CIOs and CISOs have a tough ask: Consider the burgeoning field of emerging technology options, separate the startup wheat from the chaff and land on a product or service that truly makes a difference.
One response to this quandary is to adopt a venture capital mindset. That is, thinking about technology choices the same way a VC considers the startup landscape and its investment strategy. In this approach to select emerging tech, the VC's deal pipeline becomes the CIO's or CISO's idea pipeline. The VC's company portfolio becomes the enterprise technology stack.
This innovation mindset manifests itself in different ways. In some cases, it's a matter of taking on a new IT management philosophy. In others, it's a matter of tapping VCs as technology thought leaders to get a better handle on the coming wave of developments. And, at another level, CIOs and CISOs become VCs, investing in companies to access to new technology or influence its direction.
VC mindset to vet IT: Laying the groundwork This change in thinking -- and acting -- might also require structural and cultural change among enterprises. Organizations might have to rework internal processes to more rapidly adopt and diffuse emerging technologies, for example. Looking at IT through a VC lens also calls for a different way of considering risk, with enterprise technologists placing bets on early stage companies. Making such choices, while avoiding lock-in when things don't work out, has ranked among the hardest parts of a CIO's role. As CIOs and CISOs absorb VC lessons, they will need to fine-tune their spending and prepare to embrace the unconventional, according to Ross Hosman, CISO at Drata, a security and compliance company, and the former head of cloud security at JPMorgan Chase. "CISOs really need to start taking this mindset because you have a limited number of dollars to deploy for your security program," he said. "And just because something has always been done the way it has been done doesn't mean you can't shake it up." Such bold steps must also be rapid ones. Sean Beard, vice president at Pariveda Solutions, a business and technology consultancy with headquarters in Dallas, said CIOs need to get ahead of the tech curve "before the business comes back and says, 'We need you to do this,'" he added. With on-the-cusp technologies such as real-time 3D, a component of the metaverse, the goal is to get on top of the development before competitive advantage evaporates. "The VC mindset is to be able to bring [technology] in, evaluate it and incorporate it if it's good, and reject it if it's not," Beard said. An idea funnel and rapid tech diffusions are aspects of the venture capital mindset
The initial task for the CIO as VC is navigating the new technology funnel. Tony Olzak, CTO at Trace3, an IT services provider based in Irvine, Calif., runs the company's VC briefings program, in which CIOs hear from VCs and companies coming out of stealth mode. A key aspect of the VC mindset is simply learning about what's out there. "In order for you to invest in great ideas, you have to hear about great ideas," Olzak said. "How are you doing that as a CIO?" In order for you to invest in great ideas, you have to hear about great ideas. How are you doing that as a CIO? For starters, CIOs can take a page from a VC's portfolio management -- or, possibly, Taylor Swift. The singer/songwriter might write 100 songs of which perhaps 20 will make it to final production, with 12 included in an album and two or three released as singles, Olzak noted. Technology investments roll the same way. "In VCs, when you look at their funding cycles and their funnel, they'll review 100 companies and only one of them will get funded at the end of that cycle," Olzak said. With that in mind, CIOs should consider creating their own deal flow or idea funnel, he said. That means creating a network through which they can encounter novel ways to harness technology and support enterprise objectives. "And not just technology to drive efficiencies, but technologies to transform your business," he added. VCs have extensive networks, Olzak said, noting that perhaps only 10% of their funnel comes from cold-calling startups trying to pitch them. The bulk comes through established relationships, cultivated in the course of investigating the various technology spaces they want to tackle. The typical CIO or CISO lacks the time to comb the industry for the right innovation contacts. But some work directly with one or more VCs to build their networks and tap into transformational thinking. They might also work with consulting firms that can make matches. Trace3's VC briefing program, for instance, starts with the consultancy learning about a CIO's or other executives' most pressing problems and then gathering a group of startups that address those challenges. The executive can then hear several presentations all at one go. "It's kind of like speed dating," Olzak said. A line-of-business leader at a large enterprise needed real-time access to data, along with an understanding of how to use AI and predictive analytics. The company's IT department said the initiative would take two years. The business, however, needed the capability much sooner. When the client came to Trace3 with its problem, the service provider lined up a VC briefing involving 13 previously vetted startups. "We've met the founders multiple times and we understand the technology," Olzak noted. The briefing surfaced two Series A startups whose offerings, in combination with legacy technology integration, let the client launch a proof of concept in six weeks, Olzak said. That paved the way for a production deployment and an expansion of the project into eight business units.
A CIO's network need not be limited to external sources, however. Darren Person, global CIO at The NPD Group, a market research firm in Port Washington, N.Y., said CIOs might work with a venture organization within a larger enterprise. In that scenario, CIOs share their technology strategy with the venture group and the group determines if any of its acquisition or investment targets line up with the IT teams' strategies. At small to midsize businesses, a business development group takes the place of a venture organization. That's the case at NPD and Person said his discussions with business development follow a similar model: "We talk about the technology strategies that we have and if there is an opportunity to potentially accelerate our technology strategy through some kind of partnership or acquisition." The business development group shares profiles of the companies it's tracking. The next step is to determine, from the CIO point of view, whether any of the companies are worth considering and, if so, what type of relationship to pursue. The relationship "could be an investment, taking a small stake in a company that had some interesting technology or partnering with an early stage startup," Person said. As for outright acquisition, NPD considered purchasing the assets of a company that had technology for automating the data coding process. The deal didn't materialize, but illustrates how the company could bolster its in-house IT -- in this case its data science team -- through acquisition.
The tech-manager-as-investor approach is also evident in Silicon Valley CISO Investments (SVCI), a group of 60 CISOs that serve as an angel investor syndicate. The group conducts quarterly assessments of early stage companies, perhaps 10 to 30 firms although the numbers vary. At the end of cycle, as many as five companies are considered for investment. SVCI mainly focuses on companies at the seed, Series A and Series B funding levels, Hosman said. "We're a smaller VC [and] our investments are smaller," Hosman noted. But SVCI introduces its portfolio companies to larger VCs that can provide additional funding. SVCI's cybersecurity-related funding recipients include Drata, Island, Orca Security and Tines. Hosman became Drata's CISO based on his involvement with the investor group. "We made an investment in Drata and, as part of that investment, I joined Drata." The Drata investment demonstrates SVCI's approach, which is to fund companies that address the day-to-day needs of security practitioners. "Part of what we look for is companies that are solving a problem that we have and Drata solves a major problem in the security compliance space," Hosman said. That problem, in a nutshell, is the lack of automation in the security compliance process, which he said has been very manual, time-consuming and tedious. Drata's technology "solved the need that I had at JPMorgan Chase, where I was looking at how do we do compliance in our cloud environment," Hosman recalled. He conferred with AWS' CISO on that issue and learned the hyperscaler deploys 700 developers to automate security and compliance. But hiring that volume of people isn't practicable for the typical CISO. "When we saw Drata, this was kind of a no brainer for us," Hosman said. "It solves that need that a lot of CISOs or chief compliance officers have."
The single-minded pursuit of a specific CISO or CIO pain point is what VC-minded IT leaders are looking for in an investment candidate. "The pitches that I see that are really successful are the people that focus on the problem statement," Hosman said. "The pitches that I see that don't do really well are from people that try to tell the lofty stories, like how they're changing the world." Beard at Pariveda said business leaders considering startup partnerships should beware of "shiny object syndrome" and resist the urge to jump on the technology bandwagon. His advice: Don't lose sight of the practical. "The first question is, "What are the use cases?" Beard said. "Work backward to the stack to understand the different technologies we need."