The financial entrepreneur Carsten Maschmeyer invests, among other things, in start-ups that offer software programs for more cybersecurity. In the interview, he explains what is important, in his eyes, for IT startups and what role digitalization plays.
There are already many (established) cybersecurity providers. So, why is cybersecurity / risk management and GDPR such a promising field both for investors and startups?
Maschmeyer: Nothing stands still when it comes to cybersecurity, regulation and risk management! The fact that they are constantly changing is what makes them such exciting issues. Just take a look at the entire technology landscape and how it has changed over the last few years. This change has led to many regulatory and security-related challenges and for which solutions are required. One example of this is the GDPR. A quick glance at many websites of German DAX companies suffices to demonstrate the risk of penalties because companies are not implementing the GDPR. And it is specifically in this area where our investment in Usercentrics is helping companies avoid such infringements. This issue alone shows how important, topical and interesting the issues of cybersecurity and regtech are.
You have invested in the startups Alyne and Usercentrics amongst others. What was the deciding factor behind these investment decisions?
Maschmeyer: These are two genuine startup highlights! Alyne is a provider of governance, risk & compliance software and Usercentrics is a consent management platform and they both offer ex-cellent solutions for those security risks which arise due to data usage. And both companies are market leaders in their respective growth markets. And just as important are the people behind them because also for me the founders themselves are always the reasons to invest. The founders and CEOs of Alyne and Usercentrics, Karl Viertel and Mischa Rürup, come from the respective sectors and are true professionals in cybersecurity & regtech. Germany is a hub for these issues throughout Europe. Therefore it is a perfect breeding ground for good investments.
What do you look out for in general when you are dealing with cybersecurity / risk management / GDPR startups? Do you have a special method you use to assess the potential of a cybersecurity business idea?
Maschmeyer: There are three methods – need, verification and inspection. Specifically this means that there must initially be a security gap which presents an ongoing threat for the company and which is not going to disappear any time soon. This problem must then be verified with the companies before it is aligned with our market and product theses. One good example of this is the GDPR where users can gain control of the usage of their data on the internet. Through the many types of hacks or lately through Cambridge Analytica, as users we have become aware how important this control is. Therefore GDPR will endure for the long-term and will fundamentally change the market for analytics.
In your view what are the most important aspects for a good business idea in the field of cybersecurity to also become a successful company – specifically unlike other startups?
Maschmeyer: In real estate the success-criteria is: location, location, location. In startups it is: team, team, team. Therefore, the founder team is always crucial for every startup. To ensure their success they should possess different abilities and skills as this is the only way they can complement each other. And they should not economize on staff members! Because they need and rely on them! Of course there is also the question of the product itself. In the cybersecurity industry it is not important for a solution to look cool or have a chic front-end. Much more crucial is whether it really offers the customer a benefit and an advantage. Otherwise it won't sell. Therefore strong and experienced founders who can also convey these benefits clearly to the customers are all the more important.
Sales are your hobbyhorse. How should cybersecurity startups approach the issue of sales in your opinion?
Maschmeyer: I always say: “Sales are the second founding step”. When the product is ready a startup must concentrate totally on sales. The most important aspect here are people. I advise eve-ry startup to employ good sales people. I then often hear “We can't afford good sales people”. I then answer ironically: “Then try it with bad sales people!” Specifically in sales roles people must be empathetic and have good communications skills. And because we are talking here about issues that require explanations, sales people must also have the technical knowledge and have a good understanding of the subject.
At Command Control startups will have the opportunity to pitch their business ideas to the attendees and to an expert jury. In your experience what is the most important aspect to consider in such pitches to the public? What specific tips do you have, bearing in mind that these pitches will not only be seen by investors but also by potential new customers?
Maschmeyer: I view a pitch as good if, as an investor, I wake up on the following day, recall the presentation and want to meet the founders again. This not only applies to investors, but also to new customers. A pitch must therefore generate excitement and conviction when transmitting the idea or the product and must create a desire for more! It must also be explained in such a way that I immediately understand what it's about. As an investor the founders must convince me they are doers and have staked all their passion and energy into the startup and their idea. And I need to have the confidence that they will also persevere when times get tough.
As an international cross-sector Summit, alongside the pitch sessions Command Control is also offering startups further opportunities to present themselves and forge new contacts (stands in the startup area, matchmaking options, etc.). How can startups take the best advantage of their participation in the event?
Maschmeyer: By networking! Because “without networking it´s not working!” Every time you have sector-relevant discussions or seek out conversations with potential customers, this is always a learning experience.
How do you assess the quality of the German cybersecurity startup sector in an international comparison?
Maschmeyer: Very good! In Germany we have an excellent environment for startups from the cybersecurity sector. Our technical universities are instrumental in promoting new developments. The Munich Security Conference also demonstrates the significance of Germany as a security market as does the Cybersecurity-Hub in Bochum that has long been attracting positive attention with its strong spin-offs. We must therefore trust ourselves. However, I would like to see the security authorities become more involved in the startup environment. The Bundeswehr has taken an initial step in this regard and others should follow.
Now a change of perspective towards startups in general. What role does GDPR compliance and its verification play for digital-focused startups?
Maschmeyer: This is very important, yet this is not always the case, either in startups or in large companies. Infringements committed often do not incur verifiable damages. However, there are also some cases such as the 1&1 example in which the authorities take drastic measures and impose heavy penalties. It is also clear that the more often such cases arise, the faster this issue will increase in importance. I’ll say this once again: Most German DAX companies are not GDPR-compliant according to the ECJ judgment.
And last but not least. In another interview you advised never to invest in startups which are dependent on political regulation. How do you see the situation for startups which focus on GDPR-related applications against this backdrop?
If a startup today has a business model that is dependent on political regulation, then the issue must not be too small-minded and regionally limited or immediately implode due to individual clauses. This is not the case with the GDPR because people want to regain control of their data – and in fact worldwide. Therefore I see this issue as a good starting point for this business model.