If you have a growing SaaS company, security may be far down your list of priorities.
I’ll be blunt… it shouldn’t.
Security maturity can be make-or-break for SaaS clients and maybe even more importantly, SaaS investors.
As a Partner at Reitler Kailas & Rosenblatt, Jesse Nash has a wealth of experience representing early-stage SaaS companies and venture capital investors, so he’s seen how security helps and hurts deals from both sides.
He joined me today to go over:
- How he counsels SaaS on security matters
- How he counsels venture capital & private equity firms when approaching a SaaS
- Why security has become such an important part of the investment process
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
Hey there. And welcome to another episode of The Virtual CISO Podcast. I’m your host, John Barry and with me as always the Anna to my Elsa, Jeremy Sporn. Hey Jeremy.
Jeremy Sporn (00:37):
So judging by our alter egos this week, it feels like we’re going to be going a little into the unknown.
I hope your kids get a lot of older, faster. Your references are not Disney films much longer. What did you think of my conversation with Jesse?
Jeremy Sporn (00:57):
So, internally we talk a lot about kind of shifting the kaleidoscope, turning your vantage point, to see things from different perspectives. It can really reveal truths that you just don’t normally see. And that’s exactly what Jesse did for me. Talking from his vantage point as a lawyer who represents SaaS firms at various stages of their growth, he reveals things that I just had not seen before. One of my favorites is how VCs and private equity firms view security and privacy while making their investment decisions.
Yeah. I think that over that word reinforces our decision to have some people from related fields on the show and not just InfoSec. I enjoyed the conversation with Dr. Khan for the same reason. I think it’s always a good idea to have people from outside of your realm outside of your domain. Because when you live in a world every day, it’s rather easy to become myopic. I think that’s a good way to prevent that.
Jeremy Sporn (01:54):
Agreed and security in the SaaS space in particular is very multifaceted. I mean, you and Jesse, I think do a great job breaking down the key stakeholders and how each of them views SaaS security. And most importantly, how the presence of solid security or lack of security affects SaaS’ ability to gain funding, gain new customers, keep customers, really their ability to grow.
Reasonable laughing. My dog has this tendency to bury bones. So I unfortunately left the deck door open where we store some pool stuff. And he usually buries it in the garden, but he actually went down, climbed through the deck and he was under the deck and buried it under the deck and he just came back up carrying, it’s all dirty and he’s got spider web. I’m inside… You can leave this in this introduction because somebody’s got to sit and wonder, “Why does he have such a shitty grid on his face?” Because, he’s not walking around trying to figure out a new place to hide it instead of eating. I have no idea why. Anyway, so getting back to the podcast, I do think that we actually hit the mark on this one, so to speak. And I think we’ve walked that line where both our more technical as well as our more managerial oriented listeners will get a lot of value from this particular podcast.
Jeremy Sporn (03:18):
Agreed. And if you have a dog, you know exactly what John’s talking about. If you don’t, you can laugh on your own. But if you work for a SaaS or want to invest in a SaaS or purchase a SaaS, this is for you. Jesse’s perspective is someone in charge of making sure deals with SaaS firms get done. He’ll give you key insights into what makes doing business with a SaaS easier, more complicated, obviously around the security domain. He really does a great job breaking down what you need to hear.
Agreed, no further ado. Let’s get to the show. Jesse, thanks for coming on today. How are you?
Jesse Nash (03:58):
I’m great, John. Thanks for having me. We’re in the middle of COVID. So I got to ask, I hope everybody’s safe and healthy on your side, your family and your company.
As much as you can be in these crazy times. Yeah. We’ve been fortuitously blessed in terms of actually real direct impact either to my family or the company. How about yourself?
Jesse Nash (04:17):
Yeah, same here. My family’s healthy, if not a little bored-
A lot bored.
Jesse Nash (04:22):
My clients are doing well. Business is rolling in the tech space, to some degree. It’s interesting times, but there’s a lot happening, so it’s fun to be a part of it.
Cool. Thanks for coming on, looking forward to chatting. I’ve had the opportunity for us to chat many times before and I know how much value you bring to a conversation. So let’s start super simple. Who are you and what do you do?
Jesse Nash (04:45):
Sure. My name is Jesse Nash, I’m a partner at the law firm Reitler Kailas & Rosenblatt. We handle growth stage technology and life science companies and the funds that invest in them. So we’re a boutique law firm about 40 attorneys located in Manhattan. I work out of our office in Princeton, especially since I’m not going the heck into Manhattan until they find a cure for this thing. So yes, we represent the funds and the tech companies. We’re all their stages of growth and each step along the way in their life cycle. From formation to M&A.
Before jump into the heavy duty stuff, the security and privacy of our joint space, right? Where we intersect. Let’s get to know you a little bit. What’s your drink of choice?
Jesse Nash (05:27):
Okay. So, typically I favor the Brown liquors, mostly bourbon nowadays. So I enjoy a good old-fashioned. In the summertime though, I tend to move over to the rums. So right now I’m in a mojito phase. You just happened to be catching me in my mojito phase.
I won’t give you too much crap about the mojito phase. The bourbons we share and you and I have had a bourbon on occasion together, over a dinner.
Jesse Nash (05:58):
On my shelf, I’ve got a couple of good ones and I was really surprised. I just revisited and I forgot how good Jefferson’s Reserve is. I don’t know if you’ve had that.
Jesse Nash (06:03):
No, I definitely have. Yes. In fact, I have a bowl of it right now. Yeah. I’ve been doing Bib & Tucker and Hudson.
Yeah. I’m not a huge… I think Hudson’s overrated personally. Actually, what I prefer out of a smaller batch bourbon, also from New York is Widow Jane which is also on my bookshelf. That’s out of Brooklyn. Widow Jane out of Brooklyn is really awesome for its price point, a really nice little bourbon. We can talk bourbon and I will encourage you to go from the Manhattan, try a Boulevardier next time.
Jesse Nash (06:34):
The next step you order. Think of it as a Bourbon Negroni. It’s got the Campari, it’s got this sweet vermouth, it’s a little bit… It’s a diff different and interesting drink.
Jesse Nash (06:45):
Whatever masculinity you achieve by ordering an old-fashion, you surrender by having a French name, Negroni. Okay. Got it. Will do.
Listen, I don’t need to compensate. I mean, maybe you do.
Jesse Nash (06:57):
All right. So, like you mentioned that you represent early stage investors or the SaaS that they invest in. As you know, we do a lot of work in the SaaS and PE venture space, so I really thought it would be interesting to have an attorney’s perspective as opposed to just the InfoSec guys perspective. So when you’re working a transaction, tell me about how privacy and or data security issues arise in your transactions.
Jesse Nash (07:26):
Yeah, sure. So, my transaction involves a lot of B2B SaaS. So for whatever reason, that’s who calls and that’s who my fund clients invest in. It seems to be, that’s kind of a rhythm with me and my particular practice. So, I’ll talk about data security and privacy from that view of the world. First on the company side, what my early stage and growth stage SaaS companies are trying to do is understand the regulatory environment their customers needs in terms of data security and privacy and efficiently building an infrastructure that matches up with those expectations.
Jesse Nash (08:03):
On the private equity side, the venture capital private equity side, what I’m doing is in transactional and M&A due diligence, trying to get a handle on the data security and privacy risk and compliance that those companies are experiencing to see whether they are a viable investment candidate or not. Because, private equity funds want to make sure that number one, they’re not stepping into a lot of risks in terms of data security and privacy and noncompliance. Number two, that their potential targets are in compliance with all their contractual obligations and their customers are happy and they’ve made the right investment so far to make their customers happy.
Jesse Nash (08:40):
Number three, when it comes time to exit that company, there’s going to be a solid story in terms of data security and privacy compliance, that’s not going to be a due diligence drag when they go to sell the company for hopefully multiples of what they invested in it.
Got you. So in terms of, let’s say you’re counseling one of your SaaS clients. Right? What are the most important issues that you’re suggesting they address right out of the gate maybe before they start going towards a deal?
Jesse Nash (09:07):
Okay. So, there was a McKinsey article that came out last September, and actually you and I spoke about this, I’d recommend it to everybody. McKinsey, it’s called securing software-as-a-service, anybody can Google it. But what they did was they interviewed CISOs from major companies about their experiences in doing business-to-business SaaS transactions. What they experienced was a gross kind of… Well, not gross, a pretty significant disconnect in terms of the B2B SaaS company and how it was approaching these CISOs and engaging, becoming a partner and a stakeholder in the customer’s data security and privacy infrastructure. So, basically what these CISOs say is, “Look, our biggest drawback to going on the cloud, to engaging SaaS vendors and moving these functions into outsource SaaS companies is data security and privacy. That is the number one impediment. It’s not cost. It’s not a product need match. It’s not loss of control or other operational concerns. It’s data security and privacy. That is the biggest issue in terms of an impediment to the growth of SaaS.”
Jesse Nash (10:18):
At the same time, SaaS is growing like wildfire, right? So, 20% year-over-year growth, every company that does a tech offering wants to have a SaaS component. The reason they want to have a component, well, there’s several reasons, but the biggest one, John, is because you get more multiples on sale in terms of business valuations. If you have sticky subscription revenue and if you have services revenue are one-off transactional kind of JV type revenue. So everybody wants that sticky subscription revenue. Everyone wants those. Everybody wants that seven to 10 times revenue multiple. And they’re out trying to create SaaS platforms to achieve that.
Jesse Nash (11:01):
CISOs are going, “Look, how about the data security and privacy? Really need you guys to step up and be a bigger stakeholder in helping me do my job.” And so that’s been the impasse that I’ve seen. So what would I say to my customers or my clients on those early stages before we get into the transaction stage? Number one, develop a data… Well, okay. Number one is understand the regulatory environment your customers are working in, understand their expectations in terms of data security and privacy, and make sure you have a clear and precise data security policy that matches up with that. So we’re not working from square one every time we do a tech transaction.
Got you. And in terms of, if I asked you that same question going towards… So now let’s say you’re working with a venture capital firm and they’re making an interest in making an investment. What would the guidance be there? Would it be just the analog to that? Make sure that they’re got their security and privacy house in order?
Jesse Nash (12:02):
Yeah. Sure. So if I’m talking to a B2B SaaS company, who’s thinking about doing a venture capital round, we’re going to go through a dry run diligence checklist. John, I know you and Pivot Point do significant amount of fund side diligence work on early growth stage tech companies. So this is near and dear to your heart. I’m sure. But what I try to do is I walk them through what sort of diligence these funds are going to be looking at. It’s basically this exact same concepts, I mentioned. Just coming back the other way and conceptually. Hey, look, what is this company’s client base? Looking at that client base, what is their regulatory obligations? What is the market expectations in terms of data security, privacy? Does this target meet those expectations? Okay, now that we’ve got that as table stakes, let’s go into their individual contractual commitments and understand what the heck it is that they’ve committed to and understand whether they’re in compliance, number one and number two, what the go-forward cost is of achieving and maintaining that compliance?
That’s actually really interesting the way you just said that. I don’t know if you and I have ever spoken about the ISO 27001 scoping process, but it’s remarkable in that the questions that you’re looking to answer that creates a structured approach to doing that. In ISO 27 001, we always tell people that it’s about what is the information that you’re processing that somebody wants insurance on? Right? What are your client’s data? What are the laws and regulations that govern the operation of that data? What are the client contractual obligations associated with that data? Who are the key vendors and third parties that have access to that data? How does that data flow to you through you and back to your clients? Right? All of the types of things that are going to give you that identification of the things you’re going to need to be able to do to satisfy the request, if you will, from these CISOs.
Jesse Nash (13:45):
Yeah. Same basket of concepts. You got to manage, you go to identify that risk and manage it and understand what it looks like on a go forward basis if you’re an investor.
Got you. So, like you mentioned, we do some due diligence on the technical side. Is there an equivalent, as an attorney, are you doing due diligence as well? Is there a due diligence component to what you’re doing? Because if you think about due diligence, right? There’s certainly the business side of the due diligence, the financial viability, any company liabilities associated with lawsuits and intellectual property and things of that nature. There’s the technical stuff, right? Are they secure? Do they have a good privacy program in place? Are they built on good technologies and things of that nature? What about on the legal side? Is there sort of a legal due diligence or is that just ensuring that the other due diligence has happened?
Jesse Nash (14:29):
Yes. There’s some things as a lawyer you understand and there’s some things you don’t, but of course any good lawyer is going to pretend like they understand everything. Right? But the reality is that there’s kind of two levels of diligence. One is working with guys like you, John, to create a awesome due diligence checklist, right? You’re literally soliciting information, confirming certain specified data points, like regulatory obligations, contractual commitments, client expectations, things like that. You’re soliciting that in a kind of a due diligence checklist Bible that you drop on these target companies in the case of an M&A, or in an investment, same difference. And then in the context of negotiating reps and warranties in the document, you’re having them rep to certain things.
Jesse Nash (15:21):
So each company is going to be different and I don’t want to paint too broad a brush about the types of reps that are appropriate for each type of deal. But the reality is you’re trying to connect the dots between the information at the due diligence phase that they disclosed in connection with your due diligence checklist in response to your diligence checklist and you’re trying to make sure that those data points are ported over to the actual deal in terms of factual statements or soliciting, and in terms of reps and warranties and information that is scheduled to qualify and quantify those reps and warranties. So you’re cramming everything that you guys do at pivot point in your diligence, and you’re putting into the document itself. That’s how you mitigate and shift at risk.
Got you. From your perspective, how much of that is trust and how much of that is verified? Is there a standard ratio you use? Does it depend on the deal size?
Jesse Nash (16:12):
Yeah. I don’t know if I have a trust but verify ratio I use. Certainly I try to… Look, we try to draft the most draconian, broad statement you possibly can in these reps and just kind of hope that it holds up. So look, the reality is when you are an investor in an early stage company, you don’t have a lot of deep pockets to go after in terms of being made whole of some if these reps fail. So it puts a lot of strain on the diligence that a fund is going to do. And increasingly look, in data security and privacy, it’s been no surprise to any of your listeners has really come on strong, say the last five to seven years and funds have caught up. They’ve really caught up and their diligence really tracks it accordingly.
Jesse Nash (16:58):
If you’re a fund, you’re looking at the saleability and scalability of that target, right? So you want to know that. Say they have, a company has 10 customers and $2,000,000 in revenue and they’re looking to do a million dollar series A. You want to make sure that they could go from 10 customers to 100 and you want to see the internal processes are there that will allow for that scalability. So data security and privacy and investment, and having the right kind of core infrastructure in place is a key part of that scalability. Because if they don’t have the right investment and they have to do it with your money, it’s a different growth trajectory than if they already had done the investment. This is an important issue in all venture capital and private equity investing.
Jesse Nash (17:43):
Nobody wants to give you money if you have an early stage company, nobody wants to give you money so you could deal with the stuff that you should have already done, right? They want to give you money so you could take that money and invest in R&D and sales and marketing and scale the crap out of that business model and grow to the stratosphere. So they can get multiples for the funds investors. Right? That’s what it’s about.
So question for you, does security and privacy, is that in that bucket of things you should have had done?
Jesse Nash (18:11):
Yes, absolutely. So look, the days of funds giving term sheets to pre-revenue companies are long gone and that’s one of kind of the upsides to some of the market corrections over the past few years is that VC is significantly more selective in terms of investing in companies that have approached the marketplace and there’s some sort of indicia that the marketplace is picking up what they’re throwing down, right? That they have a product market match and that they have a proven revenue stream. Well, that means if you have a proven revenue stream and you have a bunch of deals already out there in the world and you’re not in compliance with those deals, that’s going to be a gating issue for an investor, right? You got to have that nailed down before you come to me for a check, rather than take my money so you can backfill in the data security and privacy infrastructure after the fact and hope you don’t have a breach in the interim.
Jesse Nash (19:09):
I want to fund growth and scaling. I don’t want to fund infrastructure you should have already had in place.
Got you. So then the benefits of… Let’s talk about what would be the best… So if I’m a SaaS and I’ve made these investments or I’m making these investments now, what are the benefits that I’m going to see from a lawyer’s perspective? Is that going to be time to market, time to revenue? What are the key things that are going to happen, if I’ve done it right?
Jesse Nash (19:34):
Yeah. So if you’ve done it right, there’s going to be a product market match and all those things that McKinsey is talking about, where they’ve interviewed the CISOs and they say, “Look, we’d love to go on the cloud and McKinsey, we’d love to do this. We see all the value with pushing out these functions off of our systems onto the cloud, but data security, privacy are the major gating concern.” So if I’m an investor and I see that a company has hurdled that data security and privacy challenge and has an infrastructure in place, I have a belief that there’s going to be a better product market match than would otherwise be the case. And that’s a big concern in terms of me knowing that this company is going to scale.
Got you. And from the same perspective, because I have shortened my time to run your time to market. I’m going to be that much more appealing to a potential venture firm that’s looking to make an investment.
Jesse Nash (20:28):
Absolutely. Yeah. So, I spend every single day of my professional life… I am doing business-to-business tech transactions, and I will tell your listeners that without a doubt, the biggest issue in negotiating these deals, and I’m typically on the company side. So I’m typically on service provider side, right? The biggest issue, I’m dealing with general counsels at these companies that don’t necessarily understand my product or what it does, but they sure as heck know data security and privacy are a big problem, right? So they’re trying to push every risk on some of my clients in terms of risk allocation provisions in the contract about data security and privacy. The biggest drag on these deals is dealing with that. And either educating the GC, the general counsel, the target company, or the relevant business stakeholders as to why they’re asks are unreasonable or huddling with my clients and saying, “Hey look, this is actually a pretty legitimate ask. Is there any way we can accommodate?”
Jesse Nash (21:32):
Yeah. That’s why, I mean, if you can say, “Hey, we’re ISO 27 001 certified or SOC 2 tested or FedRAMP or some recognized framework, you can kind of… You’re in a position to push back on those asks.
Jesse Nash (22:20):
And I guess that’s actually another advantage that I never really thought about. Right? And as an attorney, this would probably be important to you, is that you can’t push back from a position of non strength and having ISO or having SOC or something of that nature behind you as a position of strength. So you can say, “I don’t need that control.” And we proved that we have an independent objective third party audit that says so. Oh, okay. We don’t need that. But if you’re sitting there and you’re negotiating the terms of a contract, and you don’t have that, you’re kind of stuck between a rock and a hard place. Right?
Jesse Nash (22:50):
Absolutely. Well said. I’ll do you one further, I don’t know what the hell a lot of this stuff means in terms of days-
I just love it.
Jesse Nash (23:00):
But I do know what ISO certification means and I love drafting in documents. So, that’s how lawyers work. We just work with what we know, and those objective standards are key because they’re easy to slap into a document and easy to insist that the other party complies. So absolutely those objective standards are often the straw that stirs the drink.
Got you. We got into contracts a little bit, beyond just this data privacy and security, what are some of the other issues that might jam up these negation negotiations and or are there just generally recommended guidelines and strategies for dealing with it?
Jesse Nash (23:35):
Okay. So we’re talking about a business-to-business SaaS transaction or we’re talking about a private equity venture capital tech transaction?
Yes and yes. How about we do both in one or the other?
Jesse Nash (23:46):
I was thinking more SaaS-to-client.
Jesse Nash (23:50):
Okay. So yeah, we’ll address that scenario. So a couple of the deal points that I spend most of my days negotiating are frankly, data security and privacy issues, as I mentioned and other related points are confidentiality limitation in liabilities and indemnities. So limitation on liability is a classic one. I fight this battle all the time, so I’ll just lay it out, so your audience is aware. So in business-to-business SaaS subscription agreements, there’s this concept that look, let’s say Jesse SaaS service provider is selling John as a customer. I’m going to say, “John, look you’re giving me subscription revenue from this contract and I really appreciate it. Right? But I’m not going to bet my company on every single deal I do. Right? So there needs to be proportionality between the revenue I experienced from selling you my SaaS subscription and the money I get back. Right? I can’t have bottomless risk, every time I do a transaction, I need to maintain that risk proportionality.” Right?
Jesse Nash (24:55):
That’s where limitations on liability provisions come in. It’s this idea that my liability, or frankly, both of our liabilities should be kept to a certain specified amount. So there is a waiver what’s called consequential damages or damages that are not directly causally related to the breach I did, but are kind of tangentially related. Those are waived. We’re talking about and we want to negotiate a hard cap on direct damages. So we might say 12 months service fees, 24 months service fees, 36 months service fees as a cap. So where the controversy is, is the amount of the cap and then the exceptions to the cap and what everybody wants on the customer side is they want to carve out all confidentiality and data security issues from that limitations on liability and John, to a staggering degree, that issue is what jams up these deals. The exceptions to limitations on liability associated with confidentiality, cybersecurity and data privacy.
Got you. So how do you get around that? I mean, is there a magic formula or is it just that’s what attorneys do, is they work stuff out?
Jesse Nash (26:00):
Okay. So first I try to start with a pretty reasonable in-market position, and I try to tout-
Like benchmark, when you say that in-market position, something which has been benchmarked against general industry acceptable practices?
Jesse Nash (26:15):
Exactly. So look, I mean, I represent, I should probably sit down and count them, but dozen 15, 20 B2B SaaS companies personally. So I am counsel for those companies. So I can say, “Hey look, opposing counsel, not for nothing, but I do these deals all day, every day. I have a wealth of transactional history. What you’re asking for is out of market. What I’m proposing is in market.” And you want to have the credibility when you’re looking at another lawyer in the eyeballs to actually be able to say that you’ve seen sufficient transactional long to know what mark it is. Number one.
Jesse Nash (26:50):
Jesse Nash (27:43):
The issue is what makes cost benefits sense in terms of infrastructural commitments that we’re going to put in place and we’re going to commit to you. I say, “Hey customer, look, we’re very proud of what we’ve done. We’re willing to put it in an exhibit and I’ll tell you what we’ll do. If we breach our obligation, our stated obligations to you. And if, as approximate result of that breach, there is a data security or privacy breach that will be unlimited.” Or I might say, “It’s limited by our cyber security coverage.” And make what’s called a super cap. Right? But if we’ve done what we’re going to do, what we tell you we’re going to do. If we can port it with our standards and look, you could diligence the crap out of them. We’re very proud of them, how about it.
Jesse Nash (28:23):
But if we stick to our commitments and there’s still a breach, well, then that should be under the cap. I have a pretty good degree of success arguing that, because it has a certain amount of rhetorical ring to it. But that’s the kind of the kind of tools you employ. Again, super cap with cyber coverage is cybersecurity coverage. So let’s just say you have $5,000,000 of cyber coverage. What you try to say is, “Look, in the event of a breach, your remedies are limited to the pro-rata cash that’s available as a result of that policy.” So your company does-
Yeah. And in pro-rata, that was what I was just going to ask. So if they’ve got five customers, let’s say, and you have that same agreement in all of them, and you’ve got a $5,000,000 policy and they get hit, all five customers get hit. Are they liable for five times five or are they liable for five times one?
Jesse Nash (29:19):
If I get my way when I draft and I don’t always get my way, it says something like the proceeds available in respect of your claim. It says something like that. Where look, we get our proceeds we to divvy them up to-
And then we have to divvy them up. Okay. Yeah. That’s-
Jesse Nash (29:33):
It’s precise and it does leave a degree of risk on the customer, but-
Life’s risky. Right?
Jesse Nash (29:41):
Yeah. So question for you. Do you ever… So you’re working as council for these SaaSs. Do you ever wear the other hat? Because SaaSs are very often hosting in Amazon and Azure and places of that nature. They’re probably using some cloud service providers themselves. Are you ever on the other side where you’re actually doing, negotiating the contracts with another cloud service provider or another SaaS provider?
Jesse Nash (30:06):
A lot of times, it’s a joint service offering. So each wants security commitments from the other because the failure of either party can damage both. So that comes up where now I’m demanding data screen privacy commitments from my counterparty. And sometimes it’s not often, I represent the legitimate customer of a SaaS offering. For example, I just closed a deal to today for a group of insurance brokerages who were getting insurance SaaS products and we’re trying to understand the functionality that affords that data security and privacy commandments, because there’s a lot of claims information that goes on their systems. So having that squared away was super important in that transaction.
Does that happen a lot? If you’ve got a super business critical high data volume, high risk SaaS acquisition, right? Where you’re acquiring the use of the SaaS. Do attorneys often get involved in those bigger deals of that nature? Right up front like it sounds like you are, just for that reason?
Jesse Nash (31:06):
Yeah, so most of my… I would say, okay, so I represent customers that are certain sizes sophistication to be able to use council. So I have a self selected of people I work with, but I don’t think I… I think maybe once time out of 10, there’s no counsel on the other side. Most of these companies, most of these customers know that this is a mission critical type of vendor contract and they better get counsel to look at it and a lot of sophisticated companies are going to have an internal counsel team that again, they don’t understand a darn thing about what you do, but they understand what their data security and privacy needs are and they’re going to make sure that you commit to it. So they’re tough customers, but I haven’t lost a deal yet. We get there somehow.
Got you. So now we get this contract in place, we’ve got our ISO 27001 certified or SOC 2 test and things are starting to go, what do you see in your deals regarding like post contract oversight and enforcement?
Jesse Nash (32:04):
Sure. So oftentimes there’s audit rights that the customer is going to want to negotiate and we need to negotiate the parameters of that audit, right?
And minimize those-
Jesse Nash (32:15):
Minimize the scope. Keep the cost on them, reasonable notice. That sort of thing. God help us if there’s a breach we’re often dealing with breach, actually, in my career, it hasn’t ever happened to be perfectly honest with you. I’ve never had a situation where there was on my watch, there was breach and we had to do kind of breach response notices, but that’s oftentimes when it comes up is when there’s actual or suspected breach and what the respective rights and obligations of the parties are in that case.
Jesse Nash (32:44):
Then there’s insurance, maintaining that insurance, making sure that the requisite coverage is obtained and maintained in place and understanding if there’s any claims working with the carriers to make sure that the carriers are standing by the policies and making sure that the claims are under the scope of the coverage of what are the policies rather than subject tending policy exclusions. I’ll tell you what, John, I don’t know if you had a chance to take a look at cyber security policies, but they’re a heck of a document
You need to be an attorney to understand the riders and the exclusions and the amendments.
Jesse Nash (33:19):
Yeah. We try to look at them very often. At some point, we’re like, “All right, this is what we understand this to be. It’s amazing how often we’ll find in a policy.” We had a client that had a policy in place for like four years and we asked them, “Why do you have this policy?” “Well, because we have 60,000 personal health information of people who attend this one health care clinic county, in this and so we needed to protect against that because of the inordinate risk that amounted to.” I was like, “You realize that there’s a limitation of 50,000 database clearly stated in the insurance policy.”
Jesse Nash (33:57):
John, it’s almost like they’re intentionally vague and opaque.
Oh my gosh, yeah.
Jesse Nash (34:05):
Interesting how that works, isn’t it?
Jesse Nash (34:05):
Yeah. Well, another thing is, so you have your B2B SaaS customer, B2B SaaS service provider. You have 50 client contracts out there. Each of them articulates the insurance commitment a little bit differently. How the heck do you know when your policy is up? All right. And you’re going, “Hey, it’s time to go get a new policy.” Now, the whole world has changed in terms of the exclusions and the market terms and what you’re seeing from carriers and how the heck do you get a policy that comports with all 50 rule books? It can be challenging.
Got you. Question for you. When you’re acting as counsel for a SaaS and let’s say they sign a contract with a specific provision in it, right? That requires something to be done from an information security perspective, as counsel for an organization, what obligation, do you have to ensure that, that provision is actually implemented and complied with?
Jesse Nash (34:59):
Okay. So when I go through the comments provided by the other side, I sit down with the stakeholders at the company and say, “Hey, look, this is going to be an ongoing obligation, right? So, when you have your operational rule book going forward, this has to factor in, and now we’re making this exception for this one client. And we have a suite of 50 clients and this one client wants this special rule. What are you going to do to make sure you don’t create a footfall here, two years from now, after you forgot about how horrendous this negotiation session was and how much you wish it was all over with? What are you going to do to create the operational rules are going to ensure compliance on a go forward basis?” So it’s an exchange like that.
Got you. Because it’s amazing how often we do see, because, one of the things we look at on an ISO certification are those client contractual obligations. It’s amazing how often we’ll stumble upon something in a contract and we’ll say, “Is this being done?” In fact, we’ve seen it in law firms. We were in a law firm once.
Jesse Nash (35:59):
It’s like the-
Yeah. She had agreed to fully segregate an environment for this technology company and we were in there. We were like, “We don’t remember seeing this fully. Now we decided not to do that.” But you decided not to do that, but you’ve got outside counsel guidelines that you agreed to.
Jesse Nash (36:16):
Yeah. I mean, look, just as a quick aside, all the law firm hacks you’re seeing on the news. I mean, it just gives me nightmares. In fact, it’s the bane of my existence. We’ve invested in some additional technology security infrastructure at my firm when we went remote, right? Because we had remote access and everything, but when you really go remote and I’m sure you’re seeing this with a lot of your clients, John. As you go remote more data access via the web, it creates all sorts of additional vulnerabilities that maybe you didn’t plan for and maybe you didn’t fully anticipate that your company was going to be completely remote and what’s that doing to your data security and privacy risk profile. So, I’m sure that’s the story of your life over the last few months.
Yeah. There’s been an interesting shift. The early part of COVID, it was less about security, more about just operations, right? The operational risk was greater than the security risk. So got to get the laptops out there, got to let people log in from home machines. Got to let this happen, got to let that happen. Now that they’ve gotten people up running, we’re working in a work from home world now it’s about, “Okay, let’s revisit our security posture. Let’s revisit our incident response plans. Let’s revisit the way that we do vulnerability and configuration management. Do we have less visibility from a logging and auditing and system audit perspective?” So yeah, it is an interesting time right now.
In terms of I’m trying to go through our little checklist that we had kind of chatted about, anything I missed in what we talked about. I know we didn’t follow the framework but we kind of got I think we got… What a surprise, you and I-
Jesse Nash (37:50):
I would be shocked if [crosstalk 00:37:51]. I will say this, that I think your listeners can can benefit from this. So there is a, as I mentioned, there is a absolute gating issue with a lot of tech transactions about data security and privacy. Lawyers are focused on it on both sides and it is a oftentimes a drag on negotiations and takes what could be a couple of days or a couple of weeks negotiations out to multiples of that. And so, getting out in front of that is a major issue. The other thing is, the other dynamic to note here is that there is an ever evolving landscape in terms of state or international, federal and state data security laws that are being passed and kind of understanding that framework and getting out in front of those requirements is imperative.
Jesse Nash (38:48):
For example, everybody knows California passed the CCPA. Requires all sorts of requirements on how data is used, transferred, stored and how consumers have rights to understand what you’re doing with your data and ways to have their data deleted from your systems. I’m not sure if you… Well, I’m sure you’ve come upon this, but that can have a massive operational limitation on B2B company. So now I need to go identify this particular personal information and be able to delete and be able to verify that they’ve done so.
Yeah, to be blunt with you, it’s a staggering requirement for most organizations because this idea of personal information in the old days, personal information was a privileged identifier, a credit card number, a checking account, a medical number. Nowadays, personal information is your dog’s name, your sexual orientation, your religious party, your IP address, your email address, everything is personal, anything which can be used to reasonably infer a person or their household, which is just-
Jesse Nash (39:53):
When you combine with other data points, right? So you can have one piece of a very large mosaic and it can still qualify.
Right. And so technically if you want to get to GDPR conformance, [inaudible 00:40:05] conformance or CCPA conformance, you literally need to know all of those individual data elements, the sub elements of data. You need to know what processing activities act on them. So, during a job interview or the recruiting process or employee onboarding, or a deliverable of client matters, right? Which pieces come in? Which legal matters? Which services that you provide as a law firm, as an example. Actually act on that data. Then one of the assets, whether it’s email, whether it’s SharePoint, whether it’s Dropbox, whether it’s your document management system, where might that data end up. Then you got to be in the ability-
Jesse Nash (40:41):
Then at that point, if somebody says something, you can bring all that data, present it to them, tell them that you’re doing… Prove to them that you’re doing what you said you were doing with the data and or delete the data, which is incredibly difficult.
Jesse Nash (40:52):
Absolutely. That’s the key point that I think is a lot of companies are scrambling to. Back, before these data regimes, these data regulation regimes came online, having tons of data was a good thing. A lot of companies were kind of forming whole business models around incidental accumulations of data, right? So, “Oh, great. We have all this awesome data. How are we going to monetize this?” It’s almost like now data is a little bit of a hot potato, right? It’s almost like a ticking time bomb and having more of it on your systems inherently increases your risk.
Jesse Nash (41:30):
So how are you managing that data? How are you deleting obsolete or unnecessary data to reduce your risk profile and having kind of a comprehensive information security program that deals with managing this data colon through it, understanding what the heck it is you got. Understanding how it’s stored and under what data security infrastructure it’s stored and how the heck you call it and get rid of it when you don’t need it anymore. And how you respond. Like you said, the right to be forgotten request based upon these different laws. It’s almost like having data in your systems is an inherent risk that needs to be mitigated by a good information security program.
Yeah, no, it’s really interesting. And then on top of that, we’ve got two things going in two different directions, right? So we’ve got this increased risk associated with data, and then we’ve got the increased generation of data. Because if you look at two of the hotter fields, right? You’ve got the concept of the internet of things, right? And these devices that are generating. So we will soon have on the order of magnitude of 20 billion devices generating, let’s say 50 zettabytes of data per day. A zettabyte by the way is like one with 24 zeros after it. Massive. Right. And then on top of that, if you think about artificial intelligence machine learning, what does that require to be effective? Massive datasets.
Jesse Nash (42:48):
That’s been a big problem.
So you’ve got these companies gathering these massive amounts of data because they need to, to train the AI and the machine learning systems. It’s an interesting paradigm we’re in right now.
Jesse Nash (42:59):
I’ve come upon this issue recently but if you have an AI machine, that’s looking at data to train it and now you need to go back into the data that the AI machine used and delete certain aspects of it, how the heck does that work? And some systems are not set up to do that. That’s been a negotiation point that I’ve had buttheads with over a few times.
Yeah. We have a client that we got ISO certified that does AI in the sales process. So they’re sitting in and listening to all of your communication with the client email and things of that nature and you get into some incredibly challenging issues where you’ve got all of this email, you’ve got emails with 10, 12, 15 people on it. Suddenly one person submits a DSAR, Data Subject Access Request that says they no longer want to be included. How do you un-entangle them from and what if they’re mentioned in the email in some meaningful way or multiple ways beyond just… So it’s not just a matter of, “Okay, I’m going to take the matter to, To or CC line.” Right? It gets really fascinating.
Jesse Nash (44:01):
It’s the substance of the discussion. Yeah, absolutely. The substance of discussion that are being read.
Right. Then what happens, what happens to the artificial intelligence, based on the removal of said data?
Jesse Nash (44:14):
Yeah. In a lot of cases, it’s just can’t be done.
Jesse Nash (44:18):
Just can’t get there from here.
Yeah. It’s a really interesting world. All right.
Jesse Nash (44:25):
I was going to ask you anything else that we… You live this and breathe this every day from a very different perspective than I do. So this ha been fun for me. Is there anything else that we didn’t talk about that we probably should be? Anything we missed?
Jesse Nash (44:36):
Sure. So, one of the things I’ll touch on very briefly is data security and privacy in the sale of the company. So for your entrepreneurs, right? You have this great idea. You put blood, sweat, and tears into this business model. You’ve got outside investors, you’ve taken minimal vacation, bare bottom paychecks, barely scraped along, hoping to invest in this company and the ultimate payday for many, many entrepreneurs is a sale of the company, a stock sale or an asset sale where you’re going to finally get the fruits of your labors. Oftentimes, well, what we’re seeing now is a heightened focus on data security and privacy diligence in the mergers and acquisitions context and we’re looking at broad sweeping representations that the purchaser is going to ask in terms of compliance with law, compliance with certain objective standards like ISO or SOC 2 standards, compliance with contracts.
Jesse Nash (45:33):
What they’re looking to do is they’re looking to exclude specific indemnities for any failures or those reps. And they’re looking to have [inaudible 00:45:40] uncapped indemnities for those reps. So you could potentially have a situation where number one, your deal is jammed up because your buyer hired somebody like Pivot Point Security to do this due diligence. So it discovered all sorts of problems with your company before you sold it. So now you’re jammed up in your diligence process or maybe the deal fell apart or maybe you have to redo, try to re-trade the purchase price based upon all the information security risk they’re incurring and all the infrastructural investment they’re going to have to make post-closing, right? So they want to renegotiate price during the diligence process. As a seller, you just got found out, right?
Jesse Nash (46:17):
So you have no leverage. You’re in the thick of diligence, you got called on the carpet for some noncompliance, you know you need to remediate it and the buyer says, “Oh, by the way, we want to reduce the purchase price by X million. Right? To address this issue.” That’s not a world you want to live in. Right?
Jesse Nash (46:34):
The other issue is even if you get to the closing, let’s just say, the buyer grit it’s teeth on your diligence concern, but it wants to have an uncapped indemnity, should anything come up post-transaction, based on that particular issue. So if there was a breach or there was some sort of legal liability related to pre-closing data security issues. So now you have the potential of your buyer coming back at you for purchase price, or even worse if there’s indemnities or escrows, or earn-outs, now they’re saying, “No, we’re not going to pay you, because we’ve discovered this here, new issue.” Right? And now you have to litigate to call that money back. It’s a mess. So they announce preventions worth a pound of cure there and understanding your data security and privacy obligations and dealing with that before the diligence process is absolutely massive. Believe me, buyers are getting more and more sophisticated in terms of doing that diligence, pre-closing.
Jesse Nash (47:38):
A lot of what I do, John is a private equity backed roll-ups. So it’s this concept that a private equity fund is going to identify a specific industry vertical, and then roll companies into this. In fact, I’ve done three or four deals over the past couple of years that were specifically really good on-premises, software service providers acquiring really good SaaS companies to roll out a SaaS solution to all their subscribers. So it’s an on-prem to cloud acquisition model.
I thInk I know one of them.
Jesse Nash (48:12):
Either you do one of them, but it’s surprisingly common. Because imagine you’ve got this company, it’s this big behemoth company to go on the cloud is like a nightmare for these old-school technology companies. If somebody has already invented that mouse trap, why not just acquire them and roll out their solution to your client base and add in the functionality and employ your domain expertise, but just deliver it via the cloud. Same solution, just different method of delivery. Well, you can bet your bottom dollar in those private equity-backed roll up transactions that data security is going to be a massive central gating item and it sure enough has been. So the smart money is on a company that understands that obligation and gets out in front of it early on. Again, it could be a real nightmare if deals start falling apart because issues are discovering diligence.
Yeah. Have you and I ever talked about what people refer to as the shared responsibility model in SaaS?
Jesse Nash (49:08):
No, I don’t think we have.
So yeah, you and I should really chat about that at some point. Microsoft has put out a very famous graphic of this. In fact, we’ll throw it into the podcast and I’ll make sure I send it over to you afterwards. But, depending upon whether you’re buying SaaS or platform-as-a-service or infrastructure-as-a-service, the full risk associated with data is never being assumed by the cloud service provider. Right? So even if you get to a SaaS, which is really the most significant outsourcing you can have, you still own a lot of that risk, right? You’re still responsible for user count management for information classification and governance, access control, monitoring people’s access to those systems.
The data, once it leaves the cloud, right? When somebody’s laptop connects to Salesforce and they’re downloading reports, is that data being maintained to secure by you? So increasingly what we’re working with are SaaS clients in doing is creating… In FedRAMP, they have this concept, they call it a user guide of behavior. But what are the requirements for you as my customer to hold up your end of the bargain? A lot of people think that it reduces risk in that you have a client that misuses your system. They made the mistake. Maybe you don’t have liability in terms of it was your… You’re being sued, but you do end up in a situation where you have an unhappy client that maybe leaves a platform on you.
So a great example would be, I worked as a subject matter expert in a legal case once where someone misused Salesforce and they had 42 administrators, guy stole the database, went and tried to sell it to somebody. Part of the argument was, “You guys didn’t protect it very well. Right? You gave me admin access.”
Jesse Nash (50:57):
Yeah. So we have really beefy provisions about your obligation as a subscriber to do you have password control and management, access control and management. And we have operational obligations on the user. It differs by use case and to be honest with you, some of that stuff’s over my head, John.
Good. Well, it’s good. It sounds like you are accounting for it though, which is increasingly something we see in the SaaS space as being a critical thing to do.
Jesse Nash (51:25):
Excellent. Cool. Anything else before we wrap up?
Jesse Nash (51:30):
That about covers it.
Cool. I always like to ask a fun question, to leave. So usually I ask the question, can you give me a fictional or real world person would make a great or horrible CISO? I’ll give you the option to change that to tech lawyer.
Jesse Nash (51:45):
Okay. All right. Now, for the listeners out there in internet land, John, this is a softball John prepped me for in advance.
Jesse Nash (51:54):
So here’s my answers. I’m going to go with James Bond. Why? Why James Bond? Because he knows how to deal with risk. He knows how to get out of sticky situations. He knows how to handle technology and he’s sexy as hell.
I thought you might’ve gone Ally McBeal for mostly the same reasons.
Jesse Nash (52:12):
And maybe I’m showing my age.
Any other… I don’t get a chance to chat with the attorneys very often on the podcast. As an attorney, is there any other topics that you think would be interesting for a future episode?
Jesse Nash (52:27):
Yeah. One of the things I think that you might want to do is look at equipping CISOs in harmonizing their rule book with their customer or vendors rule book. And how do I do a gap analysis between my data security policy and the data security policy that’s being put upon me or the reverse. My rule book, you need to comply with my rule book, but I see that you have a rule book. So how do I do that gap analysis? I think that skill is an important one. And if you want to speed up transactions either on the vendor side or the customer side, this skill of doing that is key and getting on the same wavelength, speaking the same language, doing that gap analysis and being able to be facile and closing that gap, that’s a big deal.
Got you. One of the more interesting ways to deal with that is to very often you can move somebody off of those asks. Very often the ask, it reflects a situation or reflects an assumption on risk in your particular environment that might not be accurate. So really what we like to do is get on the phone with them and understand why are you asking this? Right? Because at the end of the day, there’s a specific requirement and very often what we are able to do is say, “Hey, we don’t need to do that.” Right? So as an example, we don’t need to maintain locks for that period of time for this reason, we have this compensating control mechanism in place. Or we do IP address restrictions. So we don’t need intrusion detection on top of that, right? Because each customer, their access into our environment is restricted on an IP address basis. Right?
So I mean, there’s mechanisms by which we can minimize the likelihood because the problem you run into is the minute that your security policy is the amalgam of all of your customer’s security policy, you’re in trouble. Right?
Jesse Nash (54:18):
That’s the wrong way to do it.
It becomes impossible. And if you look at the… In a perfect world, you’d be big enough like Salesforce and Oracle and Microsoft to say, “Hey, we put the way we do shit on our website. If you don’t like it, go find somebody else.”
Jesse Nash (54:32):
And John, to a startling the gray and this doesn’t apply to my clients, of course and it certainly doesn’t apply to my clients who happen to be listening to this podcast. But I hear tell through the water coolers in the industry that a lot of tech companies, that’s a lot of SaaS companies, that’s exactly what they do. They develop their data security infrastructure strictly in response to client demands. And it’s almost like that episode of Seinfeld where Kramer’s Manning the movie phone. He’s like, “Why don’t you just tell me what movie you want to see?” It’s almost like that, where you’re acting in reaction to your customer base and it’s nowhere to be, but as a practical reality, a lot of times, again, not my clients find themselves in that exact boat.
Sounds good, man. Well, listen, thank you so much for coming on. I genuinely appreciate it. Look forward to us getting out of COVID world and maybe we can get back together for a lunch or something-
Jesse Nash (55:31):
We’ll have that French drink that you mentioned that I can’t spell, or I would have written it down in-person as soon as it’s appropriate to do so. So fingers crossed for that vaccine.
Yeah, that might be a year from now at the current rate.
Jesse Nash (55:45):
Yeah. [inaudible 00:55:46]. Anyway, John, thanks so much for the opportunity was a lot of fun.
You got it Jess. Same here.
Speaker 1 (55:52):
You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. To ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.