OneTrust Secures $300 Million Series C Funding at a $5.1 Billion Valuation led by TCV

ATLANTA, Dec. 21, 2020 /PRNewswire/ — OneTrust, the largest and most widely used privacy, security, and data governance technology platform, today announced a $300 million Series C funding round. The funding values OneTrust, founded in 2016, at $5.1 billion and brings the company’s total money raised in the last 18 months to $710 million. TCV signed on as a new investor and led the round, joined by OneTrust’s existing investors, including Insight Partners and Coatue.

Watch the video: Kabir Barday, CEO and Blake Brannon, CTO, discuss OneTrust’s growth to a $5.1 billion-valued leader in privacy, security, and governance

OneTrust’s technology sits as the epicenter of trust for organizations, enabling strong privacy, security, data governance, and ethics and compliance practices that underpin their digital transformation. As organizations strive for increasing levels of efficiency and agility in their transformation journey, they are looking for a platform approach to managing privacy, security, and governance requirements across an increasingly complex regulatory environment.

Today, 7,500 organizations, including more than half of the Fortune 500, use OneTrust’s technology to comply with the world’s privacy, security, and compliance requirements, including GDPR, CCPA, LGPD, ISO 27001, NIST, DOJ Guidelines, and hundreds of other laws and frameworks. The list of regulations an organization must comply with continues to grow. In 2020, sweeping privacy laws came into effect in California, Brazil, and other jurisdictions, and Gartner predicts 65% of the world’s population will be covered under modern privacy regulations by 2023, compared to just 10% today.

OneTrust has pioneered a true platform approach to trust with its modular products that are built on a single code-base and have been awarded 130 patents. Product offerings include:

  • OneTrust Privacy – Privacy Management Software 
  • OneTrust DataDiscovery™ – AI-Powered Discovery and Classification 
  • OneTrust DataGovernance™ – Data Intelligence Software
  • OneTrust Vendorpedia™ – Third-Party Risk Exchange 
  • OneTrust GRC – Integrated Risk Management Software 
  • OneTrust Ethics – Ethics and Compliance Software 
  • OneTrust PreferenceChoice™ – Consent and Preference Management Software 

In less than 18 months, OneTrust raised $710 million in funding. Since its founding in 2016, OneTrust has grown to become the largest and most widely used privacy, security, and governance technology and achieved the #1 spot on the 2020 Inc. 500 list of fastest-growing private companies.

“OneTrust is leading the market outright and showing no signs of slowing down or stopping,” said Ryan O’Leary, senior research analyst, Legal, Risk, and Compliance at IDC in the report: Market Share Worldwide Data Privacy Management Software Market Shares, 2019: OneTrust Dominates the Competition. Other key analyst recognition includes:

“Our mission is to build the technology platform that creates the trust fabric of an organization, while addressing the hundreds of privacy, security, and compliance requirements they are faced with today,” said Kabir Barday, OneTrust CEO and Fellow of Information Privacy. “We were excited when TCV approached us for an investment. Even with most of our previously raised funds still available, their partnership allows us to further accelerate our mission, leverage our capital and currency to drive organic and inorganic growth, and deliver for our customers and partners long term.”

“Consumers and regulators are demanding that every company on the planet comply with complex and ever evolving privacy regulations,” said Tim McAdam, General Partner at TCV. “There are hundreds of regulatory initiatives in the works emanating from all major countries. OneTrust has emerged as the runaway SaaS leader in the trust and privacy arena. Kabir and his team have built the only truly global privacy platform allowing companies at any stage or size to own their privacy initiatives and remain compliant. TCV is honored to partner with such a rapidly growing and category-defining company led by an outstanding team of innovators.”

For information or to request a demo, visit OneTrust.com

OneTrust, OneTrust DataDiscovery, OneTrust DataGovernance, and OneTrust PreferenceChoice are registered trademarks or trademarks of OneTrust LLC or its subsidiaries in the United States and other jurisdictions.

About OneTrust
OneTrust is the #1 fastest growing and most widely used technology platform to help organizations be more trusted, and operationalize privacy, security, data governance, and ethics and compliance programs. More than 7,500 customers, including half of the Fortune 500, use OneTrust to build integrated programs that comply with the GDPR, CCPA, LGPD, ISO 27001, NIST, DOJ Guidelines, and hundreds of other laws and frameworks.

The OneTrust platform is powered by the OneTrust Athena™ AI and robotic automation engine, and our offerings include:  

  • OneTrust Privacy – Privacy Management Software 
  • OneTrust DataDiscovery™ – AI-Powered Discovery and Classification 
  • OneTrust DataGovernance™ – Data Intelligence Software
  • OneTrust Vendorpedia™ – Third-Party Risk Exchange 
  • OneTrust GRC – Integrated Risk Management Software 
  • OneTrust Ethics – Ethics and Compliance Software 
  • OneTrust PreferenceChoice™ – Consent and Preference Management Software 

Be a More Trusted Organization™. To learn more, visit OneTrust.com or connect on LinkedIn and Twitter

About TCV
Founded in 1995, TCV provides capital to growth-stage private and public companies in the technology industry. TCV has invested over $14 billion in leading technology companies and has helped guide CEOs through more than 125 IPOs and strategic acquisitions.

TCV’s software investments include Alarm.com, Altiris, Ariba, Avalara, ExactTarget, ETQ, FinancialForce, Genesys, IQMS, OSIsoft, Oversight, Silver Peak, Sitecore, SMT, Splunk, Vectra, and many more. TCV is headquartered in Menlo Park, California, with offices in New York and London. For more information about TCV, including a complete list of TCV investments, please visit http://www.tcv.com.

1. IDC, Worldwide Data Privacy Management Software Market Shares, 2019: OneTrust Dominates the Competition, Doc # US46214219, April 2020

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Media Contacts
Gabrielle Ferree, OneTrust
+1 770-294-4668
media@onetrust.com

Katja Gagen, TCV
+1 415 690 6689
kgagen@tcv.com

SOURCE OneTrust


Is the Cloud Safe? – The View from Vectra on Reducing Business Risk as Enterprises Aggressively Move to the Public Cloud

Digital transformation is driving enterprises to rapidly enter the next chapter of cloud adoption. Nearly half of current enterprise infrastructure-as-a-service users are running production applications on public cloud infrastructure. As such, organizations are acutely focused on dynamic scaling, 24×7 availability, streamlined management and development tools to make the migration seamless… yet security seems to be an afterthought, or maybe just assumed to be “locked down” given that the bulk of workloads are at Amazon Web Services, Microsoft Azure or Google Cloud. Given the brands and heft of these mega tech companies, how can these clouds possibly not be secure?

Recent high-profile breaches demonstrate that there are inherent risks in the public cloud. In fact, just moving workloads to these branded cloud providers does NOT make them more secure at all.  It’s clear that enterprises must ensure their security stack is properly architected for the cloud. The recent Capital One breach was a shock to the system.

In the case of Capital One, the combination of a tech-savvy team and AWS was breached through vulnerabilities that were known and could have been avoided. Does that mean it’s inherently risky to migrate to the cloud? Probably not, but it is clear we need better tools and processes to make this migration secure, scalable and cost-effective.

In this podcast, TCV’s Tim McAdam and Vectra CEO, Hitesh Sheth, talk about what it takes to reduce business risk in the cloud – and keeping enterprises, consumers and their transactions/interactions secure – while capitalizing on the tremendous opportunities the cloud offers.

***

Tim McAdam: Welcome to Growth Journeys, a podcast series from TCV, focused on lessons from the field from entrepreneurs in the TCV ecosystem. I’m Tim McAdam, General Partner at TCV, and I’m here with Hitesh Sheth, CEO of Vectra, a leader in applying artificial intelligence to detect and respond in real time to cyberattacks in the cloud, data center, and enterprise infrastructures. Hitesh brings a wealth of experience from senior roles at Aruba, Juniper, and Cisco, that affords him important lessons about how enterprises can assess and address security as they migrate workloads to the cloud. These lessons include views on encryption, 5G, and commingled log data, to name a few. We’re covering all these topics today, but first, thanks for joining me, Hitesh, and welcome to Growth Journeys.

Hitesh Sheth: Great to be here, Tim. Thank you for having me.

Tim McAdam: So, let’s start with a relatively simple one, but probably complicated in its scope. What’s the general state of cloud security today?

Hitesh Sheth: Cloud security today is, in my view, where Windows used to be circa 1990s. If you go back in time a couple of decades when Windows started to proliferate, security was really not the first thing that Microsoft thought about. And at that time, it looked like a pretty complex setup with multiple operating system versions, different devices on which Windows was getting deployed, and it felt like it was an endless opportunity for attackers to leverage.

Now, fast forward to today, and if you look at the cloud environment, whether you’re dealing with serverless computing, whether you’re looking at Kubernetes, none of the technologies that are being built for the cloud have had security at the front end, and by comparison we have a thousand-fold more complex scenario than we had when Windows started prevailing from a security point of view.

So, I think the scenario we have right now is that while cloud is taking off exponentially, the security holes that we are facing are indeed very profound.

Tim McAdam: And how do you think enterprises should approach assessing their security vulnerabilities as they migrate these workloads to the cloud?

Hitesh Sheth: One of the most important things that they should think about very carefully is that whatever strategy they had in place in their traditional on-prem networks is not the strategy they should deploy into the cloud. And a good example would be – you think of perimeters when you think of on-prem networks. So traditional firewalls tend to be the way you think about security. That already is disappearing in traditional networks, and that certainly cannot apply when you’re looking at cloud infrastructure.

Now, I think Gartner has come out with a very good synthesis of how to think about building visibility for next-generation SOCs and they’ve got this thing called the Triad, and the Triad has three components to it. There is a SIEM in it. There is NDR, which is network detect and response. And there is endpoint detect and response, EDR. And logically, if you have those three technologies in place, then you have the best shot at delivering comprehensive visibility for the SOC. And the good news there, is that it is independent of whether you’re in the cloud or on on-prem networks as well.

Tim McAdam: Right. And just for the audience, could you define what a SIEM is?

Hitesh Sheth: Absolutely. SIEM is security information and event management systems. A vendor example here would be Splunk. When you’re looking at EDR, a vendor example would be CrowdStrike. And then certainly when it comes to NDR, Vectra would be the example in mind.

Tim McAdam: Perfect. So, talk about encryption for a second and what role encryption will play in securing workloads. And I think there are probably some schools of thought that say, “Why do you need any of this stuff if our data’s encrypted?”

Hitesh Sheth: Correct. So, I think there’s good news and bad news in encryption. Let me start with the good news. The good news is that you can indeed encrypt the traffic from say, the endpoint to the edge of the infrastructure, or to the SaaS application. And so, in theory, you are reducing the opportunities for a hacker to break into that workload or into the payload and initiate a cyberattack. So that’s the good news.

However, the reality is that whether you’re dealing with data centers or you’re dealing with cloud infrastructure, the number of times where the traffic’s going to get encrypted post the edge of the cloud or the data center tends to be very, very limited. And therefore, you have the need to still continuously monitor the inside of the data center or the inside of the cloud for tracking advanced attacks. That’s number one.

But number two, what is also probably not fully appreciated is that encryption is actually a friend for attackers. So, if your device is compromised, Tim, and then your traffic is encrypted from your device to the SaaS application, then if I’m the hacker, the chances that somebody’s going to pick me up really get diminished. Therefore, you know, logically the only way you can really find those attacks is by looking at the behavior of your device and how you’re interacting with the application. Therefore, behavioral approaches become really essential in this scenario.

Tim McAdam: Right. And that begs the question – that might be a device-specific viewpoint. But how about the data itself? Obviously, multi-tenant cloud applications have effectively commingled log data or log data from multiple customers. Is that a limitation or security risk as enterprises move their workloads to the cloud, and how do enterprises gain comfort that the integrity of their data will remain intact as they move workloads to the cloud?

Hitesh Sheth: The reason logs get commingled in the cloud environment – I’ll come back to the point I made earlier. Security is an afterthought in the scenario. The primary objective of doing that is to add efficiency to IT ops. That is the reason why they do that. For a customer, who is adopting cloud services, you have to reconsider the Triad that I described earlier. You have to have a SIEM. You can take this commingled log data and you can have this centralized in one place for analysis purposes.

But, what is really crucial is that you don’t rely on that by itself. You have to use network detect and response. You have to use endpoint detect and response. And so, the whole point of that Triad is to give you coverage in scenarios like the one you just described.

Tim McAdam: Got it. That makes sense. How about trends around next-gen communications like 5G, for example, and then this whole mindset of zero trust? How do you see these newer trends enhancing, or frankly, causing security issues?

Hitesh Sheth: The benefit of 5G is that we, as users, can bypass traditional networks, and with our devices – whether it’s a phone or a tablet – you can go straight to the cloud and order the SaaS application. You don’t have to worry about your traditional network and the security therein. Which is great.

Now, the challenge with that is that you have just now opened up a direct path into the data without any intermediary layers. So, this is where zero trust is supposed to come in.

Zero trust is supposed to introduce the notion that unless every device is authenticated, it should not be trusted. But frankly, it’s a very simplistic view of security because it essentially says, if Tim on Tim’s phone is authenticated, then Tim and Tim’s device are now automatically safe. But what if somebody stole your credentials? And that happens on a daily basis, as we know. And, therefore, it is not enough to rely on something like zero trust.

You have got to have the right monitoring principles in place in the cloud itself to ensure that if your credentials are stolen on one end, you’ve got the right mechanisms to watch for the behavior of the privileged user in the cloud.

Tim McAdam: Got it. So, let’s talk about responsibility for a second. I recently read a Gartner report that was talking about degrees of hand-off points from infrastructure as a service providers, to platform as a service providers, to SaaS providers. How do you think about this shared responsibility continuum, and do you see this security responsibility changing over time?

Hitesh Sheth: First of all, I think a lot of companies make the mistake of thinking that the security responsibility is solely the cloud provider’s responsibility. And I think that mistake originates from consumers of SaaS applications.

If you are consuming Salesforce, as an example, I think it’s very reasonable to expect that Salesforce has taken care of your security requirements. In theory, that’s generally true. However, if you are the entity that is actually deploying your applications into the cloud environment, having that expectation that AWS, Microsoft, Google, have done the same thing is fundamentally not true.

At the end of the day, the company that’s utilizing cloud resources is responsible for the security of the network layer, the data on top of that, the applications, and how people are interacting with those applications. That responsibility solely resides with the entity that is using those services. And I think even as cloud providers evolve their security offerings, it would be a mistake for consumers of those offerings to relinquish their responsibility back to the cloud provider.

Tim McAdam: So, Hitesh, you can’t pick up the paper today without reading headlines about the shortage of qualified cybersecurity talent relative to the size of the problem. This is a massive issue. Why haven’t more cybersecurity companies adopted an AI/ML framework like Vectra’s given the obvious dearth of humans in the sector?

Hitesh Sheth: I actually think, Tim, that a lot of security vendors are talking about AI today. It’s become one of the pain points for customers, where AI has evolved into a buzzword from vendors, and they talk about it all the time.

The issue fundamentally is that the vendors are approaching this completely wrong, in my view. Even for investors, as they think about investing in companies that are touting AI, the principle of generalized AI simply does not work. Generalized AI equals a human being. And AI is not advanced enough, from a software point of view, to repeat what a human being would do in technology. So, the notion of applied AI is really key here. Applied AI does work as evidenced from the work that we do at Vectra.

And I think the key there is you cannot just take AI by itself. If it’s application-specific, then domain becomes very critical. And one of the early epiphanies that we had in our journey here is that as we experimented with generalized AI, and frankly we made mistakes with that. And what struck us very quickly was that, “Hey, you need security domain, you’ve got to have security domain paired up with AI for this to work.” If I’m a customer, I would be testing for that every single day before accepting a vendor’s word that their tech is actually going to work in my environment. Otherwise, it’s the person behind the curtain actually doing the work, not the software.

Tim McAdam: Right. Well, thank you for making all those generalized AI mistakes before we invested, Hitesh.

Hitesh Sheth: And, yes, we did that in the first few years, Tim, as you know well, but if you don’t make mistakes, you don’t learn. And we are much better off as a result.

Tim McAdam: So lastly, at a recent offsite, one of my partners floated the concept of via negativa, or addition by subtraction, as it related to our business model as investors. That is to say, focus on fewer, more high-impact investment themes or investment types by not focusing on others. Hitesh, should via negativa apply to streamlining the security posture of enterprises as they think about moving to the cloud?

Hitesh Sheth: I think it’s an absolutely fantastic principle for how you think about where you invest in infrastructure broadly and certainly in security, because as we all know, security is rife with a plethora of technologies and vendors pitching the next-greatest tool to customers every single day. Yet, paradigms have evolved very, very rapidly.

So for example, if I am building something from ground up, a customer should ask themselves, why do they really need a firewall? For what purpose? If I have EDR on my endpoint, if I have the right setup for monitoring my workloads in the cloud, what role does a firewall really play? What role does a perimeter play? If you want to save your dollars, OpEx or CapEx, I’ll put something bold out there and say, eliminate the firewall. I would challenge somebody to do that. And then provided they are actually following the SOC Triad – be religious about implementing the SOC Triad.

Do that first and then question the need for spend on anything else next. That’s the approach – that’s how via negativa can apply to security spend.

Tim McAdam: That is bold. I like it. Hitesh, thanks for joining us today.

Hitesh Sheth: Thanks very much, Tim, really appreciate it.

***

The views and opinions expressed are those of the speakers and do not necessarily reflect those of TCMI, Inc. or its affiliates (“TCV”). TCV has not verified the accuracy of any statements by the speakers and disclaims any responsibility therefor. This blog post is not an offer to sell or the solicitation of an offer to purchase an interest in any private fund managed or sponsored by TCV or any of the securities of any company discussed. The TCV portfolio companies identified above, if any, are not necessarily representative of all TCV investments, and no assumption should be made that the investments identified were or will be profitable. For a complete list of TCV investments, please visit www.tcv.com/all-companies/. For additional important disclaimers regarding this document, please see “Informational Purposes Only” in the Terms of Use for TCV’s website, available at http://www.tcv.com/terms-of-use/.


Vectra raises $100 million led by TCV to secure the cloud using network threat detection and response

SAN JOSE, Calif., June 10, 2019 /PRNewswire/ — Vectra, the leader in network threat detection and response (NDR), today closed a $100 million round of funding led by TCV, one of the largest growth equity firms backing private and public technology companies. Existing investors also participated in the funding round, bringing the company’s total funding to date to more than $200 million.

Vectra will use the investment to accelerate global market expansion and R&D innovation, solidifying its Cognito platform as the market-leading solution for artificial intelligence (AI)-driven cloud security using NDR.

The cloud has critical security gaps that leave organizations vulnerable. Cyberattackers take advantage of these gaps without leaving a trail of evidence. Underscoring this risk, a recent survey by the SANS Institute found that one in five businesses had serious unauthorized access to their cloud environments this past year alone, and many more were unknowingly breached.

The Cognito platform addresses these security gaps by providing 360-degree visibility into cloud, data center, user and internet-of-things (IoT) infrastructure, leaving attackers with nowhere to hide.

“TCV has an extensive track record of partnering with enterprise security companies, including Rapid7 and Splunk, from growth stage to public,” said Tim McAdam, general partner at TCV and a member of the Vectra board of directors. “In our research on the category, it became clear to us that Vectra was rapidly gaining momentum with customers by rethinking the way enterprises view both network and cloud security. The Vectra Cognito platform is poised to become requisite in the security infrastructure of multinational enterprises and midsize businesses alike.”

“The cloud has inherent security blind spots, making it imperative to eliminate cyber-risks as enterprises move their business to the cloud,” said Hitesh Sheth, president and chief executive officer at Vectra. “The Cognito platform enables them to stop hidden cyberattacks in the cloud. We look forward to partnering with TCV and our existing investors as we continue our rapid growth.”

Vectra experienced 104% growth in annual recurring revenue in 2018 compared to 2017. The company will continue to ramp up initiatives aimed at addressing the global deficit in cloud security, innovating on its existing platform and expanding its global customer base.

About Vectra
Vectra® is the leader in network detection and response – from cloud and data center workloads to user and IoT devices. Its Cognito® platform accelerates threat detection and investigation using AI to enrich network metadata it collects and stores with the right context to detect, hunt and investigate known and unknown threats in real time. Vectra offers three applications on the Cognito platform to address high-priority use cases. Cognito Stream sends security-enriched metadata to data lakes and SIEMs. Cognito Recall is a cloud-based application to store and investigate threats in enriched metadata. And Cognito Detect uses AI to reveal and prioritize hidden and unknown attackers at speed. For more information, visit vectra.ai.

About TCV
Founded in 1995, TCV provides capital to growth-stage private and public companies in the technology industry. Since inception, TCV has raised over $15 billion in capital and has helped guide CEOs through more than 120 IPOs and strategic acquisitions. TCV’s investments include Airbnb, Altiris, AxiomSL, Dollar Shave Club, EmbanetCompass, EtQ, ExactTarget, Expedia, Facebook, Fandango, GoDaddy, HomeAway, LinkedIn, Netflix, OSIsoft, Rapid7, Rent the Runway, Sitecore, Splunk, Spotify, Varsity Tutors, Webroot, and Zillow. TCV is headquartered in Menlo Park, California, with offices in New York and London. For more information about TCV, including a complete list of TCV investments, visit https://www.tcv.com.

Media contacts
John Kreuzer
Lumina Communications for Vectra
vectra@luminapr.com

Katja Gagen
TCV
kgagen@tcv.com 
415 690 6689

SOURCE Vectra


From Startup to Global Scale: Securing and Building the Company’s Culture Are Keys to Success of Tech Leaders

The days when technology chiefs could focus simply on hardware and software are gone. For technology leaders, aligning IT with long-term strategy and attracting and nurturing a winning team has become key in a world where customer expectations are growing, and the pace of change continues to accelerate.

Today’s technology businesses need to think strategically at the local, national, and global level. Many companies run business online or mobile first and are getting creative and competitive advantages from collecting and analyzing consumer data. This provides both opportunities and challenges: on one hand, companies can get access to global customers fast, yet they are also facing competitors both at home and abroad, not to mention threat actors who could be located anywhere and can come at you with sophisticated attacks. It’s your talent against theirs – with your enterprise and your customers in the middle.

At TCV, we’ve been focused on talent and culture as critical success factors for more than 20 years. Many of our investments have turned on building or sustaining successful cultures and nurturing them with the right people. For this year’s invitation-only CTO/CIO Summit, we decided to look at talent and culture together with the challenges of globalizing and securing the enterprise. We brought together over 40 technology executives, including founders, product leaders, TCV partners, and — of course — CTOs and CIOs, in Half Moon Bay, CA, for an opportunity to build peer relationships, learn from shared experiences, and discuss top-of-mind issues facing these leaders. We also mixed up the “talent” for the event itself, drawing not only on working CTOs and CIOs but also career IT experts with consulting and investing experience across multiple industries.

For us, the most important part of the two-day event was gaining a deeper understanding of both the challenges and opportunities technology executives need to balance, including:

  • Winning the Talent Wars and Creating a Winning Culture
  • Building a Globally Distributed Organization
  • Privacy and Identity Initiatives and Securing the Enterprise

Our agenda centered on best practices in scaling a global organization. Other topics we discussed included how to integrate acquisitions and best practices in managing a global workforce.

Here are the highlights:

Over dinner, Zillow CTO Dave Beitel spoke about how technology has transformed the real estate industry. Dave joined Zillow in 2005 and has seen the company grow, both organically and with 13 acquisitions in the last 12 years. Dave explained the importance of creating a strong culture across multiple locations and laying out paths to career development to motivate teams as organizations scale. He also provided advice on a common challenge that many growing companies face, particularly how to integrate offshore teams and make them an extension of existing efforts rather than adjacent resources. He also discussed with the group how to achieve success in scale with multiple office locations and different cultural identities.

Tim McAdam led the next day’s first panel with Victoria Schillinger, VP of HR at Alarm.com; Caroline Horn, Partner at Andreessen Horowitz; Michael Morell, Managing Partner at Riviera Partners; and Jonathan Schoonmaker, SVP of HR at FinancialForce. Their topic: winning the talent wars against today’s tech giants. The practical tips flowed freely, starting with university recruiting. Pick a few schools and work them, including both Ivy League schools and state colleges. Build relationships with influential faculty. Introduce your brand to younger students, not just seniors. When they become interns, give them meat to work on, not crumbs – having an impact is what they value most. If they turn down an offer, wait 2-3 years and call again – they may not be having the impact they expected at that big company they chose. Retaining key talent has to be proactive. Sit people down and map out how they will develop themselves and increase their impact by staying with you. Give them management opportunities so they can imagine themselves as leaders. Don’t expect diversity to walk in the door — look for talented, highly motivated people who come from completely different fields such as law or the military. And finally, the 90 days after a new hire starts are more important than the 90 days spent hiring them. Set them up for quick wins, build in plenty of touch-points, and make sure they’re comfortable in the culture.

Ted Coons continued the conversation with a focus on talent and culture, talking with Kameron Kordestani, a partner at McKinsey & Company, and Otto Berkes, CTO of CA Technologies, about building a globally distributed company. Both speakers separated the “artifacts” of culture – posters, slogans, logos – from its essence: ways of working that make the organization succeed. People who embody those essentials should be made ambassadors to new acquisitions or newly built development centers, so that people new to your culture can experience it live. When new team members absorb it, they should be given broader responsibilities in the combined company – this leverages their talent and inspires their original team. Particularly after M&A, the acquired team needs to understand its role and contribution to the combined entity; this should happen quickly and positively. Pay for travel if you can; people in far-flung organizations form bonds faster when they meet in person. Both Otto and Kam warned against sticking too closely to integration playbooks, particularly when the acquired technology is new or different. Sometimes a talent-rich team should not be integrated rapidly. Don’t compromise on security or safety but take time to observe how they work before you impose on a new team – the last thing you want to do is spoil an acquisition by how you integrate it.

TCV EIR Jonathan Shottan; Manmeet Singh, Co-founder and CEO of Dataguise; and Pablo Jensen, CTO of Sportradar, pulled back the curtain on Europe’s General Data Protection Regulation (GDPR) and California’s new privacy laws. Simply put, GDPR is about What, Where and Why: What private data do you have? Where is private data stored? Why do you need to process that private data? Both the compliance challenge and market opportunity of the new regulations are huge and what unites them is the challenge of identifying the vulnerabilities. Many companies mistakenly believe they are compliant, because they encrypt and segregate various types of customer data physically or in the cloud; but when they bring data types together for analysis, they create “PII” – personally identifiable information. The new laws also require companies to delete data if customers demand it, but that’s likely to create havoc with legacy database applications built on relational technology. And how do you delete older data stored on physical media? Enter data masking, at production scale, to stand in for deletion and encryption. First movers — with enough IT spend on decoupling, segregating, and masking data — may even competitively enhance their brands as “more secure” than others.

After lunch, Ted Coons and Charles Beadnall, CTO of GoDaddy, delved into the transformation of GoDaddy’s culture, a process that started back in 2013. Engineers loved the company’s mission of providing small businesses with a home on the internet, but deterrents included fly-over geography, aging facilities and sensationalist marketing. With a new CEO – and marketing campaign – GoDaddy began recruiting heavily. The challenge was forming a new culture that welcomed both existing employees and a flood of new developers in ways that produced better products, faster. Charles employed a version of the 80/20 rule: if he could populate 20% of a department with more diverse people who modeled the right behaviors, they would tip over the rest. The company hired people based on referrals, recruited many female graduates from local universities and placed experienced diverse hires in senior IT roles. Charles also drew in Ph.D.s from MIT and spent time with teams around the globe to transform a culture while keeping the company focused on growth.

Matt Robinson led the day’s final session on securing the enterprise with Amir Ben-Efraim, co-founder and CEO of Menlo Security; Rob Fry, VP of Engineering at JASK; Robert West, Managing Director at Deloitte LLP; and Christian McCarrick, VP of Engineering at Auth0. Matt first asked the panel how CIOs and CTOs should differentiate among today’s legions of security providers. Recommendations included assessing your vulnerabilities so you’re asking the right questions, getting referrals from peers, and anticipating the inevitable consolidation among security providers. Not every company needs an industry giant – those companies were startups once, and today’s upstarts may have superior technology. The panel then discussed prioritizing among today’s proliferating threats. Getting governance in place is critical – if no one fully owns the security portfolio, priorities will be set for the wrong reasons. If the role falls to you as CTO or CIO, you must be (or become) a good storyteller to convey the threats to your company and build consensus on addressing them. It’s also vital to recognize that malware will get inside your systems, but it won’t be the end of the world if you’re prepared. Ultimately the biggest weakness of all security systems is the human element. Education and training are essential and need to be on the agenda regularly. In addition, Amir argued that companies should hold vendors to a higher standard, aiming to receive 100% efficacy to keep companies protected.

We are grateful for all the valuable insights our speakers shared with attendees and the TCV community we strive to create. We look forward to exploring new topics and connections during our next TCV event.

###

The views and opinions expressed are those of the CTO/CIO Summit speakers and do not necessarily reflect those of TCMI, Inc. or its affiliates (“TCV”).  This summary is not an offer to sell or the solicitation of an offer to purchase an interest in any private fund managed or sponsored by TCV or any of the securities of any company discussed.  Not all companies discussed above are TCV portfolio companies.  Any TCV portfolio companies discussed above are not necessarily representative of all TCV investments, and no assumption should be made that the investments identified were or will be profitable. For a complete list of TCV investments, please visit www.tcv.com/all-companies/.  For additional important disclaimers regarding this document, please see “Informational Purposes Only” in the Terms of Use for TCV’s website, available at http://www.tcv.com/terms-of-use/.

 


Alarm.com Cuts the Cord

The day Steve Trundle’s first home alarm system was installed, he was outside with garden shears in his hand. He realized that he could easily reach up and cut the phone lines that connected his system to the monitoring company. “Suddenly it didn’t seem so smart to pay a monthly bill for something anyone could disable in two seconds,” he recalls. His vision of wireless, internet-enabled home security was born.

Trundle, then an executive at public software company MicroStrategy, gathered product design and engineering talent to build a product that would become Alarm.com. It took three years to field a do-it-yourself kit for homeowners that debuted in 2003. That milestone was also the beginning of Alarm.com’s first pivot. “We saw that there was already a whole universe of local security service providers all over the country,” Trundle explains. “We decided that rather than battle with the industry, we would partner with it, accelerate it, and transform it.”

To establish a channel with the security industry, Alarm.com began developing partnerships with security panel manufacturers and service providers. Integrating Alarm.com’s proprietary cellular communications module with security panel equipment eliminated the vulnerable wire that anyone could cut and provided a reliable connection to Alarm.com’s cloud-based services. For the first time, customers could control their security panel — and monitor their home — from any remote interface. This great leap forward quickly helped Alarm.com to develop productive partnerships with thousands of local security service providers who could exclusively offer interactive security monitoring to their customers.

This audacious strategy succeeded because Alarm.com’s software architecture made it possible to add new services to a security system via the cloud rather than physically replacing the panel. By leveraging data from the security system and integrating connected devices into its services, Alarm.com enabled innovative and engaging new capabilities. Proactive security alerts and home automation solutions like energy management, access control and video monitoring helped to make security systems more valued and customers less likely to cancel their service.

TCV began monitoring Alarm.com’s progress when the company’s installed base was close to half a million “roofs” – industry slang for buildings with a security system. Alarm.com was a striking fit with an investment thesis that TCV was developing for the next-generation connected home, led by Tim McAdam, Jake Reynolds, Kapil Venkatachalam, and Scott Kirk. The TCV team had spent significant time talking to security dealers and industry thought leaders at ISC West, an annual security conference, and realized the need for improving end customer retention, the most important metric for managing a security dealer’s business. All of these conversations pointed TCV again and again to one company with a leadership position and a team committed to success: Alarm.com.

Then, in 2011, Nest introduced a thermostat that could be managed wirelessly, and industry analysts began publishing predictions about the “Internet of Things” phenomenon – often called the IoT. The TCV team realized that if Alarm.com was going to maintain its early lead in connecting homes to the cloud, it had to accelerate its growth to millions of roofs – fast.

Trundle saw it, too. He had known Tim McAdam since college at Dartmouth, and they agreed that the time was ripe for Alarm.com to make another great leap forward.

“TCV understood everything we had done to that point, and they knew how to do the big things we needed. Other VCs thought we weren’t disruptive enough, but TCV focused on our business model. They got how durable it was, and how rapidly it could scale.”

– Steve Trundle, CEO of Alarm.com

TCV invested in Alarm.com in 2012, McAdam joined the board, and Alarm.com shifted into high gear.  TCV helped strengthen Alarm.com’s management team and Board with the recruitment of new board members Don Clarke and Darius Nevin, as well as Jeff Bedell as Chief Strategy and Innovation Officer, Dan Kerzner as Chief Product Officer, and, more recently, Steve Valenzuela as Chief Financial Officer.  In addition, Alarm.com moved quickly to acquire several adjacent companies that allowed it to broaden its product footprint, entered large new markets in Europe and Asia/Pacific, partnered with industry giant ADT, delivered new apps for mobile phones, televisions, and voice assistants, and extended its data analytics program into machine learning and AI.

“Alarm.com was the first company to provide a smart home security system with an easy-to-use interface primarily accessed on a smartphone. The security functionality quickly expanded to include lighting, energy management, and camera management,” McAdam relates. “Alarm.com was a pioneer in bringing all of these disparate services into the mass market in one app and ultimately has become the market leader in the connected home as well as the most under marketed example of a dominant IoT business.”

With a stronger team and investors who brought best practices for rapid growth, Trundle soon faced the question of when to go public. After starting the process for a 2014 offering, Alarm.com put it on ice until 2015. “The timing didn’t feel right,” Trundle recalls. “Sometimes as CEO you have to make tough calls based on your gut.” That instinct proved prescient, as the company successfully completed its IPO in 2015. TCV showed its commitment to the company and IoT by increasing its investment just prior to the IPO.

The company raised over $100 million in fresh capital with its IPO and moved quickly to invest it in new growth opportunities. Alarm.com acquired the Connect platform from iControl Networks, which serviced a different segment of the security and automation market, and grew its global installed base to more than five million roofs in 2017. The number of security dealers using Alarm.com to offer interactive services climbed to more than six thousand worldwide, and a group of super-dealers emerged to lead the way. The company’s standing in the connected home market has never been stronger.

These achievements are all the more remarkable considering that Alarm.com is headquartered in the Washington D.C. area – on the other side of the country from Silicon Valley. “We learned a long time ago that great companies can be founded and built anywhere,” TCV’s Kapil Venkatachalam says. Trundle says that he overcame any geographical disadvantage through smart hiring. “The Washington D.C. area offers a rich talent pool and we attracted many of the best engineers in our area because we’re one of the few market-leading tech companies here,” he points out, “and with TCV we’re also connected to the talent pipeline in Silicon Valley.”

Top talent remains a priority, because the connected home market is now eyed by all the major players in technology. Startups continue to form with dreams of disrupting the security industry. In a dynamic time and marketplace, Alarm.com must maintain its technology lead while strengthening its relationships with incumbent manufacturers, distributors, and installers. McAdam concludes: “When we look at global penetration rates for the connected home services that Alarm.com offers, the math suggests single-digit penetration. We have a lot of market to take over the next decade.”

###