As a managing partner investing in cybersecurity at Thoma Bravo, “diplomacy” in my world is usually limited to my interactions with business owners and executive teams. The goal is to create new investment opportunities and help our portfolio companies grow and serve their constituents.
But at the 2023 Milken Institute Global Conference in May, I participated in a cybersecurity panel discussion titled “Digital Defense and Diplomacy: Enhancing Global Cyber Coordination.” When I was asked to participate in the Milken panel, I was concerned that I might be a bit of an outlier. In a group of specialists with extraordinary expertise in government and public sector cybersecurity, I was asked to represent the “voice of the private sector.”
What Does a Private Equity Firm Have to Do With Cybersecurity?
Thoma Bravo has been investing in cybersecurity companies since 2009. We have a portfolio of cyber companies with an enterprise value close to $40 billion that generates a total annual revenue of $5.8 billion and employs more than 20,000 people (at end of 2022). My job is to help build great cybersecurity companies through equal parts innovation and business management to generate returns for those investors who trust us with their capital.
So, what could I lend to a conversation about the “high politics” of cyber conflict between countries and the dynamics of government policy involved in these critical discussions on defense, deterrence, and the like?
On the face of it, these seem like very different — and some may even argue incompatible — cultural contexts in which to talk about cybersecurity. However, in practice, the public and private sectors have quite a lot in common when it comes to the digital environment.
Public and Private Sectors Have Similar Challenges and Goals
The challenge of digital security is fundamentally equivalent for both the public and the private sector. Both environments share the simple goal of protecting the underlying fabric of today’s digital economy and society. As digital transformation proceeds, that increasingly means protecting the economy and society as a whole regardless of sector. All these blurring lines have driven a growing focus on public-private partnerships (PPPs), an attempt to bridge the best of these two cultures and strengthen cybersecurity overall as a result.
That makes good sense; cybersecurity in practice is a societal-level problem that impacts both the private and public sectors. But I find that a great deal of what is said and written (and to a lesser extent attempted) in cybersecurity PPPs tends to be high-level, abstract, and overly aspirational. In private equity, there’s little room for dealing in abstraction.
When we invest in cybersecurity companies, I look for concrete actions that can create efficiencies, enhance performance, and result in measurably better outcomes in both security and business terms — and seek to do so sooner rather than later.
4 Ways to Advance Public-Private Cybersecurity Partnerships
The Milken panel helped me see how the public sector could better harness that kind of private-sector pragmatism to make progress on a shared agenda. I’ve crystallized those thoughts into four points of common interest, language, and perspective — actionable areas of crossover that have the potential to advance and accelerate the PPP agenda.
Adapt the calculus: It’s important to recognize that the bad actors we are trying to defend against are making decisions about what and what not to do in a rational, cost-sensitive way. This logic lies not only at the heart of national defense, but also at the heart of a CISO’s decisions about what security products to spend precious resources on. But public and private defenders alike need to better understand the granular motivations and calculations of bad actors to make good decisions about cybersecurity priorities and investments. Hacktivists, for example, have a different rational calculation than state actors or pure profit-seeking criminals. An important PPP focus ought to be on sharing what we have each learned about those calculations over time.
Cover the basics: The weakest links in the security value chain are often not the most scientifically sophisticated or interesting attack vectors, nor those that tend to garner the most attention among researchers. More cybersecurity efforts today are still basic protections that amount to fixing the easy holes in our defenses — things we already know how to fix. Both governments and private companies need to pay much greater attention to fundamental cyber hygiene — things like two-factor authorization (2FA) and identity management. This might not be the stuff of exciting storytelling or scientific intrigue, but it’s still where defenders often get the most protective bang for the buck. Execution on basics can make a great deal of difference.
Innovating for profit: The acceleration in digital technology — and, of course, most recently in generative AI — means that cybersecurity R&D is absolutely critical to the future of defense. But R&D expenditures by themselves don’t always produce appropriate value. We need R&D to be productive, by which I mean great innovation should be channeled and focused by business discipline. With that in mind, the drive for profitability is a feature of productive R&D, not a bug or an unfortunate constraint.
Learning to row: Lastly, I believe that information sharing between the public and private sectors needs to be systematic and specific to be most useful to both. One of my fellow panelists brought up the example of particularly valuable information sharing in the run-up to the Ukraine invasion. We were all “rowing in the same direction,” he said, as the government shared pertinent intel with those private companies well-positioned to act on it. We need to constantly be practicing this kind of information sharing — building both the requisite muscle and coordination to row in tandem — especially when neither sector is in crisis.
I left the Milken panel with a strengthened belief in the critical role that PPPs will play in the future of cybersecurity. For those PPPs to be successful, it will take less finger-pointing (in both directions) and more substantive collaboration. That means identifying specific areas for partnership and measuring results over time, with the goal of benefiting society in general, including public and private organizations.