S2 E26: Risk and Data Stewardship Throughout the Business Life Cycle

Also be sure to listen to the Data Stewardship for Venture Capital and Private Equity Firms episode.

Transcript

Jordan Eisner: So welcome to Compliance Pointers, where we talk about information security, data privacy, regulatory compliance, and all things, I think, in the spirit of today’s podcast, data stewardship. And this is a continuation of our series on venture capital and private equity organizations, and so the life cycle of those.

And we’re here again with Greg Sparrow, our President. I’m here again. I’m Jordan Eisner, for those of you who are not regular listeners to the Compliance Pointers podcast.

So Greg is our president. He has a plethora of experience in managing businesses, and entrepreneurship, but also, as we mentioned in a previous podcast in this series, technical expertise, software development, kind of fell into PCI, information security, cybersecurity, and had a long track record in that, and so continues to work in that, but from a higher level. And so he’s very, I think, in touch with the marketplace when it comes to VC and PE, watches that closely.

And then we, as a business CompliancePoint, have worked with lots of organizations in that realm on data security, data privacy, and all things data stewardship.

So last time we met, we talked at a high level, really, about that space, current market conditions, what’s going on with that. We talked high-level data lifecycle. We talked about what data stewardship means in that realm, and it might make sense to even revisit that definition just at the start of this. But really what we want to focus on today is what we think, or Greg, what you think organizations should do first from a data stewardship standpoint, right?

When they’re looking at the whole life cycle of things, and we’re going to try and come back to at the end of this podcast, how that can help maximize EV, right, and reduce external friction at the exit stage.

So that was a long introduction. You know, kind of a segue into this and a return to the series. What else would you add, I guess, into what we want to get into today, and then into answering, I think, that initial starting question of where we should start?

Greg Sparrow: First, thank you, Jordan, for the intro and for the invite on the show, as well as being willing to have me come back for part two. I do appreciate that.

So yeah, so I mean, as far as how you prioritize things across the lifecycle and what does data stewardship really mean, we talked about data stewardship in the last podcast. In essence, we’ve really built expertise, and we think there are three core pillars to data stewardship for an organization, and we focus on areas around data privacy, data security, and then regulatory compliance.

Those are really the three fundamental pillars as we see them for implementing good data stewardship for an organization. Where should you really get started with data stewardship, or what does that look like across the life cycle, as you asked?

I think certainly that depends on maturity. So we try and look at it. Really, we work with a lot of different organizations. We’ve talked about we work with everything from startups to mid-size companies to even some of the Fortune brands. So I think a lot of it really depends on the maturity of the organization. For this particular focus, I think we really would bake that into the startup life cycle.

So really, what do you use or how do you prioritize things from really the very early seed stages to growing that out into your early stages, to scaling out into growth, right, long-term expansion, and even final exit.

So in general, I think the point is you have to really look at identifying risk very early on. And in a seed stage startup, that really means what is it that is going to turn the lights off for you? I think we, as an organization, try and be very practical and pragmatic in how we look at maturing a business across those three buckets.

And when you’re starting up, you’re not worried about long-term regulatory risk, right, or even maximizing enterprise value on an exit, right? You’re really looking at, okay, how do we find a customer base? How do we get to a minimum viable product? And then what risks do we have as an organization that basically are going to kill us, right?

And so organizationally, what we’re trying to do really is look at where you play in the marketplace. What types of data do you have? How are you engaging the marketplace? What does your downstream third-party vendor network look like? And really bake into a couple of key areas to basically say, here are the main critical risks as an organization that you really need to be addressing as you get out of that early seed stage, right?

So that is probably the first part of that.

Jordan Eisner: If you’re thinking about risks at all, right? Obviously, in early seed is going to be thinking about risk, but it’s more so is this a viable product? Is this a viable business in the marketplace going to be receptive or going to have success?

And so I see you’re closely tying data risk with those early kind of rudimentary risks too when you’re talking about what keeps the lights on. Okay, if we do accomplish those things, then this is the next sort of risk that needs to come into my mind probably as a startup is, okay, it’s working. We’re gaining some traction. Now what sort of external risks, right? Do we need to start building fences around?

Greg Sparrow: Yeah, and in those three buckets that we talked about, I think really most fundamentally what organizations in that stage should be concerned about are the cyber risk, right? A large cyber event as a startup is going to be one of the most detrimental things you can face organizationally as far as trying to gain traction in the marketplace against your competition, gaining new customers. Those are really, to me, the main things you’re trying to avoid.

There are risks and these are other areas that we talk about, but as a small company, the reality is that those are less impactful and less likely to happen versus the cyber threat.

Jordan Eisner: This is maybe putting you on the spot a little bit, but if you see situations, right, early startup organizations where a cyber incident has turned the lights off, right?

Greg Sparrow: I think you certainly see it, I would say you definitely see it impact larger scale organizations. Yes, there are scenarios where you’ve had breaches that have occurred that have basically killed a product before it really was viable in the marketplace. There are absolutely examples out there in the marketplace where having a breach, losing faith, ruining the brand equity that’s out there absolutely tanks the company for sure.

Jordan Eisner: Okay. Cyber security, I think that makes sense, securing customers’ data, avoiding cyber incidents. What about after that?

Greg Sparrow: What I would say on the cyber side of things, I think it’s really very fundamental pieces, right? How do you literally secure data in transit, secure it in rest? How do you put proactive or detective controls in place to identify when malicious behavior is occurring within the environment? Just very fundamental bootstrapping pieces.

From there, I think you’ve got to start to build out a framework, right? Once you move past the very fundamentals, you’ve got a viable product, you’re scaling in the marketplace, you’re gaining customers, you’ve got to start to think about what types of frameworks do I want to put in place to standardize your efforts around things like data security? Typically, there’s a lot of different information security frameworks out there, right?

You can pick your standard, it doesn’t really matter in the industry. I think it somewhat matters based on the markets you serve. For example, if you’re a US-based organization selling into a US marketplace, there are many standards like NIST in the 800 series that are perfectly fine to deploy as a framework for information security.

If you’re selling internationally and you have a more international presence, your ISO standards, your 27000 series, all of those are great frameworks. At the end of the day, they really have the same goals and it is really they all rhyme as far as what they’re trying to achieve or how they approach things. It’s just a different acronym for a different day.

Jordan Eisner: Right, which is risk management.

Greg Sparrow: Yes, exactly.

Jordan Eisner: It could be two birds, one stone with some of those because at least in my experience, a lot of the organizations I’ve worked with do those ISO, HITRUST, SOC 2 because somebody is asking them to. As they swim upstream right in their marketplace, those become requirements kind of table stakes.

But what you’re talking about here is seen beyond that and seeing that as something instrumental in the maturity of their business and not just a badge to get more business. Yes, that’s a nice consequence, but looking at that organizationally and buying into that and how that’s improving risk management, data stewardship, right?

Greg Sparrow: I think it’s largely what I would call like a defensive play, right? You’re trying to defend the brand. You’re trying to defend against a major event, bad press, for example, those kind of catastrophic events that occur early on, especially if you’re a small business, those are hard to recover from as we already talked about. I think it is about reducing friction though overall. I think that’s where as you scale, so kind of moving past that startup stage in the life cycle as you begin to scale out, I think the next makes sense approach is really how do you formalize your information security program in a way that reduces friction in the buying cycle?

Trying to not just reduce the risk across the board to the brand, but how do you help to facilitate the buyer actually buying your product or service, particularly in the B2B space, right? This becomes very important for vendor vetting processes and things like that.

Making sure you’ve got the right program in place and that’s where things like frameworks can help to reduce that friction in that buying cycle so that you’re speaking a common language about how you look at security and how you manage that security internally.

Within that, I would say, once you are at scale, you’re really growing the organization. I think the point is to not just have internal validation of your security efforts through something like a framework, but then shifting gears and thinking about to continue to reduce that friction in the marketplace, how do you implement something that is external validation around what you’ve put together?

Depending on the industry, there’s a lot of different security certifications you can achieve. There’s things like HITRUST in the healthcare industry. There’s ISO standards that we’ve already talked about that actually are certifiable standards.

I guess that is a little bit of a different piece between things like NIST in the United States and ISO. They are both frameworks, but I guess the difference there is that ISO oftentimes is a certifiable framework, meaning you can have third-party attestation around it, whereas something like NIST, HIPAA, those are regulatory frameworks that are done at the federal level and don’t have a formal certification associated with them. At least, it’s not recognized by the federal government. There currently are people that will offer reports on compliance and things like that, but there’s no official certification to that.

But SOC 2 is another example that’s done oftentimes in the CPA world that speaks to how you’ve implemented your security program. The idea is really just that you’re taking that common language that’s established by the frameworks and you’re having some third-party attest to it so that when you go to have these conversations and you’re being vetted as a vendor in that B2B space in particular, that you can reduce the amount of friction on a deal, that you have some document that says, hey, look, this is how we deal with information security, ideally avoiding a lot of the information security questionnaires that everybody out there fights with these days to say that, okay, here’s how we do it. Here’s third-party attestation. If you have questions beyond that, then we can talk specifics about what you might be looking for within our ISMS.

Jordan Eisner: Ideally, yeah, you skipped some of that vendor security questionnaires, and this may be getting off topic a little bit. I don’t see that a lot. I see SOC 2, ISO, and still after the view of the vendor security questionnaires, why do you think that is?

Greg Sparrow: I think that a lot of the companies out there, a lot of the larger brands that are buying in that have large vendor networks, security is something in my mind, if we’re talking about purely this from a security perspective, it’s ever-changing. It’s a cat and mouse game. That’s always how it’s been.

There’s an attack. There’s a zero-day exploit. People respond. You put controls in place. We do all of these different things and adjustments to pivot around that. As those things evolve, I think the security teams bake those into questionnaires. I think that the common language that is established for things like SOC 2 or HITRUST or PCI, whatever it may be, those have helped to facilitate and standardize that conversation in the marketplace.

I think the point is that organizations do feel a need to move beyond that based on their risk profiles and what they’re trying to manage off within their environments. Frankly, it is a tough problem to solve for. There are technology players, platform players, even B2B service businesses that have tried to solve for some of the complexity around the focus on security questionnaires and reducing some of the complexity there.

I think all of them have had limited success. There’s been no silver bullet there. I think that comes down to the fact that every organization looks at security and risk in a little bit different through their own business profile and lens that they have.

Jordan Eisner: Well, let’s go back to the VC/PE front. What about organizations closer to exit? We’ve talked a lot about early stage and then as you’re maturing, what about closer to exit?

Greg Sparrow: As you evolve and scale and you start to think about just more traditional later-term lifecycle, you’re just generally expanding in the industry.

Program management. You’ve set up all of these programs, you’ve had them attested to. We see a lot of folks fall down around maintaining the security posture or being able to maintain the security certifications that they have. Program management to me becomes a very important factor in how you go forward.

Fundamentally, there’s two different ways you can address that. You can either build out your team and your expertise internally or you can hire companies such as CompliancePoint to really bring in that level of expertise and be a bolt-on to help maintain that posture, whatever it is that you’re looking at organizationally.

It’s difficult, I would say. There’s such a breadth and depth of knowledge that’s required across these three disciplines that we’re talking about. It’s very hard unless you just are a large organization to have that expertise or all of the expertise you need in-house. It’s very difficult to create that.

It’s also something that it’s hard to maximize your return on investment there. I think that is where consulting and expertise from a third party is an important piece to that.

The other side of that too is I think that really comes into play in the latter stages here is that as you’ve had success and you’ve built that brand, you have to realize that you will become more in the eye of regulators. This is a big part of our business is helping to build defendable and or risk-averse positions from a regulatory landscape standpoint.

More specifically, what we’re trying to do is really look at, for example, how organizations are engaging the marketplace right now. There’s a lot of risk with things like data privacy requirements. There’s risk with how you engage consumers and how you capture preferences and privacy and how you even dial out to them. There’s risk within all of those channels and how you communicate and making sure that you’re in compliance with that regulatory environment in those later stages becomes much more critical just simply because that’s how regulators like to start in a given industry.

They’re going to go after the bigger players, the bigger brands, because that’s what gets into the press. That’s what we all hear about in the press cycle. If you are one of those companies that you feel like has that type of exposure and that type of brand, protecting that brand becomes critical from a regulatory perspective. We see a lot of our focus shift into that regulatory landscape. How are we managing these programs in a way that avoids risk with those stakeholders? We talked about all the different stakeholders from a data stewardship standpoint in the last podcast.

What are we doing to make sure that if regulators do come in the door, are you buttoned up? Do you have the right documentation and evidence in place to be able to defend yourself on what did or didn’t happen for a given situation? That becomes very important.

I guess to shift to the last stage, it’s really about exit. I think that’s the goal for most startups. We’ve talked about deal flow slowing down of late in the last few years. Private equity companies are now holding or VC companies are now holding the portfolios that they have for longer periods of time.

They have to start looking at how are we putting a holistic program in place that really manages and mitigates all three of these areas, data privacy, data security, and regulatory compliance. How do we address all of those issues across that longer time horizon now with the idea that we’re trying to stop any one of those major events from affecting enterprise value.

There are multiple examples out there now. I think this was a debate that I used to have. I remember back probably 10 or 15 years ago around what is really the material impact of a breach on enterprise value. I think there’s many examples now where you do have a breach or something wasn’t disclosed and they are now going and clawing back enterprise value, adjusting the valuation models. All of those things get affected by one of these major events happening.

Overall, I guess I would summarize it, Jordan, is we are trying to be very practical and pragmatic as an organization with the maturity level and the stage that a business is in that we’re working with, but also be realistic and meaningful in the types of risks that we’re mitigating depending on what the goals are for that business.

We don’t want to come in and buy the Ferrari, for example, when a Honda will do for an organization, but we certainly want to be in tune with the risks that are present organizationally based on the size, scale, and maturity of the business.

Jordan Eisner: Yeah, a lot of good stuff there. I think the last thing you said is going to bring me to what probably is a good final question here with startups in particular. Managing costs is a big deal. A lot of what we’ve talked about and even what we advise when we work with different organizations on, it all sounds like a nice to have a consultant to be able to work through all this with you, but a lot of times in reality startups are on their own and they’re building the plane as they fly it. They’re figuring all this out.

Not necessarily how could CompliancePoint help because this is a podcast and we obviously have a vested interest in CompliancePoint, but just consultants in general and data security. If you were in the shoes of a startup knowing what you know, why would you seek a consulting firm to help you with data stewardship? What’s the value there that is worth that cost? How does that equate to ROI? Because that’s so hard to see for startups.

Greg Sparrow: You’re mitigating risks that are unknown. That’s always been the historical challenge in the industry. It’s like insurance. You’re buying it because you think you need it, but you hope you don’t. That’s always the mindset.

I would say the way I look at the industry and I think stepping back from our solutions specifically, there are many, many technology solutions that are out there that you can deploy for any given pain point that you have organizationally. Oftentimes, what I think we find is that there is a gap either internally or externally with the knowledge that that organization has around a given situation.

What I mean when I say that is if I’m building out a team, I would start with building a solid team that is knowledgeable, whether that’s an internal team or you’re doing that through a third party or some mix in between of those two things. Solving the knowledge gap that we have in this industry, I think, is the biggest challenge that organizations face.

It’s nice to check a box and to buy the brand new shiny technology thing that you think helps. If it’s not implemented properly, if it’s not maintained, if people don’t know what they’re looking at, if that information isn’t actionable for the organization because there’s a lack of knowledge there, it really doesn’t do a lot for you.

To me, I really would recommend starting from the other side of that, make sure that you have the right knowledge within your team, within your third-party vendors, partners, whoever it is that’s going to create an environment where regardless of the technology that you have in place, you can make actionable decisions around what really is going to impact your organization and how to manage off of that.

Jordan Eisner: Well, I think that’s a good wrap-up point, Greg. Thank you again for joining us. I guess we’re undecided on if we’re going to do another part in this series on VC/PE.

Greg Sparrow: I would love to come back.

Jordan Eisner: No, this has been good. I think we talked, you know, overview, marketplace, things to think about on the first one. I think this was a little bit more right where to start and how to look at it through the process. So different feel for each and I think both are meaningful for our listeners. So thank you for that.

And to our listeners, thank you of course for listening. A reminder, we produce content like this on a regular basis. And so don’t miss an episode. Make sure you subscribe and if you have questions for Greg, he’s available. He’s on LinkedIn. I’m on LinkedIn. You can reach out to us at, you know, our website has many different channels to reach out to us, connect@compliancepoint.com. You can book a meeting with us from our website. So we are interested in your thoughts, your concerns and, you know, your business needs too, right, where we can help.

So thank you everyone and until next time.