Thoma Bravo, a private equity firm focused on investing in cybersecurity companies, recently participated in the Milken Institute Global Conference to discuss the topic of cybersecurity and its relation to diplomacy. As a managing partner at Thoma Bravo, my role is to help our portfolio companies grow and thrive in the cybersecurity industry. When I was invited to speak on the panel, I knew I would be representing the private sector perspective amongst a group of experts from the public sector.
Thoma Bravo has been investing in cybersecurity companies since 2009. Currently, our portfolio consists of cyber companies with a combined enterprise value close to $40 billion. These companies generate an annual revenue of $5.8 billion and employ over 20,000 individuals. Our goal is to support these companies in their growth and innovation to deliver returns for our investors.
At first glance, the private and public sectors may seem vastly different when it comes to cybersecurity. However, in reality, both sectors face similar challenges and share common goals in protecting the digital economy and society as a whole. This has led to a growing focus on public-private partnerships (PPPs) in cybersecurity, as they aim to bridge the gap between these two sectors and strengthen overall cybersecurity.
As someone involved in the private equity industry, I approach cybersecurity from a pragmatic standpoint. When investing in cybersecurity companies, I look for concrete actions that can enhance performance and security, resulting in measurable improvements. This mindset of tangible results can be valuable in advancing public-private partnerships in cybersecurity.
Based on my experience and the discussions at the Milken panel, I have identified four areas of common interest, language, and perspective that can help advance and accelerate the PPP agenda:
1. Adapt the calculus: It is important to understand that cyber attackers make rational decisions based on costs and benefits. This applies not only to national defense but also to the decisions made by Chief Information Security Officers (CISOs) regarding cybersecurity investments. To make informed decisions about priorities and investments, both public and private defenders need to understand the motivations and calculations of bad actors. Sharing this knowledge can contribute to better cybersecurity strategies.
2. Cover the basics: Often, the weakest points in cybersecurity are not the most complex or attention-grabbing attack vectors. Governments and private companies need to prioritize fundamental cyber hygiene, such as implementing two-factor authorization and identity management. These seemingly simple measures can have a significant impact on defense and protection against cyber threats.
3. Innovating for profit: The rapid advancements in digital technology, including generative AI, highlight the importance of cybersecurity research and development (R&D). However, R&D alone does not guarantee value. It is crucial to channel and focus innovation through business discipline to ensure productive R&D. The drive for profitability should be seen as a feature of productive R&D rather than a constraint.
4. Learning to row: Effective information sharing between the public and private sectors is vital for successful cybersecurity partnerships. This requires systematic and specific sharing of information that is relevant and useful to both sectors. Building the muscle and coordination for collaborative information sharing is essential for a proactive approach to cybersecurity.
Leaving the Milken panel, I am more convinced than ever that PPPs will play a critical role in the future of cybersecurity. To achieve success, collaboration and substantive partnership are necessary, with a focus on identifying specific areas of cooperation and measuring results over time. By working together, public and private organizations can benefit society as a whole and strengthen cybersecurity defenses.