Neil Kimber
Principal, Accel-KKR
Digital Safety, Governance, and Privacy
Accel-KKR is an American technology-focused private equity firm with over $10 billion in total assets under management. The firm invests primarily in middle-market software and technology-enabled services businesses, providing capital for buyouts and growth investments across a range of opportunities including recapitalizations, divisional carve-outs, and going-private transactions.
Cybersecurity breaches and attacks have been increasing at a significant pace. Accel-KKR is a private equity firm that invests solely in software and tech-enabled services companies, and a small number of its portfolio companies have been affected in the past 18 months. Such attacks are costly and damaging to the companies, and they distract the business from everyday operations. With its roster of portfolio companies, Accel-KKR needed to know how prepared each company was to prevent and withstand cyberattacks, and where each company should invest time and effort to improve its cybersecurity maturity.
Accel-KKR identified the NIST Cybersecurity Framework (CSF) as the basis for an assessment tool with which portfolio companies could measure their cybersecurity maturity. The firm then worked with a consultancy to design a tool that measured each company against 120+ security indicators and scored and ranked the companies. Each company was then furnished with a list of suggested improvements, leading to an actionable plan that is owned by senior management and reported at board level. The rollout began with a presentation to all portfolio CEOs and CTOs that emphasized the need for cybersecurity vigilance through first-hand accounts of security breaches, together with a roadmap that each company could own and act on proactively.
Over 90% of portfolio companies underwent the cybersecurity assessment. Each assessment produced a 25-page detailed report and a maturity score on a scale of 1-100, accompanied by a customized action plan to improve that score. The program was well received by CTOs and CISOs because it let them capture the maturity of their organization honestly, in a standardized and measurable way; the results in turn helped drive board and CEO buy-in on plans to make real improvements. In many cases, Accel-KKR received feedback that the initiative helped justify the expense of necessary improvements to corporate security; companies typically struggle to prioritize budget for corporate security because it is often viewed as a cost rather than a critical service.
Each company was scored on a scale of 1-100. The scores were separated into quartiles and improvement goals were set for each quartile, taking into account that companies with higher scores see diminishing returns from further improvement. The scores formed a tight normal distribution. Each company also took the assessment twice; the second pass was answered as the company believed its organization could be by the end of a pre-set period. This second assessment generated a projected score for the end of the period, along with an individualized cybersecurity action plan for the company. These plans are divided into initiatives for each quarter of the year and are reviewed and tracked at quarterly board meetings.
The solution was built as a SaaS application with a single-page application (SPA) front end and a .NET back end behind a public Web API. Assessments were delivered online as a series of sectioned questions and were scored automatically against pre-determined weighted answers. Results were distributed via email, and the application allowed an administrator to review scores across all portfolio companies and make comparisons.
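The scoring pipeline described in the two paragraphs above (weighted answers normalised to a 1-100 score, companies banded into quartiles, per-quartile improvement targets that shrink for the top band, and a second projected pass compared against the target) is shown here as an added worked example. It is not Accel-KKR's tool or its consultancy's code; the indicators, weights, answer credits, target schedule and company responses are all constructed for illustration, and the real assessment used 120+ indicators.

```python
"""Weighted questionnaire scoring, quartile banding and per-quartile
improvement targets, modelled on the assessment process described above.
Every indicator, weight, credit table, target schedule and response below
is hypothetical and constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    id: str
    weight: float             # relative importance of the indicator
    credit: dict[str, float]  # answer -> fraction of the weight earned


QUESTIONS = [  # hypothetical indicators (the real tool had 120+)
    Question("mfa", 3.0, {"none": 0.0, "admins": 0.5, "all": 1.0}),
    Question("edr", 2.0, {"none": 0.0, "servers": 0.5, "all": 1.0}),
    Question("patch", 2.0, {"none": 0.0, "90d": 0.4, "30d": 0.8, "7d": 1.0}),
    Question("backup", 2.0, {"never": 0.0, "annual": 0.5, "quarterly": 1.0}),
    Question("irp", 1.0, {"none": 0.0, "written": 0.5, "exercised": 1.0}),
]

# Hypothetical target schedule: smaller gains are asked of the top quartile,
# reflecting the diminishing returns noted in the text.
GAIN_BY_QUARTILE = {1: 5, 2: 10, 3: 15, 4: 20}


def score(responses: dict[str, str]) -> int:
    """Weighted score on the 1-100 scale.

    An unanswered or unrecognised answer earns no credit but still counts in
    the denominator, so an incomplete questionnaire cannot inflate a score.
    """
    total = sum(q.weight for q in QUESTIONS)
    earned = sum(q.weight * q.credit.get(responses.get(q.id, ""), 0.0)
                 for q in QUESTIONS)
    return max(1, round(100 * earned / total))


def quartiles(scores: dict[str, int]) -> dict[str, int]:
    """Rank-based quartile per company: 1 = top 25%, 4 = bottom 25%."""
    ranked = sorted(scores, key=lambda c: scores[c], reverse=True)
    return {c: i * 4 // len(ranked) + 1 for i, c in enumerate(ranked)}


def assess(current: dict[str, dict[str, str]],
           projected: dict[str, dict[str, str]]) -> dict[str, dict]:
    """Score every company, band it, set its target, and compare the
    second-pass (projected) answers against that target where supplied."""
    scores = {c: score(r) for c, r in current.items()}
    bands = quartiles(scores)
    result = {}
    for c, s in scores.items():
        target = min(100, s + GAIN_BY_QUARTILE[bands[c]])
        proj = score(projected[c]) if c in projected else None
        result[c] = {"score": s, "quartile": bands[c], "target": target,
                     "projected": proj,
                     "meets_target": None if proj is None else proj >= target}
    return result


# Constructed first-pass responses for eight hypothetical portfolio companies.
CURRENT = {
    "A": dict(mfa="all", edr="all", patch="30d", backup="quarterly", irp="exercised"),
    "B": dict(mfa="admins", edr="servers", patch="90d", backup="annual", irp="written"),
    "C": dict(mfa="none", edr="none", patch="none", backup="never", irp="none"),
    "D": dict(mfa="all", edr="servers", patch="30d", backup="annual", irp="none"),
    "E": dict(edr="all", patch="7d", backup="quarterly", irp="exercised"),  # mfa unanswered
    "F": dict(mfa="admins", edr="all", patch="90d", backup="never", irp="written"),
    "G": dict(mfa="all", edr="all", patch="7d", backup="quarterly", irp="exercised"),
    "H": dict(mfa="none", edr="servers", patch="30d", backup="annual", irp="written"),
}
# Constructed second-pass answers: where B and D believe they can be by period end.
PROJECTED = {
    "B": dict(mfa="all", edr="all", patch="30d", backup="annual", irp="written"),
    "D": dict(mfa="all", edr="servers", patch="30d", backup="annual", irp="written"),
}

if __name__ == "__main__":
    for company, record in sorted(assess(CURRENT, PROJECTED).items()):
        print(company, record)
```

Two design points worth noting. First, the credit lookup defaults to zero, so a skipped question or an answer outside the pre-determined set lowers the score rather than being dropped from the denominator; company E's missing MFA answer costs it the full weight of that indicator. Second, banding is by rank rather than by fixed cut-points, which keeps the quartiles equally populated even when scores cluster tightly, as the text says they did; in the sample run D's projected 71 falls short of its quartile-2 target of 76, which is exactly the gap a quarterly board review would track.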
This program changed the way Accel-KKR and its portfolio companies view and budget for cybersecurity initiatives. For many companies, cybersecurity had not previously received the focus and scrutiny the issue requires. The initiative created a new expectation: the resulting cybersecurity improvement plan is owned collectively by senior leadership, not just the CTO or CISO, and senior leadership is held accountable by the board for the plan's progress. With buy-in and strategic alignment secured at the highest level of leadership, the companies now have the mandate to deliver on these plans and to allocate budget so that they are executed. The individualized assessment gave each company a clear plan and timeline to execute, and a sense of priority and urgency in executing it. This corporate-level clarity and buy-in also led to the plans being communicated as part of annual corporate goals and embraced across the employee base.
Participation across the portfolio companies was impressively high, with buy-in from boards and leadership teams and individualized action plans that provide clear roadmaps for continual improvement.