There are few industries drawing more outside investment these days than cybersecurity.
Our growing collective reliance on technology, the increasingly interconnected nature of IT systems across the public and private sector and the fundamentally insecure foundations of the internet have combined in recent decades to create a huge attack surface for hackers and malicious actors.
Click here for complete coverage of SC Media’s 2020 Women in IT Security
Cybersecurity spending is expected to reach nearly $250 billion by 2023, according to research by Markets and Markets. Much of that growth is forecasted to come from increased concern over cyberattacks and demand for emerging technologies and stricter regulations around data privacy.
The venture capital community has responded as well, pouring billions of dollars into startups who promise to close the security gaps of today and tomorrow. However, this golden age of investment continues to leave certain groups – like women and people of color – behind at the highest levels.
“It’s society, it’s deep and it’s not necessarily something to blame,” said Cyndi Gula, the managing director and a co-founder of Gula Tech Adventures, an investment firm that focuses on early stage cybersecurity companies. “I just think that we need to do things differently and say things differently to get more people involved.”
According to research from the Harvard Kennedy School’s Women and Public Policy Program, women make up only one in ten investing partners at venture capital firms, and three out of every four firms have no female investors.
But why is that? A project last year looked at more than 500,000 open source conversations about gender diversity in the venture capital community and nearly two-dozen interviews with male and female venture capitalists. It concluded that despite ample evidence showing firms who had a higher proportion of female partners earned higher profits and saw greater returns from their investments compared to those who had fewer or none, the industry still retains its “famously hypermasculine culture” and remains “one of the most male-dominated [industries] in the United States today.”
Gula is the youngest of eight children (four boys and four girls), growing up in a family that almost never made distinctions between traditionally male or female activities. It wasn’t until a group of boys rejected her attempts to join a football game that she came face to face with the rigidly defined roles that had seemingly been carved out women. That pattern manifests itself everywhere, and venture capital is no different.
“I think if we really take a step back as a society and we look at that, we should understand how we got here,” Gula says of the lack of female investors in the cybersecurity industry.
Niloofar Razi Howe and her family emigrated to the United States from Iran shortly after the 1978 revolution. She had one day to say goodbye to her friends and neighbors before leaving. Living in a strange, unfamiliar land, Howe says she retreated into computer science, picking up coding at the age of 14 and even writing a Dungeons and Dragons game on her Apple 2 computer.
“I came to the United States when I was a kid and a lot about the world didn’t make sense, but when I was on computer, everything made sense,” Howe told SC Media.
After 9/11, she became more interested in using her skills to make the world a safer place. When a group of former national security officials banded together to create the investment firm Paladin Capital Group in 2001 that would focus on dual use commercial and military technologies, she put in an application and was soon hired.
Howe, who is also a member of the SC Media Women in IT Security advisory board, has been investing in technology companies since 2001, starting as a venture capitalist at a Los Angeles fund where she focused on tech-enabled media and consumer software. She also spent time as a lawyer advising companies on tech issues and a stint at McKinsey & Company as part of their new ventures branch that provided consulting services to early stage tech companies. She now invests in cybersecurity companies through multiple mediums, including her own angel investment firm, Razi Ventures.
Howe says the fact that many of the tech and cyber sectors she invests in are still so male and white dominated “feels like a personal failure.” Being the only woman in boardroom meetings is still a common occurrence, and investors tend to respond more positively to a particular blend of swagger and confidence that is often associated with male communication styles. She recalled one nine-year period where just one female-led company got funded, and only two pitched their ideas.
“It’s hard. This is all hard, which is why it’s not about making performative public statements but actually doing the work it takes to make a difference,” she says.
How to spot a startup
In a crowded market, investors must have a sharp eye for picking out diamonds in the rough and identifying teams that can weather the stormy waters that come with navigating a new or innovative startup.
Chenxi Wang grew up in Shanghai, China, gravitating to math and science as a little girl. When she came to America to study computer science, she chose to specialize in encryption issues, something that served as a gateway into the larger cybersecurity discipline. After working as a security researcher, a professor and a researcher at Forrester, she decided to try her hand at investing, founding Rain Capital.
Wang, also a member of SC Media’s advisory board of women leaders, says she looks at a company’s idea from the user’s perspective: is this something chief information security officers or directors of security would find interesting? After that, she considers the “defensibility” of the technology or idea – how easy or difficult it is for another company or competitor to replicate the same structure and services.
While Gula had an engineering background, it wasn’t until she decided to go into business with her husband Ron two decades ago to create Gula Tech Adventures that she began “learning by osmosis” everything she could about the tech and cybersecurity industries.
As she became more comfortable with the technical aspects of the job, she also began developing her own investment style and philosophy. First and foremost, she looks for truly disruptive companies or ideas first, noting that most consumers and businesses are not interested in giving up what they already have for an unfamiliar alternative that’s 5 or 10 percent better. After that, the founders and the team they put together are the next most important factors.
The company’s perceived coachability and willingness to take feedback is also “a huge, huge piece in the due diligence part of investigating a company for investment.”
“You can get an idea of coachability real quickly: A couple of suggestions here and there, [and you see], do they take it?” Gula says.
Howe says she looks for three things: a large market opportunity, “a real pain point” and a team that has a track record of working and solving hard problems. The tech itself factors in too of course, but can also change over time, and it’s more important to know whether the company can execute on its ideas and pivot if things don’t go as planned.
It’s also a crowded field, with billions of investment dollars flooding into cybersecurity every year and thousands of startups competing for funding. A company that can distinguish itself from the competition without exaggerating the potential of its tech or falling into clichés is another important indicator.
“Everyone has a lot to say. There’s a lot of money going in, there’s a lot of marketing and a lot of marketing hype, and it’s very hard to tell the difference between one company to the next,” Howe said. “So how you position yourself to rise above that noise is actually pretty hard,” Howe says.
The “Why” and the “What Now?”
Some experts and all of those interviewed agree on two things: the homogenous makeup of the cybersecurity investment community is a real problem and its origins cannot be laid at the feet of any one – or two, or three – explanations.
Conscious expressions of sexism can of course happen through hiring decisions, promotions and within company cultures, but it can plague even those firms that publicly recognize the problem and take steps to improve.
There are “well documented unconscious biases” in the venture capital world that “play an important role in keeping women out of the industry and its top ranks,” write Harvard researchers Siri Chilazi, Anisha Asundi and their director, Iris Bonnett. These biases can impact the questions that get asked to male and female entrepreneurs who pitch their ideas and the criteria used to judge their answers and plans.
This systemic imbalance also goes in the other direction: Harvard’s research indicates that just 13 percent of VC dollars go to companies with at least one female founder. That same dynamic tends to trickle down to many C-Suite positions, considered a crucial career pipeline for tech talent that often serves as a launching pad for tomorrow’s investors.
This gender gap leads to “major disparities in the tech sector” because venture capitalists “play a critical gatekeeping role in deciding whose ideas, products and innovations get a chance to shape our modern economy and society,” researchers argue.
Most of the women interviewed characterized their own experience as either unusual or lucky in that they were able to find organizations that welcomed them or made a conscious effort to bring in people from different backgrounds.
Homophily – the tendency to associate with those who are similar -- is another unconscious bias, one that is a common problem across many organizations and industries. But it can be particularly pronounced in the venture capital community, where money, an elite education and high-level connections can form hard barriers of entry for outsiders.
Venture capital also tends to not look very far outside its own professional networks for hiring. Research from Deloitte indicates that firms don’t consider external candidates for many jobs, and particularly when it comes to senior positions. Many don’t even collect demographic data about their workforce, something that could inform a variety of hiring and retention decisions.
Wang says that over the span of her career, things have gotten better for women but “people tend to invite people they’re comfortable with” and that insular culture can be harsh for newcomers.
“I think recent changes have indicated that the investment community has opened up its ranks, if you will, to folks with different backgrounds,” she says. “But traditionally…you either grew up in investment communities, you were an associate at Goldman Sachs or you became an investor running some program and then came to Silicon Valley, or you joined a firm and climbed up, or you’re a CEO who’s made millions. A lot of these channels are sort of self-selecting and they didn’t allow folks with different background and ways of life to join this game.”
Some firms style themselves as meritocracies and as a result, tend not to overtly emphasize diversity goals, Wang says. But that same Deloitte research found a formal human capital strategy in place to guide HR decisions led to a 13 percent boost in women and minority representation at venture capital firms compared with those that did not.
Focusing on that pipeline both within the investment community and the broader cybersecurity industry is a long, arduous process, but one that could have the most impact over the long term.
“You can’t will it to change,” says Howe. ‘What you can do is support the women who are building the companies, advise them, invest in them, mentor them, because there’s some great female entrepreneurs out there.”
