Episode Details:

Dive into the world of private equity and cybersecurity with Paul Harragan, Global Cybersecurity Lead at KKR. In this episode, we cover strategies for managing risks, navigating M&A diligence, and aligning security with business growth.

What does it take to go from safeguarding systems to shaping secure portfolios? Tune in to the latest episode of Agent of Influence where our host, Nabil Hannan, sits down with a trailblazer who’s made the leap from cybersecurity into the world of private equity. 

In this episode, Paul Harragan, Global Cybersecurity Lead, KKR, shares his unique career path, detailing the skills and experiences that proved invaluable in navigating the way to his current role. With insights from over 100 portfolio boardrooms, he reveals surprising cybersecurity challenges that almost every company faces and shines a light on what to look out for during due diligence. 

Tune in to this engaging conversation packed with practical insights for both cybersecurity and private equity professionals. 

Show Notes: 

Transcript between Nabil and Paul Harragan

Topics: The intersection of cybersecurity and private equity, red flags and green lights for security during M&A, tactical approaches to being an interim CISO, building trust as a security leader, balancing burnout, tips for aspiring cyber leaders in private equity.

This transcript has been edited for clarity and readability.

Nabil Hannan: Hi everyone, I’m Nabil Hannan, Field CISO at NetSPI, and this is Agent of Influence. Today we have with us Paul Harragan from KKR. Paul, welcome to the show.  

Paul Harragan: Thanks for having me.  

Nabil: So Paul, as we get started, why don’t you tell us a little bit about yourself and where you are today professionally.  

Paul: I work at KKR, which is a global private equity firm. We have just over three quarters of a trillion dollars in assets under management, and we operate globally, so we do large-scale investments. It’s a fantastic firm to work for; exciting firm to work for. I call myself a portfolio CISO. I don’t really know what that means, but I’m not the CISO of KKR, just to be clear, that’s David Stern. He’s fantastic.

I work on behalf of the investors, so I sit alongside the deal teams. I would consider myself an operating partner. I manage information security and cyber defense across that global portfolio, typically focusing on the majority of shared investments where we have a board seat or we have a creation proposition forward. I sit between the CISO and the board and provide guidance to CISOs and security leaders on what to do and how to give a line of maturity that we as investors want to see, and also provide boards insight into whether the function is fit for purpose, whether they’re providing enough support, and whether their insights are actually working and are aligned with the creation proposition.

01:56: How did you come into the private equity space today?

Nabil: I do want to come back to the nuances and the details of what it’s like to be inside, in visibility of 100+ portfolio companies on their boards, etc. But before we do that, I actually want to take a step back, and would love to learn more about your journey and how you actually got into this particular space, in the private equity space. Your role is very unique; it’s not a role that’s commonly out there that you see very frequently.

So, I would love to understand what was your background, and how did you end up in the place you are today?

Paul: Okay, right. So if we go right back, I mean from university, I studied software engineering, so I wanted to be a developer. Actually, when I left university, there weren’t many jobs available. I mean, I was a poll developer, and I struggled to find a job, and I remember having to pivot into the networking space, and I became a firewall engineer in help desk. I specialized in Check Point firewalls and worked in the retail space for a few years, getting to know that world and going up the ranks of first line, second line, third line, tiering. But that gave me a pretty good oversight into the world of technology.

This is 25 years ago now, so cloud didn’t exist; cyber didn’t exist. It was all networks. And from there, I got new jobs into investment banking and retail banking and wholesale banking. I’ve worked for several banks over the years, mainly dealing with firewalls and those kind of things.

I was picked up by Accenture early, maybe around 2010, and I had the opportunity to lead their security division for UK banking, and I led the offensive security team and the strategy team. It was brilliant because it gave me a whole new world of consulting experience and allowed me to go into many different banks and investment banks and learn that world.

From there, I was picked up by EY, which I spent five years working my way up to partner, and I did a few things at EY. I was head of European strategies and transactions for cyber, which we did hundreds of diligences on, I think probably over 400 during my tenure. But I also got to run incident response, offensive security, and many, many bills went through that way.

And going through that journey, I represented lots of private equity firms, such as SoftBank, Carlyle, KKR. And so I got to know a lot about private equity and a lot in that space. When the offer from KKR came to me originally, I was very excited. However, there was a kind of a view that I should live in America, and I’m very British, so that wasn’t going to happen. The interview process went on and then went off and went on again. It lasted about a year and a half, and eventually they came around and said, look, we accept that you’re the right guy, and we’re going to go with London.

Actually, geographically, it works quite well, even though the majority of our business are in the US. I cover Asia, and I cover Europe. So, time-zone wise, it works out pretty well. So here I am at KKR.

05:50: What aspect of your background helped you succeed in this role? 

Nabil: What part of your background do you think gave you an advantage to be successful in this role? Was it more of the exposure from working in the Big Four and getting to see different organizations and their programs, or was it more understanding the financial space and the private equity space?

Paul: I think you need all the ingredients for the cocktail. I think that having a defensive security background and an offensive security background, then traversing into business strategy and transactions in the private equity world, I think it’s a cocktail that works, and it’s given me the ability to work in hundreds of businesses, right? It’s not just working in one organization. All of my life, I’ve literally worked in hundreds of businesses. It’s just provided me that depth and that knowledge and the connections. I wouldn’t say it was all based on my skill; I would say a lot of it’s luck, right timing. I’ve been at the right time, at the right place, known the right people, and just been given fantastic opportunities. I’ve been quite lucky.

07:00: Are there patterns or unexpected insights you’ve observed while working with a high volume of companies from a CISO perspective? 

Nabil: So, with that experience, and now with having exposure to, let’s say, 100 plus companies… 

Paul: 179.

Nabil: 179 to be exact, where you’re in the boardroom with them and looking at the organizations from a CISO lens and trying to help them, are there certain patterns that you’re seeing in those discussions, or are there things that you’re being surprised by that you didn’t expect?

Paul: I think that the boardroom situation is an interesting one. People’s perception of the boardroom is that they have a view on what their experience is going to be like. But I can tell you now it’s not vanilla at all. Each board is very, very different. They all care about the same things. You know, how the value creation proposition is going to play out. How are you getting our growth to scaling? Is revenue hitting targets? What service lines are we going to get into? But they very rarely care about cyber truly. The answer is no, quite frankly. Do I think that CISOs belong in the boardroom? No, is the answer. I back that up because I’ve just seen CISOs fail, unfortunately, or not be successful, should I say, more than fail, in the boardroom, because often they come with the approach of being a bit of a purist and their world is around protecting and safeguarding the business.

I think that if you come with that approach to the boardroom, the investors that are in the boardroom, they’re not really focused on that energy. My view is that actually your relationship with your CEO is probably a much better angle to take.

You should be able to have a relationship with your CEO and explain your risks and explain the reasons why you need change, or you need to go any direction, or you need investment, and then the CEO can take that to the board, because they can definitely manage that.

I’ve seen people go to the boardroom and fall apart. And what people have got to realize is they always strive to get there. It’s a rush to get there. I don’t know why there’s such a rush, but every time you enter that room, you pretty much have a job interview, right? If it goes wrong, it’s going to look very, very bad. People are going to question your ability to be there.

The fact is, we don’t really, as security leaders, go to business school. You don’t really do that. There isn’t really even a cyber school, like there are boot camps, right? But then how do you actually have the experience and the knowledge to actually get there? And to be fair to the curriculum, which doesn’t exist, I don’t even know what you would—as I said, it’s not vanilla.

I think success would come from actually being mentored by a non-executive director, or someone who’s got clear experience, CIO, CTO, on what the board is actually looking for, and maybe providing insights into some reading material. Then if you do get invited along, keep it short, keep it simple, to the point, and be coached.

10:19: What prescriptive advice would you give a cybersecurity leader preparing for their first board meeting? 

Nabil: I love the fact that you mentioned there isn’t really a school that teaches you how to do this work. 

Paul: Not that I’m aware of. There might well be. I don’t discredit anyone.

Nabil: But even in the cyber space, you know, there’s no school that really teaches you cyber, but there’s plenty of certifications out there where you can memorize a bunch of stuff and pass an exam and have a bunch of acronyms that you put in your email signature to let people know that you’re a guru in cyber because you’ve memorized a bunch of stuff. I’ve seen that happen, which fascinates me, and I feel like that should be a different conversation we should have that could maybe take an hour, and then maybe a different episode for that one.

With that being said, I really like the way you put it, that a board meeting is essentially your job interview that you’re doing over and over again. So, from that perspective, someone who’s going into their first board meeting, keep it short, keep it concise, I know those are common things we always hear about, but do you have any prescriptive guidance for, let’s say, a cybersecurity leader that is going to their first meeting? What should they be thinking?

Paul: I mean, there’s a few things, right? First of all, know your audience. Like I said, each board—is it an audit committee? Is it a board? They do vary. They do care about different things. How many investors do you have? Know these people. Know their background. Know what makes them tick. If they’re just hard money, investors are not really going to want to know about your problem, but if they actually do care, be very precise. Be very clear on your messaging. If you’re going to go with a problem, know the answer already, or at least come with a few ways to solve the problem. Don’t just leave it open, because they don’t want to really hear a problem, they want to hear answers.

If you’ve got a direction that you want to navigate someone towards, explain the pros and cons, explain how that can bring value, or typically we don’t feel in value, but preservation, when it comes to how you’re safeguarding the business. I think that’s very, very important. I also think know what you’re going to… typically, you’re asked to do the presentation, or you’re asked to provide insight. I would get feelers from the CTO or the CIO, or whoever your direct report is, if it’s the CEO, speak to the CEO, on how precise do they want the messaging.

For example, if I was going to the board at NetSPI, I could speak technical, like I could speak to the people and say that this is where we need to navigate to. However, if I’m going into a boardroom where they’re not separate, or they simply don’t have that viewpoint, they just deal in numbers, which is typically what you find. You’ve got to really dumb it down and keep it very, very simple because it’s just going to go over their head and they’re not really interested. You will lose them after two minutes. Know your audience, know what you’re actually being asked to say, and if you can get that coaching, I would really try to do that, and that’s a great way to work.

13:31: What red flags and green lights do you look for in cybersecurity programs during M&A evaluations?

Nabil: You have the benefit of really getting deep internal visibility into many organizations as part of the M&A activity that KKR is part of, and you’ve seen a lot of programs with varying shapes, sizes, and maturity of cybersecurity initiatives. Are there certain things that you look for that are red flags when you do an evaluation during an M&A diligence process? And are there certain things that you look for that are green lights that you know actually encourage you and give you some peace of mind when you’re going through that process?

Paul: Absolutely. I mean, I think we need to clarify that there are several different types of transactions that can take place, and we tend to deal with most of them. So one playbook doesn’t fit all. For example, a straightforward investment, it’s just a cash injection. In those situations, we care about what the future thesis would mean. So if we’re going to inject $500 million or a billion into your business, we’re not going to keep it the same, right? So what are you going to do with that money? And how will that currently change the threat landscape?

If you’re going to get a new service line, or you’re going to promote yourself to a new geography, it does change what you have. So we evaluate the current tech stack, we evaluate the current security architecture, and then we work out how much additional investment, how much change will be needed, based on our one to five or maybe 10-year thesis with that company. I would say in that scenario, out of just shy of 1,000 diligences that I’ve been involved in, including my time at EY, I’ve only ever had enough evidence to go to the investment committee to stop two. So the majority of the time, it’s, okay, we recognize that there’s risk, but it’s forward fix.

We put together a number that we’ve negotiated with the investment committee to say that once we invest in this business, this is what we think we need to put in, and this is the time it’s going to take, and then we’ll have the correct schedule.

So on the whole, in that scenario, it’s plow on, really. I mean, that’s the key. We don’t really want cyber to be a blocker in that way.

However, if we take a different scenario when it comes to complex carve outs, this scenario can vary again, but let’s say there’s a big company and we want to carve out a certain section of the business, but we’re setting it up in Greenfield. Everything needs to be scoped and planned, and TSA agreements with the existing parent, and then how long it’s going to take for us to set up a new location, new technology, and all of that has to be put into the architecture plans. Next is when you start to see how many positives you can take from a synergy perspective. Should we be copying what they’ve got, or should we be setting up the other efficiencies? And you know, there’s a big piece in the diligence process to actually navigate how much this is going to cost, because sometimes we’re buying energy plants, and that could come with 500 energy sites, and it’s very difficult to start navigating how much that could cost to re-transition over to a new enterprise setup.

Lots of red flags in those situations, because the money could be huge and the time could be huge. But again, typically, we’re good at what we do. We are very, very good at what we do, and we’re able to construct with our partners what the cost of this should look like, OPEX and CAPEX projections. And then we put that into our investment committee, and we go through diligence, and then we go through it, and hopefully we come to an agreement.  

17:40: What approaches do you use to bring order and address challenges when serving as an interim CISO or CIO?

Nabil: Another aspect of your role is you’re often called to action when there’s a very chaotic situation to serve in the role of like an interim CISO or an Interim CIO, when one or more of the businesses are really struggling in a particular area, or they have a gap in that type of leadership role, until they address that gap. What are some of your approaches when you’re put into those situations? Do you have certain things you look for to get started with to at least bring some calm into the chaos as you build out and solve the challenges that the business has?  

Paul: Yeah, and this happens twice, three times a year. I would say that again, it’s never the same situation. It could be that someone’s decided to take on a new opportunity somewhere else, so there’s a gap in leadership. In one scenario, it could be that after our investment, we’ve positioned ourselves as actually needing someone more senior in the current role, and so I help transition over to a new person. It could be that, if it’s a carve out, like I said, it’s a brand new business, so the original CISO stays with the parent, and we’re setting up a brand new situation. So I can cover that piece as well. This is the fun part of the job, right?

So, is there a model? Is there a way to work it? I mean, I don’t have anything prescriptive to say, but I know what the view is to take it to a maturity level that’s accepted by the business. And so I have a set procedure that I know in terms of control implementations that are critical. And then I have a drive to push the company to a point of confidence that I can go into the board and say, look, whilst security is not perfect here, I can confirm, and I can give you confidence as the investors that this business has the right people, processes and tooling in place to be able to react if something were to happen. We wouldn’t need to pay a ransom. We are able to recover and respond to a vast array of incidents, but also to give a view that they’re not negligent with customer data or corporate. That’s the confidence we want to do, and that’s what I try and drive when I go in.

But it’s a bigger piece than that, because I evaluate the current team, I evaluate kind of what’s needed from an information security and cyber defense perspective, then we’re in a bit of an interesting transition now where we can actually automate a lot of things, and so it’s a great time to actually advance the security maturity of the business by bringing in robotic procedures to actually enhance all the monitoring and intelligence into the piece.  

I do a lot of recruiting. It’s my job to know some fantastic people in the industry, and if I must say that, we probably place around 20 CISOs a year. So, it’s good to have a big book of people that you can call upon, and maybe they’re at their point of a new opportunity.  

So yeah, all of those problems, I’m spinning all the time alongside; if I get an interim CISO job, I don’t actually stop my day job, I just have to fit it in.

21:28: How do you build trust and rapport as an outsider when entering a crisis situation?

Nabil: Often, when you’re thrown into these situations too, there’s a critical component of trust involved and building trust and rapport with the team as an outsider that’s coming in to fill a certain void that might exist in the organization itself. What are some approaches you have, or what is your framework for building trust with people who may already be in a crisis situation?  

Paul: I think it differs by geography.

In order to drive great results, they have to aspire to you as a leader.

I think the way that I approach it is I try to re-energize them. I try to refocus why they’re doing what they want to do. I put clear goals in front of them, which are achievable, which will give them the spark that they need.  

I mean, I often go back to Maslow’s hierarchy of needs, and I think that self-actualization is a key component of that model. If you trigger perspectives on what people actually want and what they aspire to be, you can actually drive fantastic results out of them. It doesn’t always work.

22:52: How do you balance addressing burnout while filling a security leadership void and maximizing team contributions?

Nabil: Another part that’s a big challenge in our industry today is burnout. We understand that there’s a lot of stress and a lot of pressure being put on security groups and security teams, etc. How do you manage that challenge, especially when you’re going into a situation where there’s a void in security leadership, and you’re probably also not only filling that void, but you’re trying to extract a little more out of others that are within the organization to maximize the investment that you’re making, both from a time perspective and from building out a program perspective? How do you find that balance, especially when burnout is a challenge?

Paul: That’s an interesting one. There are different types of burnout. I’ll cover them both. But if we take the burnout from the senior leadership perspective, I often think that burnout is a case of someone’s rush to the position that they think they wanted, and they got there quickly, and probably too quickly, and they’re trying to fulfill that role, and it’s just not turned out the way they wanted it to be, and it’s not the highlight that they thought it was going to be, and they’re having to deal with all of these additional focus areas that they didn’t want to take on, and it will eventually lead to burnout.

That’s the whole race to CISO piece, race to the boardroom piece. I think that there’s a lot of that that goes on because you can capture a CISO title working for a company that makes bolts, right? But you can also be the CISO of critical national infrastructure. You can carry the same title, but they’re clearly not the same role. One takes 35 years of experience, and one takes your third gig, and because you’ve got that on your CV, you can traject yourself to that pretty quickly. These roles have only been in existence for about 15 or 20 years, so there’s a lot of companies out there that need to have that role. So they just, there’s not been that many, so they’ve been accelerated to the top. And of course, we’ve all taken it because it’s a bigger paycheck and it’s getting the dream early. But when you get there, you realize it’s not the dream at all. And you’re already going, I want a new job. I want out of this company. I think the grass is greener on the other side, and that leads to unhappiness and burnout.

To go back down the hierarchy, the only other time I really see burnout is in the analyst space and in a SOC, absolutely, because that’s just a bit of a boring job, and it’s often what people have to take on in their first role, because it gets easy. So I understand that, because it’s follow-the-sun modeling, and they may be on shift work, and that’s pretty hard.  

Nabil: That’s more from a volume of work.  

Paul: Yeah, it’s more of a lack of change. 

Nabil: Monotony. 

Paul: Yeah. But for the people that cover maybe multiple hats in a business, and they’ve simply been positioned into a job where it’s a job of four people, and they’re trying to do it all. I mean, I’m a victim of this myself. I’m always available to say yes. And actually, I should reflect and say there’s a better person to do this. I think that people can take on too much wanting to progress themselves again and not say no, and they just get swamped by too much. I mean, I’m a victim of this myself. I get overwhelmed sometimes, and I have to kind of put myself in a very quiet space to process all of the data that I capture.

I think there’s a few different categories, but the answer to it is know yourself and know your own capabilities. If you get to a point where you feel overwhelmed and you haven’t got enough support to get out and you can’t speak to anyone, there’s only one way to remove burnout: it’s to leave the business.

When you get into a new opportunity, maybe a new job, and instead of just going after the money, which is often what we do when we’re young, because we’re growing as a new family, definitely consider who you’re going to be working with. In a job interview, when people ask you, are there any other questions at the end, I would definitely go back and say, tell me about the rest of the team. Tell me about my support structure, because I’m going to be taking on something new, and I’d love to understand who else works here, what they’re about, kind of meet them. Definitely know what you’re getting into because that support structure, they’re going to be your teammates. They’re going to be the ones who carry through, and maybe you’ll have to help them, and they’ll help you. It’s definitely worth knowing rather than just signing up to a job, taking a risk, I think that we can be better in this space.  

28:02: What’s your advice for someone aspiring to a role like yours?

Nabil: For anyone who wants to follow in your footsteps and maybe get a role similar to yours, what’s one piece of advice you’d have for them?  

Paul: I think that knowing a lot about the VC and private equity spaces is definitely a must. Therefore, I’m not saying that you should go that route first; I mean, obviously, go through your security training; that’s the key part. But then as you navigate through your journey, through your career, start to consider working on M&A deals, if that’s an opportunity there for you, if you have an interest in it, and then you can go to forums and insight panels and get to know people in the industry. Most private equity firms, large cap, mid-market, all have a program like KKR’s. Get to know the people. Reach out to them on LinkedIn. Say hello; say you’re interested. People like to talk about themselves, right? If you can find the time, definitely share that knowledge base. That’s how I would, if I were resetting and going back to day one, I would definitely try and navigate that way.

Nabil: Well, Paul, before I let you go, we always like to learn more about what our guests like to do when they’re not working and not working in the security space. So, what is it that you like to do for fun?

Paul: I have two passions. Well, okay, that’s unfair. I have three passions, but my family’s a passion, right? So, definitely, I have two lovely daughters and a fantastic wife, and I love to spend time with them and family time. But outside of them, on my own, I love to play golf. I’ve played golf pretty much all my life, so it’s definitely something I love to do, but I also have a passion for football, or, should I say, soccer. I’m a Leyton Orient fan, and they take up a lot of my time as well. So they’re my kind of three things that I do.

Nabil: Who’s your favorite?

Paul: I would say Faldo. Growing up, I used to play a lot of Faldo tournaments, and he often came in the UK. There’s a tournament called the Faldo Wedge, and I was lucky enough to win a handicap. I didn’t win the scratch one, but I won the handicap prize when I was 14 or something, and he presented me the award, which was fantastic. Ever since that point, Faldo has been my favorite. He gave a speech. It was great for me, personally. It was a high point. I remember that deeply.

Nabil: Well, Paul, thank you so much for your time. I know you’re busy, but anytime we hang out, I always learn something new, and I appreciate your partnership, friendship and insights over the years, and look forward to maybe a round of golf tomorrow.

Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence. If you want to be a guest or want to recommend someone, please fill out this short form to submit your interest.