Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Matt Goldstein (00:01):
Trade secrets are easy to protect when your trade secrets are the tooling and the fixtures and the machinery that are in your factory. And the only way to get into your factories to get a job there or steal the key. And by the way, there's a guard in a gray suit walking around at night when the factory is not running. But trade secrets kind of go out the window when your business is a CAD file and all you really need
(00:26):
to know is where's the file, and what is the printer that prints it? Does that immediately eliminate all competitive advantage for some category of manufacturing? You better hope not.
Announcer (00:37):
Welcome to Tough Tech Today with Meyen and Miller. This is the premier show featuring trailblazers, who are building technologies today to solve tomorrow's toughest challenges.
Jonathan (00:50):
Welcome to Tough Tech Today with Meyen and Miller. This is Matt Goldstein, Managing Director of M12, Microsoft Venture Fund. Matt has an awesome background, we're going to be diving into it. But to put it short, he invests in optimism, and in specific types of investments being on the
(01:14):
levels of other frontier technologies like software services, blockchain, 3D printing, drones, the list goes on. And we will be getting into that. But first, welcome Matt.
Matt Goldstein (01:29):
Thank you, thrilled to be here.
Jonathan (01:31):
So let's go first into this investing in optimism because this is a great, interesting way to put it and I empathize completely. So could you elaborate on what you mean by that?
Matt Goldstein (01:47):
Yeah, I'm a pretty anxious, pessimistic person. And I love my job, because my job is to hang out with people smarter than me, who are solving important problems and making the world a better place. And I get to play some teeny tiny role in helping them be successful and thereby making
(02:07):
the world better place. I would be shocked if most VCs didn't end up in the job via sci-fi, through some way, shape or form. And, you know, my particular appetite is for the more optimistic variety. So I yeah, I get to hang out with people who are trying to change the world in ways that I find very
(02:28):
exciting. And I've summarized that by... in the phrase "investing in optimism".
Jonathan (02:33):
So your forte I say is, one of them at least, is in cybersecurity. And for most of us on the consumer side, it means that I have to put in bigger passwords or passphrases to my phone, to my computer, to everything and then a unique password for everything. And so that can be quite a hassle and
(02:56):
annoyance to... at least perceived to be... for a lot of folks. Could you just... to level set on the importance of cybersecurity and why there are investment opportunities in this and why it really matters to mom and dad in terms of why they should be caring about this frontier work?
Matt Goldstein (03:14):
Yeah, that's a really interesting way of asking the question. Look, the gap between the physical and digital world is shrinking every day, right? My parents have a safety deposit box that's located at... No I'm kidding, I'm not gonna tell you where it's located. And I don't know what they have in it, right? Some documents or
(03:35):
something, right? I don't have one; I've got PDFs and they live somewhere. My username... No, I'm not gonna tell you that either. So this gap between physical and digital is disappearing. And, man, it's a really interesting question. You
(03:57):
know, humans have been building walls and building locks and devising weapons to defend themselves and their families and their property since time immemorial. So cybersecurity feels new. But it's an obvious and natural extension to our lives becoming digitized. So it's obnoxious, I completely
(04:21):
agree with you that... a lot of the steps we have to take are obnoxious to me, that is nobody thinks that their front door lock is obnoxious, right? So it's simply a function of the fact that cybersecurity is nascent, that these tools are new, that technology is changing
(04:42):
faster than the physical world. And it is up to us and it is up to the entrepreneurs and technologists who are building new cybersecurity solutions. And really, sorry, the people who are building digital solutions to first off make their products more secure. And second, the cybersecurity vendors to help them make their products more secure so that it can start to fade into the background. And you know, you wouldn't think of it any more than you would think
(05:04):
of your door lock as being obnoxious.
Forrest Meyen (05:07):
So your focus is on cybersecurity and B2B companies. And have you found that B2B businesses are still kind of getting used to cybersecurity as part of the doorlock? I know that, mom and pops, like me and consumers are
(05:29):
still really getting up to speed, but what's the current state for enterprises?
Matt Goldstein (05:37):
Yeah I mean it runs the gamut, obviously. Some industries... well, let's see, I think you could think of it as as two different axes, right? Some industries inherently care more, and some industries inherently care less, right? And financial services inherently cares more, because they don't want to lose money and be on the hook for it. And then the other axis might be the regulatory
(05:59):
axis, right? Are there specific requirements, or certifications, SOC 2 for example, that they are required to achieve, I guess, would be the right word, in order to be compliant, in order to be able to offer their solution or perhaps in order to be able to offer their solution to a specific customer segment,
(06:20):
like the government? Maybe the worst quadrant to be in is the high requirement to low inherent care, right? These are the sectors that tend to get hacked and the hacks have tremendous, far-reaching consequences for you and me:
(06:42):
we have to reset passwords and deal with identity theft. I don't need to point at any specific hacks in our history for us to think about the personal consequences of an enterprise being hacked.
Forrest Meyen (06:54):
Sure. What industries are those that kind of meet that profile?
Matt Goldstein (07:04):
I don't have a good answer for you. I mean, I think certain arcane sub-segments of governments, the OPM hack, for example. I can never remember which credit bureau it was.
Forrest Meyen (07:19):
Was it Experian?
Matt Goldstein (07:24):
... yeah, they both start with E. Legacy industries that have not necessarily adapted to the digitization of every other component of our daily lives would be another classic example.
Forrest Meyen (07:44):
Okay. And as far as threats go, like, what do you see is the biggest threat in cybersecurity? Like, is there a particular type of tack or hack or new technology that is really kind of the frontier of cybersecurity?
Matt Goldstein (08:03):
So, I have two answers to that question. And I think both of these answers will take us in an interesting direction. One is the business model, the business model of attackers. In the past, hackers you think about the Hackers movie with Angelina Jolie way back in the day, right? It was, it was fun. It was interesting. It was curiosity. There was no business model here. That has changed
(08:24):
dramatically. And surprise, surprise; incentives drive behavior. So to the extent that hacking is a business, and it's an organized business, in some parts of the world, it's a very organized business with call centers and boards of directors and balance sheets. You need not be surprised that they get very
(08:45):
good and very professionalized. And so the challenge for cybersecurity practitioners and software developers is to... well, it's twofold:
(08:55):
one, make themselves a slightly less appealing target than the next guy, right? You don't have to be the fastest person running away from the bear, you just have to not be the slowest. The other concern here is the fundamentally asymmetric nature of attacker-attackee of the
(09:18):
cybersecurity landscape or ecosystem. Targets tend to be companies, companies have websites and LinkedIn profiles. You know who the people are. You know who their vendors are, you as an attacker can go figure out where they keep things, they have to make public filings, right? There's a lot of information out there about any given target. As the attacker,
(09:41):
you know, you're not a nation state, you're a group of individuals who may or may not be in the same building or the same city. These individuals may or may not even know each other's real identities. So the attackers are hidden and amorphous and don't operate on any specific timetable or
(10:03):
schedule. They can adapt their tactics and ways that organizations can't operating in a public marketplace. So cybersecurity is fundamentally asymmetric. And part of my investment thesis for cybersecurity is to find ways to
(10:23):
address that and find ways to flip that script a little bit and find ways for defensive actors to coordinate and take advantage of their shared scale, to start to flip the script and come up with a unified defense against an amorphous attacker.
Jonathan (10:45):
With this part doing really well, in my opinion, in terms of keeping it from being the fear mongering that some folks advocates for cybersecurity have, like that the whole world is out to get my password or something, which, you know, may or may not be true. So then it seems like that
(11:06):
there's also this privacy angle that... you know, the rule of thumb is like if you don't want something accessible to people, don't put it on the internet. But as we've seen, through the pandemic of that we're spending a lot of time in a place with people that we didn't expect to be spending this much time with, or the other side, where we're spending so much time apart from loved ones and friends, longer
(11:30):
than we expected to. And so that latter case is where we need to be communicating through digital means. And so it's mandatory that I'm putting it on the internet. It's just having to ride on the internet infrastructure to do my routine communications. And so that then, I have nothing to hide argument starts to come up well, like, well, I don't need an
(11:53):
encryption, because I'm just talking about my cat. But what's more at the heart of that privacy need?
Matt Goldstein (12:03):
Yeah, look, I have family members who work in an in-person job, do not participate in social media, do not have any IP messaging, right? They have a mobile phone that they use for phone calls, and the occasional text message. Their job does not require them to log into anything on a
(12:25):
regular basis. And cybersecurity is still relevant to them, right? Both to your point about privacy and the simple fact that you don't need to to participate in an ecosystem to be a record in their database somewhere. And thinking more about the business models of attackers:
(12:42):
identity theft, trading corporate corpi, a PII of personal data. You don't need to be an active participant in this ecosystem to be threatened by it, right? So the concerns apply to everybody. But to your point about about fearmongering. You know there's
(13:05):
an element of education, certainly. I don't think you need the cops pounding on your door and saying, did you remember to lock your door to just learn as you grew up, that you generally lock the door when you leave the house. At the same time, as I said at the beginning, it's up to us, both as cybersecurity practitioners, call them lock builders, as well
(13:28):
as the home builders, the application builders, to make their solutions, to make their products inherently more secure and inherently less attractive to attackers. For the last 20 years, the business models of, not attackers, but of the internet, have focused on collecting more and more data. And we're starting to reach a point where maybe collecting all
(13:50):
that data is a liability. And maybe keeping that data as a liability. And maybe a better business model is to purge data and not have anything, not put your crown jewels in the kitchen window that face the street, right? Because you just don't have them. Because you're a little bit more of a minimalist. So I think there are economic considerations, business model
(14:16):
considerations for both attackers and attackees, attackers and technologists and software developers that need to be considered before we even start getting into this whole shift left, build a more secure application, build a more secure house, and then the next layer of the onion which is what cybersecurity vendors do I hire, what solutions do I purchase,
(14:38):
how do I configure them, how is my cybersecurity team trained, how do I train my employees to be vigilant? These are layers of the onion that are critical, but that could be so much thinner
we just did a better job at the
Jonathan (14:53):
If I'm, say, medium
sized business or a corporate
beginning.
(15:14):
intranet, and I thought I wouldhave been doing right by
adopting solar winds and thelist goes on in terms of tools
that seems like everybody'svetted it, seems like it's going
well, and in many cases, folkshave vetted it. But there's
these the zero day attacks andother forums that make it so
(15:37):
that the world shifts reallyquickly. Is there a sort of,
based on your sort of view as aninvestor in the next generations
of these kinds of securitymeasures and technologies, is
there advice to the admin, theperson who is... he or she has
(15:59):
to work with commercial off theshelf technologies, but they're
being faced with sometimesfrontier tech kind of
challenges...?
Matt Goldstein (16:09):
A microscopic percentage of big breaches are the result of incredible technology innovation on the part of the attackers:
(16:18):
a microscopic percentage. Keep your software updated, configure it correctly, and enforce good cyber hygiene, password hygiene and other related topics and you have eliminated 99% of the attack surface. But okay, people
(16:43):
are still going to buy cybersecurity solutions. So there's this concept that's been around for a long time called defense in depth, which any real cybersecurity practitioners who are watching this are gonna laugh for my poor explanation of it, but look, it is the layers of the onion, it is wrapping layers upon layers of application security and web
(17:04):
application firewalls and authentication services, and identity services; it's just wrapping things over and over and over again, so that if something gets breached, you have another layer of security underneath it. But the problem here, as evidenced by the SolarWinds attack, is that every one of these things that you wrap is in and of itself, an
(17:25):
attack surface. Software is not perfect, unless you're NASA and doing kind of formal verification.
Forrest Meyen (17:37):
Even then it's
not perfect.
Matt Goldstein (17:38):
Yeah, I know. I thought that was... generally speaking, software isn't perfect. And so again, you're much, much better off not getting too creative, exercise really good hygiene, keeping your software updated. And then, you know, very slowly and deliberately identifying the
(18:00):
specific elements of your business, not just your infrastructure, but your business that make you vulnerable, identifying the assets that people are interested in, right? Is it customer data? Is it employee data? Is it payment information? Is it... I don't know, what else? Those are some examples. Can I retain less of that? Can I get
(18:24):
rid of some of it, so that there's less to be exfiltrated?
Jonathan (18:30):
So it sounds like it's a bit of a case where we've been sort of high on the hog, so to say, of, of ingesting more and more data, and everybody wants to have their own sort of fiefdom of data so we can do big data things on it. But really, now it's about... let's be really selective about what we truly need to know and to work with.
Matt Goldstein (18:50):
That's exactly right. And then taking it a step further, this whole concept of zero trust, right? It's all about conditional access. So maybe we keep something because we need it, but under what circumstances do we need it? What are the processes and procedures for getting access to it? You know being very careful and selective about the
(19:11):
data that you keep, where you keep it, when you keep it. I mean, again, these aren't even cybersecurity topics; these are just like life, right? These are just kind of personal hygiene topics.
Forrest Meyen (19:22):
We kicked off this discussion talking about how a lot of the physical world is now being digitized. And another interesting, you know, set of investments in your portfolio is 3D printed. So I see you're an investor in Markforged, which is a 3D printing company, not too far
(19:44):
from me, actually. So that's the digital world becoming physical. I wonder if you can talk a little bit about what makes 3D printing really interesting, and how do you think it's gonna be used in the future of business, like in the next 10 years.
Matt Goldstein (20:04):
Yeah. Do you
want to talk about the
cybersecurity of 3D printing?
Forrest Meyen (20:07):
Well actually, yeah, that's a good transition. I'm curious. Yeah, yeah, go ahead.
Matt Goldstein (20:15):
So I've known the Markforged team since 2014 or 2015. David and Greg are two of the smartest people on the planet, as far as I'm concerned or aware. I am not a mechanical engineer. It's not space that I knew well, and certainly not a space that I continue to know well enough to claim being an
(20:38):
expert by any stretch the imagination. So my initial investment was really just a bet on the team and on the market. And on this fundamental belief that supply chains would need to get shortened, that just-in-time manufacturing means just in time for every component. And that 3D printing in its various forms
(21:00):
was inevitable. I prepared some talking points on my favorite books, because, as I said at the beginning, I think everybody comes into this industry via sci-fi in some way, shape or form. So it was Neal Stephenson, however you say his name. He's my boy. So Cryptonomicon is the thing that kind of created my
(21:24):
interest in cybersecurity, certainly, but startups and venture capital more broadly. He had a follow-on-work Diamond Age, which, which is the thing that taught me a lot about 3D printing, but it exposed me to the fantasy of what could be possible in the not too distant future. So yeah, invested in
(21:47):
Markforged. And been with them on the ride of our lives for the last six years. And of course, they're in the process of SPACing, which is pretty cool. And then I have another cybersecurity investment company out of Israel called Nanofabrica, which is doing nanoscale 3D printing using a twist on a Vat Polymerization technique. So teeny tiny parts that need to be incredibly
(22:10):
accurate. Look, for both Markforged and Nanofabrica, whether you're talking about a shift lever on a motorcycle, like the one that Markforged has always had in the front of their office, or you're talking about something that's part of a medical device, or a component that's going to get embedded somewhere in your body or threaded up a vein or an artery somewhere. You know, historically, the process for
(22:33):
manufacturing these things was... I think the Markforged deck used to have this picture of this guy working a CNC machine, and he was in his 70s, wearing the blue overalls, and they always called him Frank, right? The answer was always Frank, right? You've got this custom part, and you send it off, and that person sends it off, and that person sends it off. And at the end of this chain of sending off these
(22:53):
designs, and these parts was Frank in workshop operating the CNC machine. And we think about scale in every component of the technology industry, it's always about scaling the work that we do, and you can't scale manufacturing if you can't digitize the process. So an overarching theme of all of our
(23:17):
investment activities is digital transformation, and why shouldn't manufacturing be digitally transformed? And digital transformation manufacturing doesn't just mean cooler Kanban boards or touch screens on the line? Like why can't some of these actual actions be taken by machines? And why can't these machines be kind of operating in a recurring fashion? Just just like a just like a lambda function, right?
(23:40):
Or just like a microservice somewhere? Why can't manufacturing be a microservices architecture? So that's what inspired my interest in the space; beyond that, it's been very kind of team driven, looking for new technologies and the teams that are capable of executing on them, trying to ignore the 3D printing market size I think that's the most
(24:03):
common objection we hear to investments and say, look, this is not about 3D printing, this is about manufacturing and what is the market market size of manufacturing? Well, it's everything right? Everything that isn't software is manufacturing in some way, shape or form. So looking at the CNC market, looking at the EDI market... looking at the EDM market, excuse me. 3D printing will grow the pie, right? All of
(24:29):
these are grow-the-pie technologies. Cybersecurity for 3D printing is a cool topic. I get yelled at whenever I use this term, but DRM for designs, right? DRM for CAD models. Everybody hates the word DRM and so they get all touchy when I when I use the phrase. When I hear the pitch, I'm like, oh,
(24:51):
god, so you're building a DRM for CAD models.
Jonathan (24:55):
For the audience, in
case you haven't been...
Matt Goldstein (24:59):
Yeah, Digital Rights Management. We're all old enough that we dealt with ripping DVDs and ripping CDs.
Forrest Meyen (25:07):
Back when Napster
was cool and no one knew it was
wrong.
Matt Goldstein (25:12):
Not that any of us have ever have ever ripped any content from any source ever. But trade secrets are easy to protect, when your trade secrets are the tooling and the fixtures and the machinery that are in your factory. And the only way to get into your factories to get a job there or steal the key. And by the way, there's a guard in a gray suit
(25:34):
walking around at night when the factory is not running. But trade secrets kind of go out the window when when your business is a CAD file, and all you really need to know is where's the file and what is the printer that prints it. Does that does that immediately eliminate all competitive advantage for some category manufacturing, you better hope not. National
(25:58):
security concerns, right? A lot of these 3D printing companies have big military and defense customers and contracts. Because the things that they're making go into other things that we're not supposed to know about. And I don't know about and that's fine. I don't want to know. So how do you protect this stuff? It's not just a matter of protecting the file, but
(26:18):
understanding when it's used and how it's used, instrumenting files that can communicate with a central service. Back to back to my earlier point about what do you keep: should we be keeping all the previous versions? Where do we keep it? Who has access to it? What can you do with it? As I said at the beginning, the separation between physical and digital is
(26:39):
shrinking in both directions, and so cybersecurity applies even to the 3D printing market.
Jonathan (26:47):
The intersection of the physical and the digital is really an interesting point and about the sort of... is my whole business just a CAD file? And extrapolating that out to the global... nation state level, you're based and invest from the
(27:08):
United Kingdom, do work with a lot of sort of companies spanning the globe and a company Microsoft, ultimately that's global... what kind of differences and whether it's toward nationalism, sovereignty, etc., what kind of differences are you seeing in the market and the mentality of the folks that
(27:31):
you're working with?
Matt Goldstein (27:34):
Yeah, interesting question. So as you point out, Microsoft's a global company, and when we started M12 about five years ago, Satya said to us, Microsoft's a global company, we want you to be a global firm. So it took a while. You can't kind of flip a switch and go from a three person team to a 10 person team, spread around the globe and trust each
(27:56):
other and understand each other and be able to do deals together. But we have scaled up over time. So we now have five or six investors in San Francisco. I moved to the UK about 18 months ago to to open up our European presence. I've got three colleagues in Israel and Tel Aviv and one in
(28:16):
Bangalore in India. I mean, it's an entirely separate topic that we can spend as much time as you want on but this general concept of kind of pre versus post-COVID: startup location, companies are global, companies are remote, the Silicon Valley diaspora has really accelerated. Oh, and by the way, as long as we're close enough on timezones,
(28:40):
I don't really care where you sit at all, kind of lowering the bar to taking a meeting. And hopefully that means that we're all a little bit more inclusive in our investing activity and investing practices. Yeah, it's a cool topic. In the domains where I spend time, I mean, B2B broadly, but cybersecurity and
(29:00):
infrastructure. Let's see. So there's this macrotrend of trying to keep... quote unquote, keep China off the cap table. It just represents risk to entrepreneurs and to founders, in terms of where you're able to raise follow-on capital, who's
(29:20):
willing to be your customer, you're probably not going to land a US or a Five Eyes revenue contract. If you have too much... quote unquote, too much China on your cap table, it can become a concern for investment rounds, it can become a concern for exits. I am by no stretch of the imagination an expert on CFIUS. Nor can anybody who's not an attorney get to a level of
(29:45):
sophistication and comfort on CFIUS. And so we just simplify, we really have no choice and we simplify by just trying to keep China off the cap table.
Jonathan (29:56):
Could you elaborate a bit on... in terms of why that is... of the keep China off the cap table? It's not just like a particular country that they want to just like, as a newcomer entrance or something... there are more sort of nation state reasons for trying to avoid that kind of investment, right? And
(30:21):
some sort of historical precedents for being concerned about...
Matt Goldstein (30:24):
I mean, look when you're tiny, you think geopolitics means nothing to you. When you're larger, geopolitics are surprisingly relevant to the day-to-day job of a founder and a VC. Because you've got to exit somewhere and sometime:
(30:42):
somebody has to buy you or you have to go public. And in the meantime, you have to close a bunch of revenue. And in the meantime, you might be taking out debt or hiring employees. And as you go through all these processes, people want to understand who owns you, who's on the cap table, who are the beneficiary owners of the work that you're doing, who has
(31:06):
control over the business, who has board seats. Washington is not incredibly nuanced, right? They sometimes they don't take for granted when we say, oh, they own 10%, but they don't have board seats, they don't have information, so it's just passive. That's not satisfactory. That's not a satisfactory answer. So sometimes we have to be very careful because what a shame
(31:28):
that you're going out and trying to close a big contract. And the company is unwilling to do business with you based on a million dollar investment you took five years ago from one particular party. So you have to be unbelievably careful. That is doubly a concern when you're talking about sensitive IP, certainly within the cybersecurity realm, or really
(31:51):
anything inside of the cybersecurity world, but going a layer deeper, anything that deals in cryptography is incredibly sensitive; export restrictions:
(32:01):
ITAR, right? Again Washington is not always willing to accept, oh, they're just a passive investor. Well, okay, do they get to come to your board meetings? Have you ever afforded them a demo copy of your software? Did you breach ITAR restrictions by forwarding them a copy of your demo that happens to use some cybersecurity somewhere in it? Did they get a
(32:23):
demo of the product in order to make the investment? Did you breach ITAR, then? It's terrifying. The tiniest misstep can can really screw up your business. So unfortunate as it may be, and I say this as somebody who lived in China for a couple years and studied the language, in many cases, you just have to keep China off the cap table.
Forrest Meyen (32:44):
So can you talk a little bit about just M12 as a whole, what your strategy is, what kind of makes you different from a traditional VC.
Matt Goldstein (32:58):
Sure. Yeah, M12, we're 5 years old. We launched in 2016. Anybody who spent too much time in the valley has heard and probably has rightfully heard to be kind of careful or cautious around corporate investors, corporate venture capital; the argument has always been, their
(33:20):
incentives differ from institutional investors, and from those of the entrepreneur. People come and go, strategies change, the groups get stood up and shut down. And the short answer is, I agree with all of that, and it's largely true. All that said, I've always believed that corporate venture done right, should be better, not worse than institutional, because we have more to offer to
(33:41):
entrepreneurs than just my charming personality in your boardroom. Or if you're Andreessen, the 100 people that they have on their platform team. So, we drew a lot of lessons from our friends at Google Ventures, GV, as they
(34:01):
prefer to be known. The point being, you can build a professional, institutional grade, financially driven venture firm, that also happens to have access to the corporate parent, and use that access to drive value, unique differentiated value that no other investor can drive for the portfolio companies. And as a
r (34:23):
you're driving specific value for the entrepreneurs, you're making the rest of the cap table happy. Your corporate parent is engaging with startups and meeting them earlier than they would otherwise. And hopefully, everybody's making a bunch of money in the process. So that's how we're structured. That's how we operate. We're about 30 people, 10ish on the investment
(34:43):
team. We have two platform teams, market development and portfolio development. Portfolio development is all about opening doors to Microsoft:
(34:51):
they're not quota-carrying, they're not here to shove anything Microsoft down anybody's throat, they're here to count on doors, grease the skids and try to help our portfolio companies create the relationships that they're looking for with arguably the largest, most important B2B software company in the world.
(35:13):
Market development focuses on helping our portfolio companies engage directly with potential end customers, often those are Microsoft customers too but trying to go directly to the Fortune 500 or or the Fortune 450 (term I invented, the Fortune 500 minus all the other software companies). Yeah,
(35:38):
trying to help our portfolio companies land revenue from some of these other large enterprises. So that's what we do. We are we are early stage B2B investor, we're focused on series A and B, we invest in anything B2B, where software is the point of leverage, and then we have this incredibly unique differentiated value at which is unparalleled access to
(36:01):
Microsoft.
Jonathan (36:03):
So let's talk a little bit on the personal side that has led you to this really interesting position... so I think a lot of folks would be curious as to how did younger Matt get into this opportunity to be able to look across the across the world for some awesome frontier tech?
Matt Goldstein (36:25):
Yeah, so I started my career as my resume quite literally said for quite a while a bad software developer, you know self taught. Yeah, I just I want to make sure nobody quizzes me, right? So I was self taught and worked for systems
(36:47):
integrator doing CRM systems integration work first job out of college, or out of uni, as I've learned to say here, and then slowly worked my way into the startup world, spent several years as the very early employee with a venture backed startup in the automotive space. So this was the the mid 2000s, there
(37:10):
were four or five automotive startups that raised hundreds of millions of dollars to build new cars and bring them to market. You've heard of one of them, that would be Tesla. I did not join that one. I joined one of the other ones. We were trying to build the cheapest car that an American would buy 4-doors, power windows and locks, air conditioning, CD player,
(37:30):
automatic transmission, brand new for $10,000. Incredibly cool company, incredibly cool story and ambition, raised about $110 million in venture capital, lost all of it. That's a story for another time. But suffice it to say, losing $110 million is a great story to tell when you're trying to get into business school. So that's what I did. And starting my MBA, not knowing the difference between a mutual
(37:58):
fund and a hedge fund, not beinga finance guy by any stretch of
the imagination. love startups,I love tech, I had no idea what
I was gonna do. Found myself ina conversation with a San
Francisco based seed fund.
Charmed them through my arcane knowledge of B2B software and
(38:21):
SaaS before SaaS was really a word. I think these days if you
were to go into any of these MBA campuses, the number of people
who came from enterprise software came from B2B software
is a much larger proportion of the class. Back then I was
unique and exotic. Landed an internship and within about two
(38:44):
weeks decided, this is exactly what I want to do. If you're
geeky, intellectually curious and have just a little bit ADD,
I can't imagine a more fun job, right? My job is to get coffee
with people smarter than me and ask them questions. And you
slowly start to figure out your style and your focus areas and
the things that you have an interest in and hopefully a
(39:07):
little bit of domain expertise.
And if you don't have the domain expertise, you can build it over
time by just meeting hundreds and hundreds, if not 1000s of
companies in a particular domain. And that's kind of how I
ended up in the industry.
Cybersecurity specifically, I joined a firm called Trinity in
(39:27):
2012. And on my first day or second day, one of the partners
said, go sit next to that other guy and go build a cyber
practice. Because I think they had a sense that this was an
important sector. And it wasn't a sector that they'd spent an
enormous amount of time in the past. And how many years is it
(39:49):
later? What was that? So about eight years later. I've made
half a dozen cybersecurity investments. I've met well over
1000 cybersecurity companies. I aggressively stopped short of
calling myself an expert, but I think I know enough to be
dangerous. And I know the landscape. And cyber as an
investment sector is the gift that keeps on giving. It's the
(40:12):
industry that never goes out of fashion, the problems are never
going away, and cybersecurity will never be solved. And you
could view that as a cynical statement, right? Like, I don't
want it to be solved, so I can keep making money. That's not
what I'm saying. I'm saying it is a fundamentally asymmetric
problem. And as long as that asymmetry exists, the economic
(40:36):
incentives of attackers to get incredibly creative match the
economic incentives of defenders to find newer and better
creative solutions to their attacks.
Jonathan (40:46):
What am I gonna do
with my bit... my crypto
wallets, then? How am I gonna keep those safe?
Matt Goldstein (40:51):
I don't... I
have done one crypto investment.
It's not a space that I feel super comfortable talking about.
Forrest Meyen (41:04):
So when you're
meeting these companies, I mean,
you talked about Markforged, you already had kind of a
relationship with the founders and knew them very well. But
when you have that first meeting with founders, what's kind of
like the indicator to you that you're interested in a
follow up meeting? Do you get a gut feeling? Is it just great
(41:24):
people? What really makes the decision whether you want to go
further?
Matt Goldstein (41:33):
I have two
answers to that question. One
is... so one of the biggest things that I've learned through
the COVID era has been that we can do our job entirely
remotely. I've made two investments now without ever
meeting the teams in person. And while I do think it's important
to eventually meet them, and I look forward to going to board
(41:54):
meetings again someday soon, and building a more personal
relationship with these executive teams, we were able to
do it. And part of what we did was we did, we did a lot more
diligence. And I think our decisions were more thesis
driven and more data driven, and less gut and heuristic driven.
And I am not saying that gut and heuristics aren't important: you
(42:17):
know, venture capital is the art of making decisions in the
absence of perfect information.
So gut will always play a role.
But I think that the days of in person first meetings with
entrepreneurs are over. I think it's healthier for me, I think
it's healthier for the ecosystem, I think it will
hopefully lead to more diverse and inclusive investing. So now
my approach is meet everybody remotely at the beginning. Do as
(42:43):
much diligence as I can upfront. And then again, I look
forward to eventually meeting people in person again, one day
and using my gut and using my heuristics to verify my
diligence and not the other way around. To the broader question
and how it relates to cybersecurity, certainly being
thesis driven. On the one hand, knowing what you're looking for,
(43:03):
on the other hand, I always say, it would be a disaster if I knew
more than an entrepreneur about the sector that he or she is
operating. That's not how it should be, right? I'm a
generalist. And there are things that I know a lot about like
fundraising, and VC fund operations, but the specific
(43:27):
nuances of my portfolio companies' businesses is not and
should not be one of those spaces. So within cybersecurity,
there are certainly things that I look for. I look for data
moats, and that's, I think, a topic we should spend another
minute or two on. But taking a step back from there, cyber is a
(43:51):
unique and distinctive technical domain, and you see almost no
movement back and forth between kind of traditional software
developers and cybersecurity developers. (I was trying to
think of a good metaphor for that, I don't have one right
now.) But so the short answer is, in cyber, I look for a lot
(44:12):
of domain expertise, and experience in addition to the
other more general things we look for in any investments, in
addition to hopefully something that checks a particular thesis
box that I've been working on or developing.
Forrest Meyen (44:28):
Great. And you
said you wanted to touch on data
moats. I think now would be a good time, what is the data
moat? I've never heard that.
Matt Goldstein (44:35):
So maybe I over
prepared. Because I was just
nervous that a bunch of experts were gonna make fun of me after
you post this. So we were talking about asymmetry. And I
was saying, my philosophy and my approach to making unique and
differentiated investments in cybersecurity is to try to do
(44:57):
things that start to flip that asymmetric equation, that start
to allow for alignment and shared scale between large,
stationary enterprises that can't disguise their borders or
their perimeter or they can't disguise their assets. They are
what they are. But we have other advantages, and our advantages
(45:21):
are scale and our advantages are that we're on the right side of
the law. And our advantages are or should be that we can
coordinate with one another. In the past, that's been very
difficult:
(45:30):
it's been very
difficult because of data
management and privacy and data access. So tools and techniques,
whether they're graph databases, or federated learning, are
starting to enable types of coordination that couldn't exist
(45:50):
in the past. And when that coordination is applied to
cyberdefense, I think it becomes very powerful. We have two
investments in our portfolio, cybersecurity investments, that I
describe as a giant graph database upon which they build
some cool products. So one of those is SpyCloud. And I wanted
to make sure I use their language, not mine. So SpyCloud
(46:13):
gives you access to the world's most comprehensive repository of
compromised credentials and PII.
So on the one hand, they're probably the most attractive
asset for attackers in the universe, because they have... I
don't know, billions, right?
Where are the notes? ... 118 billion recovered breach assets,
(46:33):
23 billion total passwords, right. So when they...
Jonathan (46:38):
That's quite a nice
pot to go after. That's like
bigger than one basket or something...
Matt Goldstein (46:44):
Yeah, when
they... I assume I can tell the
story... when they came in and gave a demo to Satya, they like
paused and was like, so can we do the demo? And Satya, can we
use you? And he said yes.
And kind of went into Maltego and the graph database and
pivoted from asset to... you know, here's this name, so
here's where we think his email addresses are, here's where we
(47:05):
think his phone numbers, is this your password? Oh, dang. Right?
Now, obviously, once you get this enormous corpus of data,
what do you do with it:
(47:14):
you
build products, and the easiest
to explain product is password reuse prevention, assume they
have a better term for it, but essentially safeguarding the
identity of employees and users; you go to reset your password,
or you're asked to reset your password. It's got to be this
long, it's got to be this complex. And it can't be a
(47:35):
password you've used here before. Oh and by the way, it
can't be a password that you or anybody else has used anywhere
ever in the history of the internet. That's pretty cool.
That's pretty cool. So that's one product you can build on
this data moat. And it's the kind of thing that you can only
achieve with scale and with coordination. I promise you
(47:55):
metaphors, I do love metaphors.
The other company that operates in a very similar vein
or similar domain is called HYAS, H-Y-A-S, HYAS InfoSec.
They're entirely focused on adversary infrastructure, right?
So the command and control infrastructure, the servers, the
(48:17):
domains, the IP addresses that attackers use for coordinating
their attacks for operating their botnets. So here's my
favorite metaphor. I love this one. Think of an organization as
a prison, and think of the cybersecurity team, as the
guards and they've got x-rays, and they've got pat downs, and
they've got bars on the windows and they scan all the produce
(48:41):
that comes into the kitchen area. And the warden is
absolutely sure no cell phones have been snuck into my prison.
We are an illicit cell phone free zone, we have the best
security, no way anybody snuck a cell phone in my prison. That's
cool, but I'm just gonna go check the cell tower across the
street from the prison, and I can see 11 SIM cards pinging off
(49:03):
of it. I don't know how they got there. I don't know who snuck
them in. But they're unaccounted for. And they're pinging off
this tower, which means they got it. So by instrumenting the
infrastructure, going directly to the cellphone towers, to the
infrastructure of the global Internet, dumping a bunch of
(49:23):
stuff into a giant graph database and then building
products on top of it, you could start to flip the script. And
this is another example of coordination and building these
data assets that create defensive tools and products
that couldn't have existed in the past, and I find those
really exciting so that's the kind of thing I'm looking for.
Jonathan (49:44):
So the history of
security, and let's keep it
specific in terms of like cybersecurity, is you got the
white hats, who are... guardians of all that is good and moral
and nice, and the black hats who are working at getting access to
(50:04):
stuff that they shouldn't have, that a locked door is a
challenge and I want to get through that locked door just to
see what's there. And perhaps with nefarious intent. In
cybersecurity, specifically, I see it as... where it's always
at the interface of where there are industries changing, for
example, whereas more electronics and specific
(50:25):
computers start to get on board like a Jeep Cherokee, that
started to cause cars to be hackable, which was prior an
unthinkable concept. And then, at DEFCON, the US Air Force had
recently held a hack-a-sat, hacking satellite competition.
And now, I'm not saying that those issues are resolved.
(50:50):
They're still work in progress.
But now we have the emergence of potentially accessible quantum
computing that's coming online, some evidence that this could
work. And so that puts a threat to the ability for us with our
usage of algorithms to encrypt data and storing it. And if I
(51:11):
want to be mean, evil, I could grab any encrypted information I
can find and sit on it for one year or one decade, whatever it
takes for me to get access to a quantum computer and see what
was discussed. Could you elaborate on this need for
post-quantum security?
Matt Goldstein (51:33):
Yeah, I mean,
you already nailed the thesis,
right? Which is fine. People talk about quantum as something
in the future and something for us to develop, and they talk
about how quantum will break all encryption. And that means we'll
need new encryption. And so people are building the
computers, and they're building the encryption for the computers
(51:55):
simultaneously, and they think that's all good. As long as
those two things arrive within a few months of each other,
everything's fine. But to your point, the scariest part about
quantum computer development is the fact that there is plenty of
encrypted data sitting out there that people have saved or
retained for a very long time that will suddenly be
(52:19):
vulnerable. And certainly some of it is no longer relevant, but
some of it is, right? Promised I wouldn't talk about blockchain.
So the one area where we spent a lot of time recently is in
quantum key distribution. So this long term vision of the
(52:40):
quantum internet, which is unbreakable point-to-point
communication, where you know with absolute certainty whether
a transaction, a packet, some element of communication has
been intercepted or sniffed or spoofed is a beautiful vision.
But there are challenges in distributing entanglement. And
(53:03):
in so, you know, quantum computers operate on this
concept of entanglement and entanglement has range concerns
and range considerations. So if you agree with the fundamental
premise, the beginning premise that we need to get kind of
quantum resistant encryption set up before the quantum internet,
(53:25):
two things are playing out. One is we need quantum safe for
post-quantum algorithms. And the other thing is that we need to
solve for this issue of quantum key distribution, making sure
that the keys themselves aren't intercepted and kept and
sniffed. Yeah, so these are incredibly cool topics. I am far
(53:50):
from an expert. I'm incredibly blessed to work with my
colleague, Samir Kumar, who is our resident expert on the topic
and is on the board of PsiQuantum. But it's cool when
we have a lot of fun riffing on the tangents between quantum and
cyber.
Jonathan (54:11):
That's definitely a
pretty extreme nerd level
discussion.
Forrest Meyen (54:15):
Yeah. We're
getting sci-fi pretty quick.
Jonathan (54:18):
Yeah.
Forrest Meyen (54:20):
I think we want
to give you an opportunity to
make whatever pitch you want for our audience. Whether it's
pitching M12 or just the importance of cybersecurity in
your own life. But we just want to give you that last moment to
have the last word.
Matt Goldstein (54:39):
Sure. I'll go
back to what we talked about at
the beginning, which is investing in optimism. And this
is not me bragging saying I have the best job in the world. But I
really do love my job. My job is to spend my days over the
horizon and see what I can...
see what small contribution I can make to bring those things
closer to reality and closer to home. In your prep, you said,
(55:01):
why is this important and who is it important to? It's important
to three people. It's important to me personally, because it's
fun. And I feel good about what I do every day. Hopefully I'm
doing well and doing good by the people who entrust me with their
(55:22):
capital, and entrust me with their vision and their stories.
And so hopefully I'm making money for my LPs and also
helping these entrepreneurs achieve their dreams and giving
them the capital and the resources they need to be
successful. Look, I invest in companies that matter, I invest
in companies that are doing cool things that aren't cool for
(55:44):
their own sake, but are fundamentally important to the
future of our species, and the future of our society. I want to
be investing in companies that are solving big problems, right?
I'll throw out one other random one, it has nothing to do with
cybersecurity, but I led the series A in a company called
Nautilus Labs in New York, which is voyage optimization, so speed
(56:06):
and route optimization for the global shipping industry. The
global shipping industry, most people know is one of the
largest polluters in the world that consume an enormous amount
of fuel that emits a lot of greenhouse gases. And it's a
particularly kind of tech-averse industry or legacy industry.
(56:31):
Introducing software... very, very basic optimization and
analytics, the kinds of things that every sophisticated
software business does every single day inside their
application performance monitoring solution... we can do
that for ships. And we can tell captains and ship owners and
operators, don't go this way at six knots, go that way at seven
(56:55):
knots, you'll still arrive at your destination... maybe I
should flip the speed... you'll still arrive at your destination
on time, you'll consume less fuel doing it. And by the way,
when you get there, fill up at this place, not at that place.
And I know the maintenance log says you don't need to scrub the
hull for another two months, but according to our data, you're
moving a little bit slower than we expected you to. And that's
(57:17):
probably due to the fact that you were hanging out in the Gulf
of Mexico for three weeks when the water was two and a half
degrees warmer than we normally expected it to be. And so we
anticipate there's some unnatural growth on the ship and
that's slowing things down. Oh, and by the way, when you go
bring the ship in to get scrubbed, take it to this
vendor, not that vendor because according to our data,
the ships perform this percentage better when they use
(57:39):
that particular vendor to solve these problems. Incremental
stuff can have an unbelievably enormous impact on businesses
and on carbon emissions and on the world that we live in. And I
think that's cool. And that makes me happy. I'm Adam,
managing director at M12. Stay tough.
Forrest Meyen (58:01):
Thanks for tuning
in to Tough Tech Today. We've
just kicked off a brand new season, which means we'll have
another episode in only two weeks. In this episode, we'll be
talking with Virginia Burger.
She's the co-founder of New Equilibrium Biosciences. Please,
if you enjoyed the show, spread the word. The best thing you
could do on YouTube is leave a like, subscribe, and of course,
(58:22):
leave a comment. We love interacting with our viewers.
And if you're on the podcast, leave us a five-star review and
share with a friend. Thanks again and we'll see you next
time.