Category Archives: Security

Kellblog Predictions for 2022

Well it’s time for my annual predictions post, a series now in its eighth year.  Before diving in, let me remind readers that I do these predictions in the spirit of fun, they are not business or investment advice, and that all of my usual disclaimers and terms apply.  I’m starting to believe that the value of this series is more about the chosen topics than the predictions themselves because my formula for creating these posts is to select interesting topics that I want to ponder, research them, and figure out a prediction for each topic along the way.

Let’s start with a review of my 2021 predictions, keeping in mind one of my favorite quotes, often misattributed (including by me) to Yogi Berra:  “predictions are hard, especially about the future.”

Kellblog 2021 Predictions Review
On my own admittedly subjective and charitable self-scoring system, 2021 was a pretty good year for Kellblog predictions.

1.  Divisiveness decreases but unity remains elusive.  Hit.  This is totally subjective, but I’d say that divisiveness in the USA has decreased a bit and that unity has most certainly remained elusive.

2.  COVID-19 goes to brushfire mode.  Hit, until recently.  Well, it certainly felt like brushfire mode until December.  As I write, it’s still early in the omicron wave, so I’m going to remain optimistic that current predictions of omicron being more transmissible but less lethal will hold true.

3.  The new normal isn’t.  Hit.  I don’t think many people believe that we’re returning to pre-Covid norms when, and indeed if, we enter a post-Covid world.

4.  We start to value resilience, not just efficiency.  Hit.  I don’t frequently write about supply chain, but I made this prediction because for years I have wondered if, in our quest to wrest inefficiency from the supply chain, we were undervaluing resilience to Black Swan events from wars to infrastructure failures to natural disasters [1].  One person’s inefficiency is another person’s insurance.

5.  Work from home sticks.  Hit.  At this point perhaps for the wrong reasons (i.e., omicron), but where and how we work has already changed and many of those changes will become permanent.  McKinsey is producing some strong content on the future of work as is my friend Dan Turchin on his AI and the Future of Work podcast.

6.  Tech flight happens, but with a positive effect.  Hit.  A lot of Californians have moved to Texas, Arizona, and Nevada — but a lot have also moved to California (i.e., from the Bay Area to cheaper parts of the state).  Florida, despite the hype, nudges out Oregon for fifth place.  My point was that this is normal and healthy:  you can long Miami and Austin without shorting Palo Alto which, by the way, would have been a bad idea in 2020.

7.  Tech bubble relents.  Miss, until recently.  My world is probably best approximated by the WCLD ETF, which opened the year at $53, recently hit as high as $65, and (as I write) is at $51.  Taking the longer view, WCLD has nevertheless more than doubled over the past 5 years, so a lot of this depends on what you mean by “bubble” and “relent.”

Towards that end, revenue multiple is a better bubble indicator than share price, so let’s take a look at the latest from Jamin Ball at Clouded Judgement.

Are multiples down?  Yes, from a median high of nearly 20x to 12x, nearly 40%.  So I’d say yes on “relent.”  On “bubble,” well, we’re still at 12x compared to what I’d say is a normal (eyeballed) range of 6-10x — so we’re still running hot by historical standards.  [2]

8.  Net dollar retention becomes the top SaaS metric.  Hit, depending on what you mean by “top” [3], but my real point was the NDR would replace churn rates as a method for valuing the installed base and I think it has.  See my SaaStr 2020 talk or my GainSight Pulse 2021 talks for more.

9.  Data intelligence happens.  Partial hit.  I’d say it’s “happening” much more than “happened” because we’re still early days in a multi-year category transformation.  My friends at Alation continue to crush it driving their vision of data intelligence extending from the data catalog [4].

10.  Rebirth of EPM.  Hit.  While the second-generation EPM vendors [5] continue to prosper (i.e., Adaptive within Workday, Anaplan and Planful as independent companies) the industry is nevertheless being reborn underneath with new firms such Cube, Mosaic, OnPlan, and Pigment blazing the trail [6].  It’s exciting to watch.

Kellblog Predictions for 2022
Well, here we go with our predictions for 2022.

1. Covid goes from pandemic to endemic.  I’m not sure we ever had a realistic chance to keep the genie in the bottle, as they did in New Zealand, but at least our actions bought us time to create and deploy vaccines.  By the way, if you look at this chart, you might argue that New Zealand, in the end, failed to keep the genie in the bottle.  [7]

See the big bump?  Yes, it does seem that trying to bottle up Covid was destined to failure.  Or was it?  Look at the scale.  Then compare New Zealand to Louisiana, which has a similar population.

The New Zealand peak is 200, the Louisiana peak is 30x higher at 6,000.  If nothing else, and since this is something of BI-focused blog, Covid has taught us a lot about How Charts Lie.

But back to our prediction.  I think 2022 will be the year we stop thinking in pre-Covid and post-Covid terms, and accept that Covid-19 will become endemic.  Much as malaria brought us screened windows and cholera brought us clean water supplies, Covid will be with us for a long time and bring with it lasting (and hopefully in some cases, positive) changes to our day-to-day lives.

2.  Web3 hype peaks.  Is web3 going to change everything because, as Chris Dixon argues, the best entrepreneurs and developers have learned not to build atop centralized platforms?  Or, as Stephen Diehl so indelicately puts it, is web3 bullshit whereby, “the only problem to be solved by web3 is how to post-hoc rationalize its own existence?”  Or are Moxie Marlinspike’s first impressions right — e.g., the missing element in “crypto” is cryptography and that decentralizing the internals of underlying layers won’t prevent centralization at the more nimbly evolving layers above?

Is web3 a ploy to put crypto bros in charge where “the promise of decentralization is just a veneer — and blockchain is, in fact, the worst kind of vendor lock-in?”  Or, did the venerable Grady Booch get web3 right in his retweet below?

Maybe Tim O’Reilly, the person who coined the phrase web 2.0, has the best take [8], arguing simply that it’s too early to get excited about web3.

It sure does feel like 2005.  There are a bunch of new ideas in circulation.  Everyone is talking about them.  People are struggling to understand them and building frameworks to organize and explain them.  And sometimes it’s hard to tell what’s foundational to the new concept and what’s trying to hitchhike a ride on the back of it.  Based on this, I think we’re building towards a web3 hype peak that should happen in 2022 [9].

I’ve always believed that blockchain was invented to support a specific use-case (i.e., bitcoin) and, unsurprisingly, is good for that use-case but has otherwise largely been a technology in search of a business problem — particularly in the enterprise.  Imagine if you went to SIGMOD twenty years ago and predicted the database of the future would be:

You’d have been laughed out of the room.  Despite that, the reality is that database (i.e., blockchain technology) is quite useful for cryptocurrency applications.  The addition of smart contracts were a very a powerful extension that came with Ethereum.  Changing from proof-of-work to proof-of-stake may eliminate the crazy wasted compute and associated energy consumption [11].

But, as I’d say with any special-purpose database — from an OLAP server to an XML database to the Hadoop ecosystem:  it’s great at what it’s built for, but why should you use it for something else?  The default answer is you shouldn’t [12].

When it comes to the decentralization argument, enterprises are inherently centralized in power and rely on centralized systems run by a centralized IT department.  Moving enterprises to decentralized internal systems does nothing to change lock-in factors of their products (e.g., network effects that lock you into Facebook).  Nor necessarily does empowering distributed networks with decentralized technologies — see the above-linked proof-of-stake recentralization arguments.  And if blockchain means automatic freedom from intermediaries, why is Coinbase worth $50B again?

I think DAOs are an interesting concept (great primer here), but the blockchain linkage seems contrived [13] — I could make a Dunbar-number-sized group with organic governance rules and run it via in-person meetings, Zoom, Slack, or of course, Discord.  (Arguably, Richard Branson did, many times.)

I don’t know why anyone would pay $10M for a CryptoPunk or $300K for a Bored Ape, but I do understand collectibles:  an ape costs $300K in part for the same reason that a 1943 bronze Lincoln cent costs $1M — scarcity.  I just thought we were going to use the Internet to eliminate scarcity, not artificially create it.

Finally, I think the self-referentiality of this ecosystem is interesting.  If you want to buy a non-fungible token (NFT) of a Bored Ape, you’re going to need to pay in Ether because that’s the currency the price is listed in.  Which in turn increases demand for Ether.  Note interestingly that while you can use Ether to buy an NFT, you can’t use an NFT to buy Ether because NFTs are not fungible, as Alexis Gay says, “in the sense that you couldn’t funge them.”

3.  Disruptors get disrupted.  When I graduated from college, Oracle (founded 1977) was a ~$30M brash upstart challenging the entrenched leader, IBM, who no one ever got fired for selecting.  I watched Oracle aggressively grow to $1B in revenues, flail several times trying to organically expand into applications, give up on building applications and instead acquire them, inexplicably get into hardware with the acquisition of Sun, and eventually plateau at $40B, effectively having become IBM in the process.  As the saying goes, we become our parents.

Salesforce (founded 22 years later) is well into that cycle, going from brash disruptor to organic grower to M&A-driven grower, though they do a better job of preserving the entrepreneurial spirit if not growth (both were growing at ~25% at the $20B mark).

This is an ongoing pattern driven by Clayton Christensen’s cycles of disruptive innovation.  If you watch this cycle long enough, you can see the disruptors get disrupted — e.g. Siebel was disrupted by Salesforce who was disrupted by Zendesk who is being disrupted by Freshworks.  What drives these disruptive cycles:

  • Feature creep, which leads to market overshoot over time.
  • Management changes, as leadership teams drift from a spirit of value creation for customers to value extraction from them.
  • Specialization, as market leaders build breadth with integration of good-enough products, an opportunity is created for great, point solutions (which often later expand to challenge the core product).
  • Technology platform changes, which antiquate previous architectures, allow new solutions to be built more quickly, and enable entirely new classes of applications.

For several reasons, I believe in 2022 we are going to see many disruptors get disrupted.  Why?

  • Change to cloud-native.  First-generation cloud solved a deployment problem; second-generation solves a development problem as well.  When I build new apps, I can rely not just on my previously developed or open source modules, but on live, running services.  Upstarts can stand yet again on the shoulders of giants.
  • Flood of venture capital (VC).  VC is flowing at unprecedented rates driving record funding amounts at both the early company-creation stage (e.g., seed, angel) and the later growth stage as well.
  • High-growth.  The combination of Covid accelerating digital transformation and unprecedented VC financing has accelerated software company growth (aka, the Covid boost).  At the second order, I can’t help but wonder if accelerating the growth cycle hastens the aforementioned process that creates new disruption opportunities.  Software companies become their parents faster.
  • Product-led growth (PLG).  SaaS provided provided both a market disruption opportunity and a total available market (TAM) expansion in each market segment.  While I’ll cover PLG more below, I think it will have a similar effect, providing both a disruption opportunity in existing segments while simultaneously expanding their potential.

4. Venture capital continues to flow.  2018 was the first year since “the OB” (the original bubble) that we again reached 2000-era levels of VC financing.  2019 dipped a bit, but 2020 came back strong, and 2021 looks to be a blockbuster [14].

PitchBook data reveals that while total funding and mega-funding (where the round raises $100M+) are up, deal is count slightly down, meaning average deal sizes are up and consistent with my view that VC today is have or have-not market.  The haves can raise can raise a ton of money and on good terms.  But the have-nots — those who have yet to demonstrate a strong team, product-market fit, or a scalable growth model — cannot, and face a frustrating form of hunger in the land of plenty.

They keys to success in this environment are two:

  • Raise when the raising’s good.  If you can raise money, you (likely) should.  If you can’t, figure out why — dig beyond superficial, “nice” explanations into real reasons, and then go fix them.  Fast.
  • But trigger spending on business signals.  You undoubtedly raised your most recent financing on the back of an aggressive operating plan.  But don’t, don’t, don’t — for example — hire 10 sellers because they’re in the plan:  hire them because the CRO made the last 10 productive and wants to hire 10 more.

One of these years — maybe 2022, maybe thereafter — VC will be in tighter supply.  So raise money in large quantity when you can.  Fear not dilution — you’ll likely be raising at (what are, by historical standards) stratospheric valuations.  Most of all, while you shouldn’t follow my miserly great-aunt Jo’s expense strategy (whose dying words were “don’t spend”), you should spend if, only if, and when it makes good business sense to do so.

5.  The metaverse remains meta.  If you’ve not taken the 10 minutes yet, you should probably look at this Facebook/Meta, rebranding launch video, a well-produced but at times amazingly awkward metaverse concept video.

The metaverse vision has provoked a range of reactions from dystopian nightmare to dead-on-arrival to heated discussions of “reality privilege” and accusations about the new billionaire utopian boondoggle.

It’s also invited a fair bit of parody, my favorite being the Icelandic tourism board’s, Icelandverse.

Back to the metaverse, I find the vision more Oasis-style (Ready Player One) dystopia than utopia.  While I find the idea of reality privilege interesting intellectual banter, no, I don’t think the best solution to humankind’s problems is to hook everyone into an alternative, virtual reality.  Good sci fi?  Yes.  Good reality?  No. Not in the least.

  • Are virtual worlds fun for immersive gaming?  Yes.
  • Do you need virtual (or crypto) currencies in those worlds?  No, they’re just an add-on money-making opportunity like a Starbucks card [15].  You can buy an upgraded weapon in a game today via a regular credit card [16].
  • Do you need virtual museums in which to hang your NFTs?  They’re cool and I guess collectors do like to show off their collectibles, so maybe [17].  That said, CryptoPunks weigh in at a slim 576 pixels so I don’t think you’ll need fancy display capabilities for some NFTs at least.
  • Do you need virtual real-estate within your virtual world?  Second Life had a full economy with Linden dollars and real-estate, so the idea’s not new, but metaverse real-estate is setting records today.  If the key to real estate is location, location, location, that’s not really a constraint in the virtual world.  That said, a key theme of web3 seems to be manufactured scarcity (which generative NFT collections do well) and which ultimately comes down to a simple matter of trust [18].
  • Can augmented reality help business applications, like customer service?  Yes, I think AR has numerous practical enterprise use-cases and, if nothing else, all the VR technology will benefit more pragmatic use-cases in enterprise.

6.   PLG momentum builds.  While I generally have a negative reaction to hype, and I don’t like the either/or nature of the slogan below, I do think PLG is a good idea.

Let me separate PLG into what I see as two pieces:

  • PLG as business strategy, where the business is built around a model in which marketing and community relations drive end-users to try a product, hopefully like it, buy the ability to use it (or use it more fully), tell their colleagues (directly or virally, e.g., through a Calendly invite), and repeat the cycle.  While Slack, Zoom, and Dropbox are frequently-cited examples, a full list might include over 300 companies.  (You can read a great anatomy of them, here.)
  • PLG as as set of product requirements.  I think PLG brings three core, generic product requirements, none of which have frankly been common to previous generations of enterprise software:  build a product that (a) is quick to deliver end-user value, (b) is easy and even fun for the end-user to use, and (c) is built with the company’s revenue growth strategy in mind, e.g., in-built virality and carefully-selected functional and enterprise-level pay gates.

Many of the concepts behind PLG aren’t new.  Open source has always been about building a community of users who love the product, though historically composed of developers and not end-users.  Market-seeding isn’t new, though prior-generation seeders like Crystal Reports did so not through marketing- and community-driven downloads and trials, but channels of distribution [19].  Consumerization of enterprise software isn’t a new idea , but I’d argue that it’s only become real with the advent of PLG.  Velocity sales models aren’t new either, but they’re also a key part of PLG.

Some PLG ideas are new:

  • User-experience (UX) as job #1.  Only when UX became critical to business/sales strategy did it get serious commitment instead of lip service (in the enterprise at least).
  • Growth teams, subordinating functional silos to united teams of marketers, engineers, analysts, and designers working together to drive growth.
  • Digital experience tools, that go beyond useability testing labs to track what users actually do in the software with an eye towards making it better — such as Pendo, Heap, and Amplitude.

While I think it’s serious overstatement to say, “sales- and marketing-led growth is dead; long live product-led growth,” I think it’s equally dangerous to dismiss PLG along with quarter-zip sweaters as the latest VC fad.  PLG brings many good ideas that companies should consider and map to their own business models.  Despite the risk of PLG noise drowning out PLG signal, I believe companies will increasingly and intelligently apply PLG principles in 2022 — and if you’re not thinking about how to do that, you should be.

7.  Year of the privacy vault.  While I’m not an expert in this field, I am learning more, and I see a lot of exciting things happening in information security:

  • Innovations in digital identity from companies like Ory and Presidio Identity [20].
  • Innovations in cloud security and governance from companies like Cyral and Privacera [20].
  • Innovations in enterprise privacy from DataGrail [20].

The emerging and ever-changing nature of information security is a big part of what interests me, because it means that a lot of smart people with interesting ideas are attacking numerous problems from different angles.  While this leaves me in a near-perpetual state of confusion, I’ll repeat what I’ve often said about the metadata space:  anyone who isn’t confused doesn’t really understand the situation (Edward R. Murrow).  In metadata, I feel like I finally do understand the space.  In information security, well, I’m still working at it.

In the past ~25 years, there’s a particular feeling I’ve had only on rare occasion:

I’ve met a lot of great entrepreneurs and worked with a lot of great companies during those years, but only those three times did I have the immediate reaction:

  • This is obvious.  (Well, post facto obvious, once you understood it.)
  • This is huge; everyone needs this.
  • I need to be a part of this.

In Anshu’s case it admittedly took more than one drink for me to understand the idea, but what I liked about it, what made it seem so post facto obvious was this:

  • Enterprises, where possible, should get out of the business of handling sensitive information.  I know it’s not always possible, but if the data is non-core to operations, why not delegate storing it to someone else?  While hospitals need to store medical images, does TurboTax really need to store your social security number to file your taxes once per year?  It’s hard.  Let someone else do it.
  • You can replace sensitive data with tokens.  You don’t need to store someone’s credit score when you can store a token that maps to it and isolate the score to a separate database.  It’s classic indirection.  But it usually means you can’t then do anything with the data — unless you incorporate the ideas in the next two bullets.
  • You actually need an API more often than you need access.  Most of the time you don’t need direct access to sensitive data, you just need to do something with it.  You don’t need to know someone’s credit score; you need to know if you can make them a loan and at what interest rate.  That is, you can pass a token for credit score to a service that returns approval status and approved rate in a loan approval application.
  • You can encrypt data without losing the ability to work with itPolymorphic encryption lets you verify the last four digits or a social security number or return all phone numbers in the same area code without first decrypting the data.  This means you can get utility from encrypted data.  Not being a security person, this idea was entirely new and fairly mind-blowing to me [22].
  • Vaults are an existing design pattern.  Google, Apple, and Netflix have taken a low-trust, tokenized vault approach to handling sensitive information in their internal systems.

We will see if my spider sense was correct a third time.  While my sense is most developed in data and analytics, I love modularization, normalization, and specialization and this play is about all three.  To hear the Skyflow story directly from Anshu himself, watch the video here.

8.  MSDS is the new MBA.  For decades, and often contrary to prevailing fashion, I’ve counseled people to consider getting an MBA during their career journey for any of the following reasons:

  • The knowledge.  MBA coursework is generally useful in business, regardless of the caliber of school you attend.
  • The network.  At a top school, you will likely become part of a great network that will benefit you throughout your career.
  • The career-change opportunity.  The MBA offers a unique chance to switch roles or industries (e.g., from engineering into product, from consumer to enterprise).

Given the time and cost of MBAs, it’s popular these days to say that MBAs aren’t worth the trouble.  Autocomplete confirms these doubts.

While I frequently still recommend MBAs to those who seek my advice, I find myself increasingly asking them:  have you considered a master of science in data science?  Such programs can be done in as little as half the time and at half the cost of an MBA, have numerous online and hybrid options, are offered by many prestigious schools, provide superior analytical training, and offer similar career change opportunity.

While a top-tier MBA will still be de rigeur in investment banking, VC, and management consulting for the foreseeable future, I do believe that mid-career professionals will increasingly evaluate the MBA and the MSDS as alternative means to advance their careers — and that many will take the MSDS route.

9.  Get ready for social impact.  Millennials, and for that matter, many of the rest of us, increasingly demand purpose in our work.  If we’re going to spend 40, 50, or more hours per week working, then we’d like the company to provide both a paycheck and a sense of purpose.  In the workplace, according to a recent Gallup report, millennials want leadership to change its approach:

The sense of purpose, however, goes well beyond the workplace and includes the desire to address societal concerns related to sustainability, capitalism, human rights, and social justice.  While Boomers and Xers were content to Party Like It’s 1999, the next generation wants to focus on the future and solving the world’s largest problems.  Good.

This drives for whom and how they want to work, the products they buy, the brands they value, the vacations they take, the causes they support, the hobbies they pursue, the lifestyles they lead, and the money they invest.  In short, everything.

This era has brought us everything from local organic produce and forks over knives to the 1% Pledge, the B Corp, DEI, impact investing, ESG funds, stakeholder capitalism, carbon offsets, and data rights as human rights.

I think Europe is leading the US on many of these changes so, as per the famous William Gibson quote, I get a glimpse into the future through my work with Balderton Capital which has not only committed itself to a set of sustainable future goals (SFGs), but also recently announced their first annual progress report on them.

ESG momentum will build in 2022.

10.  The rise of causal inference.  For the past decade I’ve told people that data science was the new plastics — in the sense of the famous quote from The Graduate.

While I think that was spot-on, this year I have a new “one word” —  causal inference.  Why?

  • Most of the data science we do today is some sort of classification and regression.  We can group like entities, we can predict into which group a new one will fall.  We can build a mathematical model of an independent variable and make predictions about it based on dependent variables.  It’s cool stuff, but in the end, this is about correlation.  How things move together.
  • Yet, we all know that correlation does not imply causation.  We know that windmill rotation doesn’t make the wind blow [24].  We know that waking up dressed doesn’t cause headaches and that ice cream sales don’t cause drownings [25]. Yet, most businesspeople today forget that when they’re interpreting data.  We say that correlation does not imply causation and then we say stuff like, “all of the customers who churned last quarter filed more than five severity-one cases in the past year!”  [26]
  • The first-generation of data science has given us lots of data and some great modeling tools to interpret data.  The bad news is that we — not data scientists, but regular analysts and business people — are not very good at interpreting it.
  • Where possible, we need to figure not just where variables correlate but what actually causes what.  To do so normally requires an experiment (i.e., a RCT) but sometimes causal questions can be correctly answered using observational data.  The insight about how to do that, by the way, is not trivial — it won the 2021 Nobel Prize in Economics.
  • The big guys are doing it.  A decade ago the hyperscalers had data science teams and typical companies, even large ones, didn’t.  Today, the hyperscalers have causal inference teams and typical companies don’t.  To the extent you believe the big guys are leading indicators of the mainstream, you should believe that determining not just correlation, but causation, is coming soon to a business meeting near you [27].  You can get ready the easy way or the hard way.

If you made it this far, thank you!  Read the links — there’s gold in those hills.  Remember that I write this post in the spirit of fun and to force myself to research interesting topics.  Have a happy, healthy, and Rule of 40 positive 2022.

Peace out / Dave.

# # #


[1]  I did study seismology (i.e., geophysics) after all.  Earthquakes happen.

[2]  As mentioned in last year’s post there are plenty of possible reasons for this including the possibility that the companies are higher quality and/or growing faster — see last year’s post.

[3]  Some might argue growth is top — particularly if you define top as most correlated to revenue multiple.  Based on data as of this writing, the R^2 between EV/NTM-revenue multiple and NTM-revenue-growth is 0.52 vs. 0.24 for NDR.  Play around here for more.

[4]  Reminder that I am an angel investor in and sit on the board of Alation.

[5]  Who are the first-generation cloud EPM vendors

[6]  I am an investor in Planful and Cube, an advisor to OnPlan, and occasionally chat with Mosaic and Pigment, among others.  Hey, I like EPM.

[7]  Louisiana actually has about a 10% smaller population (4.6M) than New Zealand (5.1M)

[8]  Tim’s What is Web 2.0 post is well worth reading both for the history lesson and, more subtly, to beam you back to a time where something was emerging and what it looked like for people to try and understand and describe it.

[9]  Gartner has a blockchain hype cycle (that lists numerous web3 technologies) but not a web3 hype cycle.  Currently, NFTs are at the approximate peak of that cycle.

[10]  Technically, BASE as a database concept didn’t exist at the time.

[11]  Though not without its own problems.

[12]  A repeated pattern in database history — everyone wants to rule the world because it’s a big world to rule.  Most of the time, however — and relational databases are a notable exception — the new database is not a great general-purpose alternative.  The reductio argument here is there should be no general-purpose databases as every purpose is a special one.

[13]  See prior comment about hitchhiking.

[14]  Sources include Statista, PitchBook, CBInsights, and (in one case) my estimates.

[15]  In addition to providing Starbucks with consumer data, they have $1.6B in prepaid value today.  Remember a big part of how Warren Buffet got to be Warren Buffet:  float.

[16]  Yes, I understand that games can force you into their currency by providing rewards in game-units and that you can create a one-way transformation between cash and game-units (i.e., you can buy units with cash, but not cash with units).

[17]  Museums provide access as their core function but also offer security, preservation, and education (e.g., docents) surrounding their works.

[18]  Trust that the promoters will keep their promise about number and trait distribution of works and avoid the tendency to excessively extract value by minting more and/or derivative works (e.g., mutant apes) that potentially undermine the original collection and devalue traits.  Creating scarcity is easy.  Preserving it might well be hard.

[19]  In many cases because, well, the Internet didn’t exist yet.  Microsoft helped to put Crystal Reports on the map by distributing it with Visual Studio.

[20]   Disclaimers:  I’m an advisor to Presidio Identity.  Ory is a Balderton portfolio company.  I’m an advisor to and investor in Cyral.  I have done some consulting with Privacera. I am an investor in DataGrail.

[21]  Which quite happily I made.

[22]  Read up on fully homomorphic encryption which enables you to perform calculations on data without first decrypting it.  While fully homomorphic encryption is prohibitively computationally expensive, another key Skyflow insight was that many “numbers” aren’t fully treated as numbers in practice — e.g., you might verify the last 4 digits of an SSN but you’re never going to multiply two of them.

[23]  The SFGs linked come from Balderton Capital where I work part-time as an EIR.

[24]  Reverse causation.

[25]  The third-cause fallacy.  Going to bed drunk increases both waking up dressed and having a headache.  Warm weather increases both swimming rates (which increase drownings) and ice cream sales.

[26]  They also all had, e.g., brown-eyed CIOs, more than $500M in revenues, and parking lots with more than 200 spaces.

[27]  Irony alert, I’m making a correlation-based argument here!

Why I’m Advising Cyral

When I sign up to advise a company, I’ll often do a post to let readers know and discuss the reasons why I like the company.  This post is about Cyral, a cloud data security company I’m advising that I’ve been talking with for over a year.

Earlier this year, Cyral announced an $11M series A led by Redpoint, Costanoa, and others.  That was on top of a $4.1M in angel seed financing, bringing the total invested capital to $15.1M.


Cyral does cloud data security.  I indirectly referred to the company in my 2020 Predictions post, where I talked about a new, data-layer approach to security.  Cyral acts as a database proxy on top of every data endpoint in your data layer, watching all the traffic, figuring out (via machine-learning) what is normal, detecting what is not, and either alerting or stopping threats in real-time as they occur.

I remember when I first met co-founder Manav Mital at Peet’s Coffee to discuss the company.  He was surprised that I actually understood a thing or two about databases [1], which was fun. During the meeting a light-bulb went off in my head:  why were data breaches always measured megarows or terarows (hundreds of millions to billions of rows) as opposed say rows or kilorows?  Can’t we stop these things while they’re going down?

I initially viewed Cyral as a next-generation data loss prevention (DLP) company because I thought DLP was about stopping security problems in real-time.  But DLP was more about content than data, more about classification than anomaly detection, and more about business rules than machine learning.  DLP could do things like detect email attachments that contained source code and intercept an outbound email with such an attachment.  It had nothing to do with monitoring traffic to the data endpoints in a company’s both on-premise and (increasingly) cloud data layer, providing visibility into activity, fine-grained data access control, and real-time protection against data exfiltration.  That’s Cyral.

Here are some of the reasons I decided to work with the company.

  • Manav is not only a great guy and (a fellow) member of the illustrious Aster Data mafia [2], he is a second-time entrepreneur, having co-founded Instart Logic, which raised $140M from a top set of investors and built a strong business before eventually hitting hard times in the highly competitive CDN space, ultimately being acquired by Akamai.  It’s great to work with Manav because he has the wisdom from both his successes and his failures on his nearly decade-long journey at Instart.


  • I think security is a race without a finish line and thus a great and growing market space.  In addition to data-layer anomaly detection, Cyral provides fine-grained access control in a world where too many applications defeat security using shared data-layer logins.  Cyral can distinguish different users even if they’re coming into the database through the same username/password.  What’s more, Cyral provides more than just security, it provides insight by giving you visibility into who’s doing what.


  • New cloud data endpoints from Snowflake to Redshift to Kafka introduce complexity that breaks traditional approaches to security.  The old approach to security was largely about building a strong perimeter.  In a hybrid cloud world, that mixes traditional and cloud data sources, there is no perimeter to defend.  The perimeter is dead, long live data-layer security!


When talent meets opportunity, great things can happen.

# # #


[1] Having worked in technical support at Ingres (RDBMS), as VP of Marketing at Versant (ODBMS), as CMO at BusinessObjects (a BI tool, but with an embedded micro-multidimensional DBMS), as CEO at MarkLogic (XML DBMS), as board member at Aster Data (SQL/MapReduce DBMS), advisor to MongoDB (document-oriented DBMS),  and as CEO of Host Analytics (which included a multidimensional modeling engine) well, heck, you think I might have picked something up.

[2] Aster Data was an amazing well of entrepreneurship and the success of its mafia is an untold story in Silicon Valley.  A large number of companies, some of them amazingly successful, were founded by Aster Data alumni including:  ActionIQ, Arcadia Data, ClearStory, Cohesity, DataHero, Imanis Data, Instart Logic, Level-Up Analytics, Moveworks, Nutanix, The Data Team, ThoughtSpot, and WorkSpan.