This Week in Enterprise Tech 512 Transcript

Curt Franklin (00:00:00):
This Week in Enterprise Tech, we talk about how dark skin can be deadly when the tech is biased. And we bring you Jonathan Heiliger of Vertex Ventures. TWiET on the set.

Announcer (00:00:18):
Podcasts you love from people you trust. This is TWiT.

Curt Franklin (00:00:31):
This Week in Enterprise Tech episode 512 recorded September 23rd, 2022. Smart Money Makes the World Go round.

Louis Maresca (00:00:43):
This episode of This Week in Enterprise Tech is brought to you by IRL, an original podcast from Mozilla. IRL is a show for people who build AI and people who develop tech policies. Hosted by Bridget Todd, this season of IRL looks at AI in real life. Search for IRL in your podcast player. And by Thinkst Canary. Detect attackers on your network while avoiding irritating false alarms. Get the alerts that matter. 10% off and a 60 day money back guarantee. Go to canary.tools/twit, enter the code TWiT in the "How did you hear about us" box.

Curt Franklin (00:01:24):
Welcome to TWiET, your weekly source for everything that matters in the world of enterprise technology. I'm Curt Franklin and I'm your host for this episode of TWiET. It is, as usual, going to be a great show. We've got a fabulous guest, some interesting things to talk about before we get there. And before I do anything else, it's time to say hello to my co-host for this episode of TWiET, Mr. Brian Chee. Brian, how are things on your end of the neighborhood?

Brian Chee (00:02:00):
I'm doing fine. You know, we're obviously watching the weather reports and seeing how things are going. It doesn't look like it's going to be horrible, but never hurts to be prepared. I am, however, tinkering a little bit with a technology. If you've been looking at the fiber to the home or fiber from the curb, this actually exists on a single strand of fiber and it's called a GPON. And what it does is it allows a service provider like AT&T or whoever to be able to go and string up to 128 homes off a single strand of fiber. And depending on how strong the optics are, you know, doing a 10 kilometer, 40 kilometer or even a hundred kilometer strand of fiber is well within the realm of reality. So hopefully as things like that unit that was like a 20, under $20 unit, as those things start dropping in price, hopefully internet service providers will be able to go and do more interesting things. So lots of fun. Hopefully I'll be using some of those at the Orlando Maker Faire on November 5th and sixth.

Curt Franklin (00:03:19):
I don't know, I'm having all kinds of pictures of great campus wide deployments and going over a big campus with stuff like that looks cool. Well, we have, as I said, a great show and it's time to dive into it. Let's start with the blips. You know, we spend a lot of time here on TWiT talking about the extent to which disgruntled or careless employees are a security risk for enterprises large and small. I suppose on some level it's comforting to know that the same employee risk exists for the bad guys too. According to an article on Dark Reading, a developer for the LockBit ransomware-as-a-service operation publicly released the encryptor code for the latest version of the malware, LockBit 3.0, also known as LockBit Black, to GitHub. There was apparently some job dissatisfaction at work here.

Curt Franklin (00:04:20):
Now the bad news is that other ransomware operators, including some that are just wannabes, now have access to the builder for what is arguably one of the most sophisticated and dangerous ransomware strains currently on the market. The good news is that security researchers now have a chance to take apart the builder software and better understand the threat. Now, LockBit's operators have tried to present themselves as a professional outfit, focused mainly on targets in the professional services, retail, manufacturing, and wholesale sectors. The group has promised on their honor not to attack healthcare entities, educational and charitable institutions, but since they are in fact criminals, security researchers have observed groups using the ransomware attacking the off-limit targets anyway. Now, LockBit surfaced in 2019 and has since emerged as one of the biggest current ransomware threats. In the first half of 2022, researchers from Trend Micro identified some 1,843 attacks involving LockBit, making it the most used ransomware strain the company has encountered this year. In a similar vein, a report from Palo Alto Networks' Unit 42 threat research team described the previous version of the ransomware, that's LockBit 2.0, as accounting for 46% of all ransomware breach events in the first five months of this year. Now, while there is undoubtedly value for researchers in seeing this code, the ultimate advantage it brings may be small. Following the leak, LockBit's authors are likely hard at work rewriting the builder to ensure that future versions won't be compromised in the same way.

Brian Chee (00:06:15):
All right, so this article, which comes to us from the folks at Ars Technica, got kind of kicked into high gear because of the pandemic. Now for years, the studies have found some racial bias in a common oxygen measuring device called pulse oximeters, as well as alarming dangers for inaccurate blood oxygen measurements in dark-skinned patients. Now the US Food and Drug Administration is summoning its expert advisors to review the problematic devices and consider new recommendations and regulatory actions. The FDA announced last Thursday that its advisory committee, called the Anesthesiology and Respiratory Therapy Devices Panel, ARTDP, will convene on November 1st to discuss pulse oximeters. Until then, the agency renewed emphasis on the safety warning it issued in February 2021, which noted that the ubiquitous devices, quote, may be less accurate in people with dark skin pigmentation. And the warning actually closely followed the study from December 2020 that highlighted the same. Well, this is certainly a story that makes me go, hmm, since I'm more than a little tan, and since I suffer from COPD and use a pulse oximeter daily, I'm now wondering if perhaps my COPD diagnosis is skewed because of the bias in this instrument.

Curt Franklin (00:07:56):
Well, according to a report by Anaconda, a data science platform firm, in the past year, 40% of surveyed data scientists, business analysts and students have scaled back their use of open source components, since vulnerabilities in open source components like the widespread flaws revealed 10 months ago in Log4j 2.0 have forced them to reevaluate the code frequently used in analysis and the creation of machine learning models. An article at Dark Reading points out that concerns over the security of open source software is a relatively new trend for the data science world. The security of open source components and the software supply chain in general has become a primary consideration among software developers, businesses, and national governments over the last two years. In May, for example, NIST issued guidance to address software supply chain risks, and a growing number of software vendors have joined with the Linux Foundation's Open Software Security Foundation, or OpenSSF.

Curt Franklin (00:09:04):
In general, software companies are not seeing any sort of decrease in open source usage overall, focusing instead on improving the security of the open source software and using security as a primary guide in selecting their components. One major issue though is that companies have relatively few alternatives when moving away from one open source package than to adopt a different package whose maintainers they believe have put a greater emphasis on security. Now, how can developers really tell where that maintainer emphasis lies? Maintainers of the most critical projects, of which there are hundreds, if not thousands, need to use secure dependencies, test their own code and validate the trustworthiness of contributors. The maintainers should also be publishing a security scorecard. A Google-created initiative now managed by OpenSSF gives a security grade to a project based on nearly 20 different criteria. Well, according to our criteria, that's it for the blips and it's time to bite. But before we get there, we need to hear from Lou.

Louis Maresca (00:10:23):
Well, thank you guys. I'll get you back to your enterprise and IT news in just one moment. But before we do, we do have to thank a really great sponsor of This Week in Enterprise Tech, and that's IRL, an original podcast from Mozilla. IRL is a show for people who build AI and people who develop tech policies. Hosted by Bridget Todd, this season of IRL looks at AI in real life. Who can AI help, who can it harm? The show features fascinating conversations with people who are working to build more trustworthy AI. For example, there's an episode about how our world is mapped with AI. The data that's missing from those maps tells us as much of a story as the maps themselves. You know, you'll hear all about the people who are working to fill in those gaps and take control of the data.

Louis Maresca (00:11:08):
There's another episode about gig workers who depend on apps for their livelihood. It looks at how they're pushing back against algorithms that control how much they get paid, and seeking new ways to gain power over data to create better working conditions. For political junkies, there are episodes about the role that AI plays when it comes to the spread of misinformation and hate speech around elections, a huge concern for democracies around the world. I really like season four, episode one, "Checking Out Online Shopping." There they talk about the hidden costs of shopping online and off. What are you giving up? Meta Brown, a data scientist from Amazon, is on the show and talks about what happens when you make an online purchase. It just may actually shock you. Super compelling episode, definitely check it out. Search for IRL in your podcast player. We'll also include a link in today's show notes, and we thank IRL for their support of This Week in Enterprise Tech. Back to you guys.

Curt Franklin (00:12:06):
Thanks Lou, we appreciate that. And don't worry, we'll be hearing more from Lou later on in the show. But now it's time for our bite, our slightly longer and more detailed look at one of the stories that's been in the news this week. On Tuesday, Microsoft released a big thick PDF detailing Windows 11's new security focused features. Among the big things they were talking about was zero trust. Now, zero trust is a topic we have looked at extensively here on TWiT. Some of that is because it's so darn important. And so some of that is because for a few years, Microsoft, Google, Amazon, and many others have been working with the US government to improve cybersecurity using zero trust as one of the principal techniques. It's no coincidence that the three big cloud service providers are looking at this because they are very well positioned to institute controls to prevent truly catastrophic cyber attacks. Microsoft, though, is doing something a little bit different because they're moving security down the stack, all the way down the stack into firmware. Now, there have been flaws in firmware that we've talked about before. Firmware for CPUs, printers, storage area networks, network attached storage, all kinds of external devices provide locations where vulnerabilities can hide and attackers can gain access to a network.

Curt Franklin (00:14:10):
Now, according to Microsoft, these sorts of threats call for computing hardware that is secure down to the very core, including hardware and processors which store sensitive business information. They say that with hardware based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone. So what are we talking about when it comes to Microsoft? The phrase is hardware root of trust. In simple English, that means a starting point that is implicitly trusted. If you're talking about a PC, it's a component that checks the BIOS code to make sure that it's legitimate before it boots the machine. Now, anyone who's gone in and had to pull malware off a machine that has a malware compromise knows just how important this is because it's difficult to go in and mitigate things in the BIOS if the developer of that malware is any good at all. And there are new security measures including storing sensitive data like crypto keys and user credentials completely isolated from the operating system inside their own sort of software strongbox. Microsoft requires a TPM, or Trusted Platform Module, 2.0 chip to be installed on Windows 11 machines that are new or upgraded. The company had required TPM 2.0 capabilities on their Windows 10 machines, but the latest version of Windows won't even run if the computer doesn't have that chip.

Curt Franklin (00:16:12):
Windows 11 machines all now include the Microsoft Pluton security processor in the system on a chip that has replaced the classic CPU on the motherboard. Pluton's not new, it's been around for a couple of years, but it eliminates an attack vector. Now, not all Windows 11 machines will have this chip, but all absolutely positively will have a TPM 2.0 chip. Now, Brian, I wanna bring you in because TPM chips have been around for a while. These aren't new and there are still a lot of concerns about how to properly set them up, including some warning that if you do it incorrectly, if you do it badly enough, you break the system. So what do you think? Is it that hard? Is it that sensitive? And is there some sort of key to getting it right?

Brian Chee (00:17:19):
I think a lot of any kind of hardware based security system is you gotta read the instructions. The days of being able to just wing it, you know, just stop, just read the instructions first. That was one of the biggest problems I saw when people first started having to deal with UEFI and then TPM version one. It was frustrating because there was so much FUD, fear, uncertainty and doubt going around. And the day people would go in and just, "Oh, I can set this up. I'm an expert," and paint themselves into a corner. You're also gonna need to make sure you start making sure you have a password vault or something to make sure that you don't lose those passwords. Now, my biggest question I had when TPM first started coming out was, how am I going to handle a TPM requirement on a virtualized server?

Brian Chee (00:18:29):
You know, especially if I start doing VDI, virtual desktop infrastructure, and I want to use Windows 10. When Windows 10 first came out and they would say, "Oh, you must have TPM," it's like, how am I gonna do that on a blade server or a virtualized environment when I only have one TPM chip? It kind of got solved. Now in this massive tome of a PDF, they addressed this because Windows 11's going to be a very key portion of VDI in the Microsoft world. They started going into silicon assisted security measures using virtualization based security. So look for the new acronym VBS. Quote, "The isolated VBS environment protects processes such as security solutions and credential managers from other processes running in memory." According to this PDF, even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware will help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment.

Brian Chee (00:19:43):
Sounds good to me. So there's a lot of things that are happening, and if you say why, it's because we as an industry have been complaining very, very loudly that we want zero trust. We want to be able to not get hit by all this malware. We wanna be able to trust our computing environments. We wanna be able to basically get on with doing business. And this is one of those things that you're gonna have to take your spoonful of medicine: TPM, virtual environment, the VBS and so forth. You're going to need to do something because if someone, if malware's going to get in and they go in, let's say for instance we get hit by one of those wonderful malwares that can get in, say like MoonBounce or TrickBot or LoJax that actually worms its way into the low level code.

Brian Chee (00:20:56):
What I keep hearing is, well, the only reliable way of fixing this is to actually throw away the machine, which doesn't make anyone feel good about this. So for us to be able to keep moving forward with the cloud, the world of clouds, the world of hybrid environments, the world of, you know, massive computing, we need to be able to trust the platforms. And so sorry folks, TPM's gonna be something we're gonna have to deal with. We're gonna have to deal with, you know, half the dynamic root trust of and things like that. And we're going to have to start learning how to do this. So Windows 11 is that bitter medicine we're gonna have to take and get used to if we wanna do it. Unfortunately I've got some reasonably old machines, so I've got a sneaky hunch I'm gonna have to save up my shekels to buy myself a new machine that does have TPM 2.0. And if that's gonna happen, I'm probably gonna try and see if I can get one that supports Pluton so that I have a little bit more future that I can count on. And now then maybe I'll start going and do some interesting things with Windows 11. Oughta be interesting, but from a security world, we want zero trust. Here's one of the foundation blocks.

Curt Franklin (00:22:23):
Well, Brian, let me, let me ask this. We say we want zero trust. We, we know that we've, we've heard that we know that this is a step in the right direction, but should we also temper expectations? Will having this chip mean that forevermore, we don't have to worry about any other part of security? Or is this a critical part but not a silver bullet?

Brian Chee (00:22:53):
Yeah, I think this, the latter. It's, it is a foundation stone. I, I'm not sure I'd call it a keystone, but is definitely an important foundation stone. You can't expect the ability to have a trusted computing environment if the foundation stones are weak. I guess that's the best analogy I can come up with. We need to be able to trust just because, you know, say for instance the used computing environment, that market, you know, we actually had Curvature on the, on the show not too terribly long ago, and they make their living refurbishing and selling, you know, computing devices and network devices. Well, if we can't trust them, gee, what are we gonna do? Does that mean we can no longer have used equipment? That doesn't sound like a really good solution. So I'm hoping this foundation stone will allow us to be able to start trusting.

Brian Chee (00:23:57):
It just means that, you know, like a, like a used car, you wanna make sure you have the correct keys. You know, both, you know, if you have an old car, you need the key to the trunk and the key to the doors. In the used computing environment, you're just gonna have to make sure that the TPM chips are reset and that the passwords are turned over to you. So things to learn, things change. The world's gonna change. Foundation stones, I, I, you know, that's actually a good title for the show. Foundation Stones.

Curt Franklin (00:24:34):
<Laugh>, I, I like the idea of the foundation. I have looked at what is required to properly implement this. And, and you're right, read the instructions. It has details to the process, but it's not something that requires either an advanced degree in physics or Olympic level acrobatic skills in order to properly deploy. Just, you know, walk down the list, do it right and make sure you're not being either hasty or stupid in setting things up. And all should be well. You know, this is the sort of thing, zero trust is gonna be the architecture that we lean on for a long time. It just makes too much sense. And so I suspect this is not the last time we've heard about this. I wouldn't be surprised if we don't hear about other operating systems making the same sort of requirements of hardware vendors in the very, very near future. Well, speaking of the near future, in our near future, we have a wonderful guest coming on. We're through with the blips, we're through with the bites. It's almost time for the guest, but before we can talk to our guest, we need to hear from Lou Maresca one more time.

Louis Maresca (00:26:01):
Well, thank you guys. I'll get you back to your enterprise and IT news in just one moment. But before we do, we do have to thank another great sponsor of This Week in Enterprise Tech, and that's Thinkst Canary. Now, if there's anything we've learned from this last year, it's that companies must make it a priority to layer the security of their networks. We talk about it all the time. Now, one of those layers needs to be Thinkst Canary. Unfortunately, companies usually find out too late they've been compromised, even after they've already spent millions of dollars on IT security. You know, attackers are really sneaky. Unbeknownst to companies, they prowl your networks looking for valuable data. But the great thing about Canary is they've turned this into an advantage for you. Now, while attackers browse Active Directory for file servers and explore file shares, they'll be looking for documents.

Louis Maresca (00:26:49):
They'll try default passwords against network devices and web services. They will scan for open services across the network. Now, Thinkst Canaries are designed to look like the things the hackers wanna get to. Canaries can be deployed throughout your entire network, and you can make them look identical to a router, a switch, a NAS server, a Linux box, or a Windows server. So attackers won't know they've been caught. You can put fake files on them and name them in ways that get hackers' attention, and you can enroll them in Active Directory. When attackers investigate further, they give themselves away and you're instantly notified. Canary Tokens act as tiny trip wires that you can drop into hundreds of places. Canary is designed to be installed and configured in minutes, and you won't have to think about them again. So the alert happens, Canary will notify you any way you want, and you won't be inundated with false alarms.

Louis Maresca (00:27:46):
Get alerts by email or text message, right on your console there, through Slack, webhooks, Syslog, or even their API. Data breaches happen typically through your staff, and when they do, companies often don't know they've been compromised. It takes an average of 191 days before a company realizes there's been a data breach. Canary solves that problem. Canary was created by people who have trained companies, militaries and governments on how to break into networks. And with that knowledge, they built Canary. You'll find Canaries deployed all over the world and are one of the best tools against data breaches. Visit canary.tools/twit. For just $7,500 per year, you'll get five Canaries, your own hosted console, upgrades, support and maintenance. And if you use code TWiT in the "How did you hear about us" box, you'll get 10% off the price for life. We know you'll love your Thinkst Canary, but if you're not happy, you can always return your Canaries with their two month money back guarantee for a full refund. That's canary.tools/twit and enter the code TWiT in the "How did you hear about us" box. And we thank Thinkst Canary for their support of This Week in Enterprise Tech. Back to you guys.

Curt Franklin (00:29:02):
Thanks Lou. We appreciate you taking care of business for us. Now it's time for our guest, and before we bring him on, gotta say that in the technology industries, in IT and security and networking, all of these, it doesn't matter how good your idea is, if you don't have enough money to develop it, market it, sell it, introduce it to the market, and build a market around it, it will never see the light of day. And in the IT world, that initial money more often than not comes from a venture capital firm. As important as these firms are to the industry, we haven't had a chance to talk to venture capitalists very much here on This Week in Enterprise Technology. So this week we're pleased to be able to have as our guest Jonathan Heiliger, general partner at Vertex Ventures US. Jonathan, welcome to TWiT.

Jonathan Heiliger (00:30:20):
Hey, thanks for having me.

Curt Franklin (00:30:23):
We are, we are pleased to have you because we have a whole bunch of questions that we want to ask. And the first one is about you. With all the misunderstanding and lack of understanding that many people have about venture capital, it's gotta start with being a venture capitalist. How does one become a venture capitalist, or more particularly, how did you become a venture capitalist?

Jonathan Heiliger (00:30:58):
I think there's, there's lots of paths into venture capital, which is the, the good and the bad thing. Well, you know, so first off, like I said, thank, thanks for having me. We started Vertex US about seven years ago. We're an early stage venture capital firm that backs enterprising founders, if you like the, the play on words there. And all five of us on the investment team are all former founders and operators and spend all of our time, you know, investing and helping founders hopefully be more successful at their business. But to answer your question, how did I get my start? I got my start in tech when I was 17. I almost dropped out of high school. I fell in love with this thing called the NSFNET and worked at Stanford on commercializing it, turning it into the internet.

Jonathan Heiliger (00:31:43):
And at 19, I co-founded and was CTO of a web hosting company, one, one of the first web hosting providers. And was very fortunate that that company was ultimately acquired by bigger and bigger fish and set me on my path for my love of infrastructure and building and, and helping scale engineering teams. And got to do that for 20 something years before making the change to venture capital. And, and so my move to venture capital was, was, was as a result of helping people along the way who had either helped me or who were building and solving interesting problems in tech. And I want, I just wanted to help them and give them some time and some feedback or connect them with somebody who might be a buyer for their products. And yeah, ultimately that's, that's, you know, the, the, the short story of what led me to venture.

Curt Franklin (00:32:37):
Outstanding. Well, now I've got to ask. A lot of people, the closest thing they will come to seeing venture capital at work is watching a show like Shark Tank. Is that for you anything like a realistic representation of the, the way you get pitches and the process by which you say, "I've heard your pitch, we'll give you this much for that much of the company"? Or is the process that you work through radically different from that?

Jonathan Heiliger (00:33:15):
I think just like, just like everything on TV and in the movies or, you know, documentary movies, there's, there's shreds of truth there and there's shreds of truth with Shark Tank and in the world we live in of, or how we practice venture capital. But for the last 10 plus years, it's really been a very founder centric market. And, and the adage is that, you know, good founders can raise in, in any market. But I, I think that adage extends to, especially for the last decade, that, you know, people have been able to raise capital fairly easily and quickly just with, you know, sort of pitching an idea on Hacker News and, and, and letting people come to them or, you know, checking in some code in the GitHub and maybe it's an open source project, and then that gets some traction that pops up on an investor's radar.

Jonathan Heiliger (00:34:05):
And so, you know, candidly, Curtis, a lot of what we do is outbound, very thematic research. We spend about 60% of our time and capital in software infrastructure, which you could, you know, think of as, you know, tools and technology to build other things, whether that's in the cloud or developer tools or data infrastructure. And then the other, you know, 40, 40% or so of the time and capital we invest at Vertex, we're picking different vertical software markets to, to research, to build communities, to build our own sort of book of knowledge in and then, you know, find entrepreneurs to, to invest in. So yeah, we get, you know, we, we get pitched seven, 800 times a year and, and we make about five investments a year. And that's really a combination of people who find us through our network or through our website or through a, an accelerator like a Y Combinator or Alchemist Accelerator, get some, get some training, get some coaching, or us reaching outbound because we hear about a cool new open source project or founder that's building a, you know, an interesting piece of technology in an area that we've been studying.

Curt Franklin (00:35:12):
You know, I, I think it's very instructive, that difference between the seven to 800 companies that present to you that you, you know about and are pitched to you and the five to 10 that you actually invest in every year. That's a rejection rate that the Ivy League schools would, would kill for. So let knock

Jonathan Heiliger (00:35:38):
On

Curt Franklin (00:35:39):
<Laugh>. When you, you look back at those five, five to 10 companies, those few companies every year, is there a common thread that links the companies that tend to be something that you want to work with? I'm going to guess with the, the disparity between the number of companies that pitch you and the number you support, it's not enough just to have a good idea for a product

Jonathan Heiliger (00:36:17):
A absolutely, right. The idea is actually, you know, is, is pretty easy. It's maybe how you got there that, that, that gets harder. So we, we find that we've, we tend to back two types of personalities or, or even people that have both of these traits in common. The first is that they're practitioners. They have some empathy because they've, you know, maybe worked inside of another company before, or they, you know, toiling away in a research lab on a problem for a long period of time. And, you know, they, they ran into issues, they ran into gates or problems or some frustration that they wanted a piece of technology to solve. And they got so frustrated that they built that technology themselves and they decided to, you know, build that, build a business based on having experienced that problem and being frustrated about it.

Jonathan Heiliger (00:37:02):
And then the, the second personality trait that we've found in common with the, the founders we invest in really is people who are who, who are infectious leaders, people who can who are magnets maybe for, for, for talent, where, you know, you sit down with them and you get excited about the idea and the vision and the business. And, and it's that combination of two things of, you know, people who are community builders who are curious and open-minded, but also opinionated combined with the, the practitioner's empathy that, that we have found is, is most, most represented across our portfolio. And today, our, today we work with about 40 companies having made 50 investments total in the last seven years. So, like I said, pretty, pretty concentrated. And the good venture capital is there's make a hundred investments a year, and there's people like that make five investments a year.

Curt Franklin (00:37:58):
Well, I, you have made that investment once you've said, "Okay, we're going to, we want to back this company." And, and it sounds like you really are investing what, at the seed level typically, and here, you know, we'll get into a little bit of inside baseball for companies, for people who don't follow investment. There are a number of different stages of investment starting with the seed, well, the founders, then the seed, then you go through a couple of things going to mezzanine, and then you start getting into the series A, B, C, D, Q, L, P, you know, ultimately ending up with one of two goals of either going public or being bought by somebody like Oracle. You know, those, those are the two outcomes. So I, like I said, I'm guessing that you come in very early in the process rather than being one of the big, you know, series D investors where hundreds of millions of dollars is often involved.

Jonathan Heiliger (00:39:10):
Yeah, absolutely. Great, great point. So yeah, seed rounds are relatively new phenomenon in venture. I forget exactly when it was the, the term was coined probably around 2005, 2006, I wanna say maybe a little bit earlier. But yeah, fundamentally to represent, you know, a small, modest amount of money to really prove out an idea or prove out a thesis. When I started my first company when I was 19, our first round was a series A and that was just, it was $5 million. And, you know, we were off and running and for a long period of time leading up to last year seed rounds grew to be 20, 30 million, just to sort of put it in perspectives and put it in perspective though, that's, that's changed pretty rapidly in, in 2022. So where we invest at Vertex US is, you know, we, we invest super early at pre-seed or seed maybe a 500 k to million dollar check, and then we invest at the other side of our barbell, which is a eight to 10 million investment.

Jonathan Heiliger (00:40:08):
Initial, I important to note here also initial investment, Curtis, because there are funds who will invest once and then be done. Sometimes that's like a mezzanine investor to your point, which is typically the last round before a company goes public. But also along the way, there are funds who will say, Hey, I'll give you your first money and then I won't invest again. We are the type of fund that is kind of a classic venture capital model where we reserve capital to continue investing in and, and working with the founders, working with the team. It's often called, you know, investing your pro rata in the company. So today our largest positions are 50, 60 million because we've been investing with the company for, for several years. Even though our funds are relatively small for that, those position sizes. So the fund that we just closed at the beginning of this month is our third fund.

Jonathan Heiliger (00:41:00):
It was a 200 million fund, and we'll make, you know, 20 ish initial investments in that fund. And then as those companies, the, the third outcome, unfortunately, so first choice outcome is we build a big company, go public. Second choice outcome is we merge or sell our business with another business. And that, by the way, that happens about 70% of the time in enterprise. And the third outcome is unfortunately we have to wind the company down because we didn't get to either of the first two outcomes. And so anyway, we, we'll start out with 20 ish initial investments with the idea being that, you know, we'll, we'll learn along the way of which ones that, which ones are performing the best and have the, the best chances for the first two outcomes and double down on those.

Curt Franklin (00:41:45):
Well, the, the idea of continuing to invest, I think is, is fascinating. And, and you're right, it does distinguish you from many of the, the venture companies out there. Now, one of the things that I, I want to go back to the, what the movies tell us about venture funds and how they work with companies. And it tends to be one of two things. Either someone comes in, gives a company money and says, Call us when you're ready to pay us back. And, you know, maybe additional investments, in which case, call us when you're ready to pay back more. The other, and this is probably more common with movies and television, is that the venture capitalists come in, invest money, and then immediately take over and marginalize the founders. It, the founders are squeezed out, everyone's unhappy. It's, it's just terrible, terrible, terrible. So I assume that the truth lies somewhere between those two. Can you gimme an idea of, of what reality looks like, at least from the Vertex perspective?

Jonathan Heiliger (00:43:04):
Yeah, it's a, it's a great question. I don't have stats off the top of my head, so I won't, I won't quote numbers for you, but I would say that if ave in, in my view and in our experience in across our portfolio and our past experiences working at, at, you know, very well known firms, Accel Partners, Menlo Ventures and Sequoia Capital, Crane Ventures, where d where different folks on our team have come from it is a failure state that a venture investor has to jump into a company the moment they invest that, that is a failure state. We are backing teams and want to see those teams and those people grow and develop over time. But I do think it's an important, it, it's an important note that not every person is good at every stage of a company. I, I learned about myself that I was really good at starting things and I was really good at, you know, tens of employees, to hundreds of employees when the companies that I was working at got to thousands of employees, I, I wasn't as good, I wasn't as effective, I wasn't as happy.

Jonathan Heiliger (00:44:08):
My performance ratings dropped, you know, I, I started flunking out, et cetera, and, you know, so that's how I figured out what stage of company I was good at. And so we do spend a lot of time with our portfolio companies, helping them build teams and recruit, because we're generally backing these personality types. I mentioned the so practitioner and the visionary. These are most often times people with technical backgrounds who don't have deep experience selling products, for example. And so we, one of the first things we do is help them hire their first go to market team and, and go to market leaders, which could be individual sales reps, they could be marketers to do demand gen or some other kind of product led growth or enterprise marketing. And our job there is to, is to show, show what good looks like. Hey, we've done this a hundred times, we know that these are the right attributes given the stage and market you're going after, but ultimately it's the founder's decision on who to hire. We, we don't tell them who to hire. We make suggestions on who to hire, and we tell them what attributes to look for. Does that answer your question?

Curt Franklin (00:45:11):
I think it does. And, and it's an important thing. You know, it's, it's interesting that you mentioned the being good at a different part of the company's growth. I know that there are some classic inflection points in the growth of a company that people look for. And I was always, I always thought that one of the most impressive things that Michael Dell ever did was when he hired a CEO because he realized that managing a company the size that Dell had become was out of his wheelhouse. And I, I think it would be good if more founders were able to do that. Well, I wanna bring, Please,

Jonathan Heiliger (00:45:57):
Sorry. I was just gonna say, I mean, I, I think that it's a really important realization that, like you said, that he had, and it does happen, you know, quite, quite often. I, I had the pleasure of working for Mark Zuckerberg for five years, as, as Facebook grew from that, hundreds of employees to tens of that to about well, not quite 10,000, 10,000 people, but along the way he hired Sheryl Sandberg as a chief operating officer cuz he saw it himself. The his own limitations you know, of a leader or Larry Page and Sergey Brin brought in Eric Schmidt early on to be CEO, you know, of the, of the company because being CEO or any other C level job generally means different things the one than founders are doing at the very beginning, taking the big risk, the big leap working with customers and, and building the product you know, means you gotta be willing to do a five hour budget meeting and, you know, come up with a financial plan and arbitrate between what's happening in marketing and sales and finance and all of these other things.

Curt Franklin (00:46:59):
It, it is a, an interesting thing. It's good as Clint Eastwood says, a man's gotta know his limitations. And I I would say we, we can broaden that to simply say a founder's got to know their limitations. Well, I know that one of the things that you have to do as you're looking to invest is understand where the market in general is going so that you have an idea of whether the team and the products that you're looking at have a reasonable chance of succeeding in the market that's going to exist in a couple of years or in four years. And wanna bring in my cohost Brian Chee to, to ask some of the questions about, about how you look at that aspect of what you do.

Brian Chee (00:47:50):
Yeah, we, we've actually had a fairly US-centric conversation so far, and I'd like, you know, you to kind of step back and is the VC market or even technology in your mind different in the US versus, say the UK, UK, EU or Asia? Or, or is enterprise technology all in the US? I, I, I hope not, but <laugh> are the good, are the good ideas outside of the US also?

Jonathan Heiliger (00:48:23):
Ab, absolutely, yeah. There are a lot of great ideas coming from outside the US. So Vertex is a, is a network of funds. We have cousins or, or, or relatives, if you will, that focus specifically on investing in China, in Southeast Asia and India and, and in Israel. And so we cover the US and Europe. And so, you know, my, my view tends to be more US centric just because that's where I spend, you know, bulk of my brain power, but there's innovation happening everywhere and in particular in SaaS and enterprise software. We do see and hear about a lot of companies starting in India not just to service the Indian enterprise market, but to serve globally, you know, excuse me, to serve businesses globally. You know, in, in our case of our portfolio for example, in in fund two, which was 18 companies, 40% of those companies, So just under, you know, half called eight of 18 started outside the US by the founder, started the company outside the US and then immigrated to the US to, to build and scale the company.

Jonathan Heiliger (00:49:24):
And what has generally happened in those situations is the technical team, the engineering team that, that nexus, if you will, that's somewhere else that might be in Israel, it might be in Switzerland or Portugal or the Ukraine. And then the founders have immigrated to the US and they, they're building the go to market team here because quite frankly, that in the case of enterprise software is the real special sauce of Silicon Valley in particular even within the US I think you know, I think if you were starting a, a bike sharing or scooter sharing company to service Germany or service the UK, you should absolutely start that company there and raise capital there and, and be local, really understand the market. But if you're starting a B2B software company you know, or, or an open source business that's servicing developers, again, that idea can happen anywhere. The development of that can happen anywhere. But by the time you start selling that software, the real expertise for that is today still concentrated in the US.

Brian Chee (00:50:25):
Well, let's go and ask a little bit more about the international world GDPR and other governmental speed bumps. <Laugh> have made life a little interesting. How big a speed bump has it been for the VC world?

Jonathan Heiliger (00:50:46):
Honestly, GDPR I think has been it's been a boon for the VC world because there's been all kinds of new companies that have gotten created around helping existing businesses manage their data both into and out of the EU and then in with California CCPA you know, dealing with all of these compliance excuse me, new regulations and new types of compliance regimes.

Brian Chee (00:51:10):
Very cool. Well, one more big question.

Jonathan Heiliger (00:51:14):
Sure.

Brian Chee (00:51:15):
There, there's a lot. Everybody ha thinks they have a great idea, but they don't always have a great team. Have you run into some organizations that have been really great, but are missing one piece, does Vertex or VC organizations like Vertex go in and try and help them realize their limitations? Or is that kind of one of the no-nos of VC?

Jonathan Heiliger (00:51:46):
I'd say historically, VCs hate to say why they say no, because we, I'll, I'll lump myself into this class are always concerned about the, you know, the opportunity to get another shot on goal, to get another, to have that founder come back and say, Hey, I, I did this new thing and now I'm totally different. Rather than turning off the founder by saying, you know, we didn't like X, Y, Z, we didn't like that you didn't have a business person on your team or a technical person on your team. There are class of investors, and I'll put myself in this class as well, or ourselves in this class as well, like, that are like Vertex that strive to give honest and actionable feedback to, to founders early. We, we are very careful with it. We, we try to be honest, we try to be positive.

Jonathan Heiliger (00:52:35):
But you're, you're absolutely right to hone in on the missing ingredient of a team is, honestly, it's probably the number one reason that we, but we end up not investing in a team or a company is because we, we see something missing and we do our darnedest to tell the founder or founders why we think it's missing and why we think it's important. And then, you know, they can decide whether or not they, they wanna solve that or not. And, and, you know, or heed our advice or not, or, you know, go to the knock on the next door to raise capital. We, we have made, I say that though, and, and, and I'll give you the opposite, which is we have made investments in solo founders purely technical founders who, who don't have a business co-founder. And then, you know, we, we tell 'em in the investment process, like, here's the number one thing we want to go do.

Jonathan Heiliger (00:53:21):
We wanna go hire a business person, but we wanna do it with you and make sure that they're bought into that on, on day zero, if you will. I was, I was recently in New York this week and I was sitting down with a, another investor at a very well known blue chip firm, and you know, he, he said his comment to me was, he mostly invested series A and beyond, which is kind of the million to $2 million revenue mark and up. His comment to me was, if the team's not perfect, I'm not investing.

Brian Chee (00:53:49):
Wow. Okay. Let, let me go show my old federal hat. There has been many, many, many times I've been involved with conversations within the US federal government and DoD where they're saying, Gee, I really wish Technology X was available, but I don't have a mechanism within the Department of Defense to go and fund that. Have you actually heard of people say, I wish Technology X existed. Can you go out and see if it actually exists in your proposals that people are pitching you?

Jonathan Heiliger (00:54:33):
Yeah, I mean, absolutely. We, we've heard that from I'm trying to think how to how to phrase it. But basically there are venture capital arms of the US government and of other friendly governments that invest in funds and invest directly in companies. And I think, you know, one of the, the goal, their major goals is to sponsor that type of innovation and, and research that maybe can't happen inside of the federal government. You know, we've seen a lot of things around communication, technology, new types of materials you know, new, new types of security you know, both attack prevention and, and things to, to, to thwart, excuse me attacks come with sponsorship by some of the, the government affiliated venture capital arms in, in our case, we spend, I'd say, more of our time just given that we've worked for so long in enterprise and worked in, in big organizations.

Jonathan Heiliger (00:55:33):
We spend time with the CIOs and CSOs and heads of technology or engineering of, you know, in financial services and high growth internet companies, et cetera. And that, that's part of our sort of theme building and community building at Vertex is we're, we're trying to constantly learn and understand sort of where are the gaps and problems, one so we can connect people just cuz that's building good karma. If I can help you solve a problem, you know, I'm, I'm hopefully, you know, earning credit and earning favor to come and ask you for help later down the road. And, and we use those, those interviews, those calls that time spent to inform ourselves as to, you know, where, where we should be spending our time. And, and if you, and, and you know, to use the analogy of going truffle hunting to find the people that are working on the big ideas that relate back to what we hear from, from enterprise or some governments.

Curt Franklin (00:56:27):
Well, Jonathan, you'll recall when we were talking before we went on air, we told you that 30 minutes would fly by, and darn if it hasn't it seems like there's a lot we could still talk about. Unfortunately, we've hit the end of our time now. One of the things we try to do here on twit is give our guests a chance to tell us what they want us to know about their firm. Now, many times that's a product they want or a service they wanna pitch. Things are a little different with Vertex, but what would you like us to know about Vertex that, that we haven't asked you about yet?

Jonathan Heiliger (00:57:08):
Well, I, I appreciate the opportunity. I feel like I got, I got to say it by, by weaving it into my answers. But I guess I, I would generally say that, you know, we're, we're still bullish on tech. We're, we're open for business. We're funding new, new, new founders and new startups in and around enterprise software and, and, and data infrastructure. And, you know, as a firm as a, as a boutique fund that's, you know, comprised of people who have been founders and operators like we like to work side by side with, with founders. And, you know, think that that's the, that's a great way to build a great, great and enduring companies. And, and, and with that, I'll thank you again for having me on the, on the buy.

Curt Franklin (00:57:48):
Well, thank you for being our guest. As I said, we've been, we've wanted to have a per someone from a venture capital firm here as a guest. And you are, you have been absolutely perfect everything we could have asked for. So thank you so much. Would love to have you as a guest again at some point in the future.

Jonathan Heiliger (00:58:10):
Awesome. Thanks so much.

Curt Franklin (00:58:14):
Thank you for being one of our viewers whether live or in a recorded version, we really appreciate you being here. Before I wrap things up, want to go over and ask my co-host and friend Brian Chee what he has planned for the coming week, what he's working on that's keeping him busy.

Brian Chee (00:58:36):
Well, you know, I like to tinker. In fact, you know, I think that should be my new nickname, Tinker. Anyway I love to also hear your suggestions. It was interesting enough, I didn't think venture capital was going, was something that our viewership wanted to see until I started getting hit by emails and Twitter messages. So, you know, why don't you throw some ideas at me on Twitter. I am A D V N E T L A B, that's Advanced Net Lab. You get to see some of the things. I actually went and played a played hooky for a little while and went to go and see a warbird museum in Titusville, Florida. That's actually some pictures of a very rare double Mustang, P-51 Mustang, two Mustangs grafted together. There's only six of them left in the world. Got to see one in person.

Brian Chee (00:59:38):
Very cool. I also would love to get emails from you. People ask me questions, people make suggestions sometimes people complain at me, that's fine too. You know, it's also fine if English isn't your first language, you know, feel free to use a translator. I'll use a translator back. Just keep in mind that one or both of us are using translators. Not always perfect, but I will try. My Japanese is okay. My Spanish is a little better. My German is, eh, just a little bit. But I will try to answer your questions as best as possible. I am cheebert, spelled C H E E B E R T, at twit.tv. You're also welcome to throw email@twtwi.tv and that'll hit all the hosts PR folks. Send it to cheebert@twit.tv. That way I can shuffle things going and try to not lose your email. I'm getting upwards of three or 400 a day, so takes a little bit to sort through. So please be patient. And we'd love to hear from you. So VC is one of the threads that people have been requesting along with things like cloud computing, hybrid computing, zero trust, obviously lots and lots of ideas coming at us. And we will try to book guests that will fill your every wish. So want to hear from you. See you next week.

Curt Franklin (01:01:21):
Thanks Brian. And obviously as you heard him talking, Brian is not only my co-host here, but the producer of the show going out, finding our guests, making sure that all the i's are dotted and the t's crossed to make sure we can bring you people like our guests today. Now, if you wanna follow me, please do so on Twitter. I am at KG four gwa. My writing for most people appears on Dark Reading. That's Dark Reading slash mia om d i a got a piece coming out this coming week. Would love to get your opinion on that. Also, feel free of course to follow me on LinkedIn. I'm on LinkedIn as Curtis underscore Franklin. Would love to hear from you. Always appreciate hearing from members of the TWT Riot. Well, that's it for us this week. We'll be back again next week, bringing you more news from the world of the enterprise. Remember, if you want to know all there is to know about enterprise technology, just keep quiet.

Speaker 6 (01:02:41):
Hey, we should talk Linux. It's the operating system that runs the internet, bunch of game console, cell phones, and maybe even the machine on your desk. But you already knew all that. What you may not know is that TWiT now is a show dedicated to it, The Untitled Linux Show. Whether you're a Linux Pro, a burgeoning sysadmin, or just curious what the big deal is, you should join us on the Club TWiT Discord every Saturday afternoon for news analysis and tips to sharpen your Linux skills. And then make sure you subscribe to the Club TWiT exclusive Untitled Linux Show. Wait, you're not a Club TWiT member yet? Well, go to twit.tv/clubtwit and sign up. Hope to see you there.
