
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional, and I provide practical privacy advice to overwhelmed companies.

Justin Daniels  0:37  

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.

Jodi Daniels  0:55  

And this episode is brought to you by, oh thanks, Basil, joining the party with your tambourine. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. Red Clover works with companies in a variety of fields including technology, SaaS, e-commerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit What’s going on with you today? You’ve got a lot of multitasking over there. You’re trying to pet the dog, deal with the phone, you forgot to turn off the water bottle.

Justin Daniels  1:41  

I’ve failed at all of it. According to my tomorrow

Jodi Daniels  1:44  

dog care on the mic. It’s awesome.

Justin Daniels  1:48  

Well, let’s get on to better topics and introduce our guest, whom I’m excited to have today. So we have Philip Lewis, who is a partner with Fulcrum Equity Partners. He also currently serves on the Board of Directors of Kevel, Stratasan, Advantum Health, GoPivot, and LiveSource. He previously served on the Boards of Stax by Fattmerchant, MFG, and Resolvion. He also previously worked with SaaSOptics, helping implement operational cadences and revenue partnerships as well as working with the team through its successful exit. Additionally, he served as CFO of RivalHealth and helped guide the company through its merger with gBehavior, now branded GoPivot. Good morning, Philip.

Philip Lewis  2:30  

Good morning. Thank you for having me.

Jodi Daniels  2:32  

What did you have for breakfast? Yours? I can what radio DJ voice?

Justin Daniels  2:37  

I’ve got going on today?

Jodi Daniels  2:38  

Yes. You’re very excited. Well, there you have it. Well, Philip, it’s so exciting to have you here today. We always like to start with understanding how your career has progressed to what you’re doing today. So if you can share with us a little bit of your journey.

Philip Lewis  2:54  

Yeah, so a little bit of a non-traditional route to get into venture capital: got laid off. So that’s how, it’s a great way to start. But I was working in investment banking with A.G. Edwards, back in the day, when Wachovia was buying them, and I got laid off. Fulcrum just happened to be looking for an analyst; they were just starting. So it was just the three founders at the time raising our first fund. I connected to them through kind of three degrees of separation and joined really at the start. So I’ve been here doing this for about 15 years now, progressed up the chain from analyst to partner, taking a few different detours, as you mentioned, at a few different companies in some various operating roles, helping with growth, helping with finance. And yeah, it’s just been an interesting journey. I love working with entrepreneurs, love helping them grow.

Jodi Daniels  3:45  

Thank you for sharing. I think lots of people start all kinds of new careers when they are laid off or, you know, circumstances present themselves. So I think it’s worked out for you, sir.

Justin Daniels  3:57  

Awesome. So Philip, what we’re going to talk a lot about today is cyber risk on deals. And so I’d like to begin by asking you, how has cybersecurity and privacy changed how you evaluate deal risk?

Philip Lewis  4:16  

Yeah, I mean, I think it’s really a constantly evolving topic. You know, back 15 years ago, I don’t think there really was a lot of thought put into it. You know, frankly, there wasn’t, you know, ransomware wasn’t on the forefront of people’s minds, cyber breaches weren’t on the forefront. I mean, frankly, you know, SaaS was just beginning at that point, or really just beginning to go mainstream. At this point, it is at the forefront of your mind on a transaction you’re looking at. I think in the whole diligence process before, you would never ask questions around, you know, what does your perimeter security look like? What is your mobile device management? What is your multi-factor authentication, do you have it in place? And frankly, just over the last couple of years, before, you didn’t really think about all the different endpoints you’re working with; you need to make sure people’s home access is safe. Because before you just really had to worry about them logging on at work; now everyone’s working, logging in at home. So I think the level of diligence you have to do and the number of questions you ask on the front end, to make sure that you don’t end up in a precarious situation, has really changed and evolved over the last kind of, you know, decade and a half, and really, again, over the last few years.

Jodi Daniels  5:33  

So as you go through that diligence, and you’re identifying and asking these kinds of privacy and security questions, how can that impact the deal?

Philip Lewis  5:43  

Well, I mean, I’d say the biggest thing can, you know, the biggest issue can be, you know, potentially, if their security situation is, you know, really immature, it could, you know, delay the deal. I’m not sure, depending on just how their posture is, if it’s going to kill the deal; I’ve not seen that. But I have seen, hey, you need to get some new plans in place, we need to make investments, really day zero, to get your, you know, cyber posture secure. You know, making sure the company is on board with spending money to kind of get that in place. I think the other way it could evolve is depending on the history of the company, and any breaches they’ve had and their response to it, you know, what liability is out there for the company, or ongoing liability from previous kind of incidents. So it’s definitely something that you dig into a lot more, and you have to weigh how what you find could delay a transaction.

Jodi Daniels  6:39  

So my follow-up to that is kind of related: can it, and how can it, if at all, impact the rate of return on an investment?

Philip Lewis  6:47  

Anyway, well, if the investment doesn’t end up getting done, obviously, or the exit of the company doesn’t end up getting done, that would affect it. I think a lot of times when you sell a company, you’re going to have to get some sort of escrow put into place, you know, so that’s going to be a percentage of the transaction value that is going to be put into escrow. And if you’ve had incidents in your past, that could be a much larger percentage. So it could delay your return by delaying the amount of cash that gets in your pocket at close. Additionally, a lot of the time insurance, you know, agencies will underwrite that escrow. And if you have, you know, black clusters, IRA, you know, policies, procedures in place, there have been incidents in your past, they might carve those out, so you won’t get that cash at closing. So you could see it, you know, really reducing your rate of return based solely on the cash flows that you’re going to be receiving from an exit. Additionally, they might hold back a certain portion of the purchase price, because they have to invest in upgrading your, you know, cyber policies, procedures, infrastructure. The investment they’re going to have to make, they’re going to say, well, you should have made this, we’re not going to pay you as much at the exit, because we have to go and spend this cash to fix all the problems that you had before, even if they still like the business. So it could impact your rate of return in a number of different ways.

Jodi Daniels  8:07  

The rule of thumb is prevention. Do all these things in advance, before they come talking to you?

Philip Lewis  8:14  

Yes. And it’s, no, you’re never done. I think a lot of it is, are you doing the right things? Are you taking the right steps? Are you, you know, are you putting it at the forefront of your mind? You know, it’s one of those things, it can always be better. And you know, the bad guys can always figure out a way. But if you have taken, you know, the appropriate steps and more to show, hey, we’re taking this seriously, we’re putting the right things in place, we have the right mitigation strategies, we have the right response strategies, then I think that’s going to give, you know, a buyer and investor a lot more comfort in looking at your business.

Justin Daniels  8:54  

But Philip, one of the things I wanted to ask you about is what type of specific investments have you seen made in portfolio companies to manage cyber and privacy risk post-close? One thing that comes to mind that I’d love to hear your input on is corporate governance, about how you might want to separate out the IT function from the security function.

Philip Lewis  9:11  

I think that’s definitely a lesson learned that we have seen, is that, you know, you have to have the security function reporting directly to, you know, ideally, the CEO, but potentially the CEO and president. It can’t be reporting to the CTO, just because the CTO’s job is to deliver technology. And they’re trying to get the technology delivered, you know, in the best, most efficient way possible so that the salespeople can go out and sell. The security person’s job is to make sure your infrastructure is secure, and the software that’s being put out is secure. Sometimes those are not in lockstep. So you need to make sure that security individual is reporting up separately, and independently of the CTO, and can provide kind of, you know, unbiased feedback to the CEO. And then it’s a business decision. You know, certain items, you might say, hey, you know, we think the risk profile of this, you know, security issue is not that big. You know, it could be something where there’s no privacy data, there’s no significant data, there’s no, you know, access to other systems, it’s siloed, you know, it might only be a sandbox, saying, hey, okay, I get this, but the business decision makes sense to, you know, go forward with it. But you don’t want the technology person making that decision; you want that to go kind of to the CEO and the board to, you know, understand the risk, understand, you know, what the benefits are, and then they’ll make an informed decision. You know, a couple of other factors that we make sure are in place now: multi-factor authentication. I mean, that’s something that I’ve talked to a leading cyber attorney about, you know, actually putting a deal rep in place to say that you have to have multi-factor, you know, installed for any access to your systems. You know, I think that is 100% a best practice, and something that we’re doing now. You know, so those would just be a couple of areas where I would think you’ve seen kind of deal terms starting to evolve based on kind of cyber risk.

Justin Daniels  11:17  

Philip, is it fair to say you’re starting to see, like you talked about, MFA being specified as a specific rep and warranty in the deal docs, whereas maybe before it just said something general about having administrative and technical cyber measures? Now it says you will have MFA, you will have endpoint detection. Are you starting to see it get more detailed around that in the documents themselves?

Philip Lewis  11:39  

It’s coming. I’m not sure it’s 100% there yet. You know, we’re putting that in place, and it’s definitely something that we are considering, not just considering, we’re doing, and I think you’re going to start seeing it more and more often. Just because, you know, actually, when you asked about post-closing investments, I think one of the biggest items is phishing. You know, your people, your employees are your biggest, you know, vulnerability. So we actually, we invested in a company called PhishLabs, we’ve since exited it, but they essentially provide kind of phishing, security awareness, training, intervention, screening, to try to keep your people from, you know, clicking on links. And one of the things is that if you click on a link, there’s a multi-factor to be able to get into any item, so even if, you know, you click on that link, you could still be protected. So I think every piece, every layer you can put into place to, you know, keep your people from causing issues is just going to, you know, decrease the likelihood that a bad actor can get into your systems.

Jodi Daniels  12:39  

And now this makes you so happy. Smiley, three favorite letters: MFA. So Philip, we’re talking a lot about the security measures, which are, of course, really important. Where are you seeing, if you can just share a little bit from the privacy side, how have any of the different privacy laws, for example, impacted your due diligence efforts and how companies are approaching their privacy measures?

Philip Lewis  13:07  

Yeah, I think a lot of it has to do with the different kind of language going into contracts. You know, especially GDPR: anybody who’s working in Europe has to be compliant with GDPR, that’s definitely a bigger issue. Anybody working in California, you know, the whole privacy world is unique, because different states have different measures, obviously California, and different countries have different measures. So a lot of that, I think, falls into kind of the language in contracts. And really, that’s something in diligence that we have our attorneys dig into deeply to make sure that, you know, everything is structured in a way that’s, you know, CCPA compliant, GDPR compliant, or compliant with any other state-specific privacy laws that are in place that our companies have to, you know, comply with.

Jodi Daniels  13:53  

I think that’s really interesting. I often will talk to some smaller companies who say, oh, I’m too small for some of those. And I think what this conversation is highlighting, and what I always tell them, is, okay, but if you ever want to have investments, it’s going to come up in the diligence process. So now would be a really good time to start thinking about it. And I think that syncs with what you’ve just shared as well: you’re looking for these types of issues, and what their preparation is, as you’re going through diligence.

Philip Lewis  14:21  

Yeah, and I think part of it depends on the stage of the company. I think that’s a good point. If you’re really early stage, sometimes it’s, again, back to the, you know, business risk versus, you know, basically the business will weigh it and say, I’m willing to take this risk because I am so early stage. And one thing you can think about as an early stage company, there are some special privacy others and smaller steps you can take. You know, there’s some boilerplate language, there’s some things you can do. I hate using the term “check the box,” but if you’re a super early stage company listening to this, you take a few extra steps, you know, talk to your attorney to get some just basic boilerplate documents, language, procedures put in place. That way, you’re a step ahead of the game. I think sometimes it’s very intimidating to think about how much work needs to be done to be compliant, versus a lot of, you know, a lot of this is somewhat off the shelf at this point, where you can at least have step one done at an early stage, or steps one, two, and three done. And it might not be as big of a leap as it was five, six years ago, when a lot of this was just coming out; a lot more of it’s out there in the public domain right now to be able to go ahead and implement. Makes sense.

Justin Daniels  15:31  

So Philip, what do you like to see in your due diligence process when it comes to portfolio companies managing cyber and privacy risks?

Philip Lewis  15:41  

Well, it’s tough to say exactly what you want to see. I think one of the biggest items is an attitude towards privacy. Um, you know, it’s funny to say that, you know, a SOC 2 is basically BS. I mean, you could have that put into place. But at the end of the day, if you’re not actually following everything in there, all you’ve done is spent a bunch of money on a great checklist of things you haven’t gotten done. I think it’s the whole attitude towards security, that it’s front of mind for these CEOs, that they’re, you know, really living it. They’re saying, hey, we’re putting in place multi-factor, we’ve put in place multi-factor, we’ve put in place, you know, phishing training, we’re doing these activities where we’re actively making sure that our employees are aware of the vulnerabilities out there, versus doing a bunch of forms that check a box.

Jodi Daniels  16:37  

I would love to expand a little when you said, you know, it’s top of mind. And obviously, those are some of the really tactical steps that CEOs can take. Where do you see a company successful with making it go throughout the whole organization? So if you can share a little bit: you know, I’ve done my MFA, I’ve put those measures in place. What does it look like to not just have that SOC 2 checklist, but to actually have it be a part of the organization?

Philip Lewis  17:06  

Yeah, I think it’s really just, you know, one big thing is just the whole security awareness training, that you make sure that it’s not optional to complete, that it’s one of those things that for your employees, they need to complete their security awareness training every month. And that’s just a period, end of sentence. And if you don’t, you’re no longer going to work at the company, versus some companies like, oh, yeah, we’ve signed up for, you know, this vendor, that vendor, got about, you know, 40% compliance, but whatever. I think that’s more of just the attitude towards making sure that you’re being proactive, you’re taking the steps, you’re making the investments. You know, when you take on investment, you know, I say SOC 2 is BS, I mean, that’s a little tongue in cheek. You still want the company to say, I’m going to go invest in this, I’m going to go invest in, you need PCI compliance, I’m going to go and invest in HITRUST, it’s your may that. But at the end of the day, it’s actually implementing those items, and really pushing it to your employees to make sure that they are taking the measures they need to take to be safe. Your password, you know, security: you can’t just have password123, you actually have to have more complicated passwords, you have to change them on a regular basis, you have to, again, multi-factor to change a password. You know, there’s just a lot of steps that you want to see your companies taking, versus just these checkbox things that, you know, you still need to do, but at the end of the day, aren’t going to actually protect you.

Jodi Daniels  18:33  

So, on that note, given all that you’ve learned from privacy and security, what are your favorite privacy and security tips that you share with your friends when you’re at a backyard barbecue?

Philip Lewis  18:47  

was always talking about backyard barbecue?

Justin Daniels  18:50  

Sadly, Philip, that’s what we talk about.

Philip Lewis  18:55  

You know, I mean, it’s going to sound repetitive, probably, but it’s multi-factor. I think that’s the single most important thing you can have in place. You know, then there is security awareness training, just to keep it front of mind. But I think multi-factor is the easiest thing you can do. Everyone’s used to it at this point. Before, people would say, oh, IP parking, I like doing it. And frankly, it’s just kind of table stakes. And if you’re not doing it, you’re, you know, you’re being lazy. You know, I’ve got to do it to log on to any system here at Fulcrum. And, yes, I have to go click an extra button or send an extra text message or do whatever that multi-factor is that’s set in place for, you know, that system, but it’s worth it at the end of the day. It doesn’t take that much time.

Jodi Daniels  19:40  

It’s a leading tip that we get on our show.

Justin Daniels  19:44  

So Philip, when you’re not out helping entrepreneurs and being on boards of companies, what do you like to do for fun?

Philip Lewis  19:50  

Um, well, I used to be a lot more fun, but now I’ve got a soon-to-be six- and four-year-old, um, so most of my free time is centered around them and coaching T-ball, and now I’m an assistant coach on my daughter’s soccer team. So I love that. You know, if I do have any free time away from coaching kids’ athletics, you know, I love playing golf, love going out to dinner with my wife. You know, those would probably be some of the things. Love a beach trip every year. And if you can ever get a weekend away without the kids at the beach, that’s always fun. Those are a few of the things, mostly, mostly coaching kids’ sports at this point, though.

Jodi Daniels  20:33  

Well, thank you so much for joining us. If people want to connect and learn more, where should they go?

Philip Lewis  20:40  

Yeah, you can find all my contact information at our website. Feel free to email me, at Philip Lewis on Twitter, Philip with one L. So those would be a few places; you can find me on LinkedIn as well. So feel free to reach out.

Jodi Daniels  20:57  

Excellent. Well, thank you again for sharing all this really important information for entrepreneurial and growing companies.

Philip Lewis  21:05  

Of course, thanks for having me. I really enjoyed the conversation.

Outro  21:12  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
