By: Allvue Team
February 12, 2024
Allvue’s Chief Information Security Officer, Frank Vesce, joined a handful of industry colleagues at the 2024 Private Funds CFO New York Forum to discuss the importance of information technology and Security in the “Beyond the Back Office” series.
The panel was moderated by Michael Walfish, Founder of Walrus Security. Joining him were esteemed experts Jason Kaslow, CFO & CCO, Tiger Infrastructure Partners, John Spiridis, Managing Director, Varagon Capital, John Stecher, Senior Managing Director and Chief Technology Officer, Blackstone.
The panel discussed how teams outside of finance, including information technology and security, work in tandem with finance and operations to address the challenges of managing technology and security risk.
Below are key takeaways from the lively conversation.
#1 Double-edged sword: Artificial intelligence fuels both sophisticated cyberattacks and innovative defenses
Michael Walfish kicked off the discussion by asking the panelists to share examples of recent threats they’ve encountered. The panelists collectively agreed that phishing attempts, including spear phishing and smishing, are key threats that are becoming more sophisticated, especially with the rise of artificial intelligence (AI). Jason Kaslow highlighted that DocuSign is most notably being used for phishing attempts, receiving legitimate documents from DocuSign sent from illegitimate people. The panel agreed on the importance of taking due diligence in educating their staff on security awareness and to regularly help combat these attempts. In addition, Frank Vesce highlighted the way he combats these threats is using AI-generated simulations to make them as real as possible to help further educate employees.
#2 Resourcing security teams and partnering with industry peers
One of the challenges many companies face is the lack of resources required to manage security. A live poll during the session showed that at least 40% of attendees who work for firms with under $5 billion in AUM, at least partially, outsource security. The panelists had a range of experience working with in-house security teams and outsourcing to security providers, such as Managed Security Service Providers (MSSPs). The panel discussed recommendations on how firms without dedicated security staff can begin to tackle security, starting with establishing peer groups and professional networks to share knowledge and experience. Jason Kaslow emphasizes how speaking with peers from other firms is immensely helpful to understand what other firms are doing, especially related to quickly addressing the latest emerging cybersecurity issues or scaling team bandwidth.
#3 Speaking the same security language: why it matters
Speaking the same language isn’t just about communication; it’s crucial for allocating scarce resources effectively. Often, non-technical decision-makers lack the context to understand complex cybersecurity needs. The panelists discuss how to bridge the technology “black box” and foster a shared understanding of risks, priorities, and available solutions. John Stecher highlights that as a technologist, being able to speak the language critical to make business decisions around security and technology makes all the difference in the world.
Frank further highlights that if you aren’t technical, don’t let technology intimidate you. A great way to get started is to align on foundational controls, which are publicly available on the Center for Internet Security (CIS) website. These controls can fuel informed discussions with your decision makers and security teams (whether in-house or outsourced) to start asking questions such as “where do we stand on a specific control, such as Asset Management and Patch Management, and how are we graded on these controls?” to identify gaps and prioritize investments. Great dialogue can take place without being technical at all with foundational controls.
#4 Conducting cyber risk assessments to prioritize and drive urgency around investments
The panel emphasized through several questions the importance of conducting a cyber risk assessment to serve as the foundation for assessing your cyber hygiene and building a security program. It was evident this topic resonated with the audience, as 74% of the attendees who hold COO / CFO titles or work within those organizations at their firms have championed a tech investment or risk assessment. The cyber risk assessment is designed to pinpoint key vulnerabilities across the firm’s systems and data and further quantify the potential impact of breaches. Armed with this data, key stakeholders, from the CEO and IT to Finance and your security provider (whether outsourced or in-house), can then effectively collaborate on the firm’s risk tolerance, prioritize critical vulnerabilities, and identify the most essential controls to improve their security posture. This further leads to informed investment decisions for allocating internal and outsourced resources while also creating urgency for action to invest in cybersecurity.
Here at Allvue, we conduct continuous vulnerability scanning on all assets and undergo multiple assessments and penetration tests by both internal teams and experienced third-party providers. Does your alternative investment software provider do this?
#5 Future-proofing your business with proactive cybersecurity measures
In addition to establishing your security program with foundational controls, the panel discussed additional strategies for proactively managing the security of your firm. Frank highlighted the importance of conducting cybersecurity Tabletop Exercises, informal, discussion-based simulations where cross-functional stakeholders to test your disaster response plan and identify weaknesses, informing necessary control improvements. CFOs and CIOs are encouraged to observe these exercises for collaboration and awareness of the firm’s preparedness.
Additionally, Frank recommended developing a business continuity plan that pinpoints critical services for each function (HR, finance, etc.) and outlines rapid restoration steps in case of disruption. Lastly, the panel discussed consulting vendors, such as MSSPs and other service providers, on potential threats based on industry incidents, allowing firms to proactively implement controls and avoid repeating similar vulnerabilities. By actively collaborating across functions and learning from external expertise, firms can significantly enhance their preparedness for cybersecurity challenges.
Learn more about why Allvue is an industry leader in securing your data
At Allvue, we maintain best of class security measures adopted from industry standards and frameworks, aligning with our mission to ensure your data remains safe and available across all our solutions.
Want to know more about our data strategy capabilities and the security behind our front-to-back office product suites? Reach out for a demo here.
