WEBVTT

00:00:02.350 --> 00:00:05.070
Welcome to the Growing EBITDA Podcast, where

00:00:05.070 --> 00:00:07.669
we unlock the doors to management and technology

00:00:07.669 --> 00:00:10.689
insights in the middle market. Join us as we

00:00:10.689 --> 00:00:13.230
explore innovative strategies to drive revenue

00:00:13.230 --> 00:00:16.129
and EBITDA growth, interviewing industry leaders

00:00:16.129 --> 00:00:18.949
and technology experts. Whether you're looking

00:00:18.949 --> 00:00:21.809
to streamline operations, understand the latest

00:00:21.809 --> 00:00:24.629
tech trends, or lead your company towards exponential

00:00:24.629 --> 00:00:28.050
growth, you're in the right place. Stay tuned

00:00:28.050 --> 00:00:32.859
and let's grow together. All right. Back in the

00:00:32.859 --> 00:00:36.119
studio. Hey, Mike. James, where are you at today?

00:00:36.799 --> 00:00:39.200
Actually, I'm home this week, Mike. Oh, great.

00:00:39.820 --> 00:00:42.500
First time this year? Yeah, actually, it is the

00:00:42.500 --> 00:00:44.399
first week this year I've been home. Monday through

00:00:44.399 --> 00:00:46.600
Friday? Monday through Friday. You home this

00:00:46.600 --> 00:00:49.039
week, too? Excellent. I am not. I'm headed to

00:00:49.039 --> 00:00:51.939
California tomorrow morning to go see some colleagues,

00:00:52.140 --> 00:00:55.840
but didn't travel last week. So, you know, that's

00:00:55.840 --> 00:00:59.979
a win. That's a win. Good ski season? Great ski

00:00:59.979 --> 00:01:02.590
season. Great ski season. Always wish I could

00:01:02.590 --> 00:01:04.709
have skied more, you know, but living in Colorado

00:01:04.709 --> 00:01:07.170
helps. That's for sure. Our quarter inch of snow

00:01:07.170 --> 00:01:09.409
here in Houston didn't. I heard about that. You

00:01:09.409 --> 00:01:13.170
get the skis out? Yeah, I did. I did. Just to

00:01:13.170 --> 00:01:15.569
look at them. Are those like alpine water skis?

00:01:15.569 --> 00:01:16.829
Is that what they call them down in Houston?

00:01:17.590 --> 00:01:21.230
Yes, correct. And you tow them with a boat or

00:01:21.230 --> 00:01:24.750
a truck? It's Texas, so a diesel powered truck.

00:01:24.969 --> 00:01:27.650
There you go. There you go. Lifted. Lifted. Lifted.

00:01:28.150 --> 00:01:30.700
All right. So, James, what are we talking about

00:01:30.700 --> 00:01:33.159
today? Today, we're going to talk about cybersecurity,

00:01:33.359 --> 00:01:35.400
but with an interesting spin on it, Mike, which

00:01:35.400 --> 00:01:37.000
I think is a good one. And I'm glad that we're

00:01:37.000 --> 00:01:38.980
having the conversation together again. It's

00:01:38.980 --> 00:01:41.280
how do we address board level concerns? So we

00:01:41.280 --> 00:01:43.180
had our cybersecurity episode for folks that

00:01:43.180 --> 00:01:45.140
may not have heard it. Go back and listen. But

00:01:45.140 --> 00:01:47.239
one of the topics that came out was how do we

00:01:47.239 --> 00:01:49.840
address some of those board level concerns? So

00:01:49.840 --> 00:01:52.579
how do you do it? Well, let's just dive right

00:01:52.579 --> 00:01:55.420
in, man. Let's just get right at it. So I think

00:01:55.420 --> 00:01:58.269
a lot of times, our episodes, and you and I talk

00:01:58.269 --> 00:01:59.810
about this, and just so everyone knows, we do

00:01:59.810 --> 00:02:02.209
have conversations before the show where we talk

00:02:02.209 --> 00:02:03.730
about themes and go over what we're going to

00:02:03.730 --> 00:02:06.069
discuss. And sometimes we have this feeling of

00:02:06.069 --> 00:02:10.150
like, maybe what we're talking about is too simple

00:02:10.150 --> 00:02:12.530
and sometimes not simple enough. But I think

00:02:12.530 --> 00:02:14.469
today we're going to talk about kind of some

00:02:14.469 --> 00:02:16.729
major components of that. And we're going to

00:02:16.729 --> 00:02:18.370
start with the simplest, which is just understanding

00:02:18.370 --> 00:02:22.289
your risk and understanding that portfolio. One

00:02:22.289 --> 00:02:24.229
of the things I think about organizations are

00:02:24.229 --> 00:02:27.250
really good at threat protection is around the

00:02:27.250 --> 00:02:29.590
physical security side. So we go to facilities

00:02:29.590 --> 00:02:31.289
all the time. They have cameras up. They have

00:02:31.289 --> 00:02:33.849
locks on the door. They make sure there's badges

00:02:33.849 --> 00:02:35.770
or some form of system. And they have a

00:02:35.770 --> 00:02:37.930
sign-in, sign-out sheet, most likely. But what I

00:02:37.930 --> 00:02:40.289
think a lot of times is something that isn't

00:02:40.289 --> 00:02:42.069
thought about as we look at smaller businesses

00:02:42.069 --> 00:02:45.150
on the smaller side of the mid-market is those

00:02:45.150 --> 00:02:47.110
invisible threats. And we've all heard them.

00:02:47.210 --> 00:02:50.669
The phishing attacks, the cybersecurity events.

00:02:51.050 --> 00:02:53.610
It makes news cycles. We hear about it all the

00:02:53.610 --> 00:02:55.960
time. And as we discussed in our last episode,

00:02:56.180 --> 00:02:59.159
there's a lot that isn't discussed in the media

00:02:59.159 --> 00:03:01.400
or that you read about, which is some of these

00:03:01.400 --> 00:03:04.560
smaller things. And so when we think about how

00:03:04.560 --> 00:03:06.800
do we start to understand and educate ourselves

00:03:06.800 --> 00:03:09.460
is we have to understand what good looks like.

00:03:09.780 --> 00:03:12.879
And a lot of times at Trivista, we see folks

00:03:12.879 --> 00:03:15.120
understand what good looks like at the time of

00:03:15.120 --> 00:03:18.069
diligence. So if I'm a... family run, family

00:03:18.069 --> 00:03:20.949
owned business. I don't really have a good perception

00:03:20.949 --> 00:03:23.430
of what my gaps are and what my issues are. I

00:03:23.430 --> 00:03:25.370
just assume I'm doing well. I'm working with

00:03:25.370 --> 00:03:27.090
my IT professional, whether it be an internal

00:03:27.090 --> 00:03:29.030
or external resource. And they tell me, hey,

00:03:29.449 --> 00:03:31.610
we got to charge an extra 50 bucks a month, but

00:03:31.610 --> 00:03:33.150
you're going to be good. And I say, perfect.

00:03:33.330 --> 00:03:35.650
That's great. There's not really a lot of folks

00:03:35.650 --> 00:03:38.310
who go out and measure themselves against industry

00:03:38.310 --> 00:03:41.110
standards and what looks best. And so that leadership

00:03:41.110 --> 00:03:42.849
team that you're working with, whether again,

00:03:42.969 --> 00:03:45.629
internal or external, can maybe have a misperception

00:03:45.629 --> 00:03:47.870
of where they are on the journey and getting

00:03:47.870 --> 00:03:51.629
some of that guidance. As a listener, and just

00:03:51.629 --> 00:03:53.750
as a quick aside, if you want some of that guidance,

00:03:53.789 --> 00:03:55.860
there are great groups out there. Obviously,

00:03:55.860 --> 00:03:57.099
that's one of the things that Trivista does.

00:03:57.219 --> 00:03:58.819
But there's great groups you can reach out to

00:03:58.819 --> 00:04:01.219
today. Prepare yourself, have those conversations,

00:04:01.400 --> 00:04:03.439
and do what they would call a gap analysis. So

00:04:03.439 --> 00:04:05.340
reach out to your favorite cyber professional

00:04:05.340 --> 00:04:07.159
and say, hey, I want to do a gap analysis on

00:04:07.159 --> 00:04:09.080
my cyber. They'll know what you mean and should

00:04:09.080 --> 00:04:11.139
be able to jump into action. And the reason we

00:04:11.139 --> 00:04:13.879
do those gap analysis is a lot of times, and

00:04:13.879 --> 00:04:15.139
unfortunately, another thing you read about,

00:04:15.280 --> 00:04:17.720
everyone reacts to things, a reactionary culture.

00:04:18.139 --> 00:04:20.860
It's a tough one for me to say. I think what

00:04:20.860 --> 00:04:22.899
you're trying to say is a reactive culture. There

00:04:22.899 --> 00:04:25.339
it is, a reactive culture. I didn't react well

00:04:25.339 --> 00:04:27.720
to the need of the word. And that really means

00:04:27.720 --> 00:04:30.360
that, hey, when something happens, I react quickly

00:04:30.360 --> 00:04:33.920
and mostly I react well to that. So I wait for

00:04:33.920 --> 00:04:36.199
that event to happen to be prepared for that.

00:04:36.379 --> 00:04:38.779
And so I think we've seen more and more on the

00:04:38.779 --> 00:04:40.889
opposite of that, folks start to go out and get

00:04:40.889 --> 00:04:43.709
insurance for cybersecurity, be a little more

00:04:43.709 --> 00:04:46.850
proactive on finding those solutions, maybe standing

00:04:46.850 --> 00:04:49.490
up multi-factor authentication for email. But

00:04:49.490 --> 00:04:51.189
there's still this idea that I'm going to react

00:04:51.189 --> 00:04:53.050
to some of these events because I'm not fully

00:04:53.050 --> 00:04:55.189
prepared. And when you think about it and understand

00:04:55.189 --> 00:04:56.850
your risk, if you don't know what your risks

00:04:56.850 --> 00:04:58.730
are because you don't understand what they could

00:04:58.730 --> 00:05:01.170
be, you have a misperception of where you are

00:05:01.170 --> 00:05:03.089
in your journey, you're going to have to react,

00:05:03.290 --> 00:05:05.850
which can cause quite a bit of turmoil and challenges.

00:05:06.269 --> 00:05:08.009
So I know we talked a little bit about this as

00:05:08.009 --> 00:05:10.610
well last time, Mike, but board season, we got

00:05:10.610 --> 00:05:12.009
through the holidays, we got through the end

00:05:12.009 --> 00:05:13.930
of year, beginning of year. Cyber is always a

00:05:13.930 --> 00:05:15.810
big topic that time of year. Kind of how does

00:05:15.810 --> 00:05:17.189
that resonate with what you're hearing in the

00:05:17.189 --> 00:05:21.269
field? You know, I think in general, there's

00:05:21.269 --> 00:05:24.949
still a lot of lack of understanding at the board

00:05:24.949 --> 00:05:30.870
level about cybersecurity. I think... Most businesses

00:05:30.870 --> 00:05:33.509
that I'm involved with who take cybersecurity

00:05:33.509 --> 00:05:39.110
seriously have either had a cyber incident, a

00:05:39.110 --> 00:05:43.610
breach, so to speak, or have a board member or

00:05:43.610 --> 00:05:46.089
executive who have lived through something like

00:05:46.089 --> 00:05:49.970
that at a different organization. You know just

00:05:49.970 --> 00:05:51.750
as well as I do, I still walk into businesses

00:05:51.750 --> 00:05:57.519
every month and find cybersecurity completely

00:05:57.519 --> 00:06:02.620
lacking in some cases and not absent, but deficient

00:06:02.620 --> 00:06:05.560
in many others. Certainly, there are some companies

00:06:05.560 --> 00:06:08.019
that are leading the way here, leading the charge,

00:06:08.180 --> 00:06:10.779
who've invested appropriately, who have the right

00:06:10.779 --> 00:06:13.699
skill sets either internally. It's actually difficult

00:06:13.699 --> 00:06:15.160
to have all the right skill sets internally,

00:06:15.339 --> 00:06:17.639
but it's really about having good skill sets

00:06:17.639 --> 00:06:20.139
internally and complementing those with external

00:06:20.139 --> 00:06:22.839
resources because you really can't do this on

00:06:22.839 --> 00:06:25.490
your own. And I think candidly, I think there's

00:06:25.490 --> 00:06:28.069
just a lot of people out there who continue marching

00:06:28.069 --> 00:06:30.730
along thinking, hey, I haven't had a cyber breach,

00:06:30.910 --> 00:06:33.629
so we must be good. Right. I think there's just

00:06:33.629 --> 00:06:35.529
a lot of it's not just at the board level, but

00:06:35.529 --> 00:06:37.329
it's at the executive team level, too. There's

00:06:37.329 --> 00:06:39.089
just a lot of kind of lack of understanding of

00:06:39.089 --> 00:06:43.149
the breadth and depth of a breach and how much

00:06:43.149 --> 00:06:44.769
it can impact the business. You know, it's one

00:06:44.769 --> 00:06:48.750
thing if one of your employees gets hustled via

00:06:48.750 --> 00:06:51.990
email or via text message to use a company credit

00:06:51.990 --> 00:06:54.649
card to buy some gift cards for somebody, right?

00:06:54.889 --> 00:06:57.350
We hear about that stuff sometimes. It's another

00:06:57.350 --> 00:07:01.149
thing if these bad actors are able to get into

00:07:01.149 --> 00:07:03.769
your internal system, maybe it's your ERP system,

00:07:03.930 --> 00:07:07.689
and shut it down. Or let's say you're a printing

00:07:07.689 --> 00:07:10.430
business. Steal all of your source artwork, and

00:07:10.430 --> 00:07:13.110
now you can't print any of your production that

00:07:13.110 --> 00:07:15.050
week, that month, that year. Think about how

00:07:15.050 --> 00:07:16.589
embarrassing it's going to be to go back to your

00:07:16.589 --> 00:07:18.930
client base and go, hey, we had a cyber breach.

00:07:19.439 --> 00:07:22.860
All your sensitive files got hacked. We can't

00:07:22.860 --> 00:07:25.240
access them. Can you send us new ones so we can

00:07:25.240 --> 00:07:28.540
get back to producing your displays or whatever

00:07:28.540 --> 00:07:30.420
it is that you may be printing, right? And that's

00:07:30.420 --> 00:07:33.579
just one example. You can have entire businesses

00:07:33.579 --> 00:07:36.800
get taken down, production systems, transportation

00:07:36.800 --> 00:07:42.040
management systems, ERP systems, CRM systems.

00:07:42.339 --> 00:07:45.560
What if you immediately lose the ability to invoice

00:07:45.560 --> 00:07:47.560
your customers because somebody takes over your

00:07:47.879 --> 00:07:49.939
financial system, right? And until you've kind

00:07:49.939 --> 00:07:52.120
of lived through one of those issues until you've

00:07:52.120 --> 00:07:54.519
had some of those scars, oftentimes, I don't

00:07:54.519 --> 00:07:58.240
find people taking this as seriously as, as we

00:07:58.240 --> 00:08:01.759
would encourage them to. Yeah, that's important.

00:08:01.920 --> 00:08:04.160
I'd like to shout out one particular listener,

00:08:04.220 --> 00:08:06.620
a podcast that I'm very proud of, Mike, and that

00:08:06.620 --> 00:08:09.839
would be yourself. Because to hear you naturally

00:08:09.839 --> 00:08:13.360
drop bad actor as part of your statement, as

00:08:13.360 --> 00:08:15.180
you're not even thinking about as you go through,

00:08:15.279 --> 00:08:17.939
hey, we may not touch a lot of folks on this

00:08:17.939 --> 00:08:20.339
podcast, but I'm glad we got you. That was an

00:08:20.339 --> 00:08:22.920
excellent quote. Is the reason you did this podcast

00:08:22.920 --> 00:08:24.920
in the first place to try and get me to appreciate

00:08:24.920 --> 00:08:28.120
cybersecurity more, James? I'll never say. Or

00:08:28.120 --> 00:08:32.139
maybe try to get that funding up. One of the

00:08:32.139 --> 00:08:35.429
things I think is interesting, Mike. I think

00:08:35.429 --> 00:08:37.029
there's a lot of, and we haven't done a podcast

00:08:37.029 --> 00:08:39.129
on this, and again, maybe another future podcast

00:08:39.129 --> 00:08:41.590
around what the structure of a board is and what

00:08:41.590 --> 00:08:44.169
the makeup of a board. I think because it's such

00:08:44.169 --> 00:08:47.169
a quintessential piece of this podcast, we should

00:08:47.169 --> 00:08:49.049
talk about boards a little bit, just because

00:08:49.049 --> 00:08:51.009
I think maybe some of our listeners have thought

00:08:51.009 --> 00:08:52.929
about boards at family-run businesses, where

00:08:52.929 --> 00:08:54.409
it's just some friends and maybe some family

00:08:54.409 --> 00:08:56.509
or your internal team, or they hear this kind

00:08:56.509 --> 00:08:58.929
of Wall Street board where you just assume it's

00:08:58.929 --> 00:09:01.070
a bunch of execs flying in on private jets and

00:09:01.070 --> 00:09:03.840
having fancy meals. I think it's maybe important

00:09:03.840 --> 00:09:07.379
to talk about, like, what is the understanding

00:09:07.379 --> 00:09:09.460
of a board member? Or maybe how about this? What's

00:09:09.460 --> 00:09:11.980
the profile of a board member? Maybe you can

00:09:11.980 --> 00:09:13.720
talk a little bit about that. And then what's

00:09:13.720 --> 00:09:15.100
the general understanding? I know you mentioned

00:09:15.100 --> 00:09:16.919
that they have maybe suffered a breach before,

00:09:17.059 --> 00:09:19.279
but let's go profile a board member and how much

00:09:19.279 --> 00:09:21.519
they really know about cyber or kind of the experience

00:09:21.519 --> 00:09:23.940
level of these board members in the cyber arena.

00:09:25.299 --> 00:09:28.100
Sure. So boards come in all different shapes

00:09:28.100 --> 00:09:32.879
and sizes. But generally speaking, broad generalities

00:09:32.879 --> 00:09:35.580
here. You tend to either have boards that are

00:09:35.580 --> 00:09:38.620
comprised of like family shareholders in a founder,

00:09:38.779 --> 00:09:42.519
family owned business setting. When the business

00:09:42.519 --> 00:09:44.559
gets sold, you know, if it gets sold to a private

00:09:44.559 --> 00:09:45.840
equity fund, the private equity fund is going

00:09:45.840 --> 00:09:47.860
to build their own board. Oftentimes that's going

00:09:47.860 --> 00:09:51.580
to be comprised of the CEO, maybe the CFO from

00:09:51.580 --> 00:09:54.179
the management team, maybe the founder, if they're

00:09:54.179 --> 00:09:56.320
still involved, if they've continued to remain

00:09:56.320 --> 00:09:58.779
a shareholder to some degree, a minority shareholder

00:09:58.779 --> 00:10:01.120
in the business, maybe as an example. And then

00:10:01.120 --> 00:10:03.980
maybe two or three or four people from the investment

00:10:03.980 --> 00:10:05.879
group, from the private equity fund. Obviously,

00:10:06.000 --> 00:10:08.139
publicly traded companies, big, large global

00:10:08.139 --> 00:10:10.820
organizations, they tend to have more diverse

00:10:10.820 --> 00:10:14.019
boards, where maybe it's the CEO is a board member.

00:10:14.259 --> 00:10:16.500
Oftentimes, the CEO can be the chairman as well

00:10:16.500 --> 00:10:18.740
as some of those boards. And then maybe some

00:10:18.740 --> 00:10:22.639
outside directors from other industries, maybe

00:10:22.639 --> 00:10:25.000
one or two from large institutional investors,

00:10:25.419 --> 00:10:28.039
the BlackRocks and, you know, Vanguards and

00:10:28.039 --> 00:10:30.789
those types of folks. But in the mid-market,

00:10:31.009 --> 00:10:33.049
if it's a private equity-backed business, it's

00:10:33.049 --> 00:10:35.230
kind of as I described. Or if it's a family-owned

00:10:35.230 --> 00:10:36.549
business, oftentimes you have some family members.

00:10:36.710 --> 00:10:39.669
And quite frankly, I think in my personal experience

00:10:39.669 --> 00:10:42.250
in both those settings, founder-owned businesses

00:10:42.250 --> 00:10:44.330
and boards that I've been associated with and

00:10:44.330 --> 00:10:47.669
private equity-backed businesses, the risk that

00:10:47.669 --> 00:10:49.669
you always run, in my opinion, is kind of groupthink,

00:10:49.809 --> 00:10:51.710
right? So you get a couple of people from the

00:10:51.710 --> 00:10:52.990
management team. You get a handful of people

00:10:52.990 --> 00:10:56.009
from the investor group. What do you have? Well,

00:10:56.070 --> 00:10:59.740
you have a diverse set of experiences and

00:10:59.740 --> 00:11:02.700
battle scars that people have learned from. Hopefully,

00:11:03.019 --> 00:11:04.600
people have had some exposure to different industries.

00:11:04.700 --> 00:11:07.860
That's often the case. Even still, while that's

00:11:07.860 --> 00:11:09.539
typically a much more professional board than

00:11:09.539 --> 00:11:12.980
a founder-owned, family-driven board, oftentimes,

00:11:13.240 --> 00:11:16.559
there'll still be gaps. Cybersecurity is one

00:11:16.559 --> 00:11:19.259
of them. Quite frankly, in the 15 boards that

00:11:19.259 --> 00:11:21.799
I've been on over the last 20 years, I don't

00:11:21.799 --> 00:11:23.480
know that we've ever had somebody who would say

00:11:23.480 --> 00:11:27.710
that they're even close to a well-versed is

00:11:27.710 --> 00:11:30.629
intermediate from a cybersecurity expertise perspective,

00:11:30.870 --> 00:11:33.950
let alone an expert. And I think that, you know,

00:11:33.950 --> 00:11:36.110
that's an opportunity for a lot of businesses,

00:11:36.250 --> 00:11:38.909
right? It's an opportunity to bring that in.

00:11:39.009 --> 00:11:40.450
You know, so you asked the question, kind of

00:11:40.450 --> 00:11:41.870
what do boards look like? I kind of gave you

00:11:41.870 --> 00:11:43.830
a little bit of an answer. Hopefully that's helpful

00:11:43.830 --> 00:11:46.710
to some folks. There's no such thing as a perfect

00:11:46.710 --> 00:11:49.049
board, but I think certainly this is a topic

00:11:49.049 --> 00:11:51.169
that if your board's not talking about cybersecurity,

00:11:51.389 --> 00:11:53.309
especially over the last couple of years with

00:11:53.309 --> 00:11:54.990
everything that's happened in the world, you

00:11:54.990 --> 00:11:57.769
need to prioritize it a lot more. So Mike, since

00:11:57.769 --> 00:11:59.990
baselining the board, right, so now you've kind

00:11:59.990 --> 00:12:01.970
of baselined that communication, you've baselined

00:12:01.970 --> 00:12:04.789
the persona of a board. So I'm new, recently

00:12:04.789 --> 00:12:07.250
acquired, and I want to get cybersecurity worked

00:12:07.250 --> 00:12:10.600
into my board pack, right? What's the best way?

00:12:10.659 --> 00:12:12.720
Because to be frank, and not myself, just so

00:12:12.720 --> 00:12:14.659
the listeners don't think, what the heck is this

00:12:14.659 --> 00:12:16.940
IT professional telling me this question? But

00:12:16.940 --> 00:12:19.240
let's put myself in the position of CEO for a

00:12:19.240 --> 00:12:20.779
minute. I'm speaking from a place of ignorance.

00:12:21.080 --> 00:12:23.279
I can't bring my IT management team. I'm not

00:12:23.279 --> 00:12:24.600
going to bring my outside consultant, but I'm

00:12:24.600 --> 00:12:27.460
going to present to you board around cyber. What

00:12:27.460 --> 00:12:29.919
is a way that you've seen kind of that leader

00:12:29.919 --> 00:12:32.379
that's going to present on cyber be successful

00:12:32.379 --> 00:12:35.289
in articulating kind of what they know and what

00:12:35.289 --> 00:12:37.610
their gaps are to make you feel comfortable with

00:12:37.610 --> 00:12:39.350
where they are on the journey. I'm trying to

00:12:39.350 --> 00:12:41.590
give a little tactical bit of advice, if you

00:12:41.590 --> 00:12:45.210
don't mind. This is definitely a topic that unless

00:12:45.210 --> 00:12:49.190
you are, in fact, an expert, claiming ignorance

00:12:49.190 --> 00:12:52.610
is your absolute best friend. I think coming

00:12:52.610 --> 00:12:55.169
to the board and saying, hey, I'm worried about

00:12:55.169 --> 00:12:58.309
cybersecurity, not that there's some glaring

00:12:58.309 --> 00:13:00.210
risks that I'm aware of, because if there was,

00:13:00.250 --> 00:13:02.769
I'd be talking about those today. I'm just concerned

00:13:02.769 --> 00:13:05.070
about where the world is going and I don't feel

00:13:05.070 --> 00:13:08.169
like we have the internal resources to really

00:13:08.169 --> 00:13:10.049
run it to ground. Let's just assume that's the

00:13:10.049 --> 00:13:12.929
example that we're going to use. Ask for permission

00:13:12.929 --> 00:13:14.490
to bring in some outside experts. I mean, some

00:13:14.490 --> 00:13:16.269
CEOs may not even have to ask for permission,

00:13:16.450 --> 00:13:18.549
but certainly get the dialogue going with your

00:13:18.549 --> 00:13:20.690
board. Start getting your board members educated

00:13:20.690 --> 00:13:22.190
that this is something that's a priority for

00:13:22.190 --> 00:13:24.490
the business. And by the way, we're making the

00:13:24.490 --> 00:13:26.149
assumption that they haven't already jammed this

00:13:26.149 --> 00:13:28.769
down the CEO's throat as a critically important

00:13:28.769 --> 00:13:30.990
topic. Most private equity funds these days

00:13:31.480 --> 00:13:33.159
are keenly aware of the risks, they're going

00:13:33.159 --> 00:13:35.879
to be socializing that with their CEOs. You know,

00:13:35.879 --> 00:13:38.639
and I think given that context, just coming to

00:13:38.639 --> 00:13:40.879
your first board meeting, maybe as a private

00:13:40.879 --> 00:13:42.899
equity backed CEO, maybe you're new to the role

00:13:42.899 --> 00:13:45.139
and saying, hey, cybersecurity is a real issue

00:13:45.139 --> 00:13:48.460
for us. The same as worker safety is a real issue

00:13:48.460 --> 00:13:51.039
for us amongst other topics, and making sure

00:13:51.039 --> 00:13:53.440
that at every board meeting, you don't have to

00:13:53.440 --> 00:13:55.299
dwell on these topics. But at every board meeting,

00:13:55.340 --> 00:13:57.279
you're touching on them a little bit. Oftentimes,

00:13:57.399 --> 00:14:00.029
we'll start board meetings with hey, here's what's

00:14:00.029 --> 00:14:01.809
happening from a safety perspective across our

00:14:01.809 --> 00:14:04.330
workforce. We've had zero recordable injuries.

00:14:04.889 --> 00:14:07.490
Awesome, right? Maybe leading with, we've had

00:14:07.490 --> 00:14:10.570
zero cyber breaches. Awesome. It just kind of

00:14:10.570 --> 00:14:12.950
sets the table and sets the tone, gives the board

00:14:12.950 --> 00:14:15.450
a good understanding that the CEOs, one of the

00:14:15.450 --> 00:14:17.210
things that they're focused on is the right thing

00:14:17.210 --> 00:14:19.909
to be focused on for the business. I think if

00:14:19.909 --> 00:14:21.929
the business is immature from a cybersecurity

00:14:21.929 --> 00:14:24.580
perspective, talking about who you're going to

00:14:24.580 --> 00:14:26.679
bring in from the outside to run penetration

00:14:26.679 --> 00:14:30.480
tests, to do a gap analysis, sharing those reports

00:14:30.480 --> 00:14:32.620
with the board, even if there's a bunch of glaring

00:14:32.620 --> 00:14:35.860
nasty things in there. But coming to that next

00:14:35.860 --> 00:14:37.600
meeting, say, hey, I want you to read this. And

00:14:37.600 --> 00:14:39.639
by the way, we're coming to share at the next

00:14:39.639 --> 00:14:40.879
board meeting, we're going to share the plan

00:14:40.879 --> 00:14:42.519
on how we're going to remediate these things,

00:14:42.620 --> 00:14:44.340
both internal things that we're going to do,

00:14:44.379 --> 00:14:45.899
some outside experts that we're going to bring

00:14:45.899 --> 00:14:48.649
in to help us. to help us mitigate these issues.

00:14:49.129 --> 00:14:50.970
This just really is one of those topics, James,

00:14:51.049 --> 00:14:53.409
that as you know better than I do, in fact, you

00:14:53.409 --> 00:14:55.129
just can't ignore this, right? The risk is too

00:14:55.129 --> 00:14:57.570
great for the business. No, awesome. Yeah, I

00:14:57.570 --> 00:14:59.929
think honesty is always the best policy, especially

00:14:59.929 --> 00:15:02.450
in this space. And to your point, Mike, I have

00:15:02.450 --> 00:15:05.769
seen a lot of senior leaders and organizations

00:15:05.769 --> 00:15:07.909
reach out to us and say, hey, I'm about ready

00:15:07.909 --> 00:15:09.450
to present this slide. Can you give it a once

00:15:09.450 --> 00:15:11.929
over? Or we're asked to provide a slide to say,

00:15:12.029 --> 00:15:14.250
if you were brought in to remediate, what would

00:15:14.250 --> 00:15:16.470
be those first steps you do? And we get asked

00:15:16.470 --> 00:15:18.330
that question a lot. I think it's also an interesting

00:15:18.330 --> 00:15:21.870
point. And for our PE listeners out there, having

00:15:21.870 --> 00:15:25.009
a playbook around what at the level of the organization

00:15:25.009 --> 00:15:28.309
you feel the cybersecurity stance should be is

00:15:28.309 --> 00:15:31.009
really important. So we were at this operating

00:15:31.009 --> 00:15:33.230
partners gathering in Utah and they're having

00:15:33.230 --> 00:15:35.509
a conversation and we got invited to participate.

00:15:35.649 --> 00:15:36.470
And one of the things they were talking about

00:15:36.470 --> 00:15:38.850
is they had established a playbook for cybersecurity,

00:15:39.269 --> 00:15:42.049
minimum requirements, non-negotiables, and then

00:15:42.049 --> 00:15:44.460
preferences. And they actually gave that to

00:15:44.460 --> 00:15:46.019
their management team, kind of like if you think

00:15:46.019 --> 00:15:48.059
like a management book, day one, put it on the

00:15:48.059 --> 00:15:50.279
desk, there it is. And they found that the cyber

00:15:50.279 --> 00:15:52.039
to be one of the more important because it was

00:15:52.039 --> 00:15:54.259
one of the highest things they felt exposed.

00:15:54.360 --> 00:15:56.399
And this is a manufacturing distribution, primarily

00:15:56.399 --> 00:15:58.320
that's what they own. And they felt that to be

00:15:58.320 --> 00:15:59.860
one of their highest risks that could affect

00:15:59.860 --> 00:16:02.220
the value of the organization. Yeah, absolutely.

00:16:02.320 --> 00:16:06.480
I mean, the impact is so, it can be so far reaching

00:16:06.480 --> 00:16:09.600
and broad. You can take down a whole business

00:16:09.600 --> 00:16:13.490
with a bad cyber breach. And it's something that,

00:16:13.509 --> 00:16:17.730
to a large degree, is within your control, right?

00:16:17.850 --> 00:16:20.009
Listen, I think about it like worker safety.

00:16:20.350 --> 00:16:25.029
It is 100% within your control to create a safe

00:16:25.029 --> 00:16:27.450
working environment. Now, that doesn't mean that

00:16:27.450 --> 00:16:29.730
you're not going to have hazardous working conditions,

00:16:29.909 --> 00:16:32.590
but you can work to make it the safest environment

00:16:32.590 --> 00:16:35.549
that you possibly can so that you're mitigating

00:16:35.919 --> 00:16:38.240
risk to the business, but also in that case,

00:16:38.259 --> 00:16:40.340
mitigating the risk to the employees directly.

00:16:40.980 --> 00:16:43.000
Cyber is kind of one of those, I think that's

00:16:43.000 --> 00:16:45.759
a good analogy. Something might not go wrong,

00:16:45.840 --> 00:16:48.919
but if it does, you're really going to regret

00:16:48.919 --> 00:16:51.700
that it did. So taking every step that you possibly

00:16:51.700 --> 00:16:55.279
can to protect the business, to protect its assets,

00:16:55.460 --> 00:16:56.980
to protect its people, it could be dealing with

00:16:56.980 --> 00:16:58.440
a business with a lot of personally identifiable

00:16:58.440 --> 00:17:01.960
information. To set up those protections is just

00:17:01.960 --> 00:17:04.279
critically important. While we were talking,

00:17:04.440 --> 00:17:07.019
I also sent an email to my lawyer to register

00:17:07.019 --> 00:17:09.740
a trademark around days without a cyber incident.

00:17:09.859 --> 00:17:11.819
That little board that has the day clicker on

00:17:11.819 --> 00:17:14.460
it that you can reset. I appreciate that tip.

00:17:14.559 --> 00:17:17.680
I'll give you 5% of income. So appreciate that

00:17:17.680 --> 00:17:20.500
one. That's a good one. So maybe let's move into

00:17:20.500 --> 00:17:23.380
the remediation. What could I talk to you about?

00:17:23.480 --> 00:17:26.400
Maybe let's talk about how we improve it. Does

00:17:26.400 --> 00:17:28.650
that work? Yeah, let's do it. We talked about,

00:17:28.670 --> 00:17:30.990
you know, how to understand where we're not educated

00:17:30.990 --> 00:17:32.849
on it. We talked about how to talk about it.

00:17:33.029 --> 00:17:35.130
Let's talk about that positive side, which is

00:17:35.130 --> 00:17:37.349
the quick ways to improve it. And Mike said it.

00:17:37.390 --> 00:17:40.589
And when you talked about it was the, the security

00:17:40.589 --> 00:17:43.769
audit. And now I'm using the word audit on purpose,

00:17:43.809 --> 00:17:47.029
not assessment, not tabletop exercise. You'll

00:17:47.029 --> 00:17:50.210
hear from IT professionals audit. And so to Mike's

00:17:50.210 --> 00:17:52.829
earlier point around using for looking for analogies.

00:17:53.339 --> 00:17:56.019
When I think about the analogy of a financial

00:17:56.019 --> 00:17:59.279
audit, it's I dig in, I go deep, I do lots of

00:17:59.279 --> 00:18:01.240
information, and I come out with ways to improve.

00:18:01.660 --> 00:18:03.779
So I think understanding your vulnerabilities,

00:18:04.019 --> 00:18:07.000
engaging an outside firm to perform that audit,

00:18:07.119 --> 00:18:09.339
and going through and digging into your cyber

00:18:09.339 --> 00:18:12.220
situation will give you a very nice playbook

00:18:12.589 --> 00:18:15.170
slash worry report around the things that you

00:18:15.170 --> 00:18:16.670
need to do better and you need to improve on.

00:18:16.789 --> 00:18:18.750
It'll also work as a great document to educate

00:18:18.750 --> 00:18:20.950
you and understand some of those industry terms

00:18:20.950 --> 00:18:24.430
and go deeper. And typically in today's market,

00:18:24.490 --> 00:18:26.509
when there's a rep and warranty process attached

00:18:26.509 --> 00:18:31.009
to a transaction, you need at least a light cyber

00:18:31.009 --> 00:18:34.170
touch diligence because it's required for the

00:18:34.170 --> 00:18:37.450
rep and warranties. Those are mostly assessments.

00:18:37.670 --> 00:18:40.150
And Trivista does assessments most of the time

00:18:40.150 --> 00:18:43.069
during its diligences as well. So having that

00:18:43.069 --> 00:18:45.930
deeper level after that transaction moving forward

00:18:45.930 --> 00:18:47.470
is important. And we talked a little about that

00:18:47.470 --> 00:18:49.769
in the 100-day plan. So folks are putting together

00:18:49.769 --> 00:18:52.410
a 100-day plan. And how often should you redo

00:18:52.410 --> 00:18:54.569
an audit? Is that an annual thing? What do you

00:18:54.569 --> 00:18:57.549
think? Yeah, so I think I prefer to do an annual,

00:18:57.650 --> 00:19:00.529
but I want to put a caveat on this. I buy a new

00:19:00.529 --> 00:19:03.950
company, I add a new system, or I make an IT

00:19:03.950 --> 00:19:06.549
personnel change, I kick off an audit immediately.

00:19:07.240 --> 00:19:09.220
There are certain events that I want to do an

00:19:09.220 --> 00:19:11.559
additional audit because I've done a large change

00:19:11.559 --> 00:19:14.539
to my environment that merits an audit. If I'm

00:19:14.539 --> 00:19:16.859
running the shop every day, normal day to day,

00:19:16.960 --> 00:19:19.000
every year makes sense. Maybe even a couple of

00:19:19.000 --> 00:19:21.140
years if you're a low risk business. But anytime

00:19:21.140 --> 00:19:22.859
I make a major change, which by the way, in the

00:19:22.859 --> 00:19:25.200
world of PEs often, I'm running that audit. It's

00:19:25.200 --> 00:19:29.059
a great spend. Interesting. Yeah. And I think

00:19:29.059 --> 00:19:33.099
that just speaks to, on the spectrum, I'm probably

00:19:33.099 --> 00:19:35.599
cybersecurity intermediate from a board member

00:19:35.599 --> 00:19:38.099
perspective. But I couldn't answer that question

00:19:38.099 --> 00:19:41.779
myself, right? I think it's just still uncharted

00:19:41.779 --> 00:19:46.640
waters for so many of us out there. We need more

00:19:46.640 --> 00:19:49.240
folks with this kind of experience and perspective

00:19:49.240 --> 00:19:52.539
having these conversations. No, I agree. And

00:19:52.539 --> 00:19:55.579
one of the ways to help chart those waters is

00:19:55.579 --> 00:19:58.440
employee training. And employee training could

00:19:58.440 --> 00:20:01.559
be extended to your board. We do have quite a

00:20:01.559 --> 00:20:03.700
few folks that extend their employee training

00:20:04.160 --> 00:20:06.740
to outside groups, whether they're 1099s or others,

00:20:06.859 --> 00:20:08.559
we do a lot of work with companies where we also

00:20:08.559 --> 00:20:10.660
participate in their cyber training. You said

00:20:10.660 --> 00:20:12.779
earlier, it's somewhat controllable and a lot

00:20:12.779 --> 00:20:14.720
of it is on us for best practices. Your number

00:20:14.720 --> 00:20:16.619
one threat is your employees, whether it be email

00:20:16.619 --> 00:20:18.680
or other things. So it's an important thing to

00:20:18.680 --> 00:20:22.039
stay on top of. The human error side is what

00:20:22.039 --> 00:20:24.680
will eat you alive on cybersecurity. The little

00:20:24.680 --> 00:20:26.859
silly things that don't have to happen that do.

00:20:27.140 --> 00:20:29.720
And so we made a big transition internally at

00:20:29.720 --> 00:20:32.319
Trivista. We used to have this arduous two-hour

00:20:32.319 --> 00:20:34.599
training video every year that we pushed out

00:20:34.599 --> 00:20:36.960
to everyone. And I'm sure people multitasked

00:20:36.960 --> 00:20:39.339
their way through the video, clicked on the answers,

00:20:39.420 --> 00:20:43.099
trying to guess the questions, and passed. We

00:20:43.099 --> 00:20:46.480
found a new training solution that every quarter

00:20:46.480 --> 00:20:48.819
pushes out a 15-minute video that's actually

00:20:48.819 --> 00:20:51.480
kind of funny, kind of nice, has some simple

00:20:51.480 --> 00:20:53.579
questions, goes over a basic concept, and it's

00:20:53.579 --> 00:20:55.839
kind of drip campaigning you into those cyber

00:20:55.839 --> 00:20:57.740
improvements. I know, Mike, you consume those

00:20:57.740 --> 00:20:59.059
videos. What are your thoughts about that transition

00:20:59.059 --> 00:21:01.420
from that kind of bigger monolithic video to

00:21:01.420 --> 00:21:05.079
the new process? Well, I'm simple-minded, so

00:21:05.079 --> 00:21:06.619
anything you can give me in a bite-sized chunk

00:21:06.619 --> 00:21:09.859
tends to work better. Perfect. I like that. I

00:21:09.859 --> 00:21:12.640
will say this section will be called Simple-Minded

00:21:12.640 --> 00:21:15.980
Solutions for Simple-Minded Folks. And then

00:21:15.980 --> 00:21:18.460
the last one I think that's important to talk

00:21:18.460 --> 00:21:23.470
about is the preparation and policies. So

00:21:23.470 --> 00:21:25.069
I'm going to tie it back to what you said, Mike,

00:21:25.130 --> 00:21:26.990
because I like it. When I think employee safety,

00:21:27.349 --> 00:21:29.589
lockout, tagout, we're all familiar with, right?

00:21:29.670 --> 00:21:32.069
So I'm in a plant. I need to go do work. I used

00:21:32.069 --> 00:21:33.630
to work in paint manufacturing, right? So you

00:21:33.630 --> 00:21:35.930
go in these big vats of paint. Lockout, tagout

00:21:35.930 --> 00:21:37.470
was a big training, how you make sure that it

00:21:37.470 --> 00:21:39.549
doesn't kick on when someone's hoisted their

00:21:39.549 --> 00:21:42.309
way down into this tank. Lockout, tagout a bit

00:21:42.309 --> 00:21:44.859
for cybersecurity is if I have an event. Who

00:21:44.859 --> 00:21:47.420
do I alert? Who do I call? What are my next steps?

00:21:47.539 --> 00:21:50.519
What's my process? So on all of our laptops that

00:21:50.519 --> 00:21:52.180
we have for our team members and our communications,

00:21:52.339 --> 00:21:54.960
we have the 800 number for support because heaven

00:21:54.960 --> 00:21:56.299
forbid you have a cyber event, you can't get

00:21:56.299 --> 00:21:58.480
into your laptop, you can't Teams me, you can't

00:21:58.480 --> 00:22:00.759
chat me, you need to call somebody. So there's

00:22:00.759 --> 00:22:02.940
that ability to know, again, like lockout, tagout,

00:22:02.960 --> 00:22:05.359
who do I communicate with? The second part is

00:22:05.359 --> 00:22:08.710
incident response plan. So your point, if I have

00:22:08.710 --> 00:22:10.829
a medical emergency or there's an earthquake,

00:22:11.029 --> 00:22:13.650
where do people go? Or who do I call when I need

00:22:13.650 --> 00:22:15.650
medical? Or what's my nearest ambulance? What's

00:22:15.650 --> 00:22:17.390
my nearest hospital? That type of preparation

00:22:17.390 --> 00:22:21.589
around cyber. Incident response plan really is

00:22:21.589 --> 00:22:23.970
a fancy way of saying, when things go sideways,

00:22:24.190 --> 00:22:26.210
how do I start to remediate? So we talked about

00:22:26.210 --> 00:22:28.190
that call, but it's also informing the user,

00:22:28.289 --> 00:22:30.710
don't continue on the conversation. Turn off

00:22:30.710 --> 00:22:33.700
your machine, disconnect, stop going. And I think

00:22:33.700 --> 00:22:36.099
a lot of times, I think about this when I grew

00:22:36.099 --> 00:22:38.640
up riding dirt bikes. And so you ride these dirt

00:22:38.640 --> 00:22:40.119
bikes and a lot of times when you're having a

00:22:40.119 --> 00:22:41.740
problem on a dirt bike, you try to overcompensate

00:22:41.740 --> 00:22:44.480
by throttling up or pulling through. And really

00:22:44.480 --> 00:22:47.099
the trick is sometimes just letting go, eating

00:22:47.099 --> 00:22:48.960
the dirt for a second and getting back up and

00:22:48.960 --> 00:22:52.039
dusting off. In cyber, it's important to express

00:22:52.039 --> 00:22:55.109
to your users what that plan is, how they gracefully

00:22:55.109 --> 00:22:57.970
exit an incident, not shaming in the moment to

00:22:57.970 --> 00:22:59.450
be able to get through that and then going back

00:22:59.450 --> 00:23:01.470
and fixing it. So when I think about kind of

00:23:01.470 --> 00:23:04.210
my next steps to summarize for folks, get that

00:23:04.210 --> 00:23:06.549
audit, understand where the challenges are, continue

00:23:06.549 --> 00:23:08.789
to talk about with your employees. Mike, you

00:23:08.789 --> 00:23:10.390
brought up a great example at the board. Take

00:23:10.390 --> 00:23:12.150
that example to your employees and say, this

00:23:12.150 --> 00:23:14.109
many days on an incident. And the last one is

00:23:14.109 --> 00:23:17.509
have a plan. So I think that's the big things.

00:23:17.630 --> 00:23:19.829
And candidly, I learn on all these episodes,

00:23:20.029 --> 00:23:23.730
you know, on this topic, certainly. My key takeaway

00:23:23.730 --> 00:23:27.589
is if you're on a board, ask for that annual

00:23:27.589 --> 00:23:34.250
audit. Keep your eyes open for changes in the

00:23:34.250 --> 00:23:37.369
business, new IT leader, new system being introduced.

00:23:37.609 --> 00:23:41.230
Let's do another audit. Be penny wise and pound

00:23:41.230 --> 00:23:44.410
foolish is the risk if you don't. Doing those

00:23:44.410 --> 00:23:46.230
audits more frequently, getting that training

00:23:46.230 --> 00:23:48.720
across the enterprise, asking the CEOs, hey,

00:23:48.759 --> 00:23:50.079
when was the last time we did training? How do

00:23:50.079 --> 00:23:52.039
we do training? What's the efficacy of that training?

00:23:52.640 --> 00:23:54.299
And then, you know, asking to see the incident

00:23:54.299 --> 00:23:55.980
response plan. I think those are good nuggets.

00:23:56.920 --> 00:24:00.680
So before, go ahead. Oh, no, I was going to say,

00:24:00.759 --> 00:24:03.000
I'm glad you got something out of it. And the

00:24:03.000 --> 00:24:05.140
thing I was going to ask you, Mike, sorry at

00:24:05.140 --> 00:24:08.250
the end. So we've gone through this whole thing

00:24:08.250 --> 00:24:10.309
around communication, board, and action plan.

00:24:10.450 --> 00:24:12.390
And I heard your kind of summary for the board

00:24:12.390 --> 00:24:14.289
level and folks and some of your learning. So

00:24:14.289 --> 00:24:16.490
I appreciate that. But to kind of go back, which

00:24:16.490 --> 00:24:17.849
we always talk about and try to keep ourselves

00:24:17.849 --> 00:24:21.549
true, is if I'm in a leadership role and I'm

00:24:21.549 --> 00:24:24.210
going into before a transaction and I'm about

00:24:24.210 --> 00:24:26.069
ready to engage the private equity firm or go

00:24:26.069 --> 00:24:28.809
into this whole process, maybe kind of the final

00:24:28.809 --> 00:24:31.420
thought here of, like, what should I be thinking

00:24:31.420 --> 00:24:33.720
about before I kick off that process as it pertains

00:24:33.720 --> 00:24:36.980
to cyber? Because I got a question after our

00:24:36.980 --> 00:24:39.279
last episode from somebody, which I thought was

00:24:39.279 --> 00:24:41.759
interesting, on, hey, this is all great. You

00:24:41.759 --> 00:24:43.299
talked a lot about what happens in the middle

00:24:43.299 --> 00:24:45.539
of it or when I'm in an event. But they were

00:24:45.539 --> 00:24:47.380
asking more kind of like that, and you talked

00:24:47.380 --> 00:24:48.880
about this in a previous episode too, that

00:24:48.880 --> 00:24:51.119
buy-side diligence, or sorry, sell-side diligence,

00:24:51.339 --> 00:24:54.200
that sell-side diligence preparation. What is

00:24:54.200 --> 00:24:56.140
something that from this conversation that maybe

00:24:56.140 --> 00:24:59.019
you could tell that user, hey, think about

00:24:59.180 --> 00:25:01.099
preparing for that, going into that transaction

00:25:01.099 --> 00:25:03.700
cycle during that sell side, this is the one

00:25:03.700 --> 00:25:05.380
cyber learning I've learned that would make you

00:25:05.380 --> 00:25:08.980
most successful. So I think what you're asking

00:25:08.980 --> 00:25:12.680
is, as you get ready to start thinking about

00:25:12.680 --> 00:25:18.680
selling a business, how should you frame up your

00:25:18.680 --> 00:25:20.720
thinking around cybersecurity? Yes, sir. Yeah,

00:25:21.940 --> 00:25:24.640
I mean, I think go back to what we just talked

00:25:24.640 --> 00:25:26.279
about. When was the last time you've done an

00:25:26.279 --> 00:25:27.660
audit? You got to ask yourself these questions.

00:25:27.759 --> 00:25:29.119
When was the last time you did an audit? How

00:25:29.119 --> 00:25:31.339
is your employee training? Do you have an incident

00:25:31.339 --> 00:25:33.420
response plan? When was the last time you did

00:25:33.420 --> 00:25:36.480
a penetration test? I think it's the same things,

00:25:36.700 --> 00:25:38.319
right? Because you got to assume that if you're

00:25:38.319 --> 00:25:40.619
selling a mid-market business, we're not talking

00:25:40.619 --> 00:25:42.980
about selling a mom and pop store down on Main

00:25:42.980 --> 00:25:44.140
Street. We're talking about selling a business

00:25:44.140 --> 00:25:48.480
with 100, 200, 500, 1,000 plus employees, formidable

00:25:48.480 --> 00:25:51.220
enterprise. You got to kind of have your ducks

00:25:51.220 --> 00:25:53.400
in a row. And listen, having your ducks in a

00:25:53.400 --> 00:25:55.960
row does not mean no skeletons in the closet.

00:25:56.140 --> 00:25:58.279
And skeletons in the closet doesn't necessarily

00:25:58.279 --> 00:26:01.720
mean like really scary things. But what I mean

00:26:01.720 --> 00:26:03.759
by having your ducks in a row is you're thoughtful

00:26:03.759 --> 00:26:05.420
about your business, in this case, thoughtful

00:26:05.420 --> 00:26:07.460
about cybersecurity. You know, maybe you don't

00:26:07.460 --> 00:26:10.579
have the best systems and protocols and processes,

00:26:10.700 --> 00:26:14.019
procedures in place in the world, but you should

00:26:14.019 --> 00:26:16.779
at least know kind of what you have and set up

00:26:16.779 --> 00:26:18.720
realistic expectations for yourself in terms

00:26:18.720 --> 00:26:20.500
of what other people are likely going to find

00:26:20.500 --> 00:26:24.400
as they hire SWAT teams of experts to come in

00:26:24.400 --> 00:26:27.029
and pick these things apart, right? Because let's

00:26:27.029 --> 00:26:28.150
say you're selling this to a billion-dollar

00:26:28.150 --> 00:26:31.089
private equity fund. These are some pretty smart

00:26:31.089 --> 00:26:33.069
folks. They don't get entrusted with a billion

00:26:33.069 --> 00:26:34.549
dollars unless they kind of know what they're

00:26:34.549 --> 00:26:36.710
doing and they've got some good resources at

00:26:36.710 --> 00:26:38.950
their fingertips. They buy businesses all the

00:26:38.950 --> 00:26:41.109
time. They know what to look for and what to

00:26:41.109 --> 00:26:44.730
watch out for, and you having a good sense as

00:26:44.730 --> 00:26:46.690
to what they're going to find is typically a

00:26:46.690 --> 00:26:48.990
good starting point because you may decide, hey,

00:26:49.109 --> 00:26:51.289
these are some easy things to fix, and why have

00:26:51.289 --> 00:26:54.490
to have a hard conversation about them? Just

00:26:54.490 --> 00:26:56.480
fix them. And then sell the business. Maybe you're

00:26:56.480 --> 00:26:59.420
one month behind. And likewise, maybe the things

00:26:59.420 --> 00:27:01.900
that they find are like, hey, listen, we've worked

00:27:01.900 --> 00:27:03.500
on these things. We don't know how to get them

00:27:03.500 --> 00:27:06.579
better than they are. Or it would cost $10 million

00:27:06.579 --> 00:27:09.480
or something like that to become world-class

00:27:09.480 --> 00:27:11.079
here and go have a conversation with prospective

00:27:11.079 --> 00:27:13.640
investors about it. But I think knowing what

00:27:13.640 --> 00:27:15.420
they're going to find to a large degree just

00:27:15.420 --> 00:27:17.579
puts you in a much better position overall. And

00:27:17.579 --> 00:27:19.319
Mike, by the way, that's such a simple but great

00:27:19.319 --> 00:27:21.779
answer. Just do everything we said, despite not

00:27:21.779 --> 00:27:24.259
having a sponsor backing you. Go figure, right?

00:27:24.440 --> 00:27:28.920
Yeah, that's good. So Mike, can I end with some

00:27:28.920 --> 00:27:31.180
trivia, man? Are you ready for some trivia? Let's

00:27:31.180 --> 00:27:33.640
do it. You know, we hear about cyber attacks

00:27:33.640 --> 00:27:35.980
all the time. And again, Wall Street Journal

00:27:35.980 --> 00:27:38.759
always covers kind of the bigger ones. What percentage

00:27:38.759 --> 00:27:41.880
of small to mid-sized companies do you think

00:27:41.880 --> 00:27:43.619
are actually targeted in these cyber attacks?

00:27:45.740 --> 00:27:51.299
My guess would be, even though the prize is probably

00:27:51.299 --> 00:27:54.920
smaller for the bad actors, I venture to guess

00:27:54.920 --> 00:27:57.279
it's the majority of attacks are focused down

00:27:57.279 --> 00:28:00.559
market. Because these hackers, they got to be

00:28:00.559 --> 00:28:02.299
reasonably smart or else they wouldn't be able

00:28:02.299 --> 00:28:04.079
to figure out how to get into all these companies'

00:28:04.200 --> 00:28:06.259
systems. And I have to think that if I was in

00:28:06.259 --> 00:28:08.140
their shoes while the bigger prize is hacking

00:28:08.140 --> 00:28:12.150
into Boeing or Airbus or some large multinational

00:28:12.150 --> 00:28:15.410
corporation, you've got to think that their protocols

00:28:15.410 --> 00:28:18.049
are a little bit stronger than maybe your $30,

00:28:18.230 --> 00:28:20.869
$50, $100 million business backed by a private

00:28:20.869 --> 00:28:23.069
equity firm with lots to lose if you can get

00:28:23.069 --> 00:28:25.410
the keys to the kingdom. My guess would be probably

00:28:25.410 --> 00:28:27.769
more often than not down the market. I would

00:28:27.769 --> 00:28:29.170
say, yeah. Hey, that's actually pretty close,

00:28:29.190 --> 00:28:32.069
though. It's actually around 50%, which is why

00:28:32.069 --> 00:28:34.069
we talk about this so much. It's not just a big

00:28:34.069 --> 00:28:36.269
company issue. To your point, it's an issue for

00:28:36.269 --> 00:28:38.920
all of us. Yeah, it's a good reminder, James.

00:28:39.099 --> 00:28:41.019
I think like we've talked about, most businesses

00:28:41.019 --> 00:28:42.700
don't realize how jeopardized they probably are

00:28:42.700 --> 00:28:45.220
today and need to start taking it more seriously

00:28:45.220 --> 00:28:47.740
because certainly there's not going to be less

00:28:47.740 --> 00:28:50.380
cybersecurity breaches in the future or cybersecurity

00:28:50.380 --> 00:28:52.660
attempts in the future. There's certainly going

00:28:52.660 --> 00:28:55.039
to be more of them. Yeah, man. Well, hey, that's

00:28:55.039 --> 00:28:57.119
I think that we have everything for today. Listeners,

00:28:57.119 --> 00:28:59.079
thanks for listening in. Don't forget to subscribe

00:28:59.079 --> 00:29:01.480
and like, and we'll catch you on the next episode.

00:29:03.039 --> 00:29:05.079
Thanks for tuning into this episode of Growing

00:29:05.079 --> 00:29:08.269
EBITDA. If you liked this episode, hit subscribe

00:29:08.269 --> 00:29:11.829
or follow us on LinkedIn for updates. Got a topic

00:29:11.829 --> 00:29:14.630
you'd like us to cover? Drop us a message. We'd

00:29:14.630 --> 00:29:15.329
love to hear from you.
