
NO VIRUS VACATION FOR BAD GUYS
The Nashville Capital Network’s Sid Chambless takes stock after his team’s 50th investment
The Nashville Capital Network this summer hit a notable milestone: Some 17 years after being launched to pool growth capital for early-stage ventures in and near Middle Tennessee, it invested in its 50th company, Atlanta-based healthy food venture ModifyHealth. The organization has put to work about $81 million since 2003 and its portfolio companies have combined to subsequently raise more than $980 million from other investors. Executive Director and Managing Partner Sid Chambless, who has been there from the beginning, spoke to Post Editor Geert De Lombaerde about the state of affairs in venture capital and what’s next for the NCN.
How has the NCN evolved most notably over the past 17 years? Our core strategy is still the same. We’re in a unique market where there are a large number of very successful entrepreneurs who have an appetite to invest in the next generation and the NCN can do the administrative work of pulling together deals. We refer to what we do as the acceleration round. We’re not going to mash our foot to the floor but what if we hire two more salespeople? Can we grow revenues more quickly?
Early on, it was mostly one lead individual saying, “This is going to be the price and the structure of this deal” and others followed or didn’t. Now we have so much more data about terms, about the pricing of follow-up rounds and so on. We’re helping our individual investors better price the risk.
There was a lot of chatter in the mid-2000s about the dearth of early-stage capital in the region. Has that narrative changed? I wouldn’t say that was ever the core issue. Yes, it was harder then to identify investors who knew how to invest and to help businesses grow. But with each of our funds, we’ve expanded around the edges. The biggest change has been that there are now more better-quality opportunities. More people are coming out of large organizations with great ideas and strong networks and we have more seasoned executives in both software and health IT to help them grow.
And then you look at some of the organizations that have attracted national private equity players. They have put Nashville on the radar for Google Ventures and other large investors. The VC arms of Humana, UnitedHealth and Cigna have all invested with us.
How is COVID changing what you do? So much of what we do comes down to “Do we believe this team can do what they’re saying they can do?” So COVID has changed how we do our due diligence. We’re doing more background checks, taking a little more time to get comfortable with things. But the ModifyHealth deal, for example, looks very much like it would’ve pre-COVID.
Deal flow the last two years had already been a bit slower. A lot of private equity has been raised and invested and recapitalizations are tying up management teams for a few years. So we’re having to wait a little, maybe track people a little longer and look for others who have ideas that are keeping them up at night. The best thing for us to do is to stay in constant contact with our people. But what used to be breakfast, lunch or drinks is now Zoom, Zoom and Zoom. The way we fish off our pier has changed.
Does that also impact plans for your next fund? Not so much. The biggest difference for us versus five years ago will be that we’ll be able to point to some pretty meaningful exits. Trilliant Health from our Partners Fund produced an outstanding return for us in less than 24 months and before that, we had Aspire Health and Emma. We have other companies on great trajectories — XOi Technologies, Groups360, Contessa Health, AxiaMed and more. For our next fundraise, we can point to a lot of follow-up transactions and exits.
We’ve invested in eight companies from our most recent fund and we have two more in the queue before the end of the year. In 2021, I’m confident we’ll raise another fund. We’re not going upmarket and we’ll still focus on the capital gap. But we could cut bigger checks — our typical deal has been an average investment of $4 million with the NCN taking half — and still do the same number of deals.
Cybersecurity pros talk about what’s current, what’s next and what business leaders should be doing to protect their organizations
Following up on a story in our summer magazine about cyberattacks during the spread of COVID-19, the Post hosted a July panel discussion on cybersecurity that featured Debbie Gordon of Cloud Range, Mary-Michael Horowitz of Asylas and Dan Hulen of Cherry Bekaert. Here, lightly edited for brevity and clarity, are some excerpts from that chat, which was moderated by Post Editor Geert De Lombaerde.
DE LOMBAERDE: If you’re a business leader framing or reframing your thinking on this, where do you begin and who do you involve?
HOROWITZ: You want to involve board members, members of the senior leadership team, any business process owners and of course end users. I would say, “Involve everyone!” The best clients for us are the ones whose senior management team are very much involved and understand this and want to do the right thing.
First, you want to understand what you’re protecting. Where are all the places that your data lives? You can certainly rely on technology for that exercise but you also want to talk to the stewards of the data. You want to talk to your third-party vendors as well to understand how your data is flowing through their networks and that they’re being good stewards of your data. Then you’ll want to look at the threat landscape. What are the current threats against your crown jewels? Are you going to accept that risk, transfer that risk or mitigate that risk? Then you’ll want to assess your current security programs. Is it worth it to retrofit them or to start fresh? A lot of times, we find that starting fresh is more cost-friendly.
Once you’ve evaluated your organization against a framework, you’ll want to iterate and improve that plan. It’s not a set-it-and-forget-it type thing, unfortunately. And I’d be bad at my job if I didn’t highlight the need to practice an incident response plan. It’s very, very important to have some table-top exercises to put that plan to the test. The plan never goes as planned.
GORDON: The one thing that we tell all our customers is that, even if you have a plan, it doesn’t matter if you don’t practice it. You can know every rule of football but if you get on a field with an NFL team, you might get killed. You have to actually do it.
Traditional table-top exercises typically start with an event already happened: You get a call from the FBI and they say, “We’ve found 500,000 of your customer records on the dark web.” What do you do? We actually simulate the attack happening. We use the analogy of a flight simulator a lot. When you’re practicing anything, you have to create muscle memory.
HULEN: In terms of incident response, having that plan is absolutely critical. If you wake up first thing in the morning and your entire network is down and all of your machines are encrypted, who are you going to call? Many people really don’t know. It’s not written down or it’s old.
If you do not have cyberliability insurance, I would put that at the top of the list and I would get some good counsel for coverage. There are a lot of types of insurance out there. It may cover the introduction of legal counsel. It may cover some ransom fees you may have to pay. And it may cover some basic forensics. But it may not include data recovery. So if you have to recover all of your data and you have to start from scratch, that may be one of your most significant costs.
DE LOMBAERDE: How much has changed in the past few months as so many of us have been working from home? Is security a fundamentally different conversation now?
HULEN: Absolutely. There are a number of new risks. A couple of different things are happening. There’s the use of personal home computers, especially if they’re able to access their materials via the cloud. If you’re not locking down your various cloud systems, that could be a major problem. Obviously, home networks aren’t very secure and there’s plenty of opportunity to jump in. You can also have infected machines on the network. And your personal home computer doesn’t have a local firewall so it’s ready to be compromised. There’s greater use of corporate VPNs and remote desktop-type technologies out there but some of those have been hastily put together. If your IT group has put up a remote desktop and it’s not properly secured and it doesn’t have multi-factor authentication, that just opens up the corporate environment.
Another risk in working from home is the risk of greater downtime. If you have an issue, it’s just so much more difficult now for your IT service folks — either managed services that are outsourced or inside — to try to get to you and help you out.
Similarly, and related to not being in the office: Many corporate machines are not getting patched. The advent of the cloud is changing that game and that’s getting a lot better. I don’t have to be VPNed in. I can get those patches sent down to me.
GORDON: What you’ve been talking about is very much user-focused. It’s also a much different environment for the cyberdefenders. They’re not sitting in a security operations center with five or 10 people, being able to look at logs and talk about and go through the same type of incident response that they would before they were working at home.
You can’t just lean over to your neighbor and say, “Hey, what do you think about this alert?” You might have to call somebody. And security people, stereotypically, they might not talk a lot and they’re happy being home and we have to force that on them. It’s a lot different when people aren’t in the same room with each other.
DE LOMBAERDE: What have companies generally been getting better at these last few months?
HOROWITZ: I’ll start with the good. They’ve certainly gotten better at paring back on all the extras and getting back to the fundamentals of running a business. They’ve gotten better at the work-life balance and working remotely from a technology standpoint. I’ve been so impressed with how quickly IT teams were able to pivot to a work-from-home environment. I know it was clunky and it was weird but it’s 2020; everything’s weird.
But they haven’t gotten better at security. Some folks don’t necessarily understand that the threats haven’t gone away. The bad guys aren’t taking a COVID vacation, I assure you. It’s almost like they’ve just been waiting for some opportunity like this to pounce. Ransom demands have gone up 33 percent since Q4 of 2019.
It’s not the time to hope that cyberattacks go away. I can’t stress enough the importance of securing that remote workforce. Now that you have it in place and you’re good at it, let’s take a look at how the wheels maybe fell off your security program because now you have a whole new attack surface with your work-from-home employees.
DE LOMBAERDE: How should companies of various sizes think about bringing people in house versus contracting out for IT security services?
HOROWITZ: It doesn’t matter what size your organization is. You really need to look at it from a risk perspective to your organization. I’m from the world of outsourcing so I’ll say that, with the shortage of security professionals, you don’t want to have to worry about hiring someone and it just being a revolving door. And unless you’re someone of equal or greater talent, it’s really difficult to even interview these people, right? But if you hire an organization, you have this agreement in place that they are doing these things for you.
GORDON: There’s a reason the managed security services industry is growing so fast. There are more than 2.5 million open jobs in cybersecurity and it’s getting worse. The number of threats grows and you can’t just accelerate people’s skills and learning. So companies need to outsource. They don’t know how to interview people, they don’t know what they don’t know and it’s not their skill set.
Technology can’t solve every problem. At the end of the day, people are going to be your weakest link in the chain. So much has been focused on technology and these thousands and thousands of products, but at the end of the day, all of that is for naught if you don’t have the people who know what they’re doing.
DE LOMBAERDE: Dan, is there a benchmark for business owners and leaders for how much they should allocate to spending in IT security?
HULEN: There are certainly general benchmarks. Overall, IT spending is about 2.5 to 2.7 percent of revenue. That has gone up over the last 10 years or so from about 2.3 to the 2.7 range. Then you’ve also seen an increase in IT security spending: In 2005, the IT security spend as a percent of the overall IT budget was about 7.5 percent. That’s gone up, as of 2017, to 10.6 percent.
So if I’m a $20 million revenue company and my IT spend on average is about $540,000, the portion of security would be about $60,000. What’s interesting, though, is that, with the advent of cloud services, we’re seeing nascent businesses that are very disruptive to traditional industries and the amount of money that they’re spending on IT is not $540,000. They’re not spending that at all but that $60,000 for security is about right.
DE LOMBAERDE: We’ve received two questions that get at this topic. A lot of organizations are looking at their budgets and where they could cut. Where can people cut back and still be safe?
HOROWITZ: I’m not telling them to stop spending money. It’s something I refuse to do. They’re already not doing enough, honestly. I get it: All of those is time and money, right? If money and time were infinite, everyone would be as secure as possible, I have no doubt.
Again, these things are not set-it-and-forget-it. You have to keep these things alive and do the things you established in your security program. If you say, “We’re just going to sit it out this year,” then you’ve essentially gone against your plan.
GORDON: There are a lot of companies that invest in technology that, for lack of a better term, sits on the shelf. One of the things that companies can do to determine where they need