New Resources Consulting CEO Mark Grosskopf has bought and sold about half a dozen companies in the past 20 years, mostly around services, engineering, technology, and software. And though cybersecurity is a high-ranking concern for many in the business world, Grosskopf said at the Milwaukee Smart Business Dealmakers Conference that it’s not a top priority for him, primarily because of the types of companies he buys.
“For my world, it's either services, which at the end of the day, can I get people out to work for their clients, and it's on their systems, so I don't have to worry about my cybersecurity on that side. And if it's software, do I have the assets? Are they protected? Are they somewhere where I know where they're at?” Grosskopf says. “But beyond that, it's not a great ordeal for us.”
Not only has the meaning of cybersecurity changed quite a bit over the years, but there also wasn’t much of a focus on cybersecurity. For his purposes, when he targeted companies for acquisition, he wanted to know where the IP assets were, to make certain that they had the protection they needed from a hardware and people perspective, and to confirm that they were doing testing so it wasn't easy to get in the back door. But he doesn't go through a huge ordeal for cybersecurity today.
“I guess if you're buying maybe a different kind of company — manufacturing, whatever it might be,” he says. “We used to do, back in the day, what we used to call business continuity plans, and there was just lots of processes around how to run this company if I don't have my systems, like what happens? We don't really do those projects anymore, so I'm not sure if companies have that anymore as a backup plan — like what do I do if I don't have systems that can run the company? Like if I can’t do this can I still get products out the door? I'm not sure if that's a lost thing — I can't live without the computer systems? But I do think that it's something that folks should think about and focus on.”
When making an acquisition, he says he relies largely on lawyers and IT consultants to ensure the existing cyber policies and cybersecurity meet their criteria. He says that while patches and firmware upgrades are constantly coming from the providers to close holes and fix vulnerabilities, it also makes sense to have people on your team to make certain those happen.
“You might think I've got some of the greatest hardware and I got a wall here, whatever. They've got to patch that all the time,” Grosskopf says. “And it takes quite a bit of time. And you've got guys that work overnight to do that and make sure that it happens.”
Still, he says, that is likely overlooked more than anything else among the clients they have. They’ll keep software and hardware around that’s years old. And because replacing it is expensive, few want to spend the time and energy to deal with it, so they’re working with server software that's old and can no longer be patched.
“From an acquisition perspective, I wouldn't worry about it too much,” he says. “The last we sold I think was to a very large French company, billions of dollars. It was a very small company I sold. And I think they sent us a list of due diligence and it was pages and pages of this stuff around security and cybersecurity. And we're like, ‘We don't really do any of that,’ because it was a tiny little company that they bought. And then we asked them, ‘So, how do you do this?’ And they're like, ‘Well, we don't do any of that either.’ Like, well, that's great, so, I guess we're both there. Nobody's doing it.”