2016 private equity cto survey - eze castle integration · pdf file7 | 2016 private equity cto...
TRANSCRIPT
Private Equity CTO Survey
trends in IT operations, investments & priorities for 2017
© Eze Castle Integration | 2
Contents 3
4
5
8
15
20
24
Executive summary
Respondent profile & methodology
Business priorities
Cybersecurity
Outsourcing
The private equity CTO
Managed services for private equity
© Eze Castle Integration | 3
Executive summaryThe tide is changing for private equity firms. They continue to grow in popularity – some say private equity is the new hedge fund –but with increased interest comes amplified speculation and heightened expectations.
In technology, private equity firms have found a fierce enabler for continued growth, and one that has shone the light on organizational benefits to be had far beyond the IT closet.
From the start, the goal of this survey was to more closely examine the evolution of the private equity industry as driven by – and driven to – technology. In reaching the top IT executives and chief technology officers (CTOs) at these firms, this survey highlights their priorities, successes and even failures, and in doing so, sheds light on this industry that has risen to the forefront of the greater financial community.
Our Private Equity CTO Survey encompasses four primary sections: business priorities, cybersecurity, outsourcing trends and the evolution of the private equity CTO.
Business Priorities If one thing is to be derived from the advent of information technology, it is that IT
and disadvantages to managing IT in-house versus outsourcing, and that debate will continue for the time being. Private equity firms are leveraging both strategies seemingly effectively, as evidenced by their future plans. The use of the private cloud endures for private equity firms, who most often rely on the platform to support a wide range of IT functions. The public cloud and hybrid strategies remain secondary choices and greatly vary in popularity depending on the use case.
The Private Equity CTO The role of the private equity firm’s chief technology officer has evolved, arguably, more than any other C-level position in recent years (perhaps with the exception of the chief compliance/risk officer). With technology supporting and impacting more day-to-day business functions than ever before, the CTO has taken on a wide range of responsibilities to align more with the overall organization and address growing investor and regulator concerns. Oftentimes tasked with a multi-functional role in accordance with IT security needs, the private equity CTO’s role will continue to transform to meet the revolving demands of the industry as a whole.
enablement extends well beyond the recesses of the Communications Room. Accordingly, technology decision-making is also impacted by an organization’s business objectives, and the two work in alignment to derive achievements across the firm. In this section of the survey, we’ll highlight areas where business goals have impacted IT budgets and where private equity firms plan to focus their attention in the coming year.
CybersecurityIt’s likely no surprise to you to see security highlighted as part of a technology survey, but some of the survey’s findings may surprise you. As we continue to track the evolution of the hack and the growing cybersecurity threats that permeate the industry, it’s critical to understand how private equity firms do and should address security risk and how their cybersecurity strategies may be impacted by their previous experiences. The prevalence of cyber issues experienced by private equity firms surveyed is significant – and if future budgets are any indication, private equity executives believe 2017 is a year to ensure this growing concern is taken seriously.
Outsourcing Trends We’ve long known that there are advantages
4 | 2016 Private Equity CTO Survey
Respondent profile & methodology
Private Equity Firms100%
VP/Director
C-Level
Other
30%
14%
25%
30%
The Private Equity CTO Survey was commissioned by Eze Castle Integration and conducted by IDG Research Services (Framingham, MA). Survey responses were solicited via online questionnaire during the period of September 26 through October 24, 2016.
To qualify for this survey, respondents were required to hold a senior-level position at a private equity firm and be responsible for some level of IT ownership, input and/or decision-making.
More than two-thirds of respondents are responsible for determining the business need for an IT product or solution, while just at or around 60 percent of respondents are involved in determining technical requirements, recommending or selecting vendors for purchase, authorizing or approving the purchase of products and services and evaluating products/services.
There were 101 total survey respondents.
1 | Business priorities
© Eze Castle Integration | 6
Security, customer experience and organizational efficiency are the top drivers for IT spend for the next 12 months.
Address regulatory and compliance requirements
Support globalization/business expansion
Optimize worker productivity
Improve business agility in response to marketchanges
Improve efficiency by refreshing outdated orlegacy technology
Improve the investor/client experience
Increase protection from cybersecurity threats
29%
30%
34%
40%
47%
48%
51%
We all know and appreciate how technology can impact our day-to-day operations. For private equity firms, advances in technology have enabled their businesses to become more efficient and drive growth across the entire organization.
When asked to identify the top drivers impacting IT spend in the next 12 months, survey respondents highlighted the need for increased protection against growing cybersecurity threats, a desire to improve the investor/client experience, and the goal of improving efficiencies by refreshing outdated or legacy technology.
Larger firms (> $1B AUM) were more likely to indicate a desire to support globalization and business expansion, which is a more probable scenario for a firm managing more assets and likely with a larger footprint.
Smaller firms (< $1B AUM), in contrast, were more likely to select the goal of optimizing worker productivity, an indication that these firms hope to be more agile with their limited resources.
7 | 2016 Private Equity CTO Survey
Cybersecurity, private cloud and big data analytics are the hottest IT investment areas for next year.
VoIP Unified Communications/Collaboration
Converged/Hyperconverged Infrastructure
VDI (Virtual Desktop Infrastructure)
Application Modernization/Legacy Systems…
Business Process Management
Disaster Recovery/Business Continuity
Infrastructure Management Software & Tools
Next-generation Firewalls
Cloud computing: Public Cloud
Application Development
Big Data/Business Analytics
Cloud computing: Private Cloud
Cybersecurity
16%
17%
21%
22%
28%
29%
31%
35%
36%
37%
44%
53%
56%
Cybersecurity is once again at the top of this list, which highlights significant investment areas for private equity firms in 2017. Given the focus on security preparedness across the financial services industry, this should come as no surprise.
Private equity firms are also keen to invest in the private cloud, as evidenced by more than half of the survey respondents. Private equity firms of all sizes are looking to leverage the benefits of managed infrastructures, whether it be to support basic daily operations or host applications.
Forty-four (44) percent of firms also identified a propensity to focus on big data and business analytics going into 2017. The sheer amount of data private equity firms are now attempting to manage has clearly become a focus area, particularly in light of increasing reporting and transparency requirements by investors and regulators.
2 | Cybersecurity
© Eze Castle Integration | 9
Overall, the percentage of IT budget dedicated to cybersecurity projects is expected to increase in the next 12 months.
Less than5%
5% to lessthan 10%
10% toless than
15%
15% toless than
20%
20% toless than
25%
25% ormore
Don'tknow
24%
33%
20%
12% 11%
0% 1%
Current
Less than5%
5% to lessthan 10%
10% toless than
15%
15% toless than
20%
20% toless than
25%
25% ormore
Don'tknow
24%
33%
20%
12% 11%
0% 1%
7%
27%25%
20% 21%
0% 1%
Current Future
Today, private equity firms cover a wide range in terms of what percentage of their IT budgets they allocate to cybersecurity projects and initiatives. More than half of firms (55 percent) have less than 10 percent of their IT budgets earmarked specifically for cybersecurity.
However, those numbers will change in the coming year.
When asked what percentage of their overall IT budget would be dedicated to cybersecurity in the next 12 months, respondents indicated a significant increase. Only 7 percent of private equity firms will have cybersecurity budgets of less than 5 percent, down from 24 percent currently. Increases are also expected in the budget range of 10 to 25 percent.
No firms are expected to allocate more than 25 percent of their technology budgets to cybersecurity preparedness.
10 | 2016 Private Equity CTO Survey
Two-thirds of firms expressed confidence that they are prepared to address cybersecurity risks.
28%
38%
25%
9%
Extremely
Very
Somewhat
Not Very/Not at All
17%
47%
36%
0%
FIRMS WITH $2B+ AUM
Extremely
Very
Somewhat
Not Very/Not atAll
30%
36%
23%
11%
FIRMS WITH < $750M AUM
Extremely
Very
Somewhat
Not Very/Not atAll
Overall, most private equity firms are confident in their in-house abilities to address cybersecurity risks. Two-thirds of firms (66 percent) indicated they are very or extremely confident in their cyber risk capabilities.
The expected increases in cybersecurity budget allocations in 2017, however, may quell the concerns of the less confident group, which includes 25 percent of firms that are somewhat confident and 9 percent not very or not at all confident.
When examined by assets under the firm’s management, the survey shows that firms within the highest asset class (> $2B) have significantly more confidence than their counterparts in the lowest asset class (< $750M).
11 | 2016 Private Equity CTO Survey
There is seemingly a correlation between a firm’s budget allocation for cybersecurity initiatives and its confidence in addressing cyber risk.
28%
38%
25%
9%
Extremely
Very
Somewhat
Not Very/Not at All
65%17%
17% 0%
FIRMS WITH > 15% CYBER BUDGET
Extremely
Very
Somewhat
Not Very/Not atAll
14%
42%32%
12%
FIRMS WITH < 10% CYBER BUDGET
Extremely
Very
Somewhat
Not Very/Not atAll
There are also some slight variances between firms with varying levels of cybersecurity budgets.
Not surprisingly, firms with lower percentages of their IT budgets dedicated to cybersecurity were more likely to indicate they are somewhat, not very or not at all confident in their ability to address cyber risk.
Meanwhile, firms with greater than 15% cyber budgets expressed more extreme confidence, and none of those firms fell into the ‘not very/not at all’ category.
© Eze Castle Integration | 12
Malware and viruses, hacking and unauthorized access have been the most prevalent issues over the past 12 months.
None
Compromise of mobile devices
Denial of service
Theft of proprietary company information
Ransomware
Identity theft of high-level corporate executives
Compromise of client facing systems
Advanced persistent threats (APTs)
Theft of client data
Compromise of operational systems
Website defacement
Hijacking of social media accounts
Unauthorized access to corporate data
Malware, worms & viruses
8%
17%
20%
21%
22%
22%
23%
24%
24%
25%
29%
31%
31%
39%
Unfortunately for private equity firms, there’s been no shortage of cybersecurity incidents experienced recently. In the past 12 months, firms indicated that they’ve experienced a wide range of cybersecurity issues, most notably malware, worms and viruses (1 in 3 firms), unauthorized access to corporate data (nearly 1 in 3 firms) and hijacking of social media accounts (nearly 1 in 3 firms). While the latter, in particular, may not seem like a concerning issue, it’s important to recognize that social media accounts are promising gateways for social engineering hackers. Information within these personal accounts can serve as the keys into corporate information systems – particularly if users are not diligent about maintaining unique passwords for various systems.
That nearly a third of firms have experienced unauthorized access to corporate data highlights a lack of control over an organization’s data and who has access to it. Without a detailed access control policy and ongoing monitoring in place, too often employees receive excessive data access privileges that introduce security risks.
© Eze Castle Integration | 13
The majority of firms have experienced multiple cybersecurity issues in the past 12 months.
3 OR MORE CYBER ISSUES
5 OR MORE CYBER ISSUES
70%
29%
Highlighting the prevalence of cybersecurity issues, virtually every organization that participated in the survey experienced some type of cyber issue in the past 12 months, but some more than others.
Seventy (70) percent of private equity firms surveyed experienced three or more cyber issues in the past year, while 29 percent of firms experienced five or more issues during the same time frame.
14 | 2016 Private Equity CTO Survey
Over the next 12 months, data protection issues are the top concerns for private equity firms.
Website defacement
Denial of service
Compromise of mobile devices
Compromise of client facing systems
Hijacking of social media accounts
Theft of proprietary company information
Ransomware
Malware, worms & viruses
Advanced persistent threats (APTs)
Compromise of operational systems
Identity theft of high-level corporate executives
Theft of client data
Unauthorized access to corporate data
23%
26%
27%
27%
31%
32%
32%
36%
37%
39%
40%
41%
50%
Data protection issues are most concerning to private equity firms as they look ahead to 2017, according to our survey respondents. The top cyber concern in the next 12 months? Unauthorized access to corporate data. This selection should not be surprising given that nearly 1 in 3 firms have experience with it. This risk can take many forms, however, most often it is unknowing employees placing company data in jeopardy. In an effort to reduce security gaps and protect firms from data loss, firms should implement tools to allow for file activity monitoring and auditing as well as employ the principle of least privilege to limit data access to only those employees who require it.
Other top concerns call attention to serious legal, reputational and relationship repercussions that the firm could incur, including theft of client data and corporate identity theft. Social engineering scams have evolved beyond opening fake accounts, but hackers are also using social engineering tricks to entice employees into executing wire transfers worth millions of dollars.
It is worth noting that ‘malware, worms and viruses’, while the top issue experienced, fell in the middle of the pack for future concerns. This likely shows that IT executives today are comfortable defending against these types of security issues and are more concerned with sophisticated attacks or employee mistakes.
3 | Outsourcing trends
© Eze Castle Integration | 16
There does not appear to be much variance in using external parties vs. in-house IT resources over the next 12 months.
47%
25%28%
Current
47%
25%28%
50%
23%27%
Current Future
The average private equity firm is managing nearly half (47 percent) of their IT functions in-house and outsourcing nearly 30 percent of IT. Six (6) percent of firms keep less than 20 percent of functions in-house, and five (5) percent have more than 80 percent in-house. Others fall somewhere in the middle (as evidenced by the overall average).
On the outsourcing side, most firms are leveraging outsourced third party providers for between 20 and 40 percent of their IT functions.
Firms in the smallest asset class (< $100M) are the most likely to outsource greater portions of their IT services, likely given their lack of internal staff and resources.
Overall, firms’ propensity to manage technology via in-house resources, outsourced providers or contract work is expected to stay consistent in the coming year.
In-house Staff (FT) Residency/Contractor/Staff Augmentation
Outsourced to Service Provider
In-house Staff (FT) Residency/Contractor/Staff Augmentation
Outsourced to Service Provider
17 | 2016 Private Equity CTO Survey
Firms are willing to outsource most services/functions, most often: cybersecurity services, cloud and backup.
None
Vendor due diligence and management
Social Engineering simulations
Compliance/Risk management
Application Modernization/Legacy Systems Migration
Networking/network administration
Telecommunications
IT project management
Help desk/IT support
Employee Security Training
Application hosting and management (via Cloud)
Cybersecurity
Backup/Disaster recovery
IT infrastructure (via Cloud – IaaS)
Vulnerability Assessments and IT Audits
3%
15%
22%
26%
28%
29%
31%
31%
33%
35%
37%
41%
42%
42%
43%
The most likely function to be outsourced by a private equity firm is a vulnerability assessment/IT audit, which – from an investor’s perspective – is significantly more reliable if handled by a third party.
Backup and disaster recovery are also popular functions to outsource to a third party, leaving firms and their investors with comfort that data resides in an offsite – and ideally, geographically diverse – location.
Outsourcing to the cloud continues to grow in popularity amongst private equity firms small and large. Respondents from firms with less than $1B in assets under management are slightly more inclined to outsource their infrastructure to the cloud, but not by a significant margin.
Overall, firms that manage less than $1B AUM are more likely to outsource nearly every function, with the notable exception of cybersecurity.
Only three (3) percent of firms indicated they would not outsource any IT functions or services.
© Eze Castle Integration | 18
Outsourcing preferences differ by size of firm (AUM) and cybersecurity budget (as a % of total IT budget).
Smaller cybersecurity budget Largest cybersecurity budget
Lower AUM Higher AUM
<10% +15%
<$1B >$1B
• Backup/Disaster Recovery
• Application hosting• Employee security training• Help Desk/IT Support• IT project management• Telecommunications• Compliance/risk management
• Application hosting• Employee security training• Help Desk/IT Support• IT project management
• Cybersecurity• Social engineering
simulations
Both assets under management and cybersecurity budget allocations appear to influence trends in terms of which functions are outsourced by private equity firms.
Firms with less than 10 percent of their IT budgets earmarked for cybersecurity are most likely to outsource backup and disaster recovery.
On the other end of the spectrum, firms with larger budgets (> 15%) are more likely to outsource application hosting, employee security training, help desk support, IT project management, telecommunications and compliance/risk management.
Firms with smaller AUMs (< $1B) are more likely to outsource application hosting, employee security training, help desk and IT project management, and firms with more than $1B in assets are more likely to outsource cybersecurity and also social engineering simulations, such as managed phishing services.
19 | 2016 Private Equity CTO Survey
The majority of private equity firms strongly prefer private cloud deployments for most applications.
59%57%
38%
50%
54%
38%
51%
21%23%
30%
26% 25% 25%22%
13%
18%
26%
18%16%
32%
24%
4%
0%
4% 4% 3% 4%1%
Prefer Private Cloud Prefer Public Cloud Prefer Hybrid Cloud Will Not Use Cloud
The private cloud is, far and away, the platform preference for most firms to support their IT functions, the most popular applications being email and file sharing/storage (both nearly 60 percent).
Some slightly less popular applications on the private cloud are Deal Flow apps and CRM tools, which only 38 percent of respondents selected the private cloud for. That number still outpaces both the public and hybrid cloud options, however.
While only 13 percent of private equity firms prefer a hybrid cloud approach for email, that figure peaked at 31 percent for firms managing between $1B and $2B.
For file sharing and storage, smaller firms (< $1B) are more amenable to the public cloud (about 30 percent), while larger firms (> $1B) are more open to a hybrid solution (30 percent). This trend also held true for CRM and analytics/reporting platform preferences.
4 | The private equity CTO
© Eze Castle Integration | 21
At private equity firms, the CTO/Top IT Executive seems to be elevating his/her status across the board.
Agreement with statements about the CTO/top technology executive (% Agree)
Is communicating with the Board of Directorsmore frequently than in previous years
Is involved in security initiatives to a greaterdegree than in the past
Has cultivated strong relationships with seniorbusiness stakeholders
Has originated ideas that have directly impactedthe business model and/or go-to-market strategy
Is becoming more involved in driving the firm tomeet regulatory and compliance demands
Is becoming more focused on managingcontractors, cloud and other IT service providers
Is becoming more important to our business
77%
79%
82%
83%
85%
86%
93%
At Eze Castle Integration, we have seen the role of our clients’ Chief Technology Officers evolve over the years in alignment with technology, regulatory and risk landscape shifts. As part of this survey we wanted to dive deeper into that evolution to help CTOs and equivalent IT executives understand where their peers are spending time and what they view as the new role of the CTO.
Ninety-three (93) percent of survey respondents believe their firm’s CTO or top IT executive is becoming more important to their business.
Eighty-six (86) percent said they believe the CTO is becoming more focused on managing contractors, cloud and other IT service providers. This increased focus is in alignment with the trend of today’s progressive CTOs drawing on cloud technology to create agile firms that can quickly deliver the applications users require.
Eighty-five (85) percent also see the CTO becoming more involved in driving the firm to meet regulatory and compliance demands. This is especially true as regulators outline data protection and cybersecurity expectations that can only be fully addressed through the use of technology. Additionally, regulators’ expectations around third-party due diligence has increased, placing more responsibility on CTOs to execute thorough risk assessments on the contractors, cloud and software and IT service providers used by the firm.
22 | 2016 Private Equity CTO Survey
CTOs wear a lot of hats and most often serve as the top IT security executive at their firm.
Yes
No
As regulators call out the role of a Chief Information Security Officer (CISO) more and more, we wanted to understand what percentage of private equity firms have separated the CISO responsibility from the CTO responsibilities.
When asked ‘does the CTO or top technology executive role at your firm also serve as the Chief Information Security Officer (CISO)?”, a resounding 86 percent of respondents answered that ‘Yes’, this is a combined role.
Even at funds with more than $2 billion AUM, the CTO wears a dual hat.
© Eze Castle Integration | 23
The role of the CTO/Top IT Executive is expected to evolve even more from tactical to strategic in the next 12 months.
Enabling global expansion
Enabling plans for client reporting/transparency…
Mapping the infrastructure to align with business…
Overseeing vendor risk management and due diligence
Helping to reach specific revenue goals
Converting business strategies into IT strategies
Controlling IT costs
Upgrading IT and data security to avoid cyber attack
39%
42%
43%
50%
50%
51%
54%
64%
Current
Enabling global expansion
Enabling plans for client reporting and…
Mapping the infrastructure to align with business…
Overseeing vendor risk management and due…
Helping to reach specific revenue goals
Converting business strategies into IT strategies
Controlling IT costs
Upgrading IT and data security to avoid cyber attack
47%
48%
47%
39%
40%
50%
48%
55%
39%
42%
43%
50%
50%
51%
54%
64%
Current Future
As it has remained across the various findings within this survey, cybersecurity is a top focus area for private equity CTOs. When asked what the most significant contributions their firm’s CTO has made to the firm, nearly two-thirds praised CTOs for upgrading IT and data security to prevent cyber-attacks. Controlling IT costs and converting business strategies into IT strategies are two other prominent contributions by today’s CTOs.
Looking ahead to 2017, there are also other areas where private equity CTOs are expected to make significant contributions, and these areas highlight a transition from tactical to more strategic focus areas. The following areas are expected to become more significant to private equity firm CTOs in the next 12 months: enabling global expansion efforts, enabling plans for client reporting and transparency initiatives, and mapping the firm’s infrastructure to align with business strategy and vision.
Each of these items ties into a firm’s strategy objectives aimed at making technology an enabler and differentiator.
About Eze Castle IntegrationEze Castle Integration is a leading provider of IT solutions and private cloud services to more than 650 alternative investment firms worldwide, including more than 100 firms with $1 billion or more in assets under management.
We are uniquely positioned to support today’s private equity firms. Our PE Managed Services include:
Outsourced Technology Services IT Support | Staff Augmentation | Global 24x7x365 Help Desk
Private Cloud Managed PlatformManaged Suite | Managed Infrastructure | Managed DR | Hosted Voice
Cybersecurity Solutions & TrainingCyber Consulting Services | WISP Development | Active Threat Protection | Managed Phishing/Training
Business Resiliency & Contingency Planning Disaster Recovery | Business Continuity Planning | Backup & Recovery | Email & IM Archiving
Boston | Chicago | Dallas | Hong Kong | London | Los Angeles | Minneapolis | New York | San Francisco | Singapore | Stamford
www.eci.com/privateequity