S2 E25: Data Stewardship for Venture Capital and Private Equity Firms

Transcript

Jordan Eisner: Welcome to Compliance Pointers. I’m your host, Jordan Eisner. Good to be speaking with our president, Greg Sparrow, today. Greg, good to have you on.

Greg Sparrow: Jordan, excited to be here.

Jordan Eisner: Yes. And for our audience, Greg and I have worked together for over 10 years. We’ve had many discussions on the marketplace, business, core values, what we bring, what we see competition doing, amongst many other things in life. But this is the first time we’ve ever got on and done a podcast together. So we’re expecting this to be a smashing success.

Greg Sparrow: Usually over brunch, right?

Jordan Eisner: Yes. So today, we’re going to be discussing data stewardship for VC and PE firms, venture capital and private equity firms. We’re going to touch on market conditions. We’re going to touch on the importance of data protection and privacy. That’s where we feel CompliancePoint and our mission is of value, not necessarily this podcast, but what we and even those in our space do.

And then how to manage risk as it evolves through the lifecycle, right? Or as organizations really evolve through the lifecycle of these firms from startup to eventually exit.

So in addition to being our president, Greg has a background, I would say maybe a little bit as a serial entrepreneur, Greg, I know from the time even in high school, you were doing things, right?

Greg Sparrow: Going way back now.

Jordan Eisner: You have come and sold businesses and now are here with CompliancePoint. And I was going to say in addition to obviously your time spent in the field of information and data security, so anything you would add, I think that would be good tidbits for the audience before we dive into some of the questions.

Greg Sparrow: Yeah, I mean, as far as experience goes, I think my career has been a bit unique in that I really started on the deep technical side of things originally. I actually started out in the early days as you’ve alluded to, even doing software development, quickly realized that that was not what I wanted to do for a career, but have dealt with the coding layer as well as even the infrastructure involved in a lot of web application development and deployment, large scale e-commerce systems back in the late 90s, early 2000s.

From that just kind of fell into the information security side of things as we were doing a lot of these deployments, we realized that security was very important. Initially, we started penetration testing back in those days, we didn’t necessarily even know what to call it, but that’s what we were effectively doing, looking at hardening a lot of databases in the networks that surround these systems.

Jordan Eisner: You just called it trying to break things.

Greg Sparrow: Yes, exactly.

So from that really just took that ball and ran with it, really delved into the information security side of things, expanded that out and then have just grown through acquisition into what CompliancePoint is today. And now I’m really responsible for the business side of things.

So I do think my career is a bit unique in that I’ve kind of divided up both sides of that. I understand a lot of the core technology that we’re talking about and what goes on at a very low level, but also understand what drives businesses most fundamentally from a revenue and profitability standpoint. So a bit unique, I guess, in my career path.

Jordan Eisner: Agreed. Yes, that’s why I think your input is going to be uniquely qualified on this podcast here today.

So before we dive into the questions for our listeners, this is actually, this is our VC/PE series we’re doing on this podcast. So we’re going to talk today a little bit more overview of just the VC/PE marketplace, what does good stewardship mean there for organizations starting out in the lifecycle?

And then an additional podcast is going to be, where should organizations start when it comes to risk management and data management and good data stewardship within their portfolio organizations?

So let’s start with that, Greg. What’s the state of the VC/PE market today?

Greg Sparrow: So I think when you look at CompliancePoint, we’re involved in these marketplaces really in a couple of different ways. And I think we’ve seen a couple of different things play out over the last few years.

So oftentimes we’re involved on the sales side of it. So we’re involved very early on with startups, but we also get involved on the buy side, evaluating risk for targets where PE firms are looking at acquiring. So we deal with both sides of that, have quite a bit of experience in each of those areas, I would say.

To me, I think what has happened in the marketplace that we’ve seen in the last few years, we’re coming off a historically high valuation cycle in that marketplace, really high multiples. I think everybody probably understands all of that and what’s occurred in the last few years.

But I think with the changes that have gone on, things like higher interest rates, things like cooling from the economic perspective, we’ve seen the deal cycle slow down. And having conversations with a lot of these PE firms, what we’re looking at is essentially a cycle or a timeline rather that is extending out their hold time on these companies is really changing of late, I would say, in the last couple of years.

So what that really means from a PE firm portfolio perspective is that they’ve got to look at risk a little bit differently. Risk is more present, particularly in the areas in which we’re going to talk about things like data privacy, and data security, all of these areas where there is a much more material impact to these organizations and their enterprise value if they have a meaningful event during that timeline.

So we’re seeing as that timeline has extended out and the buy side slowing down, you’ve got to look at how you manage risk over that timeline in a more aggressive fashion. And I’d say from a PE perspective or a VC market standpoint, that’s really the change in our world as a professional services firm that we’ve seen is, I think historically the view has kind of been on the buy side or the VC side of things is like, that’s not really our problem. We’re not going to manage off of that. That’s really for the principals of the business to deal with.

And now I would say that they are looking at that like, hey, if we get this wrong, there’s material impact to enterprise value on an exit. And we’ve got to make sure that we’re putting the right frameworks or structure in place to help minimize the likelihood of something like that happening.

Jordan Eisner: So what we’ve talked about a little bit is data stewardship. And I think for a lot of people, they’ll think what the hell does that even mean?

So I think people ahead of these portfolios, most of the time they’re going to get a good sense of that. They’re going to know what that is by this point. Maybe back then when you said they were trying to push off some liability or least responsibility, they didn’t necessarily know. But most people in corporations nowadays understand that.

But just to confirm, when you say data stewardship, what does it mean?

Greg Sparrow: Yeah, I think that’s a good question. And I think it can mean different things to different people.

I guess for us, what I would say is we see data stewardship as a fundamental piece that we’re trying to bring value around really in all of our engagements and every customer that we work with. We feel like that’s very much a fundamental principle of what we’re trying to deal with.

So what does that really mean to us?

You’ve got your traditional view of that, especially if you come from the information security world where you’ve got the CIA triad, you’ve got confidentiality, integrity, and availability. That’s a very traditional view of that from an information security standpoint. I think data stewardship really is bigger than that, frankly.

I think you’ve got to look at really fundamentally what is the business trying to do with it, with the information that they have? What data are we trying to collect? What are they trying to do with it? What is the most primary stakeholder that you have in data stewardship?

And you’re obviously trying to facilitate and reduce friction as much as you can with how the business uses that information. That applies to everybody in the marketplace.

The things that I think businesses probably miss are the fact that there are other stakeholders in data stewardship. So you’ve got basically the consumers in the marketplace, maybe not even customers yet. They have certain rights and you have certain responsibilities around how you manage that information even if you don’t necessarily have a relationship with those people.

Same thing for your customers. Even regulators, to me, are a stakeholder when you think about data stewardship.

And then you’ve also got, as we’ve seen in the last few weeks, even a lot of risk and complexity around your downstream vendor network that you might have involved in processing this information or delivering services for your organization.

So I think when you talk about data stewardship at a high level, you’ve got to look at how do we identify the stakeholders that are involved in a given process or in a given data set. And then you’re looking at, based on those stakeholders that are involved, what are the risk or the business enablement functions that we’re trying to set up for this process. And I think that’s a very important piece.

To me, businesses naturally do very well with designing a business process to enable value for whatever service line, product line they have. What I think that they oftentimes miss is the fact that there are these other stakeholders and that if you’re not appropriately managing off of those risks or meeting those requirements of what those stakeholders expect, particularly in the regulatory area, there are meaningful consequences to how the business functions or what it might even be able to do going forward from a regulatory perspective.

Or if there’s a major breach, right, for example. What does that mean as far as fines or loss in brand recognition, goodwill, all of those things that really affect businesses today?

Jordan Eisner: In a world that’s way more scrutinizing nowadays than previously, right? It matters more so and earlier in the process, right? Which is maybe get ahead of ourselves a little bit on some of the questions or the other part of this podcast series.

Yeah, so I think you said what data is being collected and what they’re planning to do with it. Then I think you kind of mean this too, but I’d say for what purpose, right? Why?

That’s the big question, right? That’s a lot of, I’d say that consumer pressure these days. Why do you need that data? What are you doing with that data?

It’s an important thing that’s being asked, I think, of corporations today. How does it evolve through the startup lifecycle, right?

I think you talked about thinking a little bit with the end in mind there and the regulatory pressures and some of the core function in your business is going to be doing things that maybe dance around the topic a little bit too much. That could be a fundamental flaw as you start to evolve and grow.

So how’s it evolve?

Greg Sparrow: No, that’s a good question. To me, when we are implementing programs or looking at risk for a business, we really, I would say, break that down into three fundamental areas that we’ve built experience and expertise around as a company, kind of the pillars of our company, so to speak.

So we’re looking at really, again, from a data stewardship perspective and dealing with this lifecycle of how you engage the marketplace, how you manage and process information internally, and then how you also disseminate that information. We’re trying to help organizations basically look at how they’re addressing risk across that lifecycle in really around data security, data privacy, and then regulatory compliance issues.

So when you look at those three pillars, there are varying levels of importance depending on the maturity of the business. And I think one primary focus for us when we try and train consultants and engage with our customers is to really make sure that we’re helping to facilitate the business needs.

So instead of being a barrier, I think there’s this kind of historic conflict between usability and security and the security group and IT and the business. There’s always these tensions that go back and forth around getting what the business needs but doing it in a secure fashion.

And so I would say we look at everything and how we can help facilitate companies and facilitate their needs, but doing it in a way where we’re addressing risk really in these three core buckets that we talked about. And so that changes when you talk about where a business is at in its startup lifecycle.

So in a very early seed stage company, they are literally trying to get to a meaningful customer base, a minimum viable product. And a lot of their processes are going to be very ad hoc. They’re not going to really be focused on risk like we are. And what I think we can do very early on is to help these companies identify those risks that are hugely impactful to them.

And so maybe that is focused on the cybersecurity front of things, minimizing the impact of a breach. They’re probably as a startup not going to catch the eye of regulators. They just don’t have the size or scale.

So we’re looking at where does a business fit in the lifecycle, whether it’s basically in a seed stage, whether it’s early stage growth or scaling out right into a legitimate growth stage for the business, or even if they’re basically on the backside of that cycle looking at basically how do they expand, are they looking at M&A themselves, or even an exit. So they’ve gotten to scale and they’re trying to get to a meaningful number and exit for their principals.

So we’re trying to help prioritize across all of those stages the areas in which they focus. And I think done properly, we help the business grow and mature more quickly internally. We can help facilitate meaningful access to the marketplace, right? Because there are sometimes certain things that businesses are afraid to do that maybe they can legitimately do from a regulatory standpoint.

And then we can also help them demonstrate third-party validity, right? So attestation and assurances around the way the business operates. So helping to basically smooth out the deal flow, add velocity to the deal flow so that there’s less friction on the exit side of that equation.

Jordan Eisner: So I think you actually answered two questions for me. I was interested in how stewardship evolves, but then I was going to ask how we approach it. I think as CompliancePoint and you really talked about there with engaging the marketplace, storing and processing and then downstream, like kind of third-party risks.

So I think that’s the perfect jumping off point in other parts of this series and other podcasts where we’ll talk about maybe chronologically, how to do it, where to start, what are the next steps after that? What do you do as you’re getting close to exit? But I think this was a great starting point for this VC/PE podcast. I appreciate you coming on and looking forward to talking with you more on these, Greg.

Greg Sparrow: Glad to do it. And Jordan, thanks for all that you’re doing, right?

So you’ve been a great host for this podcast and we certainly appreciate all that you’re doing as well.

Jordan Eisner: Likewise.
