Tune in to this episode of Bigger. Stronger. Faster. and subscribe on Apple Podcasts, Spotify, or your preferred podcast platform to receive updates on our latest content.
Technology Center of Excellence - Imran Shaikh
Within the Shore Resource Team is a specialized group called the Centers of Excellence (COE). COEs are a team of senior professionals who came from careers as operators, and support individual companies or help harness the power of 40+ companies as a competitive advantage. The COE team leads peer cohorts, operational improvement projects, share best practices, and provide the tools and support for companies and executives from early hold through exit readiness.
In this episode we discuss Shore’s COE focused on Technology. Imran Shaikh, Chief Technology Officer for Shore, talks about the IT operating standards Shore sets for portfolio companies, and the way in which Shore uses IT as a value generator. He also discusses real world examples and solutions for dealing with IT security threats in small- and medium-sized companies.
Transcript
Introduction
Anderson Williams: Welcome to Bigger. Stronger. Faster., the podcast exploring how Shore Capital Partners brings billion-dollar resources to the microcap space. Centers of Excellence at Shore Capital are subject matter experts who provide their functional expertise to support our portfolio companies. COEs, as they are known, share best practices and engage with our portfolio companies to address real business challenges and to create opportunities far beyond what a traditional microcap company would be able to do on its own.
In this episode, we highlight Shore Capital's Center of Excellence focused on Information Technology.
Imran Shaikh: Imran Shaikh, I'm the Chief Technology Officer for Shore, part of the COE, the Center of Excellence team. I help our portfolio companies with their technology strategy, which includes employee productivity tools and systems, business applications, information lifecycle management, and cybersecurity.
I spend a lot of time with our portfolio companies on their cybersecurity strategy, and I've been with Shore for a little over a year and a half now.
Anderson Williams: So, Imran, what did you do before you came to Shore Capital?
Imran Shaikh: Prior to Shore, I was with another private equity firm that invested in software and technology companies in a similar role.
I helped the private equity firm with pre acquisition diligence and value generation post close. All of our companies were software SaaS companies. You solve the challenge for one company, you've solved it for everyone else. And it was mostly a kind of rinse and repeat approach. When I joined Shore, it was a little different.
One of the reasons I joined Shore was, in technology companies, we innovated every day, but we never saw a practical application of it. What excited me the most about Shore was, the companies were non tech companies, and the opportunity to use technology to give these companies a superior competitive advantage excited me the most.
Early Stage Focuses
Anderson Williams: And when you think about our portfolio, what are the things that a microcap company should be thinking about that you're focused on? Like, what are the top priorities in the early stage of a microcap company?
Imran Shaikh: Just like any other small businesses, microcap companies have under invested in technology for many, many years, and that causes significant technical debt.
And just like any other debt, it compounds. So, if it's not addressed, in a timely manner, you have to spend significantly more in coming years to pay down that debt.
Anderson Williams: And can you give just like an example? Give us a specific color commentary of what technical debt looks like.
Imran Shaikh: Yeah, let's take example of a healthcare business, wherein they may not have upgraded their server hardware to the latest tech.
And Microsoft, as an example, announces they are going to end of life a certain operating system. Now they're playing catch up trying to upgrade those systems because they did not keep up with the latest operating systems that were released year after year by Microsoft. Now, if you have not upgraded system something for the last nine years or 10 years, you cannot do that overnight.
Now you have to upgrade and replace your server infrastructure to get to the latest code. If in a health care business, if not addressed. It's not only a cyber security risk, also compliance risk from a HIPAA perspective.
Anderson Williams: Can you say a little bit more about what the productivity side of the software or the technology work that you do?
Imran Shaikh: When we acquire new businesses, or partner with them, we see them anywhere from being in a firefighter mode to being a trusted operator. We want them to be innovator. And when you are in a firefighter mode, what that means is you have digital friction. Your employees cannot find the information that they need to do their job.
They have outdated software or the interfaces for the software that are inefficient. Those are a couple of the examples and that comes in different flavors. When it comes to employee productivity tools and systems, they may be running an operating system that's end of life or have email platform that does not meet the current security standards.
That may mean that the endpoints that they use, the laptops that they use, are inefficient or slow, hindering their productivity.
Anderson Williams: And when you think about that point of partnership with Shore and our partner companies, help me understand, how aware are these companies about these issues? Are they coming knowing they've got some technical debt?
To what extent are you sort of educating or evaluating? And to what extent are people coming and saying, hey, we need help?
Imran Shaikh: Before we partner with businesses, as a part of a standard process, we do what we call it pre closed initiating coverage. Pre close initiating coverage uncovers aspects of the businesses that need attention once the transaction closes.
And what are the priorities that we need to undertake to address those issues within the first, you know, 90 to 100 days. As a part of that process, we look at their cybersecurity controls, look at applications that they're utilizing, understand where the lifecycle of the software or hardware it is. Is it toward the end of life?
Is it mid cycle? And how much investment we need to make once the transaction closes.
Anderson Williams: And I'm assuming for the most part that these companies are typically not in the position to have someone like you obviously on their team or to have access to the level of expertise you have. Is that fair to say?
Imran Shaikh: Absolutely. I think if you look at most microcap businesses or small businesses, it is the CFO, the CEO, they are the defacto owners of the IT function. They do not have a dedicated IT function. They may utilize a managed IT service provider to provide those services, and they are ability to look around the curve or around the bend, what's coming is very limited.
Minimum Operating Standards
Anderson Williams: And I'm curious, as you think about our companies, when you think about your experience, it's one thing when you think about removing the digital friction, I love that phrasing. But when you think about the kinds of things that need to be in place, not just removing debt or removing barriers, what are the things that when you look at our companies and you think about a five-year holding period that you say every company needs to have this foundation?
Imran Shaikh: That's a good question because we have what we call is minimum operating standards for all companies. Minimum operating standards are certain foundational requirements that we have for all portfolio companies. Any deviation from those standards calls for attention from the investment partners to ensure those standards are in place.
I'll give a couple examples. Multi factor authentication, MFA, that everyone talks about. You use it when you access your bank account. They ask you to put your email address and or phone number to send a one-time text. Not having a multi factor authentication or MFA for your email is one of the cyber security minimum operating standards that we have.
If companies have those foundational controls in place, that prevents companies from major security hacks and breaches. Because if you look at the cyber security incidents out there, the bad actors are opportunistic. They are knocking every door. They're twisting every handle and trying to see which one's open.
Anderson Williams: And talk a little bit about that. I think a lot of companies think that perhaps they're too small to be at risk from hackers or ransomware or any of those other things. Can you just say a little bit more about that landscape and why it's so important even in these early stages for these companies to get that in order?
Imran Shaikh: Companies need to start by identifying what their crown jewels are. Every company has a crown jewel. If it's a healthcare business, it's your patient records. If you are flavoring company, maybe it's your formula on how to make a barbeque flavor that's your secret sauce. So, focus on what are your crown jewels that you're trying to protect and then work backwards.
And even small businesses have those crown jewels. So, identifying what those crown jewels are, why they are important to your organization, what's the risk that you have because when it comes to cyber security, the budget can be unlimited wherein you could spend millions of dollars and still not be secure.
You don't want to put a $1,000 block to protect a $10 box.
Anderson Williams: And how do you know how much is enough? I think that that's one of those questions that coming into a larger platform and having someone like a CFO running IT and a smaller company, how do you know what's the right amount for a given company or for a given industry, whatever it might be?
Imran Shaikh: There's no thumb rule for that. Taking a risk-based approach makes sense. When we acquire this business, one of the things that we ask them to do is go through a business impact analysis. Hey, here are the 10 scenarios of cybersecurity that will likely happen. What's the likelihood of the company experiencing that issue and what it means to their business?
And then put a dollar amount to quantify your risk. So, it's not one size fits all. It's we take a risk-based approach.
Building Trust
Anderson Williams: And when you do this, when we're partnering with a company, how do people respond? It's like you're coming in and it could be like you're drinking from a fire hose a little bit. Like I've been running this business.
It's been great. We've had no problems so far. Why are you so intense about this cybersecurity things? How is it received generally?
Imran Shaikh: Good question, because gaining the trust of the company early on is critical to make sure they're engaged throughout the process. And there are a couple of scenarios where I've been very successful with a business services company wherein, as a part of the pre closed initiating coverage, we do a deep dive on their cybersecurity systems, which includes deep and dark web monitoring, and we found certain compromised credentials.
For this company, during the process, we shared with the CEO of the portfolio company, hey, this is what we found. In the spirit of partnership, we want to let you know, and then change the tone of the company. Wherein say, hey, thanks for letting us know. And we built trust as a result of that.
Anderson Williams: And can you add for the rest of us who have heard the words deep and dark web, help us understand what that looks like.
You don't have to use that company specifically. What are you looking for? What are you finding? What kind of compromise is really out there that most of us don't know of.
Imran Shaikh: So, there's a surface level web. When you Google that surface web, deep web is where in you require credentials to access a certain system or website.
And the dark web is something that you cannot find through Google. You need specialized browsers, such as an onion browser to surf. Dark web is a platform where the bad actors exchange information, put out for sale data that they may have stolen from a company. It's a rich marketplace, which some of the bad actors have a support number where you can call to get support.
Anderson Williams: What's an example or two of something that you might find as we're partnering with a company that's compromising?
Imran Shaikh: Yeah, most of us use our top four or five passwords for everything. In the absence of foundational security controls, which includes multi factor authentication, if the companies do not have, now you increase your risk of getting hacked as a result of that.
When we find these credentials in the deep dark web, we ask portfolio companies to ensure that the users are not using the same credentials and make sure that they have the multi factor authentication enabled for all business systems.
Biggest Misconceptions
Anderson Williams: Imran, what do you think the biggest misperceptions or misconceptions are about technology and the level of need or risk when you think about our portfolio and the companies we partner with, what misinformation, what misconceptions are out there?
Imran Shaikh: Technology function is looked upon as a cost center still, is not looked upon as a value generator. How do we get over that hump in the long run?
That's challenged for all companies and the technology leaders in our portfolio companies, right? Some of our companies also have technology leaders. They have CIOs. CTOs, Directors of IT, and they often struggle with that, which is how do we get from a cost center more to a value generator? Everything that we do in technology may not have a direct ROI at times.
Technology can help you get into new markets, increase revenues. It can help you reduce your risk or reduce costs. It can improve employee experience. It can improve customer experience or patient experience in a multi-site healthcare or businesses. And to get to that level you have to address the foundational technical debt.
Anderson Williams: So, Imran, will you say a little bit more about value generation as you think about particularly Shore portfolio company as compared to your previous experience with technology companies? What does it mean to create value, to generate value in our particular portfolio companies?
Imran Shaikh: Well, go back to the value framework, which I mentioned earlier.
Which is, does the technology help you get into new markets, acquire new customers? Does it help you reduce costs or reduce risk? Does it help you improve customer experience or employee experience? And each one of these can be measured by certain metrics and KPIs. For example, employee or customer experience can be measured in terms of customer CSAT.
Is the technology initiative helping you improve the customer CSAT? Example would be in healthcare facilities or healthcare businesses, patient intake. How do you automate the patient intake process and reduce the friction to improve the patient experience end to end from the time they come into your office to the time they leave?
Anderson Williams: You've talked some about the evaluation that you do and can do for our portfolio companies through the due diligence process as well as even post close. What types of problems are portfolio companies coming to you with, as opposed to just the analysis that we do, what are CEOs or CIOs or CFOs coming to you and saying, hey, Imran, I need help with this.
Imran Shaikh: Do more with less.
That seems to be a theme because as I mentioned earlier, IT is looked upon as a cost center. When we acquired a platform company or the life of the company, you may have a dozen, two dozen, maybe hundreds of add on acquisitions. And as a result of that, every time they acquire a add on platform, they acquire technical debt in the form of outdated systems, insecure systems, lack of security controls around those.
In addition to that, they also inherit some of their IT support model in the form of a managed service provider or IT staff that may not have the right level of skills and how to integrate this disparate IT support models into a unified support model that makes financial sense.
Everyone seemed to be struggling with that. You have a platform company, and then you have 15 IT managed service providers. How do you rationalize, consolidate, and have a go forward plan that makes financial sense, where you reduce your per employee IT support cost? That seems to be the theme these days, like, hey, what can we do more with less?
And how do you justify the IT costs for the size of the company?
Anderson Williams: And so just practically speaking, how does the company leadership come to you with that problem? Did they just pick up the phone and call or how does that happen?
Imran Shaikh: So, there are a couple of ways. There are some kind of leading and lagging integrators.
What we have is a monthly flash and dash, which is a scorecard of portfolio companies we track. For all companies, I think HIT, HR, data, these are the functions that are common across all portfolio companies. And we track their KPIs and metrics in form of this flash and dash scorecard. That's a good indicator on how the business is performing and if there are any deficiencies.
We flag those early on to the investment team through the flash and dash process. Those may result in identifying engagements with the portfolio companies to make sure that they come go from red to amber or from amber to green.
Real World Example
Anderson Williams: Is there an example, just real world, and you can choose to use the company name or not of one of those engagements, just so that we take technology from the sort of confusion and unknown of the dark and deep web to preventing the risk.
It's so foreign to so many people. Give us an example of like a specific thing that a company has come to you for that you've been able to help with.
Imran Shaikh: I'll give a recent example where a company experienced a wire fraud. The company had all foundational cybersecurity controls in place and ran into a wall as to how that incident happened.
The company did not have an internal IT function. The CFO was the de facto owner of IT. The company assumed that it fell for a phishing attack, and that resulted in a wire fraud. I worked with the CFO to do a forensics discovery, and it turned out it was an insider job. The company was able to get the funds back from the financial institutions, and there was no material loss.
Anderson Williams: And dare I ask what forensics means when you go in and start looking?
Imran Shaikh: Yeah, so you kind of look at the symptoms and kind of work backwards, wherein you're looking at system logs, looking at what happened when, look at some electronic data, which has timestamps to tell what an employee may have done at a specific period of time, including data that they may have deleted out of the systems.
Anderson Williams: So, I think that's really interesting, Imran, because most people are thinking about some bad actor and some foreign country or somewhere hacking into their system. They're not thinking about security sort of from within their team.
Imran Shaikh: That is correct. I think most companies that experience cybersecurity incidents are garden variety cybersecurity incidents.
They're not nation state actors. Those are probably extreme scenarios, but for most microcap slash small businesses, these are garden variety incidents that they experience in the form of phishing, form of malware, ransomware as a result of unsecured systems.
Anderson Williams: I think that's a whole other layer to this idea of how much can happen in house with the range of technologies that different companies are using, with the range of points of access that different people on a given team, you know, may have to certain systems.
I think it's fascinating and slightly frightening to think about the insider version of this. It's much easier to make the boogeyman to be a nation state somewhere than it is to potentially be somebody that's in your team or one or two people removed from your team.
Imran Shaikh: Absolutely right. The human nature by default is to trust, right? And employees want, expect that everyone's doing the right thing.
The Technology Cohort
Anderson Williams: Can you talk a little bit about just how your particular cohort works and how you meet? Who's in your cohort? How do you meet with and how do you connect with your cohort and just kind of describe what that process is?
Imran Shaikh: The technology cohort consists of the heads of IT, which includes CIOs.
They may not have formal CIO titles. It may be director of IT, manager of IT. It could be an IT practitioner. We also have some CFOs in the technology cohort because they own the IT function. We meet virtually every other month in the form of a virtual cohort summit for an hour. It's a peer generated content where companies share some of the challenges that they have and how they are addressing it so their peers can learn from it.
And that's one, a good example of how do you cross pollinate some of the lessons learned from the battlefield, from the front lines. These are the folks who are on the battle lines on the front lines. And they understand what the problems are, and most likely they know what the solution is. At times, they just need a sounding board to validate they are marching in the right direction.
Anderson Williams: And how do you make sure that people feel okay to share that they've had this problem or that problem?
Imran Shaikh: Yeah, so one of the things I announce is, hey, Chatham House rules apply. Anything that discussed here stays in the room unless it's a best practice that we are okay to share with other portfolio companies.
So building that trust takes time. And I promote that, hey, it's okay to be vulnerable because we are on the same side of the table. We're trying to solve similar challenges. And we are on the same team.
Anderson Williams: And what are the patterns that you see in terms of going back to your term, the garden variety, that might show up every other month that become patterns that really now and well into the future, the Shore portfolio can continue to learn and improve with the collective wisdom, not just the wisdom of Imran, but the collective wisdom of our companies.
Imran Shaikh: As you know, one of our growth theses is to add on acquisitions, right? There's only so much you can grow organically, but then all of our portfolio companies grow through add on acquisitions. So, there's a huge opportunity, and we already see that's happening, is companies sharing best practices for add on acquisition integration.
You know, acquiring the business and integrating in a timely manner so that you minimize your risk of a cybersecurity incident during the integration phase is the key to the success of a successful integration.
Anderson Williams: As you think about the audience being a portfolio company or potential acquisition or a potential CEO that's looking and thinking about the resources that Shore is going to bring to bear if they choose to partner with us.
What haven't I covered about the Technology COE?
Imran Shaikh: I think in general. The technology COEs is one of those COEs that's involved from the planting, growing and harvesting phase. The initiating coverage pre close and post close initiating coverage that gives us insights into how the businesses are running their technology function.
And if there is an opportunity for improvement or for de risking mid hold. Through the flash and dash process, we ensure that the minimum operating standards that we had set forward when they were in the planting phase are still being continued to follow. And then during the harvesting phase, when they are ready to exit, make sure they're exit ready.
So we go through the same process that we do pre close, which is doing a diligence on it to understand they still continue to follow the minimum operating standards that we have set forth and also share some of the knowledge base that we have. This may be in the form of questions that a prospective buyer of the business may ask of them so that they're ready when they go to the investment bank or when they're sitting in the room with the prospective buyer.
Anderson Williams: So yeah, really, you're doing due diligence again to make sure that the company that we're looking to exit is in the best possible position from a technology perspective to the benefit of that potential buyer. As well as just making sure that all the holes are closed.
Imran Shaikh: That is correct. And I think if we have numbers to show that the prospective buyers put a higher value on companies that have mature information systems and an institutionalized add on acquisition machine.
Anderson Williams: This podcast was produced by Shore Capital Partners, with story and narration by Anderson Williams. Recording and editing by Andrew Malone. Editing by Reel Audiobooks. Sound design, mixing and mastering by Mark Galup of Reel Audiobooks.
Special thanks to Imran Shaikh.
This podcast is the property of Shore Capital Partners, LLC. None of the content herein is investment advice, an offer of investment advisory services, nor a recommendation or offer relating to any security. See the Terms of Use page on the Shore Capital website for other important information.