Tech Debt is Common. What does it mean for IPO readiness from a cybersecurity perspective?

6 minute watch | 7 minute read | July.29.2024

Most high-growth companies have technical debt: work owed to IT or software development due to shortcuts that advance the business. That’s natural. But what if the debt carries security risks? Orrick capital markets partner Jamie Evans sat down with Kroll CISO David Dunn to discuss how companies and investment bankers preparing for an IPO can address the risks.

The Takeaways

For the Investment Banking Team:

Determine security ownership. Take a step back and start the conversation by assessing who owns security from an operations, product and regulatory compliance perspective. CISO responsibilities are varied and continue to expand, so dive in to learn the company’s current approach.

Consider security not only for the network but for product. Customers are hyper-focused on product security and how the responsibility is managed within an organization. It may be one of the most important indicators of value and risk for a business.

For the Late-Stage Company CISO:

Sync with your teams. Ask your infrastructure, product and compliance teams early and often: What’s keeping you up at night? Use this exercise to build trust and identify areas for focus and improvement.
Demonstrate an effective record. If security issues arise, Dunn says the No. 1 way CISOs can instill confidence is through a record of issue-spotting and process execution.

For more on due diligence considerations, tune in to The Evolving Role of the CISO: From evangelizing product to collaborating with the C-suite.

Transcript

Jamie:	I’m Jamie Evans. I'm a partner here at Orrick in our Capital Markets Group.
David:	And I'm Dave Dunn. I'm the Chief Information Security Officer for Kroll.
Jamie:	So, Dave, one of the things in my practice that I'm most involved in in the 20 years that I've been doing this is representing investment banks as they're considering underwriting companies and potentially accessing public markets. And one of the things that my clients are most often interested in is cybersecurity, readiness, controls, etc. And they oftentimes are looking to legal to assess in conversations with companies what is the state of affairs. And I'm curious from your perspective, if you were sitting in that seat and saying, okay, I'm meeting with the CISO and I need to be able to assess and then translate for my client the nature of the risk, how would you initiate that conversation with a CISO?
David:	I think the first thing I would ask is what's the scope of the CISOs job? What are the responsibilities? And based on that answer, I would ask them just more detailed information. What specifically do you do in the operations space? What do you do on the product side? What do you do as it relates to regulatory compliance type issues? That's the number one question is understanding the ownership and then based off of whatever the answer is, so say the CISO doesn't own the technical controls, maybe it may not own endpoint security. Who does? And you know, and what is the sort of state of affairs from that perspective?
Jamie:	And what are some of the answers that you'd want to hear either to understand, hey, this is an organization that has prepared itself in the right way, is investing in the right things… What would you want to hear?
David:	I would want to know that I had a CISO that was heavily engaged both in infrastructure architectures and security architecture as well as the product side, right? When you look at the primary, the actual risks to an organization, they are going to come from those two areas, right? Whether you have inventory, asset management issues, right, you need a CISO that is on top of understanding what that infrastructure looks like and how it's secured. But also on the product side, it's critical that security is embedded in the product side because if it's not, then there could be a tremendous amount of unknown unquantified risk there.
Jamie:	One of the core areas where I focus is okay, I've identified an issue, right? I've uncovered something as a result of having that conversation. What next? Meaning in my case, my client's going to ask me, they're going to say, okay, you've identified that issue. How should I think about the magnitude of that? Right. Should I think about disclosing it? How do I think about is it an enterprise-wide risk? Like is it an existential risk? Like, how do I think about assessing that?
David:	Yeah, I think it’s always going to be err on the side of disclosure. But really it's the first thing I would ask is if I found something, was this known before and is there a plan? Right. Like were they aware of it? When you look at companies that are growing, particularly security often lags behind. Right. You're pushing hard with building an infrastructure, making things work. Security can sometimes lag behind. A lot of the times, organizations know that they have that technical security debt and the fact that they have acknowledged it and have a plan can give you a lot of confidence. And then really from there, it's about can you quantify what that risk looks like? What's the likelihood that it's going to happen? And if it does, how much is going to cost?
Jamie:	So, Dave, let's spend a few minutes talking about being on the other side of that conversation. And so, you're someone who's a CISO at a company, say you're even getting ready to go do an IPO transaction. So a very transformative moment for the company and one in which there's going to be a tremendous amount of scrutiny from the bankers, from the investment community generally, you're prepping to have that conversation with underwriters counsel. You probably aren't that familiar with the process and what's actually happening. You've just been told by your general counsel, Hey, I need you to come participate in this diligence session. What are the questions you're asking your team? What are the things that you're doing to prep for that conversation?
David:	I'm asking you well before that, but I'm asking what keeps you up at night? When I talk to my security architecture team, what are the things that keep you up at night? When I'm talking with our business information security team, what are the product issues that you're concerned about? Where is, what technical debt do we have and what is our plan for addressing that technical debt?
Jamie:	So I'm a banker and I've gone to my investing committee and they've said to me, okay, we want to follow up on this. We want to understand what's the remediation plan. How do we measure that? Right. We're not experts. We're people who are merely assessing risk for the bank. How are you going to provide comfort to that banker that you are all over that issue and that they can have trust in you?
David:	I think there's a couple of things. Number one is that it's documented that you said, hey, this is what the risk is. This is what we're going to do and be able to provide evidence of a prior scenario where something similar, some other risk existed and where you put that plan together, where you executed on that plan that it was successful and now you've moved on to this, whatever this next issue is. So it's having a plan and being able to show a history of successful execution on process.
Jamie:	So, Dave, you're coming in, you're doing some diligence on behalf of a banking client. What are some of the answers to your questions that you'd hear that would be a real concern?
David:	I think what would concern me the most is if I talk to the CISO and I said, what are the things that you're concerned about? And the CISO came to me and said, I'm concerned about A, B and C, and after digging in, after getting a little bit more technical, with those answers, those weren't my concerns. My concerns were D, E and F. I think that's where I would really start to have some concerns that if what I saw as their risk and what they saw as risk didn't align, that would be my number one concern.
Jamie:	Dave, thanks so much for sharing your time with us.
David:	Absolutely.