What’s 🔥 in Enterprise IT/VC #403
Cybersecurity wakeup call - 62% of the global external attack surface is concentrated in the products and services of just 15 companies 🤯
On Friday, we all had a wakeup call. It could have been way worse. One content update/patch pushed to endpoint devices by CrowdStrike (nice technical breakdown here) created the biggest IT outage ever! While not a cyber attack, the company responsible was a cybersecurity vendor whose job is to protect our systems from downtime.
The scope is simply insane 🤯!
On the one hand, we now see the dominance of cybersecurity, and what happens when leading vendors like CrowdStrike are embedded everywhere.
On the other hand, this one faulty software update also shows us how vulnerable we all are to software, and gives a glimpse of what real cyber warfare could potentially do to the world. Imagine if this had been a real attack, multiplied by a factor of just 2 or 3. Further imagine what happens in a world of “platformization,” where the single point of failure for software shrinks to even fewer vendors.
Alex Yampolskiy, co-founder and CEO of Security Scorecard (a portfolio co), released a stunning research report in May identifying the supply chain cyber risk across approximately 12 million organizations, and here’s the shocker:
62% of the global external attack surface is concentrated in the products and services of just 15 companies.
Other key findings include:
* 150 companies account for 90% of the technology products and services across the global attack surface.
* 41% of those companies had evidence of at least one compromised device in the past year.
* 11% had evidence of a ransomware infection in the past year.
* The top 15 third parties have below-average cybersecurity risk ratings – indicating a higher likelihood of breach.
According to McKinsey, companies spend hundreds of thousands of dollars per year managing cyber risk within their vendor and third-party ecosystem, and millions on cyber programs, yet their billion-dollar business is only as good as the cybersecurity of their smallest vendor.
Mitigating supply chain cybersecurity risk requires four key steps:
1. Identify single points of failure
2. Continuously monitor the external attack surface
3. Automatically detect new vendors
4. Operationalize vendor cybersecurity management
Alex goes further in a recent interview on the events:
Looking ahead and just thinking randomly, here are some other key questions to ponder for the future.
When looking at security companies, we always like to ask whether founders are building technology that sits inline in active, blocking mode or out of band in listening mode. One of the reasons Wiz scaled so quickly is that it created an agentless platform for cloud security, unlike others before it.
Wiz's agentless scanning technology provides complete vulnerability visibility using a single cloud-native API connector to continuously assess workloads without needing any ongoing maintenance.
There is a huge difference between inline and out-of-band (listening) mode, and it explains why startups that end up in the critical path of systems usually take longer to show proof of value, since the typical journey goes from dev to staging to production. More on the tradeoffs in the Reddit post below, which explains discovery vs. true enforcement. It comes down to time to value vs. perhaps deeper protection.
If you are wondering which is better, all I can say is that it’s pretty insane that, in 4 years, Wiz is now potentially being sold to Google for $23 Billion! Given the recent CrowdStrike disaster, many will be asking about agents, patching software, etc., and, all things being equal, most would prefer agentless where possible.
What about software contracts and liabilities? The T&Cs (terms and conditions) matter in enterprise contracts. Usually, the maximum liability by default is set at the cost of the software, unless you are a massive company like an F100 that demands more from a liability and potential-damages perspective. For mission-critical software, will more large enterprises demand protection beyond a refund of the software cost? If so, how can startups sell into these entities knowing that one mistake could mean unlimited liability, or liability they can’t pay? Yes, there is insurance, but the cost of doing business may go up in the near future.
We will all recover from this. However, the world of enterprise software and cybersecurity just changed overnight. The repercussions will last well beyond this weekend.
As always, 🙏🏼 for reading and please share with your friends and colleagues.
Scaling Startups
#Yes, we’re still bullish on cybersecurity. Thanks to Trinity Chavez of the NYSE for this interview, which was released earlier in the week. Here I talk about why cybersecurity is the gift that keeps on giving (although I was not thinking about the gift from CrowdStrike), how AI will impact cybersecurity, and why cybersecurity is a board-level topic.
#Saturday inspiration from Coach Mike Tomlin of the Pittsburgh Steelers (hard for me to share 🤣 as I’m a diehard Ravens fan, but here you go…) watch here
“Hear Me…”
Mike Tomlin GOLD 🥇
“It’s not what you are capable of; it’s what you are willing to do. Plenty of people are capable. Fewer people are willing.”
This message is the ultimate TRUTH in sports.
No Deposit - No Return
#Keep going, here’s a cool note on Fred Luddy, founder of ServiceNow, from Konstantine Buhler (Sequoia)
Was reading the Wikipedia page on ServiceNow founder Fred Luddy this afternoon and found this absolutely inspirational:
"In 2004, his then net worth of $35 million was lost due to an accounting fraud at his previous company, Peregrine Systems, of which he was the CTO.
Luddy founded ServiceNow two weeks before his 50th birthday, "I couldn't wait, because there was something psychologically that said I couldn't start a company at 50""
Did not verify if this is accurate (it's Wikipedia) but it seems to check out, and maybe Fred will weigh in on this post.
It inspires me for at least two reasons:
1. You're never too old to start a legendary company (ServiceNow is the #3 largest SaaS co in the world and under the leadership of Bill McDermott and Chirantan "CJ" Desai is growing way faster than any of the other giants). Ageism is ridiculous on both sides of the distribution.
2. When you get knocked down...you get back up. Fred was CTO of Peregrine, which at one point was valued at $4 billion, and lost almost all his money due to a fraud at the company. What did he do? Get right back up.
Saturday inspiration.
Enterprise Tech
#Insight Partners CIO Survey State of Enterprise Tech 2024 - some great survey data on AI, security and what’s top of mind in DevOps
#🤣 seems par for the course, management vs. practitioners (Atlassian State of Developer Experience Report 2024)
#LLM model size competition is intensifying… backwards! (Andrej Karpathy)
My bet is that we'll see models that "think" very well and reliably that are very very small. There is most likely a setting even of GPT-2 parameters for which most people will consider GPT-2 "smart". The reason current models are so large is because we're still being very wasteful during training - we're asking them to memorize the internet and, remarkably, they do and can e.g. recite SHA hashes of common numbers, or recall really esoteric facts. (Actually LLMs are really good at memorization, qualitatively a lot better than humans, sometimes needing just a single update to remember a lot of detail for a long time). But imagine if you were going to be tested, closed book, on reciting arbitrary passages of the internet given the first few words. This is the standard (pre)training objective for models today. The reason doing better is hard is because demonstrations of thinking are "entangled" with knowledge, in the training data.
Therefore, the models have to first get larger before they can get smaller, because we need their (automated) help to refactor and mold the training data into ideal, synthetic formats.
It's a staircase of improvement - of one model helping to generate the training data for the next, until we're left with the "perfect training set". When you train GPT-2 on it, it will be a really strong / smart model by today's standards. Maybe the MMLU will be a bit lower because it won't remember all of its chemistry perfectly. Maybe it needs to look something up once in a while to make sure.
#a matter of scale, I have always ❤️ NY but good reminder…
#regulation will continue to leave the EU behind…
#how big is AI for JPMorgan? 2,000 employees now in “AI,” broadly speaking, from a data and engineering side, which Jamie says is going to 5,000 in a couple of years 🤯 (Business Insider)
In an interview with LinkedIn's Editor in Chief Dan Roth, the JPMorgan CEO lauded AI as a valuable "productivity tool" that is already impacting the workforce, including at his bank.
"It's huge," Dimon said of AI. "And what we do is we've embedded it in all of our businesses."
The CEO told LinkedIn that JPMorgan has about 2,000 employees looking at data and analytics, machine learning research, and other areas critical for AI, and that number is likely to expand.
"My guess is that number is going to be 5,000 in a couple of years," he added.
In addition, Dimon said his company has 400 "AI projects" and will continue to grow each year. The CEO told shareholders in an April letter that the use cases are in marketing, fraud, and risk.
"My guess is 800 in a year — 1,200 after that," he said. "It is unbelievable for marketing, risk, fraud. Think of everything we do."
#AI coding not just for engineers - interesting data from Replit
#another week, another massive data breach, this time with Disney’s internal Slack channels - there’s gold in those internal Slack channels - will be interesting to see what leaks out
🚨🚨#DataBreach 🚨🚨
"NullBulge" claims to have leaked Disney's internal Slack.
According to the post, the amount of data leaked is 1.1 terabytes and includes almost 10,000 channels, every message and file, unreleased projects, raw images and code, some logins, links to internal APIs/web pages, and more.
NullBulge also has a clear net site where they define themselves as a hacktivist group protecting artists' rights and ensuring fair compensation for their work.
The confirmation or denial of these claims has yet to be verified.
#CyberAttack
Markets
#👇🏼 must watch market overview from Coatue, always look forward to this deck starting with macro view down to micro and yes lots on AI - here are a couple of slides I clipped from Philippe Laffont’s talk
#VCs search for liquidity and alternate paths to DPI (cash back to investors)
Recent Sequoia funds offered to buy Stripe shares to create liquidity for older Sequoia funds (Axios)
Sequoia Capital is offering its investors a way to cash out of Stripe, the payments giant it first backed nearly 14 years ago, Axios has learned.
Why it matters: Limited partners in venture capital funds are increasingly desperate for liquidity, as companies like Stripe eschew IPOs.
Behind the scenes: Sequoia this morning emailed LPs in funds raised between 2009 and 2012, offering to buy up to $861 million of Stripe shares.
The purchasers would be other, more recent Sequoia Capital funds — a process partially enabled by the firm's 2021 restructuring.
In the weeds: The price would be $27.51 per share, which is Stripe's most recent 409A mark and represents a $70 billion valuation. For context, Stripe was valued at $95 billion back in 2021, but by last summer had slashed its worth to $50 billion.
Strip sale of a portion of a venture portfolio, esp. for older funds, to provide liquidity to LT holders and to bring in new investors with different risk profiles and holding periods (Bloomberg)
Goldman Sachs Group Inc.’s alternatives unit is leading a consortium investing in a $540 million continuation vehicle created by venture capital firm NEA, according to people familiar with the matter.
The VC firm contributed stakes in 11 of its companies — including startups Databricks, Plaid and Tempus AI Inc. — to the vehicle.
The transaction, which enables NEA to give its limited partners some liquidity, also features investors including Industry Ventures, Pathway Capital Management and Goanna Capital, the people said. Jefferies Financial Group Inc.’s private capital group advised on the transaction, they said.
Databricks and Plaid comprise about 38% and 10% of the vehicle, respectively, the people said.
Other companies in the vehicle are Strive Health, Built Robotics, Automation Anywhere, Instabase, Collective Health, National Resilience, Echodyne and Everside Health.
All in, the deal was priced at a roughly 19% discount to NEA’s internal marks, some of the people said. The firm’s internal marks include Databricks and Plaid at $46 billion and $8 billion, respectively.
Ed, thanks for your comments about old guys still doing start-ups! Add me to the list please. I started Red Vector at the young age of 65. If creation and adventure are in your blood, I believe it stays there and only improves over time if you can evade the threatening biophysics of aging. But that's for another post. Oh, and on the CRWD situation, Red Vector, like Wiz, has taken an agentless approach to Insider Risk / Threat detection. While agents are a legitimate approach in the cyber realm, like in the physical/human realm, agents can go rogue and become double or triple agents. That almost always becomes problematic for someone. Stay well my friend.
You don’t stop because you become old.
You become old because you stop.
Don’t stop.
Go