I spent a fair amount of time in the SF Bay Area, but I always thought of myself as an outsider. I wasn’t there for the hustle and I didn’t care for your blockchain product pitch. Everybody else was changing the world; I was there just to keep the infrastructure safe.
Yet, if you live in the South Bay and have a successful career in information security, you will sooner or later be chatted up by a venture capitalist. Most VC fads come and go, but cybersecurity is forever: an important, perpetually unsolved problem where promises sell better than tangible results. And so — one day, pretty much out of the blue, two VC firms showed up and asked if I wanted an “oh, wow” amount of money to build a security company.
I confess that I was flattered — after all those years, this place was finally noticing its humble servant’s true worth! Of course, deep down inside, I knew that the VCs’ interest in my life’s work wasn’t quite as genuine: they were juggling billions of dollars and wooing me with a script perfected on countless souls who came before me. I was not a unique snowflake; I was a small, calculated risk. Still, all the warm fuzzies aside, it seemed like a reasonable trade: capital to build something cool in exchange for a decade of my life.
But it wasn’t just a stranger’s all-too-sudden interest in my ideas and life goals; other details also didn’t feel sincere. For one, there was the constant sense of urgency: “we’re about to throw money at any security idea; be there or be square”. I think it was their way to weed out folks who liked to chat but were never going to take the plunge — but why did it need to be a charade? I’m sure the strategy was also meant to impress that the VC world operates at breakneck speed, so the payoff is just around the corner. A quick adventure — in and out, hardly any commitment at all.
My other realization was that the amount they offered wouldn’t go far if you’re trying to play by the “fast growth” rules of the Bay Area — it was just enough to get you hooked. Pay yourself below market rate, hire six good engineers, lease some office space, buy equipment, pay for legal and accounting services… and presto, you’re burning through millions a year with zero revenue. You must start thinking about your next round of fundraising before that “oh, wow” check even clears.
My point isn’t that it’s a folly to start an infosec business, or that VC money is bad. But when they come to you, the firms want you to feel special and think you’ve just won the lottery. All this courtship is choreographed to obscure the real trade-offs.
Disclosure: I had a more specific calculation in the second-to-last paragraph here, which led to some incredulity on HN before the story got nuked - "unless you're paying the engineers $400k/yr each, I'm not quite sure how this would add up".
I don't think the exact figure was important, so I edited it out instead of getting deeper into the weeds; but the short answer is that in the Bay Area, an SWE costs you quite a bit more than the base pay in their contract. I don't know the startup numbers, but I've heard the Big Tech estimates, and the overhead is nuts. Even if you can do half of that, the median SFBA SWE - expecting $250k/year - is not going to cost you $250k.
But again, it's beside the point: either way, you're still burning millions a year. What sounds like a sum that would personally set you for life is not enough to get the business to sustainability, and you will be very quickly needing more. You can be a lot more heroic and frugal than is the norm, but VCs get impatient if you're moving too slow - and progress isn't measured in lines of code.
This is epic 😂
"I confess that I was flattered — after all those years, this place was finally noticing its humble servant’s true worth!"