这家私募巨头携巨资进入网络安全领域

私募最近开始在网络安全领域发力并非什么秘密，而且理由充分。研究机构Gartner预计，随着网络攻击和数字诈骗变得越发常见，今年全世界为保护敏感数据和信息而投入的资金将达到空前的1240亿美元。

这意味着打算提供网络安全解决方案的公司也将比以往更多，而且这些公司都需要发展资金。KKR等私募巨头已经进入该领域。2016年，KKR的Next Generation Technology Growth Fund（NGT基金）完成融资，共筹集资金7.11亿美元，计划投入处于成长阶段的科技、传媒和通信公司。

迄今为止，实际情况证明网络安全行业是该基金投资方法不可或缺的一部分，它的目标还包括企业软件、金融科技和消费互联网企业。这只基金已经通过Cylance等端点安全软件公司取得回报。今年早些时候，黑莓斥资14亿美元收购了Cylance。同时，该基金还领投了英国人工智能企业Darktrace，后者于去年9月完成了最新一轮融资，估值16.5亿美元。

最近的消息是，《财富》杂志今年3月报道KKR同意参股佛罗里达初创公司KnowBe4，投资5000万美元，对KnowBe4的相应估值为8亿美元。KnowBe4的领导层包括声名狼藉的黑客凯文·米特尼克，其业务是向公司及员工提供网络安全培训，从而建立抵御钓鱼式攻击和数据入侵的“人肉防火墙”。

KKR的董事总经理文尼·莱特里一直在参与指导上述投资。他是该公司一支20人团队的成员，其他成员则来自于硅谷、纽约和伦敦等地。据莱特里介绍，NGT基金目前投资了11家公司，“已经运用了约90%的资金”。虽然高估值背景下的2018年对该基金来说是“真正缓慢的一年”，KKR只进行了葡萄牙科技公司OutSystems这一笔投资，但实际情况证明今年这只基金更为活跃，除KnowBe4外，它还在2月投资了密歇根州软件公司OneStream。

莱特里在曼哈顿中城的KKR办公室接受了《财富》杂志的采访，谈到了KKR在网络安全领域的投入，数据是否真的是新石油以及KKR三分之一的员工面对钓鱼式攻击时中了招。

《财富》：作为私募领域老牌巨头，KKR推出成长基金的动力是什么？

文尼·莱特里：我觉得这项策略是亨利·克拉维斯和乔治·罗伯茨一直试图在公司推广的那些东西的产物。我们的决策是转向我们所说的成长导向型并购。也就是说，追逐那些收入增长快而且仍然有机会扩大规模的公司，而不是对资金充裕、增长缓慢的传统公司进行金融性收购，对后者要使用杠杆，同时通过控制成本来获得回报。这些成长导向型收购背后的主旨是通过保持或提高收入增速并帮助[公司]扩张来取得回报。

我们看到有很多机会朝我们而来。这些机会真的很有意思，但只是对我们的并购基金来说太小了。目前我们的北美并购基金的规模是140亿美元，让这种规模的基金拿出5000万美元或者1亿美元来并不会有什么明显效果。

而且你也看到了，这些公司不上市的时间变得长了很多。十几年前加入KKR时，它们的不上市状态平均会保持六年半左右；现在这个数字是大约11年。所以可以看出，价值创造从以往传统上的公开市场转移到了私募市场，而我们此前没有投资这些公司的资金池，这就是NGT基金诞生的经过。

你怎么形容NGT基金打算投资的公司？

我们不会冒技术风险或商业模式风险；我们认为，在风投资金领域，人们都在尝试提出一个想法，然后围绕它来建立一家公司，但你不知道自己能否创造出一种技术，也不知道会不会有人付钱来买。这方面的风险回报可能非常高，但这不符合我们的偏好，也不符合我们的差异化思路。

我们觉得自己真正擅长的是[投资于]已经走过技术风险阶段，而且产品和市场已经匹配的公司，一般我们会定义为收入达到或超过2500万美元。我觉得就门槛而言，我们投资的公司的平均收入范围是5000万美元至6000万美元，但它们增长迅速，而且我们认为这些通常是局域性或区域性的公司有机会成长为全球性企业。

网络安全一直是NGT基金关注的主要投资领域之一。是什么促使你瞄准这个市场？

在网络安全方面，你会听到人们到处在说“数据就是新石油”什么的。对此，我们的看法是，资产和价值已经出现了从实体形态到数字形态的巨大转变，而目前保护这些数字资产的一般都是密码、网络以及其他种类的方法。

犯罪活动不再是打劫银行和艺术品博物馆，而是窃取数据和信息。如果愿意，就会看到这种数字化犯罪，我们认为这真的很有意思。我们入驻了几百家公司的董事会，而每个董事会都会讨论网络安全问题。10年前，没有人听说过首席网络安全官或者首席信息安全官；现在，差不多每家公司都有了，防护需求只会逐步增大。

NGT基金为什么投资KnowBe4？这样做怎么就和你们的策略一致呢？

尽管针对端点和网络安全设置了重重保护，但90%的安全漏洞依然出现在员工或消费者层面，就是这个原因让KnowBe4显得这么有意思。

我觉得有件事情可以说一下，作为我们尽职调查的一部分，我们和首席安全官一起对部分KKR员工进行了钓鱼式攻击。我们觉得自己的公司里尽是非常诚信的聪明人，但尽管如此，超过三分之一的受测试员工还是点开了那封恶意电子邮件。我们在投资委员会会议上讲了这件事情，这让情况变得非常明了，那就是如果在我们这样的公司，人们仍然需要接受那种培训，那它就应该可以广泛应用到市场中去。

而且这是一种连续的[培训]，因为这样的攻击会不停地变化。KnowBe4的有趣之处在于他们一直在对培训进行更新，包括内容以及推出那些新东西，从而保持领先位置。

你曾说去年的高估值限制了你的能力。那么现在你对估值怎么看？整个环境究竟降温了没有？

总的来说，市场上的估值仍然相当高。如果看数据的话，它会告诉你进入风投期和成长期公司的资金都在增多，但投资的笔数变少了，所以单笔投资的金额在不断上升。

作为客户资金的管理者，我们必须真的保持自律。至于2018年，就投资而言它对我们来说真的是一个缓慢的年份；我们只做了一笔新投资，那是一家很棒的公司，叫OutSystems，总部设在葡萄牙里斯本。此外还有12项投资我们没能成为最终的赢家，其中11项都是因为价格。我们回来跟团队谈了，也看了模型，但就是对我们报价的预算感到不放心。今年我们已经做了两笔投资[KnowBe4和软件公司OneStream]，也就是说我们的成绩已经是去年的两倍。

你们的基金已经用了90%左右，接下来会做什么？

我觉得可以说这个策略非常成功。我们不打算停止这项工作。（财富中文网）

译者：Charlie

审校：夏林

It’s no secret that private equity has been on a cybersecurity kick as of late—and for good reason. With online attacks and digital fraud only becoming more prevalent, global spending on technology to protect sensitive data and information is expected to reach an unprecedented $124 billion this year, according to research firm Gartner.

That means there are more companies than ever seeking to provide cybersecurity solutions, and those companies need capital to grow. Enter the likes of private equity giant KKR, which closed its $711 million Next Generation Technology (NGT) Growth Fund in 2016 with an eye toward investing in growth-stage companies in the realm of technology, media and telecommunications (TMT).

Thus far, the cybersecurity sector has proven an integral part of KKR’s investment approach to the fund, which also targets enterprise software, fintech, and consumer internet companies. The NGT Fund has delivered returns through the likes of endpoint security software firm Cylance, which was acquired by BlackBerry for $1.4 billion earlier this year, and is a lead investor in British artificial intelligence firm Darktrace, which closed its most recent funding round in September at a $1.65 billion valuation.

More recently, KKR agreed to take a minority stake in Florida-based startup KnowBe4 via a $50 million investment that valued the company at $800 million, as Fortune first reported in March. KnowBe4, which counts notorious hacker Kevin Mitnick among its leadership, offers cybersecurity training to companies and their employees that aims to build a “human firewall” against phishing attacks and data breaches.

KKR managing director Vini Letteri has helped guide these investments as part of a 20-person team spread across Silicon Valley, New York and London. According to Letteri, the NGT Fund, which today has 11 companies in its portfolio, is now “about 90 percent invested.” While 2018 was “a really slow year” for the fund amid a high-valuation environment—with KKR making only one new investment, in Portugal-based tech firm OutSystems—this year has already proven more active, with both the KnowBe4 deal and a February investment in Michigan-based software firm OneStream.

Letteri sat down with Fortune at KKR’s offices in Midtown Manhattan to discuss cybersecurity bets, whether data really is the new oil, and how one-third of the KKR team fell for a phishing hoax.

Fortune: What prompted KKR, an established giant in the private equity realm, to launch a growth fund?

Vini Letteri: I think the strategy is an outgrowth of something that Henry [Kravis] and George [Roberts] have been trying to drive at the firm. We made a strategic decision to shift towards what we would call growth-oriented buyouts. That is, going after companies that have high revenue growth but still have the opportunity to scale—versus financial buyouts of legacy, cash-rich, slow-growth companies, where you put leverage on them and make your return by containing costs. The thesis behind these growth-oriented buyouts was that you make your returns by helping maintain or accelerate revenue growth and helping [companies] expand.

We were seeing a number of opportunities come our way which we thought were really interesting, but were just too small for our buyout fund. Today, our North American buyout fund is $14 billion, and the idea of writing $50 or $100 million checks from a fund that size, it just wasn’t going to move the needle.

And you also have the phenomenon of these companies staying private a lot longer. When I started at the firm a dozen years ago, the average company stayed private around six-and-a-half years before they went public; today that number is around 11 years. So you’ve seen this shift in value creation from what traditionally used to happen in the public markets now happening in the private markets, and we didn’t have a pool of capital to invest in those companies—which is how the Next Generation Technology Fund came about.

How would you describe the profile of the companies that the fund looks to invest in?

We are not trying to take technical risk or business model risk; we think of that as the land of venture capital, where you’re trying to take an idea and build a company around it, but you’re not sure if you can build the technology or if somebody will pay for it. The risk-reward there can be tremendous, but that doesn’t match up with our appetite and where we think we can be differentiated.

Where we feel like we’re really good is [investing in] companies that have moved through that technical risk phase and have product-market fit, which we generally term as having revenues of $25 million or more. I think on entry, our companies on average have somewhere in the $50-to-$60 million of revenues range, but they’re growing fast and we see an opportunity to scale those typically local or regional businesses into global enterprises.

Cybersecurity has been one of the key investment areas that the NGT Fund has focused on. What’s prompted you to target that market?

On the cybersecurity side, you hear these phrases that people throw around, like “Data is the new oil,” or whatever. We think about it as, there’s been this big shift in assets and in value from physical assets to digital assets, and the things that generally protect those digital assets today are passwords and networks and other types of things.

Criminal activity is no longer breaking into banks and art museums; it’s stealing data and information, and you see this digitization of crime, if you will, which we think is really interesting. On every board that we sit on, which is hundreds of boards, cybersecurity is a topic of conversation. A decade ago, nobody had heard of a chief cybersecurity officer or a chief information security officer; now, pretty much every company has them, and the need for protection is just going to increase over time.

What drew the fund to invest in KnowBe4, and how does it fit within your strategy?

Despite all of the protections that you put in place for endpoint and network security, 90% of security flaws still happen at the worker or consumer level, which is why KnowBe4 was so interesting.

I think I can share this; as part of our diligence, we worked with our CSO [chief security officer] to actually launch a phishing attack on a subset of KKR employees. We think this place is full of high-integrity, intelligent people—and even then, over a third of the employees that we sent it out to went ahead and clicked on the malicious email. We brought that up in the investment committee meeting, and it became so obvious that if, in a place like this, people still need to go through that sort of training, then it’s got to be broadly applicable out in the marketplace.

And it’s continuous [training], because these types of attacks change all the time. The interesting thing about KnowBe4 is they’re constantly updating the training, the content and developing new sorts of things to stay in front of that.

You’ve said that high valuations hindered your ability to make deals last year. What’s your current take on valuations? Has the environment cooled at all?

In general, valuations continue to be pretty high within the market. If you look at the data, it would tell you that there’s been more money that’s gone into both venture- and growth-stage companies, but there’s been a lower number of deals, so the dollars-per-deal have gone up.

In our role as stewards of our stakeholders’ capital, we have to stay really disciplined. If you look at 2018, it was a really slow year for us from a new investment standpoint; we made one new investment, a great company called OutSystems based out of Lisbon, Portugal. We issued 13 term sheets—we had one that was accepted, which was OutSystems, and then of the 12 where we weren’t the ultimate winner there, 11 of those was because of price. We went back, talked to our team, looked through models, and we just couldn’t get comfortable budging from our offer. We’ve made two investments already this year [KnowBe4 and software firm OneStream], so we’ve already doubled what we did last year.

With your fund now around 90% deployed, what’s next?

I think it’s fair to say the strategy has been very successful. We have no plans on stopping what we’re doing.