When David Dalva, vice president of security science for the digital risk management firm Stroz Friedberg, started working with private equity firms a few years ago, he made a surprising discovery about his clients’ information technology culture. “It’s a very open, friendly environment,” he says. “Even though they compete on the business side, on the infrastructure side, they’re constantly communicating with each other about how they’re solving problems. They spend a lot of time together, understanding and learning from each other.”
Dalva witnessed that firsthand last December, when he gave a cybersecurity presentation to a small group of IT leaders from middle-market private equity firms. He spoke with Middle Market Growth about why more firms should harness the collective brainpower of IT roundtables—and what makes private equity’s IT collaboration different from other industries.
MMG: Can you talk a little about the work you do with middle-market private equity firms?
David Dalva: We look at their overall security program: governance, processes, technical IT infrastructure and physical security. Based on what we see, we help companies build a remediation roadmap for their security program. That includes technology, and also policy and procedure—like the importance of establishing a security governance committee. It’s a holistic way of helping firms manage risk proactively.
MMG: Last year, a client contacted you about doing a security talk for a group of IT leaders from middle-market PE firms. What’s the purpose of that group?
DD: It was a roundtable of senior IT people from middle-market PE firms. They get together several times a year and talk about a range of topics—like applications for portfolio management software, or how they’re managing vendor relationships.
This time they wanted to understand best practices to prepare for a breach. They asked me and a colleague to come talk about what it means to have a good incident-response program. We had a couple of meetings with the group’s leadership to discuss content. Once we agreed on that, we went to New York to deliver our talk at a lunch-and-learn. It lasted about an hour and a half—we had about 20 people, some in person and some by phone. There was Q&A time throughout our talk and at the end. I’ve heard about larger PE firms doing roundtable groups like this too. The group I spoke at is the only middle-market PE roundtable I know of, but that doesn’t mean others aren’t happening.
MMG: What’s the benefit of having those senior IT people meet up and ask questions?
DD: Twenty brains are better than one. If someone is dealing with an issue, it’s so much better to speak with peers in the same situation, to understand what they’ve done, to get a commonality of best practices. Ultimately they’re able to solve problems much less expensively and quickly by sharing experiences.
Even though these firms compete in their business, the IT departments don’t compete. Ultimately what they end up getting is a more efficient IT infrastructure, and that benefits everyone. What I found about private equity as an industry is that there’s a lot of communication between the firms at the IT level. They talk a lot, they share ideas. Even though they don’t have a formal quarterly CIO roundtable, it’s like everybody knows everybody.
MMG: That might be surprising to people who think of private equity as competitive, not collaborative. Do you agree?
DD: Let’s look at another industry for comparison. Say you have Coke and Pepsi trying to bottle their product. (Information technology) is a critical part of the efficiency of the operation—it determines how fast they can bottle. So it becomes a competitive advantage for lots of companies in manufacturing. But in private equity, IT is a support function. Private equity is more of an intellectual business, as opposed to a process-based business. I don’t want to go so far as to say that IT can’t create a competitive advantage. It certainly can. But when you’re dealing with firms based on brainpower, not based on automated processes, it doesn’t harm them to share methods on the infrastructure side.
MMG: How does that level of IT collaboration compare with other industries?
DD: I do work with other industries. I can’t claim deep exposure to them. But I’ve seen more communication in private equity than other industries. I can’t think of another example where they formally get together with competitors. When I was first exposed to private equity a few years ago, I was heartened by the level of information sharing that happens automatically. It’s a cultural thing for them.
MMG: Would you like to see more roundtable IT meetings—and if so, why?
DD: Yes. I think it’s terrific. Unlike the big conferences, which are more formal, I think these smaller sessions—with a more grass-roots approach—are very beneficial to these firms. They should all consider being part of that.
MMG: What happens at these small meetings that can’t be accomplished at a big conference?
DD: I think it’s more of a focus issue. It becomes inherently more collaborative. At a big conference, you are either listening to a presentation or you’re chatting with somebody in the hall. With these smaller forums, you get a bunch of people together to talk about a particular topic in a completely open and nonattributable way, which I think is far more productive for getting things done and raising your concerns. If I were running a small PE shop, that’s what I would want.
S.A. Swanson is a business writer based in the Chicago area who frequently writes about technology.