Index Ventures’ Shardul Shah On ‘The VC Spring’ And Stunning Wiz Growth

‘I feel like 2024 has been, overall, a change of season,’ Shah tells CRN.

The climate for venture capital investing is significantly improving following the “VC winter” of recent years, particularly in terms of cybersecurity startup investing, Index Ventures Partner Shardul Shah told CRN.

“It definitely feels like we're in the VC spring,” said Shah, who noted that Index has had one of the busiest periods in its nearly three-decade history when it comes to investments.

“I feel like 2024 has been, overall, a change of season,” he said.

Shah, a partner at Index Ventures since 2008 who is based in New York, led the firm’s early investment into cloud security vendor Wiz, which went on to become the top-valued cybersecurity unicorn (with a $10 billion valuation) amid an unprecedented growth rate in the security industry (recently reaching $350 million in annual recurring revenue after launching in 2020). Other major investments led or co-led by Shah have included Datadog, Coalition and Expel.

Driven by numerous factors — including the arrival of GenAI-powered attacks and increasing regulatory pressures — Shah said in a recent interview that he sees little chance of a slowdown in the pace of customer spending on cybersecurity. In fact, “this year, I think cyber spend is going to have a second wind,” he said.

Shah also discussed how GenAI is changing the security product landscape, why the cloud security opportunity continues to grow and his view on the reasons for the massive success at Wiz. The interview followed CRN’s recent discussion with Wiz CEO Assaf Rappaport and newly hired President Dali Rajic, who disclosed that Wiz is making its channel efforts a top priority in 2024.

What follows is an edited portion of CRN’s interview with Shah.

What are some of your major expectations for the cybersecurity market in 2024?

In 2024, I think we're going to see a second wind in cyber spend. AI is raising the stakes for cyber. And while there's a lot of conversation around when will the IPO window open — is that in the second half of 2024, or not — what is interesting is that for companies that are thinking about going public, I think there's going to be a lot more attention to their cyber strategy.

[2024] has been very active for Index. And it's not just AI. It's broad-based — by stage, by domain, by geography. But I feel like 2024 has been, overall, a change of season. With 2023, a lot of people thought of it as the VC winter. It definitely feels like we're in the VC spring.

What do you see as the main reasons for that?

It's not surprising — because like I said, this year, I think cyber spend is going to have a second wind. And it draws on AI and IPO readiness. But overall, our research shows that there will be an acceleration of security spend this year. This is due in part to re-acceleration of cloud services. This is due in part to an election cycle, globally — not just a single election, but 60 elections around the world. And this is also due to regulatory pressure. So I think there are a number of drivers that are going to accelerate security spend.

What's pretty clear is, the platform is king right now. Palo Alto Networks [said] they're not expecting as much acceleration — but my view is that Palo Alto was never a coherent platform. Companies like CrowdStrike, Datadog and even Wiz — those are much better examples of coherent platforms.

So on one hand, I think buyers want solutions to business problems. And as a consequence, they want to deal with fewer disconnected products and they desire simplification. The next level of that is seeking a platform that actually creates coherence across a number of different use cases. Whereas like Palo Alto has arms and a leg and a shoulder, acquired into the organization and kind of stitched together. But companies like CrowdStrike and Datadog and Wiz, from the get-go, were built in a really different way, with a really different set of user experiences.

What’s one of the biggest ways you see GenAI changing the security product landscape?

We think AI is going to drive a resurgence in that email security category. Now criminals will take [a phishing email] and push it through ChatGPT and get better grammar, better syntax and effectively better reachability on email phishing campaigns. This is going to require a different set of solutions to manage [the threat].

The prior generation of email security companies built a product where it's one-size-fits-all. In some ways, that's really powerful and good. But there's no personalization. So today a common email phishing attack is against new joiners of the company. In that first five days, it's a moment [for an attacker] to send someone an email and say, “Hey, I'm a software CEO, please wire me $10,000.” And in that moment, because [the new employee] is not conditioned to the communication style of the organization, they might be more susceptible to that type of communication. For an existing email security provider to personalize for an organization — where new joiners have a different set of rules — is architecturally impossible. Compound that with the personalization of attacks that can come from AI email phishing campaigns, and it’s untenable for existing architectures to manage against that attack.

Will existing platforms have the courage, the capability, the competence to rearchitect your entire business? I think when something is in motion, it stays in motion. There's inertia. It's this incredible power. And it's so hard to completely re-platform a business once it has meaningful scale. So my view would be, yes, there will be a new [email security] startup that has a different architecture from the get-go.

How do you see GenAI benefiting the cyber defense side?

I think there are a range of opportunities. There’s one thing that I haven't seen yet, that I hope to see in 2024 or 2025. As part of their platforms, the best [cybersecurity] companies in the world operationalize security research. One of the reasons Wiz is a thought leader in cloud security is that they discover net new, critical vulnerabilities. Importantly, their platform allows their customers to be protected against these vulnerabilities. So they operationalize their security research. And that's a massive comparative advantage in the market. I think in the future we might see “AI agent security researchers” — meaning, we might see organizations that are focused on threat detection and response in other areas, that utilize new technological capabilities to create security research and operationalize it within their own platform.

What do you see as the major opportunity still unrealized in cloud security, that companies like Wiz are capitalizing on?

One of the main drivers of risk and vulnerability in the cloud is human error. I think there's a criticality in Wiz, which is not fully appreciated — which is how usable the product is by different departments. When you look at the usage of Wiz, it goes well beyond the security team. Because engineering organizations and operations organizations can be involved in remediation of critical vulnerabilities — which could be from threats due to adversaries or errors that were made by the team.

I think the best estimates out there would suggest 5 to 10 percent of cloud infrastructure spend will accrue to cloud security. That represents a pretty substantial addressable market opportunity — which is why, when you do the research, the No. 1 area of spend in security in 2024 is cloud security. That’s why CrowdStrike, Zscaler, Palo Alto Networks and many others are trying to tell stories around cloud security, because it's such an important opportunity. And given the magnitude — [at least] 5 percent of $700 billion of spend — that addressable opportunity can support multiple companies that are significant. My assessment is, generally the market leader takes disproportionate market share. And so there's obviously a lot of interest and aggression in trying to become the market leader in cloud security itself.

As part of that, I think we'll probably see more consolidation. It's not new. We were involved in Duo Security when it was bought by Cisco for $2.3 billion. We were involved in Signal Sciences when that was bought by Fastly for $775 million and in Adallom when it was bought by Microsoft for a few hundred million. M&A in security has been consistent for the last decade. But I would anticipate more M&A to come.

What are the biggest reasons you believe Wiz has been so successful?

The [Wiz] founders made a number of critical decisions that set themselves up to be really different. From the get-go, they knew what it meant to build an enterprise grade solution — everything from the product to how one makes a customer feel [as] an enterprise grade solution. Second, they understood what the business' requirements were — around agility, as an example — and were able to construct a solution relevant for that problem.

Then, they built a product that had really special ergonomics. The product is simple, but it's not simplistic. It can deliver value to an individual [and also] to teams and organizations very rapidly — which is a really hard balance to strike without eroding the value proposition to any one of those stakeholders. To pull this off, they definitely made some decisions from an architectural perspective that were extraordinarily valuable, including [on the] graph-based database — but again, with an eye toward building a platform with multiple products that could be used in concert. To deliver against that, they were really opinionated about their org design and how they could enable an engineering team to move quickly with high quality in parallel — all while scaling the business extremely rapidly in a competitive environment. And so this combination of market demand, the product engineering opinions that we've talked about and go-to-market execution I think are the contributors to why Wiz grew from zero to $350 million of ARR in three and a half years.