a platform consolidation, which is great up to the point that the platform can solve, but like.
[Mike Privette]
The challenge, the benefit of the platform is the same problem it has is that it tries to solve everything. It tries to be the single pane of glass that it can never possibly be in security. There could be multiple panes of glass and you wanna consolidate those choke points where you can, but it's not something that will be true for most organizations, even if they use like an MSSP, like for like, if they're a small company, you'll still have to have a couple other areas and tools you invest in and focus on.
You know, as 2023 goes on, like, you know, funding just crossed 10 billion two weeks ago for the year. So that's still, you know, it's about half of what it was last year, even because first three quarters are so stacked. And that's, you know, still up from a little bit for 2021. But there is definitely a softening, I would say, in a lot of factors, like the companies that did the layoffs are hiring again. People are
[Lucas Nelson]
Thank you.
[Mike Privette]
Uh, while deals are still heavily scrutinized by like CFOs and finance, finance teams, they are going through. So you'd seen like what used to be complete stoppage in sales are now just like, you know, okay, let's push this out for another quarter so we can have, you know, we can close up our books nice and tight and then we can sign a deal. so it is coming along slowly. and then all the while, you know, that early stage market is still churning, still bringing new stuff is, still coming out every week.
[Lucas Nelson]
So let me give you a couple of quick targeted questions. First of all, that's great. Thank you. Awesome overview. I've seen the prices come down in pre and post money valuations. Where do you think we're standing today? And do you think there's more correction to happen? Or do you think we've kind of hit the terminal baseline and we're at the new normal?
[Mike Privette]
Yeah, I think we're close to the normal. I think, as more of these like acquisitions shake out these, these companies, especially like Q4 is the one to watch because there's going to be a lot of companies who are just going to be like on death's door and they're going to be like waiting to be acquired who probably should have raised money a long time ago, but couldn't get the right terms or probably should have gone IPO. But then they, they wait, they raised way too much in 2021 or 2022. And I've just like, just slow slowly dying. Um,
I think after that wave and after Q4, I think we'll see pretty much the return to normal. I don't know that means that the IPO market will open back up again. Although there's been some of that this year. There was like none in 2022, but I think we're pretty close to the bottom. And I think people have just had to accept it basically. Like, all right, this is the new model. I can't get $10 million for my like 10 on 100 or whatever. I have to like...
show a bit more traction or a lot more traction in some cases have to show real customers and real product market fit. Otherwise, like it's just not going to go. So I think that's, that's giving, I think it's a, it's a good thing overall in terms of like ecosystem wise, because it's, it's forcing people to actually. Like the ideas that probably shouldn't have made it like, aren't making it. And the ideas that are, that have some real legs, like are, you know, taking traction pretty quickly.
[Lucas Nelson]
So one last question. We have this debate internally at my firm. When we first started 2018, 2019, a pre-seed round was like a million dollars or less. A seed was one, two, maybe three million. In today's market, or at least 22, 21, we saw seed rounds of four to five million dollars, pre-seeds of two to three. And so the question is, does the pendulum swing back to 2018, 2017, where, nope, pre-seeds are
[Mike Privette]
Hmm.
[Lucas Nelson]
two million and seeds are three to four, or are we now in a five to seven pre-seed, which used to be a series A? Do you think the pendulum has swung and stuck and we're not going back there? I've got views, but I'd love to hear yours. You got the data.
[Mike Privette]
Yeah, I would say, I mean, the averages have already dropped. So I would say that we are swinging back how far back we go. I don't, I don't know that we'll ever get back to 2017, 2018 time. but it's, it's totally possible. so I think it, and it's, what's interesting is like how these rounds sometimes are classified because some of these like, you know, larger seed rounds are really just like extension rounds to like, like in between an A and a C. and, um,
And maybe they had a large pre-seed, but didn't have enough to raise like three, four million on a seed. So I think the data says it's slowly coming down. But then you'll still see some big ones that come out of the woodwork with like 50 million series A, which is like astronomical as well. But if you look at like TalonCyber, they raised 100 million series A, 110 billion series B.
And then, you know, now they might be getting inquired by Palo Alto. So it's like, sometimes you'll have these like gigantic outliers. but I do think it like, we're, we're just going to get somewhere between the norm there, but it won't be like the heights of 21 and 22, is, is my opinion.
[Lucas Nelson]
So before we kind of, let me ask, what are you interested in, right? What areas are you excited about? If you're gonna do a deep dive next week, what would you write it up on right now?
[Mike Privette]
Um, you know, I think, I think there's an interest, there's many interesting things right now, but, you know, one thing that I think, is kind of capturing my attention right now is like, the, how people feel about, analyst firms in general, like Gartner's and Forester's of the world and like, they're placed in this world, they're placed with like the, the rise of AI and content generation everywhere. and like, where's the place of the expert? I just think, I think that's a fascinating piece that I would probably, if like, you know, that's kind of tangential to the market.
I think would be interesting. But then in terms of like investing as well, it's like now that we're seeing the second or third kind of iteration of these AI security kind of platforms, like we're past, everybody has a chat bot now. Like, and we're past like block chat GPT at like a proxy or like a web gateway kind of thing. Now let's say, what else can you do to like ensure like safety and trust of your AI models, of things like that? I think...
I think trust and safety is a really interesting piece that I think we're going to see a whole lot more of. Because just look at disinformation and misinformation all on social media now with any global event. It's getting harder and harder to know what's real. Community notes or user flagging things helps to an extent, but you can't possibly monitor all that content without some sort of AI help.
And so like that's something that's gonna be like, I think a really interesting piece because that stuff influences how people like think and their worldviews, unfortunately, it informs how some people view everything as the latest TikTok. So it's like, you have to think about those kind of larger societal kind of impacts. I think that'd be another deep dive.
[Lucas Nelson]
So you mentioned AI, so in the broader venture funding market, there's been a huge pullback in everything except for AI. And that's where the hot momentum investors are still doing their thing. Are you seeing the same in cybersecurity? I.e., if you took the AI deals out of Series A, the average deal size would drop precipitously in the venture across the board. Is that the same in cyber? Are we seeing like...
[Lucas Nelson]
Yeah, cyber deals are 50 pre where everything else is 25 pre or something like that.
[Mike Privette]
Yeah, there definitely is. Like I would say like there's, there's a couple, if you took those out, there'd be, you know, probably like 25% less deals overall. just like a general swag and, yeah, those do happen to be a little bit bigger as well. and I think that a lot of that's like capital constraints in terms of like, how do you actually run and train your own models and you buy your hardware and, and like, where does that money go? So I think there's, it's an interesting piece. Um, to see where that next iteration is going to go. Because it's been really interesting to see how the AI market has changed so fast. It went from here's ChatGPT to then here's an LLM wrapper on top of ChatGPT. And then ChatGPT just releases the feature that all those companies built, and those companies fall away. And then, oh, we can run your own vector databases, your own models. And then somebody else hugging face, or somebody else comes out and just says, oh, we know we got that too. And then all those companies go away. So.
I think the next great intervention on that front is a hardware change. Whereas NVIDIA, you don't need as many to do as much. And there's going to be some forcing factor that changes how people think about that as well. But it's been really cool to see that evolution hype cycle that might take 10 years in another industry happen in like two, or not even two, in like a year. I think there's to be some really interesting pieces on that with security as well.
[Lucas Nelson]
Cool, so I'm gonna start to wrap it up here, but you mentioned data sources, and I'm a big fan of data sources. So what are your favorite data sources? And then let's back that into, what are your favorite resources besides your blog and in your newsletter? What do you read?
[Mike Privette]
Oh yeah. I try to read a bunch of stuff just because I, I just try to stay up to date on, on everything and, I love, you know, it's interesting what you read, that may, may jog your mind in another direction. So I read a lot of like finance blogs, just about general concepts. I read, you know, a lot of VC newsletters. Well, I actually, I read your guys newsletter, which I really like. and I just, yeah.
[Lucas Nelson]
Thank you.
[Mike Privette]
It's hard to find good content these days. So I always try to latch onto that. And outside of the traditional security events and breaches and hacks and all that stuff, I read a bunch of that stuff. But I really like the security research angles, like Clint's Gibbler's TLDRsec newsletter, Dan Meesler's unsupervised learning. He's great in terms of where does AI, ethics, cyber, geopolitics, where do those things intersect?
I find that pretty interesting. A lot of philosophy kind of built in that as well. And then, you know, I've always got like, you know, several feeds going to the news reader. So I read a lot of TechCrunch, Security Weekly, all these things too. But I really like YouTube videos as well. Like I learned a lot better, like listening. So like I'm also a bit of a crazy person in that I listen to earnings calls while I work out. It's a...
[Lucas Nelson]
Yeah.
[Mike Privette]
So like, I'll just, I'll go through that as well. But you know, if I can find a public source on that, or if I can go deep on like a software engineer's blog who has like nothing to do with security, but has like really interesting insights on like, you know, building a business or like design or anything of that nature. I like, I'll just, I'll go very deep on a particular like blog or person. But I like those who are like reading and then...
You know, from data sources, you know, I use LinkedIn and Twitter a bunch to capture a bunch of things, read a bunch of other like BC newsletters or finance newsletters that like talk about transactions. look at Crunchbase, look at pitch book or anything that's like publicly available, I try to like capture, and just try to paint all those pictures together.
[Lucas Nelson]
Do you automate any of that or are you doing that all by hand?
[Mike Privette]
I do a lot of automation. So like most of what I've been focusing on is building out like, the database behind the newsletter. So I actually write the newsletter in a database, which is probably different than a lot of other, newsletters. so like once I capture a company or an investor, like I've got them in the neck and then slice and dice and say, Oh, now I know what Sequoia is invested in. And I can, I can kind of see like over time, like the, you know, what they do, or like how much they've raised or who they've raised from.
So it's going back to like spreadsheet nerd and auditing days. Like I just, I just capture it all. and then I have fun just kind of slicing and dicing it. So that's how I make all the charts every week and all that. So it's, and that's, I'm able to kind of like categorize things. So it's, to, to now it's like, you know, I still have to like read every company and give a synopsis on what they are, like I'd, I would rather personally do that than try to like fine tune a model or something like that. They try to write it for me. Um,
I've seen other people do that and it's, they really just miss the mark. And, you know, I'm still a firm believer like that people are reading it for like the human aspect of it, not just like the curated generic content of it. And so that's my goal is try to like, give that personal opinion on an aspect of it as well. And said, but I try to make someone like the, the data aggregation and like the.
the issue, like generation of like the basic stuff, like the bullet points and all that. I try to make that as automated as possible where I can, but like I still fill in all the data.
[Lucas Nelson]
Very cool. All right, so these last two are rapid fire. I asked them to everybody, you've partially answered the first one, which is, what's your favorite information medium? How do you like to learn? It sounds like audio might be your thing.
[Mike Privette]
Mm. Yeah, audio is definitely my thing. I really like YouTube videos, but if it's a podcast or if it's a stream, I like to do it because I can do lots of other stuff and still listen to that source at the same time. That's what I can do. I can do like back squats while I'm listening to earnings calls. I'm like, oh, that was really interesting what Nikesh Aurora said. And so like, just go on from there.
[Lucas Nelson]
All right, last one. What's your favorite book?
[Mike Privette]
Oh, I'd have to say Snow Crash from Neil Stevenson. I'm really into cyberpunk type stuff, but it's amazing reading that book so many times, how much of it's come real, especially metaverse things, back last year. So it's very interesting.
[Lucas Nelson]
Yeah, it's especially my favorite stuff is his views on corporations and where they were going to end up. And it's scarily prescient for dystopian novel.
[Mike Privette]
Yes.
[Lucas Nelson]
All right, so let me say thank you so much for spending your time with us. Anything you wanna plug, tell us where we can find you, tell us, you know, whatever.
[Mike Privette]
Yeah, no, thanks so much for having me. Oh, this is great. The best place to reach out to me is on LinkedIn. Like I'm just Mike Privette on LinkedIn, or returnonsecurity.com and, on Twitter, I'm @mikepsecuritee. I made that up a long time ago and it just stuck with it. I'm pretty responsible with any of those. Thanks again for having me.
[Lucas Nelson]
Well, thank you so much. And again, your weekly is part of my must read. So thank you for doing all that. I love it. If you haven't, and listeners, if you haven't checked it out, you totally should. It's a great blog. All right, Mike, thanks so much for your time. Have a great day.
[Mike Privette]
Thank you. Thanks, Lucas.