Rob Cummings is the Managing Director and Chief Technology Officer of Falfurrias Capital Partners, a private equity firm that acquires and invests in middle-market businesses. Rob is also the Co-founder and former Director of DealCloud Inc., a software provider that serves businesses in the private equity, investment banking, corporate development, lending, and business development corporation industries.
In addition to his current role, Rob serves on a variety of boards, including the Apex Center for Entrepreneurs, Charlotte Angel Fund, Skipper, and many others.
Here's a glimpse of what you’ll learn:
- Rob Cummings talks about his background in business information technology and his current role as Chief Technology Officer
- How a company’s privacy and security risks impact its ability to sell
- The importance of prioritizing your business’ privacy and security—not just its revenue
- Some of the biggest security challenges that Rob’s portfolio companies are facing today
- How to prepare and implement a privacy program at your company
- Rob’s top personal privacy and security tip: take a breath before replying to an email
In this episode…
Is your company really doing enough to mitigate its privacy and security risks? Do you have a plan in place to protect your business from dangerous scams, data breaches, and other privacy and security concerns?
Unfortunately, for many companies, the answer is no. However, this lack of protection can have disastrous outcomes, such as lost revenue, stolen employee and client data, and an inability to sell your business in the future. So, what can you do to boost awareness and implement practical protective measures at your company right now?
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Rob Cummings, the Managing Director and Chief Technology Officer of Falfurrias Capital Partners, to discuss the ins and outs of common—but dangerous—privacy and security risks. Listen in as Rob reveals why revenue isn’t the only important part of your business, how to implement an effective privacy program, and his biggest personal privacy and security tips for individuals everywhere. Stay tuned!
Resources Mentioned in this episode
- Rob Cummings on LinkedIn
- Falfurrias Capital Partners
- DealCloud, Inc.
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: email@example.com
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.
Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.
Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:20
Hi, Jodi Daniels here. I'm the Founder and CEO of Red Clover Advisors, a certified women's privacy consultancy. I'm a privacy consultant and a certified informational privacy professional, helping to provide practical privacy advice to overwhelmed companies.
Justin Daniels 0:38
Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I do that through identifying the problems and coming up with practical implementable solutions. I am a cybersecurity subject matter expert and business attorney.
Jodi Daniels 0:59
And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, professional services, and financial services. In short, we use data privacy to transform the way companies do business. Together, we're creating a future where there's greater trust between companies and consumers. To learn more, go to redcloveradvisors.com, and today.
I'm so excited to have Rob Cummings with us. He is the Managing Director and Chief Technology Officer at Falfurrias Capital Partners, a Charlotte based private equity firm that acquires or invests in middle market businesses. As the managing director, he provides management oversight and guidance to the various portfolio companies as well as leads various strategic initiatives for the business. Rob, we're so delighted to have you here with us today.
Rob Cummings 2:02
Good morning, Justin. Jodi, good to be here.
Jodi Daniels 2:06
Justin Daniels 2:07
You fail to mention Rob's most important credential. He's a graduate of where?
Jodi Daniels 2:12
All right, right, right, right. The two of you share Virginia Tech Hokies.
Justin Daniels 2:19
for the video. Should I get up and do the hokey pokey? Yeah, we don't want to see that.
Jodi Daniels 2:22
Is that really a thing? Do you do that?
Justin Daniels 2:35
Oh, I'm sure. With a little bit of alcohol to project Oh.
Jodi Daniels 2:37
Well, I did not know this. I'm so excited to be able to use this against you in the future. Okay,
Jodi Daniels 2:44
well, Rob, take us back a little bit. And help us learn how you started in your career and how you got to where you are today working and investing in middle market companies.
Rob Cummings 2:57
Great. So I'm at Virginia Tech, I was what's now called Business Information Technology, graduate bcit, which is basically combining business and technology as part of the business school. And I'm probably one of the few people that can say 30 years later, I still use my degree. So you know, my entire career has been around business and technology, mostly on the technology side, worked and been part of executive teams for a number of different software companies. But I joined Falfurrias Capital about 10, 12 years ago. And, as you mentioned in the introduction, I'm the Chief Technology Officer. And really, I have two functions. Working with our portfolio companies, I either tech enable a product or service for our portfolio companies, or I drive efficiency at those portfolio companies through the use of technology. And so data privacy and security falls into my span of control. So whether it's in due diligence and looking at the controls that a company may have in place, or not having in place, to a company that's under our ownership for a number of years, making sure that they're staying up to date with regulations.
Jodi Daniels 4:11
Justin Daniels 4:13
So Rob, it's interesting, you're our guest today, because later today, I'll be on a 90 minute phone call with all the CEO portfolio companies of a private equity group to talk about ransomware because one of the portfolio companies has now had to manage that and we're going to talk all about that, but I'd love to get your perspective today around how you feel a lot of the companies that you are looking to invest in or our portfolio, portfolio companies are managing privacy and security risk.
Rob Cummings 4:44
You know, it's interesting, it's become a thing the last two years. Um, so if I go back two years ago, part of my standard due diligence process, because I always run technology due diligence, would cover data privacy and security flaws. Years ago, that was not the case. So any new investment, you know, there's a whole checklist that we're going through in IT and at times, where collecting data may be a really important business process, the company, I may bring in a Red Clover Advisors to help with the diligence. But point being is it's one of the items that we go through as part of technology diligence. I would say that companies are much more aware of it today. So, you know, a lot of times, I mean, we just did an acquisition and follow-on acquisition in the last 30 days for a company and, you know, just being candid, the acquisition of the portfolio company, they don't have a lot of this in place. So immediately 100 day plan, these are all high priority items that we need to work through. On the add-on acquisition had a lot more in place. It's a focus area. So both on the data privacy and security side, so answer your questions, it's all over the place. But the one thing I would say is some of our investments that are maybe five or six years old, so we're still harvesting those investments. Since it wasn't necessarily a thing that we looked at five or six years ago, I'm going back and saying, Hey, we need to be investing in data privacy and security. And, you know, we even sold a company last year, and again, Jodi knows about this, we actually did a sell side project to do a full data privacy study and work on the data inventory, individual rights agreement for that portfolio company in preparation for the sale. And so because we knew if Rob is looking at it from an investment perspective, potential buyers of our portfolio companies are going to be looking at the same thing.
And so we were able to basically get the house in order. In order to sell that company. This is one of many things that we did, but we did it pre sale before we sold the company.
Justin Daniels 7:01
So Rob, I want to ask you a follow up question that you kind of alluded to. So to what extent on deals that you're either investing or potentially in the sales cycle, where if they don't have the right privacy or security controls in place, how is that affecting the price that are you that you are willing to pay? Or is that just built in as we know, we're gonna have to do this? It's just part of the cost of doing business.
Rob Cummings 7:27
But I think that brings up a bigger question. You know, there are so many factors that can lead to a deal not getting done. And this is just one of many things that we look at, like, you know, concentration, is the reported EBITDA what it's really said. So, there's a number of things that we look at to determine whether or not we're going to invest. I personally haven't seen security or data privacy crater a deal, per se. But I have seen it where it becomes some red flags that even our underwriters on the deal are coming back to us and saying this needs to be fixed within the first 100 days of ownership. So goes on the 100 day plan, and we make sure that, you know, the day after closing, we are addressing some deficiencies that may have come up.
Jodi Daniels 8:21
When you're evaluating and you find these types of companies, for those that don't put it as a priority. It sounds like in those situations, it might go on a special 100 day plan. As you're evaluating obviously, all types of points, right. It's not just privacy and security, but it's one of them. What is the viewer the perception of that company, when they might have put privacy and security a little bit lower, does it? You know, is there any view of this is this is concerning. This isn't concerning. Just kind of curious to know, as an investor when you're evaluating a company. And obviously, we're very slanted from this privacy security side. But when you see that, what are kind of the triggers that come to mind?
Rob Cummings 9:05
Well, I get back to what I said before, is their house in order. And typically, if there isn't a focus on security and data privacy, there's probably some other issues that we're going to uncover. And it may be a combination of a number of different things that leads us to make a decision to not invest. So I think it's going to be rare that the company is completely buttoned up, but they've totally forgotten about data privacy and security, you're really not going to see it's going to be symptomatic of the culture that the management team has created as an example.
Jodi Daniels 9:40
So I have a follow up question to that because my kind of thoughts or sentiments when I'm talking to some of the types of companies that you might be investing in, they haven't tackled privacy and security because it's not a priority. They're very focused on revenue and, and growing and all those types of things and they Think, while I don't need to focus on it, I'll just take the risk. So when you come or there's an acquisition, how do you because that's a bit of a culture piece. So how do you help adjust that for them or educate them on? That was a that was your philosophy, then this is why now we need to also focus on it.
Rob Cummings 10:23
Yeah, it's a good point. And I've certainly seen it a number of different times on Yeah, it's an education process. And, you know, whether it's going back to specific regulations, you know, the one thing I'll say, here's the response I'll get is, we don't have a data privacy issue, because we don't collect any any, you know, PII for example, personally identifiable information. And then you're like, Okay, well, your accounting system, your CRM system, do you have a client contacts, email address? And their phone number? Oh, yeah, yeah, we have that, where you're collecting Privacy Information, then. And so that's, that's what we see, you know, the immediate response because they don't want to focus on it as well, we don't, we don't have any privacy information. We don't have any PII on our servers, you dig a little deeper and you find out No, that's not necessarily the case. Now, maybe it's just an email address and a phone number. And it's not, you know, credit card information and that type of thing. But I would say, everybody has this information, you have to know who your billing contact is in your in your accounting system in your CRM system, you're specifically marketing to these individuals. So everybody has some level of PII, we have to determine if it's part of your core business process. And then where's it being? Where's it being stored? And is it being you know, is it behind firewalls? Is it secure ties, so to say, so it's an education process. And I think you hit the nail on the head, it's got to be part of the culture that it's important to, to be in compliance and to respond to potentially any deficiencies. Make sense?
Justin Daniels 12:04
So kind of, in a related question, from your perspective, what is the biggest challenge you see with your portfolio companies and what they face from a privacy and security perspective, particularly in light of, I'd say, the last two months, I've seen ransomware demands go through the roof, as well as SolarWinds has some really serious ramifications for business in general, going forward.
Rob Cummings 12:27
Yeah, there was a Mimecast breach that was sent out this morning. Um, and you know, we have some portfolio companies that use Mimecast for, you know, controlling email spam. So that's one thing I've been working on all morning is okay, did it potentially impact a couple of our portfolio companies and our firm that uses Mimecast? It looks like the specific breach did not impact any of those companies. But yeah, the biggest thing, look, every single one of our portfolio companies is a potential breach target, you know, and you know, you can have the controls set up. So you can see hackers trying to come in from China or whatever it may be, and you're thwarting those attacks. But, look, I've lived through a number of them. I've gotten the call late at night that such and such portfolio company, you know, someone clicked on a phishing email, and put in some security criteria. And now we have a breach on our hands. It's happened numerous times. I hate to say that it's happened, but I just think it's the reality of the world that we live in. And, you know, all that I can do is just make sure that we have procedures for, one of the governance documents that we always ask for is a cyber incident response. So if there is a cyber attack, how do you respond? You know, how do you handle it internally? How are you notify your management team? More importantly, how do you stop the breach? How do you get the forensics teams involved to see what the potential damage was? And then how do you, what's the word I'm looking for? How do you get the insurance guys on board, because the insurance providers that we use, they will have certain firms that they have approved already to do the investigative work, to do the remediation work, but you need to act on that pretty quick. So everybody now has a cyber Incident Response Plan.
Justin Daniels 14:34
So Rob, I wanted to ask you a follow up when you mentioned specifically that incident response plan. From your perspective, when you're working with the different portfolio companies, what is your expectation as to how often they actually practice the plan?
Rob Cummings 14:49
Good question. We definitely asked the plan be updated on an annual basis. Um, you know, I think it's fair to say that there's always a You know, run through a simulation like a disaster recovery simulation that's, you know, adjacent for this, but similar. I would love to say that all our portfolio companies do that on an annual basis, but I don't think that they realistically do. So, you know, it's my job with oversight as the CTO and working with our level 11 portfolio company, is to remind them that these things that they have to have an updated incident response that they need to be practicing doing going through a disaster recovery drill, or an incident response drill. You know, I'm not sitting there. So it's not like I can force the hand, but it's my job to make sure that, that we are going through these, these steps. And that we have our portfolio companies have their house in order.
Jodi Daniels 15:51
So switching back to kind of the privacy side, where we've talked about security and incident response and preparing, there's likely companies listening, who are looking to potentially have some type of investment going forward. So if they wanted to prepare and have a privacy program, which of course includes security, but for the moment, let's kind of start with the privacy piece first. And then we could come back to the security part. What would you recommend that these growing companies do to help create start solidify, put any word in place their privacy program?
Justin Daniels 16:33
Well, that's the shameless plug for Red Clover, but hiring hiring Red Clover,
Justin Daniels 16:38
really gracious, I
Jodi Daniels 16:40
was not, I assure you, it was it was.
Rob Cummings 16:46
What I said before is, well, we were preparing to sell a company a year ago. And we knew that we had to tackle this, they did not have a data inventory, they did not have a, you know, any type of response procedures. And we knew this was going to come up in diligence. So we went ahead and engaged a firm, Red Clover, to do a data privacy audit. And so, you know, several deficiencies were uncovered. And then we went through a month or two exercise to make sure all the things that I just mentioned that that am in towards there, that the that response was there, that we had procedures in place. So then when it came up in due diligence from potential buyers, it was a checkbox. Yeah, that meets our standards, move on to potentially other issues in overall due diligence. So my recommendation is hire experts. Um, you know, I don't have the expertise, per se. And I don't think there's a lot of, for example, private equity firms that necessarily have the expertise also. Now, some of our larger portfolio companies may even have a CFO on staff. But I think that's going to be pretty rare, we invest in the lower middle markets. And so for the most part, these companies aren't large enough to have a full-time CISO. But that being said, they can hire and have a part-time CISO, which I know is, again, another service that you provide, that can work with their company, as well as a number of other companies.
Jodi Daniels 18:25
What do you think, in the types of companies that you're investing in who should own or be responsible for privacy?
Rob Cummings 18:33
It's a great question that seems to fall into to my world as of late as the Chief Technology Officer, but I'm not sure if it makes sense to be part of the Technology Group. I almost turn that question back to you as to where where have you seen ownership? I mean, certainly, the Office of the legal office is another place where you could see it. Where else have you seen it?
Jodi Daniels 19:05
So that's the kind of the interesting piece is it's in a variety of different places. But you know, it depends on the size of the company, the bigger the company, the they might have a general counsel on staff. And so it might fall under them, because so often they're from the privacy side, it's a privacy law, and would fall to them. From a security point of view, it's generally, you know, a CISO, and Justin, you can talk about where you think CISOs should fall, but the CISO should? Well, I'll just let you wear shorts, he says, I'm not going to speak.
Justin Daniels 19:38
I think, to Rob's point, it depends. For a lot of the companies that Rob works with, they have no CISO.
Jodi Daniels 19:45
well, but let's let's take some of the larger companies that might have a CEO or someone, someone in the company even if you don't have a full time CFO is going to still be responsible at some capacity might just be part of their job. Then the
Justin Daniels 19:57
question, well, then I'm going to throw back at the larger question. What about the Chief Compliance Officer? Because a lot of privacy and security is that so then you throw that person to the mix. I think to your point, Jodi, the larger you get with the company, you have all these different people who have a hand in the privacy and security role mix. So how do you put one person in charge? Because you and I see all the time where it's like, different people have different pieces and parts and no one person is responsible. And that's how things fall through the cracks because someone else thinks it's Jodi's responsibility, not mine. And I think for the kinds of companies that Rob works with, they really don't have that role. So from company to company, I suspect Rob might tell us, it can reside with a CTO here, it could reside with a CFO here, it could reside with someone else, it really goes all over the board, and then you throw in their varying degrees of technical understanding, which is probably why for a lot of the lower middle market companies, they really need to pull in those third party experts tell them what they don't know.
Jodi Daniels 20:57
Yeah, so certainly the CFO is often if there's no legal counsel, a CFO tends to own it, because there's fines and there's risk. And so a CFO is trying to manage, oftentimes the risk and those fines. And then,
Rob Cummings 21:10
as a compliance officer, I think that's where we make the most sense. But, you know, to Justin's point there is that the companies that we deal with that we own, our you know, lower middle market, they don't necessarily have a compliance office, they may not even have any type of inside counsel that's even on their team. And so that's all outsource. So, but yeah, I'm not sure if I believe I mean, I believe that security and protecting your assets and protecting your data is a technology role. But data privacy, I'm not sure it belongs there. I personally, I've just inherited it, learn enough to become dangerous.
Jodi Daniels 21:52
I yeah, no, I think the privacy side sometimes is owned by the person who also owns security. And I don't think it should fall there. I do think there should be a separation of managing the data, how I market to you how I use that data, is likely very different from the technical capabilities of how I'm going to protect it and make sure that God the employee doesn't click on that phishing email.
Justin Daniels 22:21
Yeah, totally agree.
Jodi Daniels 22:22
Yeah. So it often goes back to how the type of data the company has, and how it's using it and where the biggest risks to that data is.
Justin Daniels 22:36
So, Rob, we want to change gears a little bit, because we ask all of our guests this question is, we'd love to get your thoughts on what is your best personal privacy tip, perhaps something you've learned from working with all of these companies? You know,
Rob Cummings 22:50
it's more of a personal story, but it applies to businesses also, it's really simple. Just take a breath when you get emails, and you quickly want to reply, because you're in the heat of battle during your day, just take a breath, and make sure it is not a phishing email. Phishing emails can be disguised so well. And so I've trained myself to look up at that sender email address, and is it legit or not? Because you can mask those sender email addresses. But the reason I say it's personal is because I have a personal story that I'll share. So last summer, sitting at the pool, and all of a sudden, my phone starts blowing up with Chase fraud alerts. And, you know, that Sunday, I'm getting all these alerts saying that, you know, X amount of dollars is being tried to being charged to my credit card. So I immediately have the family text. And you know, I think everybody has these that have children that have mobile phones, and my children are in college. And so I sent out a family text and I said, who's trying to charge the credit card with XYZ merchant, and I get a response from my daughter, and she's like, something's wrong with my laptop, my Mac, I'm getting all these pop ups and the pop up said to enter my credit card information here. And I'll fix the problem. And I'm like, Ah, you know, that's exactly what they want to do. So, you know, she, She's fast, and immediately was like, well, I can't stand these pop ups on my laptop. So I need to get it fixed. Let me just enter in the family credit card to fix it. That's so terrible response. You know, so, I mean, that caused a whole, you know, freefall of issues, you know, got it. You know, make sure that, you know, someone hasn't taken over our credit card. I can't remember if we actually had to get a whole new credit card or not, but, but it just goes you know, she was presented with a pop up, it wasn't necessarily a phishing email. But yeah, my recommendation is don't spam.
Just take a minute, take a breath. And just make sure if you're entering credit card information or personal information, just make sure it's coming from a legit source. So one, one very common phishing technique is to ask for just login credentials to the company network, or to your email or something like that. Because a lot of times, people will use the same username and password for accessing a lot of their corporate assets. And so once a hacker has that information, they have a number of different entry points into your network. And I've seen it happen with more than one of our portfolio companies. That's how they got in. And once they can get into the internal network, they can cause a lot of damage.
Jodi Daniels 25:52
Yeah, it's a great story and a good reminder to educate not only yourself, but your family members who might also be impacted. And know your your information, too.
Rob Cummings 26:04
Yeah, I mean, I think you guys have younger children, but you know, they reach an age where they're supposed to be responsible adult adults. But they don't realize the impact, you know, and it's a weird conversation to have with your children, you know, but you got to educate them so that they understand that my daughter just doesn't immediately enter in like, Hey, I enter the credit card information, all these problems go away. It doesn't work that way.
Jodi Daniels 26:32
I wish I wish it was that simple. Like the magic lines, right? nearing
Rob Cummings 26:38
the end of that story just to finish up. So of course, her laptop was completely compromised, which, you know, the world was going to come to an end because the laptop didn't work. So ended up having to take the laptop to Geek Squad over Best Buy and get it re imaged and all that kind of stuff. And now we have some ridiculous program that if anything ever happens, that laptop again, you know, Geek Squad will go as far as replacing it. So Donna, you got to protect your kids from themselves.
Jodi Daniels 27:09
That's a great, good, good story. So Rob, when you're not solving, phishing email problems or credit card disasters or advising portfolio companies on what they should or shouldn't be doing? What, what do you like to do for fun?
Rob Cummings 27:26
Well, I'm getting old. So we are just this year empty nesters. So we have two kids that are in college. And so we went ahead and bought a beach house. And so we have a beach house in the Outer Banks and up North Carolina that we just closed on a month ago. And so that's going to take up a lot of our time. But the hope is that, you know, we always did a family vacation or vacations every year. But as kids get older, and they have their own agendas and their own friends and they are becoming adults, you know, it's hard to get the, you know, the family afford together. And so we're hoping that the beach house will be the magnet for years to come. So we have a lot of renovation work to do to get it ready for that. But you know, that's where we're focusing time right now. First thing I did is, you know, in this working from home environment is I set up a great office at the beach. So I'm at home right now, but I do have the option of being extremely productive, even though I'm, you know, 65 yards from the ocean, if I need to be.
Jodi Daniels 28:35
That sounds lovely. That sounds really nice. Well, Rob, thank you so much for joining us today. How can people connect with you if they'd like to learn more about you or what the firm? That's
Rob Cummings 28:48
right, LinkedIn is the best. So Rob Cummings. I think I have an under Rob Cummings Charlotte. I tend to do that. So live in Charlotte, but they can find me on LinkedIn. My contact information is out there. Twitter handle also i believe is our upcoming CLT. So love to connect. And yeah, thank you for for having me on the show today.
Justin Daniels 29:15
Great to have you.
Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven't already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.