Allvue’s Chief Information Security Officer, Frank Vesce, joined a handful of industry colleagues at the 2024 Private Funds CFO New York Forum to discuss the importance of information technology and security in the “Beyond the Back Office” series.
The panel was moderated by Michael Walfish, Founder of Walrus Security. Joining him were esteemed experts Jason Kaslow, CFO & CCO, Tiger Infrastructure Partners; John Spiridis, Managing Director, Varagon Capital; and John Stecher, Senior Managing Director and Chief Technology Officer, Blackstone.
The panel discussed how teams outside of finance, including information technology and security, work in tandem with finance and operations to address the challenges of managing technology and security risk.
Below are key takeaways from the lively conversation.
Michael Walfish kicked off the discussion by asking the panelists to share examples of recent threats they’ve encountered. The panelists collectively agreed that phishing attempts, including spear phishing and smishing, are key threats that are becoming more sophisticated, especially with the rise of artificial intelligence (AI). Jason Kaslow highlighted that DocuSign is most notably being used for phishing attempts: recipients get legitimate DocuSign documents sent by illegitimate people. The panel agreed on the importance of doing their due diligence in regularly educating staff on security awareness to help combat these attempts. In addition, Frank Vesce highlighted that he combats these threats by using AI-generated simulations that are as real as possible to help further educate employees.
One of the challenges many companies face is the lack of resources required to manage security. A live poll during the session showed that at least 40% of attendees who work for firms with under $5 billion in AUM outsource security, at least partially. The panelists had a range of experience working with in-house security teams and outsourcing to security providers, such as Managed Security Service Providers (MSSPs). The panel discussed recommendations on how firms without dedicated security staff can begin to tackle security, starting with establishing peer groups and professional networks to share knowledge and experience. Jason Kaslow emphasized how speaking with peers from other firms is immensely helpful for understanding what other firms are doing, especially when it comes to quickly addressing the latest emerging cybersecurity issues or scaling team bandwidth.
Speaking the same language isn’t just about communication; it’s crucial for allocating scarce resources effectively. Often, non-technical decision-makers lack the context to understand complex cybersecurity needs. The panelists discussed how to bridge the technology “black box” and foster a shared understanding of risks, priorities, and available solutions. John Stecher highlighted that, as a technologist, being able to speak the language that is critical to making business decisions around security and technology makes all the difference in the world.
Frank further highlighted that if you aren’t technical, you shouldn’t let technology intimidate you. A great way to get started is to align on foundational controls, which are publicly available on the Center for Internet Security (CIS) website. These controls can fuel informed discussions with your decision makers and security teams (whether in-house or outsourced) to start asking questions such as “where do we stand on a specific control, such as Asset Management and Patch Management, and how are we graded on these controls?” to identify gaps and prioritize investments. With foundational controls, great dialogue can take place without being technical at all.
The panel emphasized through several questions the importance of conducting a cyber risk assessment to serve as the foundation for assessing your cyber hygiene and building a security program. It was evident this topic resonated with the audience, as 74% of the attendees who hold COO / CFO titles or work within those organizations at their firms have championed a tech investment or risk assessment. The cyber risk assessment is designed to pinpoint key vulnerabilities across the firm’s systems and data and further quantify the potential impact of breaches. Armed with this data, key stakeholders, from the CEO and IT to Finance and your security provider (whether outsourced or in-house), can then effectively collaborate on the firm’s risk tolerance, prioritize critical vulnerabilities, and identify the most essential controls to improve their security posture. This further leads to informed investment decisions for allocating internal and outsourced resources while also creating urgency for action to invest in cybersecurity.
Here at Allvue, we conduct continuous vulnerability scanning on all assets and undergo multiple assessments and penetration tests by both internal teams and experienced third-party providers. Does your alternative investment software provider do this?
In addition to establishing your security program with foundational controls, the panel discussed additional strategies for proactively managing the security of your firm. Frank highlighted the importance of conducting cybersecurity Tabletop Exercises: informal, discussion-based simulations where cross-functional stakeholders test your disaster response plan and identify weaknesses, informing necessary control improvements. CFOs and CIOs are encouraged to observe these exercises for collaboration and awareness of the firm’s preparedness.
Additionally, Frank recommended developing a business continuity plan that pinpoints critical services for each function (HR, finance, etc.) and outlines rapid restoration steps in case of disruption. Lastly, the panel discussed consulting vendors, such as MSSPs and other service providers, on potential threats based on industry incidents, allowing firms to proactively implement controls and avoid repeating similar vulnerabilities. By actively collaborating across functions and learning from external expertise, firms can significantly enhance their preparedness for cybersecurity challenges.
At Allvue, we maintain best of class security measures adopted from industry standards and frameworks, aligning with our mission to ensure your data remains safe and available across all our solutions.