Lessons in Venture Capital: How to Build and Scale a Successful Cybersecurity Company, with Marcus Bartram of Telstra Ventures

Guest: Marcus Bartram
Telstra Ventures
EPISODE 16: THINK BAD, DO GOOD
Lessons in Venture Capital: How to Build and Scale a Successful Cybersecurity Company, with Marcus Bartram of Telstra Ventures
Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ
Telstra Ventures’ Marcus Bartram understands the growing pains inherent in building a business. Working at high-growth companies early in his career helped him build wisdom and resilience and foster a sense of empathy towards entrepreneurs. As a venture capitalist, Marcus understands how to use capital as a tool for building a business, and he and his team have led successful investments in companies like CrowdStrike, Auth0, Corvus Insurance, Elastica, and vArmour, among many others.
In this episode, Marcus joins Jonathan to discuss the ins-and-outs of evaluating potential investment opportunities, the company profiles that attract venture capitalists, and the excitement that comes with building partnerships. “Who’s the team?” Marcus asks. “Do you believe in the vision they’re trying to paint? Do you trust them to want to give them literally millions of dollars of money? And do you think they can execute on the vision?”
Marcus recounts stories of navigating the turbulent dotcom boom of the late-1990s, reflects on the role it played in his career, and shares his views on the future of cybersecurity and technology. “For my sins, I really like the cybersecurity market, which is a huge, vibrant market with lots of opportunity,” he remarks. “What’s their unique view on that, and why are they different to the other thousands of cybersecurity startups that are in the market today? Are they solving a big problem, or are they solving for a feature in cybersecurity?”
Tune in for more.

Marcus Bartram
In addition to being an AttackIQ investor and Board Member, Marcus was part of the founding team for Telstra Ventures. He believes that the key to success in life and investing is being humble, immersing yourself in new places, new cultures and new ideas to expand your perspective, and using his experience to help others achieve their ambitious goals.
His approach has led him investments in companies such as Crowdstrike, Auth0, Anomali, Cequence, CloudKnox, Cohere, Cofense, Corvus Insurance, Closedloop.ai, CyberGRX, Dimmi, Elastica, ipSCAPE, Headspin, Matrixx, reThought Insurance, vArmour, and Zimperium.
When he is not partnering with entrepreneurs who are shaping tomorrow’s world, he loves spending time shaping his next surfboard, being with his family and friends, mountain biking, skiing and traveling as much as he can. Marcus received an MBA from the University of Oxford, UK and a Bachelor of Engineering (Electrical and Electronic, honors) from the University of Adelaide, Australia.
Jonathan Reiber:
Hello, everyone, and thank you for joining us for today’s episode of AttackIQ’s podcast, Think Bad, Do Good. It is my great pleasure to host an investor, a leader, and a cybersecurity strategist, Marcus Bartram. Did I say it right that time? Yeah, he gives me the thumbs up. Good. Thank you, Marcus. Who is one of AttackIQ’s lead investors, and he comes to us from Telstra Ventures. But Marcus, where are you based today? What’s the weather like? What’s happening out there?
Marcus Bartram:
Hey, Jonathan. Really great to be here. I’m in sunny Mill Valley. It feels like it’s nice and warm outside. I haven’t ventured outside today, but after this, I’m going to go for a walk.
Jonathan Reiber:
Good. Well, hopefully you won’t need a walk after today’s podcast. Thank you, Marcus, for joining us today. It’s really a pleasure to have you. Why don’t you tell us a bit about yourself and where you came from and how you came into this space?
Marcus Bartram:
Sure. In venture capital in particular, I was working at Telstra, which is an Australian telecoms company, in 2010, working for an executive there. He had a vision for how do we drive innovation in a big giant telecommunications company. And I was part of a small team that sort of came up with the idea of how do we attract the attention of these amazing entrepreneurs and founders that are innovating in the world, and get them to work with Telstra.
And we kind of landed on two things. What do founders want? They need capital and they want customers and they need expertise, and Telstra can offer them capital and customers. So this sort of idea evolved and twisted and turned and ultimately became Telstra Ventures. We made our first investment in early 2012, and have sort of gone on to greater and bigger things since then.
Jonathan Reiber:
That’s awesome.
Marcus Bartram:
Now we’ve invested in sort of 90 companies across a really broad spectrum of the software, cyber, and tech industry.
Jonathan Reiber:
Yeah, I know… When did you first touch cybersecurity? Was it when you were in London with NSC? Is that right?
Marcus Bartram:
Yeah. Yeah, that was just in the dotcom boom with a company called NSC Global. We had a practice. We were selling managed services and security services and security consulting services, and we were selling the early versions of Check Point Firewall and NetForensics. There’s an intrusion detection tool, and that’s when my first exposure to cyber came from.
Jonathan Reiber:
What was it like in London back then? Give us some flavor for the environment when you first got into cyber?
Marcus Bartram:
London in the dotcom boom was crazy. It was so much fun. It felt like you could do anything. There’s a level of madness associated with it, but people had real imagination for the things they were trying to create and build. Which I was sitting in the kind of tech side of the industry at that point rather than the financing side of the industry, where I am now, but it felt like there’s tons and tons of opportunity from thousands of companies got created and entrepreneurs went out and raised capital and did all sorts of wonderful things. Yeah, no, the story of the dotcom boom and the dotcom bust is well told, but I lived through both of those, which is a really fascinating moment to be in an early stage company on both sides of it.
Jonathan Reiber:
No, I think American listeners in particular think about the dotcom boom and the dotcom bust, and they think about sort of billionaires and millionaires made in Silicon Valley, but you’re in London. What were some of your formative memories of that time? And tell us what you did after NSC too, because I think that will inspire envy on the part of our listeners.
Marcus Bartram:
Yeah, it’s a good question. The hardest thing to do in that time was to find talent, because everyone was running in a million miles an hour and talent was really expensive. So you could hire people that you were paying premium, premium rates for the term.
Marcus Bartram:
And then when the dotcom bust came, there’s huge restructures of these companies, because customers just stopped buying. They all retracted. I remember sitting in the office in London, and it was literally the space of two days, we went from selling to not selling. And by the end of the week, we had an office that seated maybe 20 people, and we had 80 people back in the office, sitting on the floor and hanging around in the corridors. And clearly, things had shifted incredibly dramatically. So we went through this really painful process and a real learning sort of process for me where we had to let a huge part of that workforce go, try and reset the company and get it back to some level of sustainability, and kind of build out of that.
Yeah, and personally, that was a really hard time and required an enormous amount of work, both building the company and then kind of rebuilding the company along with the founders and other folks and things. And I found myself sort of saying, “Look, the company doesn’t need someone like me in it.” It goes back to a reset. So yeah, I left and I was really fortunate, I actually had an offer to do a master’s of business, or an MBA, at Oxford University. So I took six weeks off, I think it was, and I literally just laid down in the grass. I was so tired. Laid down in the grass, in the sun, and just tried to recover. And then went off to Oxford University and did the MBA, which was, yeah, an amazing experience.
Jonathan Reiber:
So what role did Oxford play in your career, if you were to think about it? I don’t know if you’ve ever thought about this before, but the Saïd School of Business is such a cool place, and as someone who spent… I’ve been to Oxford probably a grand total of 10 days in my life. Each time, it was a short visit. I had some friends who went there. I was extremely envious. They didn’t seem to be working very hard, which is not what I was expecting. These were people who either didn’t get the Rhodes Scholarship or got something close to it, and I was expecting them to be studious and making magic. So what was it like at Oxford then, and how did that shape your career?
Marcus Bartram:
It’s just like Hogwarts, Jonathan. It was amazing. So I would say a couple of things. So I kind of went into Oxford… And I actually had an offer before I joined NSC to go and do an MBA. I spoke to a mentor, he was actually my father-in-law, and I said, “What do you think I should do?” And he said, “Go and do the startup, the early stage company, because you’ll learn more doing that than you will doing an MBA.” And at the end of that, I then accepted to go into the MBA. I kind of knew the things I didn’t know through the startup and the things that I wanted to learn, which are really kind of numerate things like finance and accounting and marketing. All these sort of subjects that you sort of do in a startup, that it’s just such a crazy environment, you kind of don’t know what you don’t know.
So I went to the MBA to kind of fill all the gaps, or the perceived gaps that I had. And through the MBA, I kind of really enjoyed the sort of heavier finance subjects around private equity and just a touch on private and venture capital, and kind of filled in all the dot points that I need to fill in on these other subjects. So when I popped out of it, that’s sort of the place I wanted to go. The journey from there to actually doing it was still a decade away after the MBA.
Jonathan Reiber:
What was it about venture capital that attracted you to that field?
Marcus Bartram:
It’s kind of the idea of building businesses and the idea of capital as a tool to sort of be in that process. So years before, I worked at Honeywell. I was an engineer. I trained as an engineer, I went to Honeywell, and really enjoyed the role I had there, which was helping kind of build a business. Not really being an engineer, but running a small team and trying to build a product and get it sold and win customers and respond to tenders and do all these things, and build a marketing program.
And then going to the startup was exactly the same thing. It’s like, “How do you kind of survive as a small company in this sort of crazy environment?” And we had business all over Europe, all through the UK. Really impressive clients. And generally, it was a lot of fun.
So this idea of building a business was the thing that kind of resonated. And then the finance side of it, I just kind of liked the finance element of it and trying to understand what that meant and how it worked and what the point of it was.
Jonathan Reiber:
Yeah. So I’m tempted… You’ve now been an investor for X period of time, right? I think at least 15 years, right?
Marcus Bartram:
We had our 10th anniversary for our first investment eight weeks ago, four weeks ago.
Jonathan Reiber:
Great. Yeah, so when you think about lessons for how to make a good investment as a venture capitalist, right? I think that’s something our listeners would definitely love to hear. What are some of the things that you look out for when you’re deciding when to back a company? What is the stuff that excites you the most?
Marcus Bartram:
That’s a really good question. I think there’s a handful of things, and they kind of fall into sort of four categories. First one’s the team. Who’s the team? Do you believe in the vision they’re trying to paint? Do you kind of trust them to want to give them literally millions of dollars of money? And do you think they can execute on the vision? So that’s sort of the first part of that. And no team is ever complete when you meet them. They’re people. So yeah, what makes them tick? Can they scale? Have they done what you’re asking them to do before? Do they have a sense of how to do what it is they’re trying to do?
And then it’s then the market and which market are they in. And for my sins, I really like the cybersecurity market, which is a huge, vibrant market with lots of opportunity. So in that context, it’s kind of like, “What’s their sort of unique view on that, and why are they different to the other thousands of cybersecurity startups that are in the market today? Are they solving a big problem, or are they solving for a feature in cybersecurity?”
And then where we invest, most of our companies have a product, like 99% of them have a product. So let’s learn about the product and what does it do and how does it work and what problem does it solve. And kind of all those things tie together.
And then the fourth part is sort of the financial results and what are the trailing sort of metrics of all the work that goes on. So those four ingredients mixed together are kind of what make the basis of what I think is a good investment. And the financial element is also then from an investment point of view, it’s evaluation, right? We’ve seen years of now very, very high valuations. So for us to do our job and return money to our partners, we need to believe we can invest at this price, help build a company and support the entrepreneur to build a company, and then sell our shares at a price that delivers a great result for our partners.
Jonathan Reiber:
Who do you rely on to determine evaluation? I’m sure I’m asking a naive question.
Marcus Bartram:
No, no. We do all the pricing inside. So as a team, we do it. We work, we build a model, a financial model or a business model, for the company. We look at as many precedent sort of transactions as we can, be it venture investments or M&A. We look at the public market comparables. And then you’re in a competitive process. So at what price do you really want to buy into the company that still supports your belief of the sort of return you’re going to make and need to make? And at some point, the price is high or too high, and you don’t invest. And at other points, you have enough conviction that you will pay a really high price and hope the company can kind of build to them.
I think as a fund, we’re pretty conservative and I think we’re very rational in terms of pricing. So I think we sort of have a good stable sort of base to how we think about pricing. And then when you pitch to the other partners on the investment, you get all the hard questions in terms of the assumptions you’ve made and the price you’ve picked and what does it really mean.
Jonathan Reiber:
So even though you, as a partner, may believe it, you still have to sell it internally to get everybody to buy into it. And then you have to get an LP to back it, right?
Marcus Bartram:
Well, we have a fund. So the LPs have already agreed to give us money and they trust us to invest sensibly and return capital to them. So we don’t have to ask them for new money, we just have to convince ourselves of the merits of the investment.
Jonathan Reiber:
So the LPs have already said, “We’re going to trust Telstra or Marcus and his team to make these decisions, and we’re going to contribute to the fund.” And then from there, you can make your decisions on your own.
Marcus Bartram:
Yeah. Exactly.
Jonathan Reiber:
Yeah. That’s really helpful. I have so many questions about that, but-
Marcus Bartram:
Fire away.
Jonathan Reiber:
Yeah. Well, so I suppose on the pricing question, right? When you’re an investor, who ends up… Is it a negotiation with the company itself for how much you’ll put in? Or how do those negotiations work?
Marcus Bartram:
Part of it is kind of art, part science. So we do this work, we build a model, we have a view on price. But then we’re in a competitive market, and so other funds are doing the same thing. And sometimes we partner with those funds and we agree a price and we try and win the business together. Or we’re competing to win an investment. So then it becomes a negotiation between the founder and us and the founder and the other sort of suitors, if you like, for that investment.
And then part of that is price, and part of it is then what all the other things that we can add as a fund to the company. So it’s a beauty contest. That’s a terrible way to say it, but that’s what it feels like. And an environment where there’s lots of money looking for investments, prices go up. When the environment changes and your prices fall or there’s less money, then prices will come down. Because our job is to pay as little as possible, and the founder’s job is to get a reasonable price. But the market kind of speaks for itself.
Jonathan Reiber:
That’s really interesting. That’s something that I literally know nothing about. So I appreciate you walking me and viewers and listeners through it. That’s really interesting. Now, on the products side, you said 99% of the time, they have a product. Now, of course we’re all familiar with the terrible stories that are being circulated in the global media these days about companies that didn’t have a real product that then got all sorts of money. But I also imagine that the definition of a product can be anything. It can be in prototype phase, it can be in beta. It can be quite mature already, and you’re investing later. How much product is enough?
Marcus Bartram:
Now there’s a tricky question. So the way we proxy for that is do you have customers that are paying you to use the product? And generally, this is a gross rule of thumb, it’s sometimes they have five customers, sometimes the company will have 10 or 15 customers, and it’s a little bit of a judgment call as to how much product is enough. And the reality is at that stage of a company’s life, they have built the bones of the product, they’ve worked with a bunch of design partners and customers who are helping them build the product, and then they’re starting to sell it.
So we’re really interested in for where we invest, what are the signals we see in that sales motion and what do we see in response to when we talk to the customers, about the problem that they’re solving. And can we kind of extrapolate that to somewhere else? And then the job the company has and we have after we’ve invested is to kind of find them people, support them with capital, find them customers, do the work that we do to help them scale their business to the next level.
Jonathan Reiber:
That’s really cool. Now, having never founded anything, my background’s in national security policy. I worry about the people who are like… I don’t worry about them. I don’t understand what their life is like when they have the bare bones idea. They want to build something. Now, if they’ve done this before, then they know previous investors or maybe they made a lot of money, and so they have the capital to themselves invest in their product. But what about for people that are just like, “I want to build this app today.”? Is that when angel investors come in? Are those the people for them to call? Are they supposed to find angel investors to help them get their first customer?
Marcus Bartram:
I mean, there’s sort of a… Most people who have an idea and understand a problem that they want to solve, the first kind of money they try to find is folks that they know or they use their own money. Or maybe they did have a successful exit before, and they can kind of bootstrap it. But all of those first checks, whether it’s an institutional fund or it’s their own money or their friends and family are sort of those angel and sort of seed or pre-seed investors. And as they start to write code and create a product, they’ll hit milestones that then attract the next level of investor or a seed investor, and so on and so forth. So as the company grows and the product matures and they find design partners and customers, there’s different levels of appetite for investment.
So if you’re an angel investor or a seed investor, you’re writing smaller checks, 10, 25, $50,000 checks, but there’s a really high risk that you won’t get your money back. But if the company grows and scales, that small investment can become very, very valuable.
We have less appetite for failure, so we invest a little bit later in the company’s growth profile. So we invested that sort of series A and series B, where they have customers and they have a product and they’re generating revenue. So the risk of them failing is still high, but it’s not as high as when they’re first sitting around a card table in a restaurant and drawing out the design on a paper napkin.
Jonathan Reiber:
This is really instructive and cool. I didn’t know we were going to talk about this. I realized that I’ve had these-
Marcus Bartram:
Good.
Jonathan Reiber:
… questions knocking around my head for months if not years as I’ve thought about startups. Look, I’ve interacted with investors before, and I think probably I’ve been too ashamed to ask some of these questions. And I also wanted to give this for other people like me who are out there listening, who think, “What does it actually mean to be a venture capitalist? How do you do this? What are you looking for?” So I appreciate you walking us through that.
Marcus Bartram:
Happy to share.
Jonathan Reiber:
Yeah. So what-
Marcus Bartram:
Happy to share.
Jonathan Reiber:
Have you had moments where you’ve met a small team and you thought, “This team is so good, I believe in them so much. I think the rest of their business plan is kind of crap. They don’t have anything to go on. But I believe in them so much, I just want to give them a positive endorsement and tell them to come back in X and Y months.”? Or maybe that happens more at the seed stage.
Marcus Bartram:
Always. Always.
Jonathan Reiber:
Really?
Marcus Bartram:
Yeah, there’s loads of people that are technically and commercially brilliant, creating new companies and thinking up and solving new ideas. And I’d love to meet those people at that stage, because we’re great investors and we want to invest when we know these people, because like I said, team is a big part of this. And team is people, so you’ve got to get to know the people. And while they’re forming their idea, if we really love the idea and they don’t quite fit our financial profile, what can we do to help them kind of succeed with the idea? And maybe that gives us a preferential to invest, because they know us and they like us. And then you’re working together for the next 5 to 10 years, which is weekly, monthly, quarterly, daily phone calls and conversations. So you spend a lot of time together.
Jonathan Reiber:
I mean, that must be some of the most exciting parts of the job, to just be out there sensing ideas, sensing technologies, meeting people, interacting with the community, and then getting the chance to build partnerships with people you really like.
Marcus Bartram:
Totally. It’s also the most frustrating, because sometimes you don’t win the date. You don’t get married and you see these guys go and build these amazing companies, and you kind of miss the opportunity. But yeah, it is, it’s just one of the parts of the job, and it’s actually really fun. I actually really like the part after you invest and you kind of help these companies build their businesses. The most fun is when they’re super successful and everyone makes money and everyone goes on to build a bigger business, and you’ve done years and years of hard work to get there. That’s really rewarding.
Jonathan Reiber:
Yeah, of course. To see from the idea to the exit, which is a good opportunity for us to pivot to, I think, the next line of questions that I wanted to ask you about, which is what do you see in cybersecurity and security overall these days that excites you? What are some of the trends where you say, “I want to learn more about that and I want to meet people doing that kind of stuff.”?
Marcus Bartram:
Yeah, totally. I think cybersecurity is one of these really interesting industries that kind of builds on shifts in tech changes and tech trends, and it builds on changes in how criminals behave and the techniques they use to commit crime. Because cybersecurity is preventing crime. So we spend a lot of time thinking about the changes in how technology and technology infrastructure and architecture is changing. And that’s an ongoing kind of process.
And we’re literally sitting and talking about what do we think the next shift in IT architecture is going to be. And then I think out of that then spawns where do the next really big cybersecurity companies come from. And here and now today, I think there’s a bunch of really interesting problems around data security. I think there’s interesting problems around identity, and identity is still a big topic of conversation. It’s not solved.
I think organizations are moving, and there’s already really successful companies, some of these spaces, still going through this digitization of their applications and user experience. That’s creating opportunities for kind of cloud security companies. I think the emergence… Well, not the emergence, but the crypto world is just ripe with opportunity for security companies. It seems to be so easy to commit fraud, there just seems to be lots and lots of opportunity there. So we’re spending some time there. Whether we invest is the question, but we’re spending time there.
Jonathan Reiber:
That’s a good one. I mean, I think it’s worth clarifying because when you say crypto, I think of the crypto mining people that hit me up on Twitter and Instagram pretending to want to be friends and then 10 text messages in, and I always know they’re going to do it, which is why I talk to them. They’re like, “Hey, have you thought about Bitcoin investment? Have you bought Bitcoin?” But you’re not talking about that part of crypto, are you?
Marcus Bartram:
No, it’s more the infrastructure and the building blocks of this industry. I’m still very much a new student to that industry, so I’m going to extend a political license to myself to talk about it, but the-
Jonathan Reiber:
I hereby grant you a license so you’re not the only one doing it. You have a license.
Marcus Bartram:
Thank you. Appreciate it. But there’s still so many building blocks that are being created in that industry, and there’s still these sort of tectonic shifts that are occurring as people try and figure out how to create companies, create infrastructure, and really kind of build the pieces of the puzzle in that market. And then at the top of that, you have people who have crypto projects.
I mean, the fraud thing is really interesting because it sort of goes back to KYC and know your customer and know your client. It goes to a level of trust and a level of… There’s transparency in what people are trying to achieve, and there’s stories every day about people that put money into a project. The projects’ founders get the money and then they disappear. It’s just ridiculous. And then you have there’s a very successful company we’re not invested in-
Jonathan Reiber:
You’re talking about people investing in a project and then them disappearing in conducting a criminal act, basically.
Marcus Bartram:
Yeah, essentially. Yeah, totally.
Jonathan Reiber:
What’s KYC? I’m not familiar with that.
Marcus Bartram:
It’s like when you-
Jonathan Reiber:
Kentucky City.
Marcus Bartram:
Yeah, Kentucky City. No, it’s know your customer. So when you open a bank account, you have to rock up and provide a bunch of data around who you are, and the bank validates that and you get to open an account. That’s a very basic sort of function that is absent in a lot of the kind of blockchain industry. But there’s companies solving for it and there’s things that are going on to solve for it. And how do you manage identity? Identity is a really interesting problem to solve for in the blockchain in crypto market. So yeah, it’s a fascinating space and one we’re going to spend more time in.
Jonathan Reiber:
Cool. Well, folks, take it as a note, learn more about the blockchain and crypto space. I mean, it’s been on my radar for a while. I feel like I need to read at least three Economist articles about it or Financial Times articles about it. I know people that have made a lot of money at it. But I’m glad to hear that you’re thinking about it, Marcus, because that-
Marcus Bartram:
Go find some people who are deep into it and go and talk to them. That’s a better way to do it.
Jonathan Reiber:
Yeah, totally. Well, maybe we could do that as one of our next conversations is do a dive into blockchain. What are some of the other areas of particular interest in cyber these days outside of blockchain? Which, I mean, it sounds really cool.
Marcus Bartram:
Yeah. So spending a lot of time looking at companies that are helping enterprises predict threats that are coming. So-
Jonathan Reiber:
I know a company that does something like that. Yeah.
Marcus Bartram:
A little bit like that. But it’s more like as criminals set up, effectively, a project to commit ransomware. They build a bunch of infrastructure. And as companies that are seeing all the early signals of that infrastructure being created, they can tell that to customers, and that’s sort of important information for enterprises. And then that allows them to put defenses in place ahead of an attack. So it’s sort of a preemptive type work.
Like I said, I still think identity, there’s lots of things to solve our own identity. We’ve sort of recently invested in a company called Strata Identity, which is solving some really interesting problems in that market. But I do think there’s more to do there.
Jonathan Reiber:
You’re talking beyond two-factor authentication for validating identity.
Marcus Bartram:
Yeah. Totally. When you peel back the onion of an enterprise, the identity infrastructure is very, very complex. And generally, they have multiple generations of technology doing something in identity related to products or employees or customers. And if the digitization of these organizations is moving these applications into the cloud and a roadblock to that is identity, then how do you migrate these old identity architectures into these new modern environments?
There’s still a bit of sales pitch, but Strata helps kind of solve that as a first problem, and abstracts away all of that complexity.
Jonathan Reiber:
Cool.
Marcus Bartram:
Equally, we’re investors in North Zero back in the day, which is a really sort of foundational identity company in the relationship between an enterprise and its consumer base or customer base. It’s simplifying that environment, but there’s lots and lots of complexity and there’s lots of, lots of problems to be solved in that part of the industry.
Yeah. I mean, I think we’re also interested in… Well, I am also interested in data security. How do you secure your data as a corporation if identity’s now the new front or data is kind of the crown jewels. And security around data is really hard to do, but it’s really important. So there’s a bunch of early stage companies that are having another go at solving security around data.
Jonathan Reiber:
Yeah. What are your thoughts on zero trust? If you have any strong opinions, I’d love to hear them.
Marcus Bartram:
I think it’s really hard to implement architecturally, but I think conceptually, it’s the right way to think about how you build security, which is you have to validate to get access. You don’t trust anybody. So I think that makes conceptually really good sense is then how do you implement that in your organization, which is really tough.
The other thing I would say in security, there’s really basic operational challenges that are still to be solved. Talk to any number of CISOs, and they’re wrestling with basic problems like patching and the block and tackling of their industry, and keeping talent and application coding and improving security and the actual core of an application being written. I think all these are other areas that are really fascinating, and still good companies to be built there.
Jonathan Reiber:
As somebody who came to the technology sector from the national security community, and now this is coming up on my fourth year and working in technology, so I’m still relatively new to it. There’s a part of me that says, “Look, there are cybersecurity solutions out there that I know work pretty well.” And I see a breach and I’m like, “Well, if only they’d had that solution,” which they don’t, “they’d be in a much better position,” right? But then what you’re actually saying on the other hand is the internet and the way the technology grows introduces consistent operational problems, some of which simply haven’t been solved, right? There are some great solutions that are out there. But then there’s others that it’s just like, “This problem won’t go away.” The sheer scope of vulnerability management, like what to do and how to solve what I imagine… I haven’t yet seen a good solution for how to automatically prioritize and patch. I haven’t seen something that would do that.
Marcus Bartram:
No, exactly. And it’s not going away. It’s only getting harder and more complex and more broad, and new technology and changes to architecture just add to the complexity of it. And part of it is you’ve got people in the middle of this as well, and people are people, they make mistakes, stuff isn’t done, stuff’s not configured, manual processes don’t work. There’s just an endless opportunity for errors to be identified and fixed and tools to help solve for them.
Jonathan Reiber:
Yeah. The one that I would love to talk more about sometime with you, and we’re running out of time, but this idea of sensing when criminals are building ransomware infrastructure. That seems really, really, really cool. If you could interpret it through behaviors on the internet, and then being like, “This is the shape of this amorphous thing that’s soon going to become very clear.” It sounds like you have a particular company in mind that does that, but that seems really neat. I don’t know how much more you can talk about it.
Marcus Bartram:
Yeah, there’s a few companies that are coming out the same problem in different ways, but it’s literally what it is. It’s like, “What are the building blocks when you’re going to launch an attack?” And can you identify the marshaling of those resources in such a way that you can get enough signal that you can tell a customer that there’s a potential issue? And the further you can get in front of that and if you can deliver that signal more accurately, then the value to the customer is really high.
Jonathan Reiber:
I mean, the analogy is like we’re watching troop movements in Europe in advance of an invasion, and we know the troops are going to happen. It’s here, it’s there, and then it… Or whatever it may be like. And this is why the Russians and the United States hid their nuclear missiles on submarines, right? Hide them so you can’t see them.
Marcus Bartram:
You can’t see them, what are you going to do?
Jonathan Reiber:
Say again?
Marcus Bartram:
Yeah, if you can’t see them, what are you going to do? It’s the surprise. So it just takes out the element of surprise.
Jonathan Reiber:
I love that. I love the idea of being able to see ransomware attacks forming through the resource-based analysis. I’d love to learn more about it. I should ask, because you’re one of our investors, what was it that attracted you to breach and attack simulation? Obviously, you’re not going to say anything that’s not extraordinary, so…
Marcus Bartram:
Pressure’s on.
Jonathan Reiber:
Yeah, totally. Yeah. Yeah, but I was curious, what were some of the tips in your head that thought, “You know what? This is really neat. I want to invest in this.”?
Marcus Bartram:
Yeah, totally. I’ll go back to the things we talked about. We met the team and I really loved the founders and thought the vision of what they’re trying to do is really interesting. And in terms of kind of the product and the market opportunity blended together, if you like, we’d invested in a bunch of what I call cybersecurity kind of tools at this point, who are trying to find bad guys, detect threats, provide intelligence, whatever it’s going to be.
But AttackIQ are coming at the cybersecurity market totally orthogonal to that in saying, “You’ve got all these tools. How do you improve the efficacy of everything you’ve already purchased? How do you validate when you put these tools in, that they’re still doing the same job you need them to do one day, one week, six months, one year later?” So I think that was a really unique sort of point of view to be able to test for that and then give that to a customer and say, “Here’s all the weaknesses in your defenses. Go and do these three things, and you will solve some of these problems. And do it from the point of view of an attacker and them trying to hack into your system.”
There’s a concept in sort of engineering of a control system, and I think in fullness, the vision for this is the control system identifies when the control goes out of limit, sends an alert, the engineer goes and adjusts the control, and it happens in somewhat real-time. And that sort of idea doesn’t exist in security today. And if you can build that, that’s a really big and important and interesting company in the market. Because there’s no CISO I’ve met yet who has a system that gives them that level of efficacy on their security controls. So that was the vision which I love. Love the team, love the team today. I think the vision is still super valid, and the market is enormous.
Jonathan Reiber:
Yeah, exactly. I remember when I first met AttackIQ, the idea, A, was completely different from all the other companies that I’d looked at before, which was really important to me, having been doing cybersecurity now forever. 12 years, right? Off and on. I wanted something totally different that solved a real problem. It’s really heartening to hear what you said, because that’s the same kind of vision that I had for why I joined. And then the team was really it. Right off the bat, I trusted my bosses.
Marcus Bartram:
Yeah.
Jonathan Reiber:
Yeah, it’s super heartening to hear. Yeah.
Marcus Bartram:
Yeah, great team. Really mission-driven. Very focused on the outcome and focused on the vision, which is outstanding.
Jonathan Reiber:
Yeah. Well, Marcus, it’s been such a pleasure having you today. I think for anyone listening, particularly for potential founders, you can get a feel for Marcus Bartram here. He’s diligent, trustworthy, hardworking, and obviously puts his heart into it. So we’re very lucky to have you as an investor and a partner. I’ve learned a lot from our two conversations, and I’m looking forward to more. But thank you very much for coming on today. I think this will be really helpful for anyone particularly interested in learning about what it means to be a venture capitalist working in the cybersecurity industry. I’m sure they’ll find this really interesting. Do you have any parting thoughts before we depart?
Marcus Bartram:
Jonathan, it’s been a real pleasure to chat to you, and I’ve really enjoyed the conversation. Mainly parting thought, we’re happy to talk to anyone about our founding, who’s founding a company and wants to talk to somebody who might be interested in investing downstream. But yeah, really loved the chat. Really nice to talk to you.
Jonathan Reiber:
Great.
Yeah. So you can find Marcus on LinkedIn, or you can look up Telstra Ventures and find his bio on the website. We’ll put those in the show notes for listeners out there. And thanks again for tuning in.
Marcus, one thing we may ask you next time, because I asked Rob Hornbuckle this last time, which is who his heroes are. And I think for next time, I want to ask you that question too. I might have to-
Marcus Bartram:
All right. You’re on. I’m on notice. Sounds good.
Jonathan Reiber:
All right. Be well, everybody. Thanks again.