Why Corporate Boards Need Cybersecurity Experts

Karen Wendel July 12, 2017

“War is too serious a matter to entrust to military men.”

Georges Benjamin Clemenceau, French Prime Minister, 1906-1909, 1917-1920

On October 21, 2016, millions of users were impacted by the largest ever Distributed Denial of Service (DDoS) attack. Users were unceremoniously booted off their favorite websites, including PayPal, Twitter, Amazon and CNN. Hundreds of private enterprises found themselves shut off from core business flows, with email and chat services suddenly unavailable. Payment and ecommerce sites slowed to a crawl and, in some instances, stopped altogether. More painful, however, were the ransomware attacks that followed in the aftermath, as cybercriminals held data and access hostage. The cybercriminals, many of whom were not involved in the original attack, leveraged control that was harvested from systems exposed during the DDoS process as IT administrators tried desperately to restore normal operations for their employers.

Why does this matter? Isn’t this just another example of the type of thing the IT department should address?

The answer is a resounding no. To paraphrase Georges Clemenceau, ‘Technology is too important to be left just to the technologists’. The world has moved into a next phase where everything is literally connected and interconnected. Making certain one has the right firewalls installed is no longer enough.

Yet when asked, the clear majority of PE firms will say that their priorities when looking to create and drive value in their portfolio are centered around expertise in operational efficiencies or sales effectiveness. They will go so far as to say that they do not even have a CIO or CTO in their portfolio firms. When hiring operating partners, they hire for operational or sales skills. The net impact is a compounding one: the PE firms do not hire the expertise to drive to the right questions at either the C-suite or Board level, and then they fail to hire the expertise within the companies themselves. In the end, a single attack or series of hacks can not only damage the companies, but can destroy value at an exponential or logarithmic rate.

A straightforward and simple approach to address this? Hire an operating partner with cybersecurity expertise.

The goals of this operating partner would focus on both strategic and operational issues. This individual would undertake tasks such as those outlined below:

Establish an overarching portfolio view of cybersecurity as something more than just a technology issue; educating and informing the deal and operating partners regarding the strategic implications of cybersecurity at a company and portfolio level.

For example, if a firm has a large percentage of portfolio companies dependent on electronic commerce where large amounts of personal identifiable information is being held, the firm may consider working with a single consolidated cloud or processor partner that could store such data outside the companies themselves, removing a significant cybersecurity threat at a company and portfolio level.

Review the cybersecurity status of each portfolio company, using the cybersecurity maturity model developed by NIST.

Review the PE firm’s own cybersecurity status using the same maturity model.

Hold training sessions with each portfolio company Board on a quarterly basis, including working with the Board Audit Committee to ensure a strategic view of cybersecurity (e.g. why is certain data being stored, why is data being kept for specific periods of time, who are the strategic partners and how does the company interface with them).

Leverage an overarching cybersecurity strategy framework for the company that weaves the necessary concepts into the basic structure of the company, not as an adjunct.

Provide updates to the PE firm’s operating partners regarding emerging threats.

Share information and learnings around cybersecurity, both positive and negative, from the portfolio companies and similar industry players.

Participate in due diligence activities for prospective deals.

Identify potential deal flow related to cybersecurity and adjacent spaces.

Skeptical individuals may say that these capabilities could be acquired from an outside provider, whether a major accounting firm like EY or PwC, or a specialized provider like Rapid7 or Mitnick. The challenge associated with such firms is that their approaches are almost always technology-centric, with a focus on the same core set of issues around vulnerabilities and risks rather than a strategic line of questioning more suited to C-suite and Board level conversations. By engaging an internal operating partner with responsibility for driving and creating value while also protecting value, a firm can more tightly control the information flows regarding its portfolio. It can also build an internal information base regarding cybersecurity that can be used as a competitive weapon in the value creation process.

Candidates for such a role would be individuals outside the normal technology group. Typical CIO, CTO, and CISO candidates tend, simply due to the nature of their work and roles, to be very siloed, with a heavy reliance on pure technology solutions as opposed to governance and strategic discussion. The ideal candidates for such a role would be executives that had run businesses in the cybersecurity space and had been successful in driving the strategic dialogue at their own or customer firms.

The value of such expertise will only increase as the level of cybercrime and cyberwarfare increases. Relying on external resources, which are increasingly scarce, will place firms in difficult positions and increase the cost of hiring external players. Establishing a structure within the firm where that resource resides internally and the knowledge can be captured, acted upon, and shared, will be valuable to LPs, the firm and its portfolio.
