ATLANTA, Dec. 21, 2020 /PRNewswire/ — OneTrust, the largest and most widely used privacy, security, and data governance technology platform, today announced a $300 million Series C funding round. The funding values OneTrust, founded in 2016, at $5.1 billion and brings the company’s total money raised in the last 18 months to $710 million. TCV signed on as a new investor and led the round, joined by OneTrust’s existing investors, including Insight Partners and Coatue.
Watch the video: Kabir Barday, CEO and Blake Brannon, CTO, discuss OneTrust’s growth to a $5.1 billion-valued leader in privacy, security, and governance
OneTrust’s technology sits as the epicenter of trust for organizations, enabling strong privacy, security, data governance, and ethics and compliance practices that underpin their digital transformation. As organizations strive for increasing levels of efficiency and agility in their transformation journey, they are looking for a platform approach to managing privacy, security, and governance requirements across an increasingly complex regulatory environment.
Today, 7,500 organizations, including more than half of the Fortune 500, use OneTrust’s technology to comply with the world’s privacy, security, and compliance requirements, including GDPR, CCPA, LGPD, ISO 27001, NIST, DOJ Guidelines, and hundreds of other laws and frameworks. The list of regulations an organization must comply with continues to rise. In 2020, sweeping privacy laws came into effect in California, Brazil, and others, and Gartner predicts 65% of the world’s population will be covered under modern privacy regulations by 2023, compared to just 10% today.
OneTrust has pioneered a true platform approach to trust with its modular products that are built on a single code-base and have been awarded 130 patents. Product offerings include:
OneTrust Privacy – Privacy Management Software
OneTrust DataDiscovery™ – AI-Powered Discovery and Classification
OneTrust DataGovernance™ – Data Intelligence Software
OneTrust PreferenceChoice™ – Consent and Preference Management Software
In less than 18 months, OneTrust raised $710 million in funding. Since its founding in 2016, OneTrust has grown to the largest and most widely used privacy, security, and governance technology and achieved the #1 spot on the 2020 Inc. 500 list of fastest-growing private companies.
No. 1 most widely adopted consent management platform (CMP) for five consecutive quarters according to Kevel (formerly Adzerk)
“Our mission is to build the technology platform that creates the trust fabric of an organization, while addressing the hundreds of privacy, security, and compliance requirements they are faced with today,” said Kabir Barday, OneTrust CEO and Fellow of Information Privacy. “We were excited when TCV approached us for an investment. Even with most of our previously raised funds still available, their partnership allows us to further accelerate our mission, leverage our capital and currency to drive organic and inorganic growth, and deliver for our customers and partners long term.”
“Consumers and regulators are demanding that every company on the planet comply with complex and ever evolving privacy regulations,” said Tim McAdam, General Partner at TCV. “There are hundreds of regulatory initiatives in the works emanating from all major countries. OneTrust has emerged as the runaway SaaS leader in the trust and privacy arena. Kabir and his team have built the only truly global privacy platform allowing companies at any stage or size to own their privacy initiatives and remain compliant. TCV is honored to partner with such a rapidly growing and category-defining company led by an outstanding team of innovators.”
OneTrust, OneTrust DataDiscovery, OneTrust DataGovernance, and OneTrust PreferenceChoice are registered trademarks or trademarks of OneTrust LLC or its subsidiaries in the United States and other jurisdictions.
About OneTrust OneTrust is the #1 fastest growing and most widely used technology platform to help organizations be more trusted, and operationalize privacy, security, data governance, and ethics and compliance programs. More than 7,500 customers, including half of the Fortune 500, use OneTrust to build integrated programs that comply with the GDPR, CCPA, LGPD, ISO 27001, NIST, DOJ Guidelines, and hundreds of other laws and frameworks.
The OneTrust platform is powered by the OneTrust Athena™ AI and robotic automation engine, and our offerings include:
OneTrust Privacy – Privacy Management Software
OneTrust DataDiscovery™ – AI-Powered Discovery and Classification
OneTrust DataGovernance™ – Data Intelligence Software
About TCV Founded in 1995, TCV provides capital to growth-stage private and public companies in the technology industry. TCV has invested over $14 billion in leading technology companies and has helped guide CEOs through more than 125 IPOs and strategic acquisitions.
TCV’s software investments include Alarm.com, Altiris, Ariba, Avalara, ExactTarget, ETQ, FinancialForce, Genesys, IQMS, OSIsoft, Oversight, Silver Peak, Sitecore, SMT, Splunk, Vectra, and many more. TCV is headquartered in Menlo Park, California, with offices in New York and London. For more information about TCV, including a complete list of TCV investments, please visit http://www.tcv.com.
1IDC, Worldwide Data Privacy Management Software Market Shares, 2019: OneTrust Dominates the Competition, Doc # US46214219, April 2020
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
transformation is driving enterprises to rapidly enter the next chapter of
cloud adoption. Nearly half of current infrastructure-as-a-service Enterprise
users are running production applications on public cloud infrastructure. As
such, organizations are acutely focused on dynamic scaling, 24×7 availability,
streamlined management and development tools to make the migration
seamless…yet, security seems to be an afterthought or maybe just assumed to be
“locked down” given that the bulk of workloads are at Amazon Web Services,
Microsoft Azure or Google Cloud. Given the brands and heft of these mega tech
companies, how can these clouds possibly not be secure?
high-profile breaches demonstrate that there are inherent risks in the public
cloud. In fact, just moving workloads to these branded cloud providers does NOT
make them more secure at all. It’s clear
that enterprises must ensure their security stack is properly architected for
the cloud. The recent Capital One breach was a shock to the system.
In the case of Capital One, a combination of a tech savvy team and AWS were breached by vulnerabilities that were known and could have been avoided. Does that mean it’s inherently risky to migrate to the cloud? Probably not, but it is clear we need better tools and processes to make this migration secure, scalable and cost-effective.
In this podcast, TCV’s Tim McAdam and Vectra CEO, Hitesh Sheth, talk about what it takes to reduce business risk in the cloud – and keeping enterprises, consumers and their transactions/interactions secure – while capitalizing on the tremendous opportunities the cloud offers.
For these insights and more, settle back and press play.
Tim McAdam: Welcome to Growth Journeys, a podcast series
from TCV, focused on lessons from the field from entrepreneurs in the TCV
ecosystem. I’m Tim McAdam, General Partner at TCV, and I’m here with Hitesh
Sheth, CEO of Vectra, a leader in applying artificial intelligence to detect
and respond in real time to cyberattacks in the cloud, data center, and
enterprise infrastructures. Hitesh brings a wealth of experience from senior
roles at Aruba, Juniper, and Cisco, that affords him important lessons about
how enterprises can assess and address security as they migrate workloads to
the cloud. These lessons include views on encryption, 5G, and commingled log
data, to name a few. We’re covering all these topics today, but first, thanks
for joining me, Hitesh, and welcome to Growth Journeys.
Hitesh Sheth: Great to be here, Tim. Thank you for having
Tim McAdam: So, let’s start with a relatively simple one,
but probably complicated in its scope. What’s the general state of cloud
Hitesh Sheth: Cloud security today is, in my view, where
Windows used to be circa 1990s. If you go back in time a couple of decades when
Windows started to proliferate, security was really not the first thing that
Microsoft thought about. And at that time, it looked like a pretty complex
setup with multiple operating system versions, different devices on which
Windows was getting deployed, and it felt like it was an endless opportunity
for attackers to leverage.
Now, fast forward to today, and if you look at the cloud
environment, whether you’re dealing with serverless computing, whether you’re
looking at Kubernetes, none of the technologies that are being built for the
cloud have had security at the front end, and by comparison we have a thousand-fold
more complex scenario than we had when Windows started prevailing from a
security point of view.
So, I think the scenario we have right now is that while cloud is
taking off exponentially, the security holes that we are facing are indeed very
Tim McAdam: And how do you think enterprises should
approach assessing their security vulnerabilities as they migrate these
workloads to the cloud?
Hitesh Sheth: One of the most important things that they
should think about very carefully is that whatever strategy they had in place
in their traditional on-prem networks is not the strategy they should deploy
into the cloud. And a good example would be – you think of perimeters when you
think of on-prem networks. So traditional firewalls tend to be the way you
think about security. That already is disappearing in traditional networks, and
that certainly cannot apply when you’re looking at cloud infrastructure.
Now, I think Gartner has come out with a very good synthesis of
how to think about building visibility for next-generation SOCs and they’ve got
this thing called the Triad, and the Triad has three components to it. There is
a SIEM in it. There is NDR, which is network detect and response. And there is
endpoint detect and response, EDR. And logically, if you have those three
technologies in place, then you have the best shot at delivering comprehensive
visibility for the SOC. And the good news there, is that it is independent of
whether you’re in the cloud or on on-prem networks as well.
Tim McAdam: Right. And just for the audience, could you
define what a SIEM is?
Hitesh Sheth: Absolutely. SIEM is security information and event management systems. A vendor example here would be Splunk. When you’re looking at EDR, a vendor example would be CrowdStrike. And then certainly when it comes to NDR, Vectra would be the example in mind.
Tim McAdam: Perfect. So, talk about encryption for a
second and what role encryption will play in securing workloads. And I think
there are probably some schools of thought that say, “Why do you need any
of this stuff if our data’s encrypted?”
Hitesh Sheth: Correct. So, I think there’s good news and bad news in encryption. Let me start with the good news. The good news is that you can indeed encrypt the traffic from say, the endpoint to the edge of the infrastructure, or to the SaaS application. And so, in theory, you are reducing the opportunities for a hacker to break into that workload or into the payload and initiate a cyberattack. So that’s the good news.
However, the reality is that whether you’re dealing with data
centers or you’re dealing with cloud infrastructure, the number of times where
the traffic’s going to get encrypted post the edge of the cloud or the data
center tends to be very, very limited. And therefore, you have the need to
still continuously monitor the inside of the data center or the inside of the
cloud for tracking advance attacks. That’s number one.
But number two what is also probably not fully appreciated is that
encryption is actually a friend for attackers. So, if your device is
compromised, Tim, and then your traffic is encrypted from your device to the
SaaS application, then if I’m the hacker, the chances that somebody’s going to
pick me up really get diminished. Therefore, you know, logically the only way
you can really find those attacks is by looking at the behavior of your device
and how you’re interacting with the application. Therefore, behavioral
approaches become really essential in this scenario.
Tim McAdam: Right. And that begs the question – that
might be a device-specific viewpoint. But how about the data itself? Obviously,
multi-tenant cloud applications have effectively commingled log data or log
data from multiple customers. Is that a limitation or security risk as
enterprises move their workloads to the cloud, and how do enterprises gain
comfort that the integrity of their data will remain intact as they move
workloads to the cloud?
Hitesh Sheth: The reason logs get commingled in the cloud environment – I’ll come back to the point I made earlier. Security is an afterthought in the scenario. The primary objective of doing that is to add efficiency to IT ops. That is the reason why they do that. For a customer, who is adopting cloud services, you have to reconsider the Triad that I described earlier. You have to have a SIEM. You can take this commingled log data and you can have this centralized in one place for analysis purposes.
But, what is really crucial is that you don’t rely on that by
itself. You have to use network detect and response. You have to use endpoint
detect and response. And so, the whole point of that Triad is to give you coverage
in scenarios like the one you just described.
Tim McAdam: Got it. That makes sense. How about trends
around next-gen communications like 5G, for example, and then this whole
mindset of zero trust? How do you see these newer trends enhancing, or frankly,
causing security issues?
Hitesh Sheth: The benefit of 5G is that we, as users, can bypass traditional networks, and with our devices – whether it’s a phone or a tablet – you can go straight to the cloud and order the SaaS application. You don’t have to worry about your traditional network and the security therein. Which is great.
Now, the challenge with that is that you have just now opened up a
direct path into the data without any intermediary layers. So, this is where
zero trust is supposed to come in.
Zero trust is supposed to introduce the notion that unless every
device is authenticated, it should not be trusted. But frankly, it’s a very
simplistic view of security because it essentially says, if Tim on Tim’s phone
is authenticated, then Tim and Tim’s device are now automatically safe. But
what if somebody stole your credentials? And that happens on a daily basis, as
we know. And, therefore, it is not enough to rely on something like zero trust.
You have got to have the right monitoring principles in place in
the cloud itself to ensure that if your credentials are stolen on one end,
you’ve got the right mechanisms to watch for the behavior of the privileged
user in the cloud.
Tim McAdam: Got it. So, let’s talk about responsibility
for a second. I recently read a Gartner report that was talking about degrees
of hand-off points from infrastructure as a service providers, to platform as a
service providers, to SaaS providers. How do you think about this shared responsibility
continuum, and do you see this security responsibility changing over time?
Hitesh Sheth: First of all, I think a lot of companies make the mistake of thinking that the security responsibility is solely the cloud provider’s responsibility. And I think that mistake originates from consumers of SaaS applications.
If you are consuming Salesforce, as an example, I think it’s very
reasonable to expect that Salesforce has taken care of your security
requirements. In theory, that’s generally true. However, if you are the entity
that is actually deploying your applications into the cloud environment, having
that expectation that AWS, Microsoft, Google, have done the same thing is
fundamentally not true.
At the end of the day, the company that’s utilizing cloud
resources is responsible for the security of the network layer, the data on top
of that, the applications, and how people are interacting with those
applications. That responsibility solely resides with the entity that is using
those services. And I think even as cloud providers evolve their security
offerings, it would be a mistake for consumers of those offerings to relinquish
their responsibility back to the cloud provider.
Tim McAdam: So, Hitesh, you can’t pick up the paper today
without reading headlines about the shortage of qualified cybersecurity talent
relative to the size of the problem. This is a massive issue. Why haven’t more
cybersecurity companies adopted an AI/ML framework like Vectra’s given the
obvious dearth of humans in the sector?
Hitesh Sheth: I actually think, Tim, that a lot of security vendors are talking about AI today. It’s become one of the pain points for customers, where AI has evolved into a buzzword from vendors, and they talk about it all the time.
The issue fundamentally is that the vendors are approaching this
completely wrong, in my view. Even for investors, as they think about investing
in companies that are touting AI, the principle of generalized AI simply does
not work. Generalized AI equals a human being. And AI is not advanced enough,
from a software point of view, to repeat what a human being would do in
technology. So, the notion of applied AI is really key here. Applied AI does
work as evidenced from the work that we do at Vectra.
And I think the key there is you cannot just take AI by itself. If
it’s application-specific, then domain becomes very critical. And one of the
early epiphanies that we had in our journey here is that as we experimented
with generalized AI, and frankly we made mistakes with that. And what struck us
very quickly was that, “Hey, you need security domain, you’ve got to have
security domain paired up with AI for this to work.” If I’m a customer, I would
be testing for that every single day before accepting a vendor’s word that
their tech is actually going to work in my environment. Otherwise, it’s the
person behind the curtain actually doing the work, not the software.
Tim McAdam: Right. Well, thank you for making all those
generalized AI mistakes before we invested, Hitesh.
Hitesh Sheth: And, yes, we did that in the first few years, Tim, as you know well, but if you don’t make mistakes, you don’t learn. And we are much better off as a result.
Tim McAdam: So lastly, at a recent offsite, one of my
partners floated the concept of via negativa, or addition by subtraction, as it
related to our business model as investors. That is to say, focus on fewer,
more high-impact investment themes or investment types by not focusing on
others. Hitesh, should via negativa apply to streamlining the security posture
of enterprises as they think about moving to the cloud?
Hitesh Sheth: I think it’s an absolutely fantastic principle for how you think about where you invest in infrastructure broadly and certainly in security, because as we all know, security is rife with a plethora of technologies and vendors pitching the next-greatest tool to customers every single day. Yet, paradigms have evolved very, very rapidly.
So for example, if I am building something from ground up, a
customer should ask themselves, why do they really need a firewall? For what
purpose? If I have EDR on my endpoint, if I have the right setup for monitoring
my workloads in the cloud, what role does a firewall really play? What role
does a perimeter play? If you want to save your dollars, OpEx or CapEx, I’ll
put something bold out there and say, eliminate the firewall. I would challenge
somebody to do that. And then provided they are actually following the SOC
Triad – be religious about implementing the SOC Triad.
Do that first and then question the need for spend on anything
else next. That’s the approach – that’s how via negativa can apply to security
Tim McAdam: That is bold. I like it. Hitesh, thanks for
joining us today.
Hitesh Sheth: Thanks very much, Tim, really appreciate it.
SAN JOSE, Calif., June 10, 2019 /PRNewswire/ — Vectra, the leader in network threat detection and response (NDR), today closed a $100 million round of funding led by TCV, one of the largest growth equity firms backing private and public technology companies. Existing investors also participated in the funding round, bringing the company’s total funding to date to more than $200 million.
Vectra will use the investment to accelerate global market expansion and R&D innovation, solidifying its Cognito platform as the market-leading solution for artificial intelligence (AI)-driven cloud security using NDR.
The cloud has critical security gaps that leave organizations vulnerable. Cyberattackers take advantage of these gaps without leaving a trail of evidence. Underscoring this risk, a recent survey by the SANS Institute found that one in five businesses had serious unauthorized access to their cloud environments this past year alone, and many more were unknowingly breached.
The Cognito platform addresses these security gaps by providing 360-degree visibility into cloud, data center, user and internet-of-things (IoT) infrastructure, leaving attackers with nowhere to hide.
“TCV has an extensive track record of partnering with enterprise security companies, including Rapid7 and Splunk, from growth stage to public,” said Tim McAdam, general partner at TCV and a member of the Vectra board of directors. “In our research on the category, it became clear to us that Vectra was rapidly gaining momentum with customers by rethinking the way enterprises view both network and cloud security. The Vectra Cognito platform is poised to become requisite in the security infrastructure of multinational enterprises and midsize businesses alike.”
“The cloud has inherent security blind spots, making it imperative to eliminate cyber-risks as enterprises move their business to the cloud,” said Hitesh Sheth, president and chief executive officer at Vectra. “The Cognito platform enables them to stop hidden cyberattacks in the cloud. We look forward to partnering with TCV and our existing investors as we continue our rapid growth.”
Vectra experienced 104% growth in annual recurring revenue in 2018 compared to 2017. The company will continue to ramp up initiatives aimed at addressing the global deficit in cloud security, innovating on its existing platform and expanding its global customer base.
About Vectra Vectra® is the leader in network detection and response – from cloud and data center workloads to user and IoT devices. Its Cognito® platform accelerates threat detection and investigation using AI to enrich network metadata it collects and stores with the right context to detect, hunt and investigate known and unknown threats in real time. Vectra offers three applications on the Cognito platform to address high-priority use cases. Cognito Stream™ sends security-enriched metadata to data lakes and SIEMs. Cognito Recall™ is a cloud-based application to store and investigate threats in enriched metadata. And Cognito Detect™ uses AI to reveal and prioritize hidden and unknown attackers at speed. For more information, visit vectra.ai.
About TCV Founded in 1995, TCV provides capital to growth-stage private and public companies in the technology industry. Since inception, TCV has raised over $15 billion in capital and has helped guide CEOs through more than 120 IPOs and strategic acquisitions. TCV’s investments include Airbnb, Altiris, AxiomSL, Dollar Shave Club, EmbanetCompass, EtQ, ExactTarget, Expedia, Facebook, Fandango, GoDaddy, HomeAway, LinkedIn, Netflix, OSIsoft, Rapid7, Rent the Runway, Sitecore, Splunk, Spotify, Varsity Tutors, Webroot, and Zillow. TCV is headquartered in Menlo Park, California, with offices in New York and London. For more information about TCV, including a complete list of TCV investments, visit https://www.tcv.com.
The days when technology chiefs could focus simply on hardware and software are gone. For technology leaders, aligning IT with long-term strategy and attracting and nurturing a winning team has become key in a world where customer expectations are growing, and the pace of change continues to accelerate.
Today’s technology businesses need to think strategically at the local, national, and global level. Many companies run business online or mobile first and are getting creative and competitive advantages from collecting and analyzing consumer data. This provides both opportunities and challenges: on one hand, companies can get access to global customers fast, yet they are also facing competitors both at home and abroad, not to mention threat actors who could be located anywhere and can come at you with sophisticated attacks. It’s your talent against theirs – with your enterprise and your customers in the middle.
Ted Coons continued the conversation with a focus on talent and culture, talking with Kameron Kordestani, a partner at McKinsey & Company, and Otto Berkes, CTO of CA Technologies, about building a globally distributed company. Both speakers separated the “artifacts” of culture – posters, slogans, logos – from its essence: ways of working that make the organization succeed. People who embody those essentials should be made ambassadors to new acquisitions or newly built development centers, so that people new to your culture can experience it live. When new team members absorb it, they should be given broader responsibilities in the combined company – this leverages their talent and inspires their original team. Particularly after M&A, the acquired team needs to understand its role and contribution to the combined entity; this should happen quickly and positively. Pay for travel if you can; people in far-flung organizations form bonds faster when they meet in person. Both Otto and Kam warned against sticking too closely to integration playbooks, particularly when the acquired technology is new or different. Sometimes a talent-rich team should not be integrated rapidly. Don’t compromise on security or safety but take time to observe how they work before you impose on a new team – the last thing you want to do is spoil an acquisition by how you integrate it.
TCV EIR Jonathan Shottan, Manmeet Singh, Co-founder and CEO of Dataguise and Pablo Jensen, CTO of Sportradar pulled back the curtain on Europe’s General Data Protection Regulation (GDPR) and California’s new privacy laws. Simply put, GPDR is about What, Where and Why: What private data do you have? Where is private data stored? Why do you need to process that private data? Both the compliance challenge and market opportunity of the new regulations are huge and what unites them is the challenge of identifying the vulnerabilities. Many companies mistakenly believe they are compliant, because they encrypt and segregate various types of customer data physically or in the cloud; but when they bring data types together for analysis, they create “PII” – personally identifiable information. The new laws also require companies to delete data if customers demand it, but that’s likely to create havoc with legacy database applications built on relational technology. And how do you delete older data stored on physical media? Enter data masking, at production scale, to stand in for deletion and encryption. First movers — with enough IT spend on decoupling, segregating, and masking data — may even competitively enhance their brands as “more secure” than others.
After lunch, Ted Coons and Charles Beadnall, CTO of GoDaddy, delved into the transformation of GoDaddy’s culture, a process that started back in 2013. Engineers loved the company’s mission of providing small businesses with a home on the internet, but deterrents included fly-over geography, aging facilities and sensationalist marketing. With a new CEO – and marketing campaign – GoDaddy began recruiting heavily. The challenge was forming a new culture that welcomed both existing employees and a flood of new developers in ways that produced better products, faster. Charles employed a version of the 80/20 rule: if he could populate 20% of a department with more diverse people who modeled the right behaviors, they would tip over the rest. The company hired people based on referrals, recruited many female graduates from local universities and placed experienced diverse hires in senior IT roles. Charles also drew in Ph.D.s from MIT and spent time with teams around the globe to transform a culture while keeping the company focused on growth.
Matt Robinson led the day’s final session on securing the enterprise with Amir Ben-Efraim, co-founder and CEO of Menlo Security; Rob Fry, VP of Engineering at JASK; Robert West, Managing Director at Deloitte LLP; and Christian McCarrick, VP of Engineering at Auth0. Matt first asked the panel how CIOs and CTOs should differentiate among today’s legions of security providers. Recommendations included assessing your vulnerabilities so you’re asking the right questions, getting referrals from peers, and anticipating the inevitable consolidation among security providers. Not every company needs an industry giant – those companies were startups once, and today’s upstarts may have superior technology. The panel then discussed prioritizing among today’s proliferating threats. Getting governance in place is critical – if no one fully owns the security portfolio, priorities will be set for the wrong reasons. If the role falls to you as CTO or CIO, you must be (or become) a good storyteller to convey the threats to your company and build consensus on addressing them. It’s also vital to recognize that malware will get inside your systems, but it won’t be the end of the world if you’re prepared. Ultimately the biggest weakness of all security systems is the human element. Education and training are essential and need to be on the agenda regularly. In addition, Amir argued that companies should hold vendors to a higher standard, aiming to receive 100% efficacy to keep companies protected.
We are grateful for all the valuable insights our speakers shared with attendees and the TCV community we strive to create. We look forward to exploring new topics and connections during our next TCV event.
The day Steve Trundle’s first home alarm system was installed, he was outside with garden shears in his hand. He realized that he could easily reach up and cut the phone lines that connected his system to the monitoring company. “Suddenly it didn’t seem so smart to pay a monthly bill for something anyone could disable in two seconds,” he recalls. His vision of wireless, internet-enabled home security was born.
Trundle, then an executive at public software company MicroStrategy, gathered product design and engineering talent to build a product that would become Alarm.com. It took three years to field a do-it-yourself kit for homeowners that debuted in 2003. That milestone was also the beginning of Alarm.com’s first pivot. “We saw that there was already a whole universe of local security service providers all over the country,” Trundle explains. “We decided that rather than battle with the industry, we would partner with it, accelerate it, and transform it.”
To establish a channel with the security industry, Alarm.com began developing partnerships with security panel manufacturers and service providers. Integrating Alarm.com’s proprietary cellular communications module with security panel equipment eliminated the vulnerable wire that anyone could cut and provided a reliable connection to Alarm.com’s cloud-based services. For the first time, customers could control their security panel — and monitor their home — from any remote interface. This great leap forward quickly helped Alarm.com to develop productive partnerships with thousands of local security service providers who could exclusively offer interactive security monitoring to their customers.
This audacious strategy succeeded because Alarm.com’s software architecture made it possible to add new services to a security system via the cloud rather than physically replacing the panel. By leveraging data from the security system and integrating connected devices into its services, Alarm.com enabled innovative and engaging new capabilities. Proactive security alerts and home automation solutions like energy management, access control and video monitoring, helped to make security systems more valued and customers less likely to cancel their service.
TCV began monitoring Alarm.com’s progress when the company’s installed base was close to half a million “roofs” – industry slang for buildings with a security system. Alarm.com was a striking fit with an investment thesis that TCV was developing for the next-generation connected home, led by Tim McAdam, Jake Reynolds, Kapil Venkatachalam, and Scott Kirk. The TCV team had spent significant time talking to security dealers and industry thought leaders at ISC West, an annual security conference, and realized the need for improving end customer retention, the most important metric for managing a security dealer’s business. All of these conversations pointed TCV again and again to one company with a leadership position and a team committed to success: Alarm.com.
Then, in 2011, Nest introduced a thermostat that could be managed wirelessly, and industry analysts began publishing predictions about the “Internet of Things” phenomenon – often called the IoT. The TCV team realized that if Alarm.com was going to maintain its early lead in connecting homes to the cloud, it had to accelerate its growth to millions of roofs – fast.
Trundle saw it, too. He had known Tim McAdam since college at Dartmouth, and they agreed that the time was ripe for Alarm.com to make another great leap forward.
“TCV understood everything we had done to that point, and they knew how to do the big things we needed. Other VCs thought we weren’t disruptive enough, but TCV focused on our business model. They got how durable it was, and how rapidly it could scale.”
– Steve Trundle, CEO of Alarm.com
TCV invested in Alarm.com in 2012, McAdam joined the board, and Alarm.com shifted into high gear. TCV helped strengthen Alarm.com’s management team and Board with the recruitment of new board members Don Clarke and Darius Nevin, as well as Jeff Bedell as Chief Strategy and Innovation Officer, Dan Kerzner as Chief Product Officer, and, more recently, Steve Valenzuela as Chief Financial Officer. In addition, Alarm.com moved quickly to acquire several adjacent companies that allowed it to broaden its product footprint, entered large new markets in Europe and Asia/Pacific, partnered with industry giant ADT, delivered new apps for mobile phones, televisions, and voice assistants, and extended its data analytics program into machine learning and AI.
“Alarm.com was the first company to provide a smart home security system with an easy-to-use interface primarily accessed on a smartphone. The security functionality quickly expanded to include lighting, energy management, and camera management,” McAdam relates. “Alarm.com was a pioneer in bringing all of these disparate services into the mass market in one app and ultimately has become the market leader in the connected home as well as the most under marketed example of a dominant IoT business.”
With a stronger team and investors who brought best practices for rapid growth, Trundle soon faced the question of when to go public. After starting the process for a 2014 offering, Alarm.com put it on ice until 2015. “The timing didn’t feel right,” Trundle recalls. “Sometimes as CEO you have to make tough calls based on your gut.” That instinct proved prescient, as the company successfully completed its IPO in 2015. TCV showed its commitment to the company and IoT by increasing its investment just prior to the IPO.
The company raised over $100 million in fresh capital with its IPO and moved quickly to invest it in new growth opportunities. Alarm.com acquired the Connect platform from iControl Networks, which serviced a different segment of the security and automation market, and grew its global installed base to more than five million roofs in 2017. The number of security dealers using Alarm.com to offer interactive services climbed to more than six thousand worldwide, and a group of super-dealers emerged to lead the way. The company’s standing in the connected home market has never been stronger.
These achievements are all the more remarkable considering that Alarm.com is headquartered in the Washington D.C. area – on the other side of the country from Silicon Valley. “We learned a long time ago that great companies can be founded and built anywhere,” TCV’s Kapil Venkatachalam says. Trundle says that he overcame any geographical disadvantage through smart hiring. “The Washington D.C. area offers a rich talent pool and we attracted many of the best engineers in our area because we’re one of the few market-leading tech companies here,” he points out, “and with TCV we’re also connected to the talent pipeline in Silicon Valley.”
Top talent remains a priority, because the connected home market is now eyed by all the major players in technology. Startups continue to form with dreams of disrupting the security industry. In a dynamic time and marketplace, Alarm.com must maintain its technology lead while strengthening its relationships with incumbent manufacturers, distributors, and installers. McAdam concludes: “When we look at global penetration rates for the connected home services that Alarm.com offers, the math suggests single-digit penetration. We have a lot of market to take over the next decade.”