ICONIQ’s Murali Joshi: Driving Visibility and Deeper Connectivity in the Automated, Modern Security Stack
Thesis BriefsMurali JoshiICONIQ CapitalCybersecurityWorkflow AutomationConnectivity ToolsEVC List 2022

Terra Nova Insights Team,

ICONIQ’s Murali Joshi: Driving Visibility and Deeper Connectivity in the Automated, Modern Security Stack



The convergence of three trends - bloating enterprise security budgets, proliferating attack vectors and security software providers, and exploding automation tool sets in response to shrinking SecOps head counts - have resulted in an excessively costly and siloed security stack. Murali Joshi, principal at ICONIQ Growth, examines the growing realization, amongst CISO’s, CTO’s, CIO’s and CFO’s alike, that the future cybersecurity stack must offer seamless connectivity and granular visibility in order to be automated effectively. While these connective tools will improve compliance and security workflow automation, the exact catalyzers are unclear.


Why is security visibility and connectivity such an important category moving forward?

  • Enterprise budget for cybersecurity has proven resilient in this current, challenging macroclimate, birthing numerous software platforms that address the wide range of attack vectors. “We’ve seen resiliency and even minor expansions of growth within cybersecurity,” says Joshi. The magnitude of this trend was accelerated by the pandemic. “A ‘best-of’ stack has emerged to tackle points within each attack vector, including several category-defining companies we’ve been fortunate to partner with at ICONIQ Growth,” he says.
    • Subsequently, security workflow automation tools have emerged to fill the productivity gaps amongst security operations centers. “The shrinkage of security talent - able to do more than Level 1 or Level 2 tasks - has resulted in most security operations centers looking to automate as many workflows as possible,” he says.
  • These trends have resulted in a landscape of siloed security solutions that lack interconnectivity and result in bloated, overlapped spending. In addition to different points of automation, there will be a prevalent need to connect siloed security architecture and improve interaction from both a cost saving and optimization perspective. “I believe that there's going to be a prevalent need to manage the spending and navigate between disparate silos of the software stack alongside the automation of all these security tools.”

What are the business models that might be attached to this category?

  • Compliance automation companies that streamline workflows. Compliance automation is a particular pain point as it typically takes anywhere from 12-18 months to become software complaint, “Being able to navigate that workflow in a matter of weeks or months is really powerful as it reduces so much of the associated costs and energy and empowers to more effective and scalable and to develop consumer trust,” says Joshi.
  • Connective tools that improve real-time visibility and reporting across the stack of cyber and IT assets, possibly via a ‘single-pane’ dashboard view. “These tools streamline the processes and reduce the time spent by knowledge workers on building queries,” he says. Going deeper, we could see the birth of a generation of security observability tools that parallel what data observability has done for the cloud. “These tools could consolidate and manage feeds from the SIEM, EDR, CSPM, and wherever else is needed to provide a holistic security worldview. Everyone claims to offer different pockets of visibility, but it’s really painful to keep logging in to all these different tools.”

What are some of the potential roadblocks?

  • Various security tools - which cater to different audiences - are championed and owned by different teams across the security stack, complicating clarity and decision making around congregational solutions. “Some cloud security platforms, for example, catered towards the CISO, as opposed to the security practitioner or network architect. On the flip side of that, you have tools that are widely adopted by developers or DevSecOps teams,” says Joshi.
  • While multiple trends are indicating the eventual need for connective visibility, the catalyst that will drive real adoption is unknown. “The reality is that no one's forcing any of the security organizations to consolidate around adding data flows or supporting interconnectivity. They can operate, and probably will operate for the near term, as different silos. The catalyst, the ‘why now,’ that will drive interconnectivity is unanswered,” he says.


saidbyblock~ in a Zoom Interview
Murali Joshi

I spend most of my time in enterprise software, particularly around cybersecurity and infrastructure. I work closely with companies in similar peripheries within the cybersecurity ecosystem.

We've invested in a lot of different parts of what I believe is the modern security stack. This includes the identity space, endpoint detection, compliance automation, cloud workflow and protection, zero-trust security, cyber IT asset management, and more.

Going a layer deeper, from a thesis standpoint, there are two themes, or core pillars, within cybersecurity that I’m most excited about.

The first is what I believe is developer-centric, software value chain security. This involves recognizing that stack for the CI/CD workflows and ensures that there is a full level of visibility and access into the code and products that are being pushed.

The second is security automation. Automation has always been a core pillar in a lot of companies and a lot of businesses, especially in environments that are more constrained by the macro economy, so what we’re looking for specifically are more ways to automate security workflows. We are starting to see a proliferation of a security stack, as CISOs demand more and more attention and focus in terms of technology, budget and security. There's a lot of opportunities to automate and reduce cost and focus on that.


Q: In regards to the source of decision pressure for adoption, who are the most likely candidates?

A: "I think the pressure will come from people recognizing that their security spending has become meaningfully bloated. And they recognize that there's an overlap between many security tooms. The question is - even if you have the ‘best-of’ across every different kind of attack vector - will these platform companies provide similar use cases across additional attack vectors.

As a result, if you're a CISO, CTO, or CIO, you recognize that you can solve different problems in a more consolidated and effective way. Those solutions, longer term, might win. That would probably increase the impetus to truly think about creating more automation in these workflows, reducing the cost, maintaining better visibility, and most importantly, connecting different systems to eliminate isolated alerts and responses as much as possible."

Q: How does incumbent pressure affect this market?

A: "While there are certainly multi-product, multi-category tech conglomerates on the public side that do really well in terms of innovating and growing, a lot of people have realized that there’s a lot of cake left uneaten by public companies with scaled business that aren’t doing things effectively. I think there's a pretty real opportunity to find innovation in those under addressed areas."

Q: On a broad level, what new technologies are in play and enabling more effective automation tools.

A: "When people think of automation and security, they often think of the Security Orchestration Automation and Response/Remediation (SOAR) category, many of these solutions were acquired by large security public companies. Over the last couple of years, a new generation of automation vendors have become more effective at creating tools that focus on addressing incidents, streamlining compliance, reducing alert fatigue, remediating low-level vulnerabilities and more as they arise.

Going a step further, automation is addressing many of these challenges, but it itself is requiring broader and deeper proactive visibility around system interactivity, which isn’t typically the case today. A lot of security orchestration tools were more focused on how to navigate things like the ticketing and more painful workflows through that, and I think there's something to be said about even just having data connectivity between different security platforms and systems. The pace of innovation for what that looks like right now is still a big question mark, but it's an area that I'm most excited about over the next five years."


Underlying homogeneity across security stack vectors could indicate future consolidation when security is a lower priority for enterprises. “In general, many of these tools claim that they are doing lots of research about different vulnerabilities and scanning these tools, but, at the core, a lot of these use cases are pretty similar. The big differentiator is, oftentimes, just the vector or surface area that they protect or respond to. The bigger question is whether we will see convergence and overlap for security platforms,” says Joshi. Typically, there are long-term cycles of consolidation for security. In five years, what was once a wide and disparate stack could be much more narrow.

The 2022 EVC List honors the top 50 rising starts in venture capital. Terra Nova’s Thesis Brief series showcases each investor’s insights and category expertise.

Related Posts

Costanoa's John Cowgill: Overlooked Bets On AI in the Enterprise

Costanoa's John Cowgill: Overlooked Bets On AI in the Enterprise

John Cowgill, Partner at Costanoa Ventures, points to some of the more overlooked and contrarian business models within this closely watched ecosystem. As the space matures, competition between emerging companies and quick-to-adopt incumbents will determine the winners...