This interview is part of our Infra Angel Spotlight series where we showcase some of the best angel investors in the infrastructure IT and cyber-security space and how they help founders build the next generation of modern software companies.
Dan Nguyen-Huu spoke to Michael Sutton, founder of Stonemill Ventures and former Zscaler CISO. Michael has a long 20+ year history in cybersecurity and has invested in startups such as Orca, runZero, Greynoise, and FleetDM.
Michael shared with us his experience of working in startups then pivoting to working as an angel investor.
I’ve always been into computers, ever since I was a kid. I grew up in a time when having a PC was not the norm. In fact, my family had one of the first Commodore 64s as my dad was into tech. No one thought the purchase was a good idea except for him – and me, of course. I latched on to it right away. Early on, I was entirely self-taught. I got into hacking because my goal was always to get free software and break licenses… that was my first foray into cybersecurity, though I didn’t realize it at the time.
When I got to college, I majored in accounting and became a CPA because I figured I knew about computers already. Ultimately, accounting wasn’t the right path for me. However, I’m glad I got that education because I learned a lot about business and finance, which has ultimately helped me in the investment world.
I pivoted within my accounting firm to start working in their IT audit department, which was a much better fit for me. After several years in IT, I then decided to get into startups. I found a job at a company called iDefense, which was a startup working in the threat intelligence space in the Washington, D.C. area. That gig was my first foray into the startup world.
I’ve always loved working at startups!
In fact, I was at a few startups that got acquired by big companies. My first company, iDefense, was acquired by Verisign. My second, SPI Dynamics, was acquired by HP. After those acquisitions, I’d stay around for a little while but ultimately found that working for the bigger corporations wasn’t for me. I much preferred the chaos of a startup – I liked wearing different hats and found the excitement inspiring.
The third startup I worked for was Zscaler. I was one of the early engineers and spent 10 years at the company, helping to grow it into a multi-billion-dollar company and working through an IPO. I held roles as both Vice President of Research and CISO. In that instance, I was there from inception to IPO, so I saw and learned a lot along the journey.
Funnily enough, I assumed I’d start my own company after Zscaler’s IPO. I even had a list of ideas that I would periodically pitch to friends. Along the way, I’d often meet people who were already pursuing the ideas I had. More often than not, I’d get to know the person and decide that I’d actually rather back that person than compete with them. This is what kicked off my interest in investing.
I had the idea that investing was the right path for me because I liked building things. I saw that working as an investor and advisor would allow me to work with multiple people at multiple companies.
About six months after the IPO, I stepped down after ensuring the company would have a soft landing and that I wasn’t putting the company at risk by leaving. From there, I went headfirst into investing. I’d love to say I knew what I was doing, but I didn’t. I had no idea but dove in and figured it out as I went.
I am fairly narrowly focused, although I’ve broadened over time. When I started investing, I invested exclusively in cybersecurity. Some thought my focus was too narrow, but I felt strongly that cybersecurity was what I knew. It was a superpower – I have lived and breathed cybersecurity for 20+ years, have great connections in the space, and was comfortable analyzing the technologies.
Cybersecurity is pretty broad, and the field is still in its infancy in many ways. I have made 35+ investments and I’m not worried about running out of opportunities anytime soon.
Over time I have broadened a bit. I now describe what I invest in as “cyber plus,” meaning I invest in cyber and cyber-adjacent technologies. These are often AI or DevSecOps companies that have cyber as an element but wouldn’t necessarily describe themselves as cybersecurity companies.
There are certain types of founders I’m attracted to. They are technical founders that have vision and passion. Their idea keeps them up at night and they feel strongly that they just have to pursue it. This is a person who is going to quit their day job and go all in.
I always say I need the hacker and the hustler. The hacker is a technical visionary, typically a CTO, but not always. And my hustler is the business person, typically the CEO, but again, not always. But it's not black and white either. I'm okay with two hackers that can evolve into hustlers or are humble enough to know that they need help and they're going to bring somebody in at the right time.
What isn't a right fit for me would be two hustlers and no hacker. It’s not a good fit for me to work with a team who wants to find a CTO to manage the technical aspects. No, I need that technical visionary, that person who knows what they want to do and just has to do it.
I like working with teams in the early seed stages when they’re trying to put everything together. I don’t necessarily have all the answers, but I try to point them in the right direction whenever they come to me with questions.
Ultimately, I can add a lot of value on the fundraising side. It inspires me to help founders put together their next rounds. I love it when I meet a founder, love what they’re doing, and can help them find the right lead investor and team that can help them reach their goals. I’m a big proponent of what I call “founder operator angels,” especially in the pre-seed and seed stages where it’s a first-time founder who hasn’t done this before. I love to bring in angels who bring a lot more to the table than just the check. These are people who have walked a mile in that founder’s shoes and can give a lot of support.
One area that maybe isn’t as obvious but that I am spending more time in is MSP security tools. Specifically, I am interested in how to sell security in the SMB space. Surprisingly, I have really done a full 180 on this thesis. Five years ago, if you talked to me about some company that was building security for the SMB market, I would’ve said, nope, not interested, go away. Small businesses, they don’t have the resources, they don’t understand it, they don’t have the budget, they just don’t care. One of my earlier investments, Huntress, which is an endpoint security play, really changed my mind on that. I don’t think anyone would argue that Huntress is necessarily succeeding because they built a better technology than enterprise tools like, say, CrowdStrike or SentinelOne or something like that, but what they did that was so brilliant is they were laser-beam focused on that SMB market, selling through the MSP channel and not doing direct sales.
The security stack for an SMB is not going to be the same as the security stack for a Fortune 500 company. They’re not going to have the same depth, the same number of layers, but they need all the same core facets. They need endpoint security, they need network security, they need workflow, they need all of these things. So one part of my thesis is to figure out what all those different parts are that the SMB market needs that can be sold through the MSP channel.